Pagefreezer Blog

Understanding Compliance for Financial Services in a Digital-First World

Written by Kyla Sims | Feb 2, 2026 7:18:35 PM

For financial institutions responding to and servicing digital-savvy audiences, online communication is equal parts risk and opportunity. Websites and social media profiles offer excellent customer success opportunities for clients who are always online.

According to the J.D. Power 2023 U.S. Consumer Financing Satisfaction Study, financial institutions that choose to engage with their customers via digital channels achieve higher levels of satisfaction. 

Online customer communication, however, can present vulnerabilities related to institutional integrity, credibility, data security, and compliance. Digital communication is also subject to numerous regulations in financial services. Non-compliance can cause reputational damage—sometimes irreparably so. It can also attract scrutiny and result in hefty fines from regulatory authorities.

Understanding and implementing compliance strategies for financial services serving online audiences can prevent a number of negative consequences for firms simply looking to connect with their customers. 

What is Compliance for Financial Services?

In the U.S., compliance for financial services means adherence to the rules and regulatory mandates outlined by the U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA). 

These regulatory bodies work together to oversee and enforce compliance requirements for financial institutions operating within the U.S. The regulations apply to all forms of online communication undertaken by broker-dealers and financial institutions.

The FINRA and SEC’s recordkeeping compliance guidelines are designed to protect investors’ interests. Fraud prevention, improved transparency, and market integrity are the desired outcomes of these rules.

While regulatory compliance is not new for finance sector service providers, the evolving, multifaceted nature of digital communication channels makes adhering to regulations more complex than ever.

Below are some of the most important regulatory rules and notices from the SEC & FINRA that every financial institution should be aware of and plan for when establishing online communication: 

1. SEC Rules 17a-3 & 17a-4

The Securities & Exchange Act Rule 17a-3 mandates that financial institutions create and preserve accurate, current, and detailed records of their securities business.

SEC Rule 17a-4 details how long records must be kept (typically three to six years, depending on the type of record), the format in which they must be stored (ensuring they are tamper-proof), and how they should be accessible for inspection by regulatory authorities.

This rule also addresses the electronic storage of records, requiring that records are preserved exclusively in a non-rewritable, non-erasable format, or WORM. Write Once, Read Many (WORM) technology allows for retrospective audits and the ability to track and hold parties accountable for any changes made.

Over the years, the SEC has made several amendments to Rules 17a-3 and 17a-4 to address the evolving landscape of the securities industry and technological advancements. These amendments are intended to be flexible enough to accommodate future technological innovations in recordkeeping without necessitating further amendments. 

Amendments have also been made to ensure that records are easily accessible for a specified period and can be produced promptly to regulators.

2. FINRA Rule 2210: Communications with the Public

FINRA Rule 2210 mandates communication standards for financial services firms and brokers, including on social media, advertisements, and websites. It also outlines requirements for content, approval, and recordkeeping of public communications.

Here are some key requirements:

  • Recordkeeping: Member firms are required to maintain records of all communications, including both the original communication and any approval, modification, or rejection of the communication.
  • Approval and Review of Communications: Firms must establish written procedures for the review and approval of communications with the public. These procedures should be designed to ensure that communications are fair, balanced, and not misleading. Procedures and approvals should be retained as records. 
  • Content Standards: Communications must be based on principles of fair dealing and good faith, and they should provide a sound basis for evaluating the facts about the specific security or service being promoted. Communications should not make exaggerated or unwarranted claims, nor should they predict or project performance. These communications must also be retained as records. 
  • Social Media and Electronic Communications: Firms are responsible for ensuring that their representatives' use of social media complies with regulatory standards. Firms are required to capture and archive electronic communications, including social media posts, for recordkeeping purposes.

3. FINRA Regulatory Notice 10-06: Guidance on Blogs and Social Networking Websites

The goal of this Notice is to ensure that—as the use of social media sites increases over time—investors are protected from false or misleading claims and representations, and firms are able to effectively and appropriately supervise their associated persons' participation in these sites.

Every firm that intends to communicate, or permit its associated persons to communicate, through social media sites must first ensure that it can retain records of those communications as required by Rules 17a-3 and 17a-4 under the Securities Exchange Act of 1934 and FINRA Rule 3110. SEC and FINRA rules require that broker-dealers retain those electronic communications that relate to their "business as such."

It goes on to clarify that static content on social media (e.g., profiles, background info) is treated as an advertisement and thus requires prior approval by a registered principal. Interactive content (comments, reactions, etc.), on the other hand, is considered an interactive electronic forum, so it does not require pre-approval but must still be supervised.

The notice also reminds financial service providers that a registered representative's participation in an Internet chat room is subject to the same requirements as a presentation in person before a group of investors. FINRA defined the term "public appearance" in FINRA Rule 2210 to include participation in an interactive electronic forum.

It also makes the distinction that third-party posts on social media are not considered firm communications, unless the firm helped prepare them, endorses them, or approves them (through liking, resharing, reacting, etc.).

4. FINRA Regulatory Notice 07-59: Review and Supervision of Electronic Communications

This notice is in response to comments received when FINRA proposed guidance for member firms to consider when developing supervisory systems for electronic communications. They note concerns from commenters that text-messaging should NOT be included because it is too difficult to capture and maintain records. 

FINRA clarifies that supervision is based on content and audience, not communication format, and firms must supervise all electronic communications used for business, regardless of channel, including text messaging. They advise that firms must consider supervisory and recordkeeping impacts before adopting new technologies.

The notice goes on to detail the key principles of electronic communications supervisory systems required. Firms must:

  • Maintain clear, updated policies covering all electronic communications
  • Supervise communications on non-firm platforms if permitted
  • Prohibit or control use of personal devices unless supervision and retention are possible
  • Supervise e-faxes, message boards, and emerging technologies
  • Review internal communications regarding influence on research and trading conflicts
  • Document who reviews communications, when, how supervision is confirmed, and any follow-up actions

The 4 Phases of Compliance in Financial Institutions

When the rubber meets the road, how can financial institutions stay compliant with regulatory requirements while employing new communication technologies and their benefits? In short, this can be accomplished by taking a proactive approach to social media and website recordkeeping.

Compliance for financial institutions consists of: 

1. Risk assessment

Mitigation measures cannot be put in place without identifying existing and potential sources of risk. For financial institutions, this involves understanding how information shared on webpages, social media posts, and instant messages can lead to regulatory risk. 

Risk assessment usually involves:

  • Auditing internal and external communication processes for compliance risks and identifying gaps or loopholes 
  • Identifying channels of online communication that are the most susceptible to recordkeeping compliance breaches 
  • Assessing the different types of communication and overall information exchange where there is a chance of miscommunication, misinformation, or misuse
  • Analyzing insights for threat detection
  • Evaluating the potency of identified threats

2. Policy development

After a risk assessment, the next step is to devise a recordkeeping policy that can be applied company-wide and which provides a blueprint for compliance management. 

Since no two financial institutions are the same, the policy regarding recordkeeping is bound to vary among firms. That’s why it is critical to establish a policy that strictly adheres to SEC and FINRA requirements and eliminates the chances of unintentional non-compliance. Other relevant factors, such as information storage, accessibility, and data security, are also integral to a compliance policy.

3. Implementation

Implementation usually involves finding the right compliance and recordkeeping software for financial services. Archiving and surveillance software designed for recordkeeping can automate a lot of compliance workflows or, at least, make operations much more efficient. The dashboard of dedicated software should be easy to monitor in real time and provide readily available data for audits or enforcement queries.

Implementation also involves training stakeholders engaging in communication with clients. 

4. Review & reporting

Conducting regular reviews of compliance management practices and tools deployed is the last step. It ensures the policies are effective, uncovers gaps, and ensures mitigation measures are taken in a timely manner. 

Examples of Non-Compliance in Financial Services

The SEC and FINRA are vigilant in enforcing and overseeing compliance mandates. Accordingly, the repercussions can be severe for financial service providers or their affiliates who fail to comply. 

In the past, non-compliance has led to crackdowns on several service providers and broker-dealers. 

Back in 2022, the SEC collected $1.1 billion in fines from 16 high-profile firms and broker-dealers for failing to retain records of digital exchanges with their respective clientele. That same year, FINRA charged H.C. Wainwright & Co. a whopping $1.5 million in fines for failing to meet its broader compliance regulations.

In a case of off-channel non-compliance, FINRA fined former Charles Schwab representative Daniel Michael Roper $15,000 for violating online communication recordkeeping laws. Roper exchanged off-channel messages with a client via his personal credentials. And he was unable to provide court-admissible copies of these messages and emails. 

This was a violation of FINRA Rule 4511. Rule 4511 requires financial institutions and their affiliated broker-dealers to maintain accurate records of exchanges with clients. 

There are countless other cases of costly non-compliance penalties underscoring the importance for all financial institutions that engage in any form of online communication to adhere to relevant recordkeeping rules. They must also closely monitor the online activities of individuals affiliated with them. 

Why Digital Archiving and Monitoring are Crucial for Compliance

Staying compliant with the SEC and FINRA’s mandates for online communication is not optional. And it begins with recordkeeping.

Recordkeeping in financial services has two key components: digital archiving and monitoring. 

Digital archiving involves collecting, storing, and organizing digital communication data. It ensures data integrity, readiness for compliance queries, and adherence to retention schedules. 

It begins with data collection from online channels, including webpages, social media accounts, instant messengers, and enterprise collaboration software. The next step is storing the large volume of sensitive data safely and securely. The last step is ensuring this data is easily accessible without compromising its integrity and quality. 

When coupled with monitoring efforts, digital archiving helps financial service providers retain information per the SEC and FINRA mandates. In turn, financial institutions and individuals stay compliant and audit-ready. It helps avoid scrutiny from regulatory bodies and prevents incurring fines. 

A strong online communication compliance program is proof of a financial service provider’s integrity. A compliant financial institution is trustworthy, assures investors of fair treatment, and readily attracts new customers. 

Beyond brand perception, staying compliant helps avoid financial losses from regulatory penalties. Strong compliance in financial institutions has many interconnected, cascading benefits.

Improve Compliance with Pagefreezer’s Archiving Solution

Pagefreezer’s archiving solutions capture online data from all your social media accounts, websites, enterprise collaboration platforms, and even text messages. 

Pagefreezer captures important metadata alongside hash values for any content on your website, social media and internal collaboration tools. The collected data is always timestamped and digitally signed with a SHA-256 signature as proof of integrity and authenticity. The records are also stored in WORM, tamper-proof storage. Information retrieval is also quick and easy, with full-text search capabilities.