July 12, 2012

BDs Beware: Social Media Privacy Laws May Conflict With FINRA Rules

Federal and state laws in the works may affect BDs’ compliance procedures

More On Legal & Compliance

from The Advisor's Professional Library
  • Risk-Based Oversight of Investment Advisors Even if the SEC had a larger budget and more resources, it is doubtful that the Commission would have the resources to regularly examine all RIAs. Therefore, the SEC is likely to continue relying on risk-based oversight to fulfill its mission of protecting investors.
  • Privacy Policies and Rules Whether an RIA is SEC or state-registered, the firm must have policies and procedures in effect to protect clients’ privacy. Policies and procedures should explicitly require an RIA to send out its privacy notice each year.

Broker-dealers take heed: state and federal social media privacy legislation limiting employers’ access to employees’—and prospective employees’—social media accounts could conflict with the social media rules issued by the Financial Industry Regulatory Authority (FINRA).

According to a recent article by lawyers from Sutherland Asbill & Brennan for Law360, Maryland recently became the first state to pass social media privacy legislation, with Illinois on track to follow suit, and other states like California, Delaware, Massachusetts, Minnesota and New York also likely to do the same in the not too distant future.

Under the Maryland law, employers in that state are prohibited from requesting or requiring information such as the user name or password to access an employee’s or applicant’s personal social media sites, such as Facebook and Twitter, the Sutherland lawyers write.

Federal legislation has also been introduced. In May, Sens. Richard Blumenthal, D-Conn.; Chuck Schumer, D-N.Y.; Ron Wyden, D-Ore.; Jeanne Shaheen, D-N.H.; and Amy Klobuchar, D-Minn., introduced the Password Protection Act of 2012, which would make it illegal for an employer to compel or coerce access to any online information stored anywhere on the Internet if that information is secured against general public access by the user.

Companion legislation has been introduced in the House by Reps. Martin Heinrich, D-N.M., and Ed Perlmutter, D-Col.

The lawmakers state in the summary of the Password Protection Act that “requiring access to prospective or current employees’ password-protected accounts as a condition for employment is an unreasonable violation of employees’ privacy.”

Employees, the lawmakers said, “are not required to hand over the keys to their houses as a condition of employment, and should not be required to hand over access to their most private and personal digital e-mail or social network accounts, either.” Instead, they said, “an employer has several reasonable and comprehensive ways to find out more information about an applicant, including the application or resume, the interview, references or an internet search of the applicant.”

The Sutherland lawyers note that based on a recent survey of independent broker-dealers, almost 80% of firms allow the use of social media. Thus, they say, “legislation that limits access to social media information may pose significant challenges for a large number of broker-dealers.” BDs and their associates, the lawyers say, “are subject to a regulatory framework surrounding the use of social media, requiring the supervision of certain social media and electronic communications.”

The Sutherland lawyers note that such social media privacy laws “may pose potential complications” for broker-dealers attempting to comply with regulatory requirements issued by both FINRA and the Securities and Exchange Commission (SEC), “most significantly by limiting access to associated persons’ communications,” which the lawyers argue is “critical to a broker-dealer’s compliance and supervisory programs.”

But George Smaragdis, a FINRA spokesman, told AdvisorOne that in FINRA’s regulatory notices on social media and in public statements about those notices, "we have never said that firms are required to conduct routine surveillance of representative’s personal social media, nor have we said they must obtain passwords and user names to keep on file 'just in case.'" 

Firms, he said, "must follow up on 'red flags' that may indicate that an associated person is not complying with firm policies," as FINRA points out in Notice 11-39, which states: "Some firms require each associated person to certify on an annual or more frequent basis that the associated person is acting in a manner consistent with such policies. When feasible, some firms also have chosen to randomly spot check websites to help them monitor compliance with firm policies." 

In the article, the lawyers suggest some issues that BDs should consider as they assess the impact of the new social media statutes:

  • Carve-Out Provisions to Firm Supervisory Obligations

"While Maryland’s statute provides specific carve-out provisions, they are very limited and may not apply to most of the securities law regulatory requirements. While the law does permit an investigation for ensuring compliance with applicable securities requirements, the company needs to be in possession of information indicating a potential wrongdoing. The law does not indicate what sort of information the company needs in its possession to meet the requirement or how the company can then investigate. If other states provide for similar carve-outs, these same issues may arise."

  • Employees vs. Independent Contractors

"To date, the social media legislation would apply to employees and prospective employees only. As a result, it appears that these limitations would not apply to associated persons of a broker-dealer who are independent contractors. Firms that allow registered representatives to be either employees or independent contractors may be precluded from applying the same supervision of social media accounts to all representatives. In addition, if independent contractors are also employees of an affiliate, the legislative prohibitions may still affect the broker-dealer’s ability to access such information. Under this scenario, the tension between FINRA’s requirement for broker-dealers to supervise social media activity and the legislative prohibition against the same may be alleviated.

"Finally, independent contractors may argue that they should receive the same protections as employees even though they may not technically be covered by the legislation."

  • Use of Personal Accounts for Business Purposes

"Regulatory requirements apply to business-related communications processed through personal and through firm-sanctioned systems. In contrast, the statutes and proposed legislation concern only personal accounts, but that term is not defined. Thus, firms may need to assess their supervisory systems and procedures to address access to personal accounts while complying with the legislation."

Page 2 of 2
Single page view Reprints Discuss this story
This is where the comments go.