“The Internet’s not written in pencil,” Facebook founder Mark Zuckerberg's girlfriend warns him in the movie The Social Network. “It’s written in ink.”
According to two attorneys at Sutherland Asbill & Brennan, this quote sets the tone for the online regulatory environment for advisors.
The attorneys published an article in the June issue of Banking & Financial Services Policy Report using The Social Network, the 2010 film about the rise of Facebook, to demonstrate the rise of enforcement against financial advisors for social media infractions.
“Although Internet content does not disappear (too easily), when it does, it can have far-reaching and long-lasting effects on firms and representatives who use it,” Brian Rubin and Caroline Crenshaw wrote.
Rubin is a partner in Sutherland’s Washington, D.C., office and leads the firm's securities enforcement and litigation practice team. Crenshaw is a member of Sutherland’s litigation practice group.
To mitigate those long-term effects, advisors need to have well-documented processes in place for all their communications: email, instant messaging, blogs, social media and any platform yet to come along.
Broker-dealers have to keep business-related records for at least three years, according to the paper, and the first two of these have to be easily accessible. Investment advisors have to keep business-related records, including recommendations, disclosure documents and advertising, in their principal office for at least two years; then they can move them to another (readily accessible) location for another three years.
A case in 2007 showed that just keeping the records wasn’t enough, though. According to the paper, FINRA fined a firm in August 2007 for failing “to preserve, review or retain emails sent via external accounts.” Enforcement actions were brought against firms that were unable to prove that personal email accounts weren’t being used to do business, electronic systems were being maintained properly and emails were readily accessible.
Instant messaging and social media brought up concerns about being able to preserve communications, according to the paper. Rubin and Crenshaw noted that FINRA was the first regulator to show interest in instant messaging. In February 2007, the regulator fined four affiliated firms for failing to preserve communications, and in April fined a representative for inadequately supervising electronic communications.
However, the paper found regulators weren’t satisfied with storing electronic communications electronically. In July 2010, the SEC fined a broker-dealer and its chief compliance officer for keeping instant messages stored on a computer instead of in hard copy or disabling the program altogether.
“Regulatory guidance indicates that firms should preserve all business-related communications, including not just emails but also text messages and social media (as well as whatever channel or forum of communication is developed by the next generation of dropouts from Harvard College or Reed College),” the authors wrote. They stressed that even when firms have policies and procedures in place, they need to confirm that they can access communications easily.
Information online is easily shared, and advisors and broker-dealers can’t always control who sees what. With Regulation Fair Disclosure (Regulation FD), the SEC prohibited firms from disclosing material information to some groups without making it available to the marketplace. The SEC noted that in some cases, posting the information on the company’s website may be sufficient to meet the disclosure requirement.
In December 2012, the SEC considered action against Netflix after CEO Reed Hastings used Facebook to say viewers watched more than a billion hours of video in June. No action was ultimately taken because, as the authors noted, Stanford Law School Professor and former SEC Commissioner Joseph Grundfest wrote that the posting reached a significant enough portion of the marketplace to meet Regulation FD. The SEC followed up in April with a report saying companies may use Facebook and Twitter to make disclosures to investors as long as investors have been previously informed of where that information will appear.
In “The Social Network,” Zuckerberg, played by Jesse Eisenberg, is brought before an administrative board, accused of intentionally breaching security, among other misdeeds. He tells the board he deserves recognition instead of punishment: “I believe I pointed out some pretty gaping holes in your system.”
Passwords and encryption are common ways for firms to protect data, but, as the authors noted, they can frequently become an annoyance “when they have to be changed every month, and especially when so many different passwords are being used that it becomes difficult to remember them.” Firms have been fined for having inadequate passwords or session inactivity time-outs. In April 2010, a broker-dealer was fined after a hacker broke into its database, which was neither encrypted nor protected by a password. Failing to train employees can also lead to enforcement actions.