The use of social media such as Facebook, Twitter and LinkedIn in the business of insurance is becoming widespread. Insurers and producers now use social media for a variety of purposes, including building brand awareness and trust, customer service and agent recruitment.

As the use of social media has grown, regulators have begun to apply existing regulatory standards to this new technology and evaluate where additional guidance and standards are needed. The Financial Industry Regulatory Authority ("FINRA") has been at the forefront of these efforts with guidance issued in 2010 and again this year addressing the application of its rules to the use of social media by broker-dealers and their registered representatives.

State insurance regulators also have become more active in this area. Several state insurance departments now address the use of social media in market conduct examinations. Last year, the NAIC Market Regulation & Consumer Affairs (D) Committee formed the Social Media Working Group, which was charged with producing a white paper to guide state regulators as they consider social media use. The working group has published two drafts of the white paper to date.

Courts also have begun to address issues relating to the business use of social media. Last March, for example, a federal court in California held that messages sent by Facebook users to their Facebook friends' walls, news feeds or home pages are "electronic mail messages" under the CAN-SPAM Act. Facebook, Inc. v. Maxbounty, Inc., 274 F.R.D. 279 (N.D. Calif. 2011).

This article reviews the guidance issued by FINRA on social media, which applies to broker-dealers and registered representatives dealing with variable life and annuity products. Because the FINRA guidance is the starting point for the white paper being developed by the NAIC, it deserves the attention of producers and insurers regardless of their market. In addition, this article examines the draft NAIC white paper in its present form and reviews general considerations important to any insurer or producer in developing a compliance program for social media.1

FINRA Guidance

In January 2010, FINRA issued Regulatory Notice 10-06, providing guidance on the use of blogs and social networking sites. This guidance and more recent guidance in the same area, Regulatory Notice 11-39, issued by FINRA in August 2011, are important for producers who deal with variable products.

The regulatory notices issued by FINRA cover a variety of topics including, among other things, the difference in regulation of "static" versus "interactive" content, firm supervision of social media activities, the treatment of third-party posts, the posting of third-party links, third-party data feeds and recordkeeping.

FINRA draws an important distinction between static and interactive content in the context of social media. According to FINRA, content is static if it remains posted until it is changed by the firm or individual who established the social media account. Examples of static content include blogs and, for sites like Facebook, profile, background or wall information. FINRA considers static content to be an "advertisement" under its rules if a broker-dealer or its registered representative sponsors the blog or social networking page on which the content appears. Thus, such static content must be approved by a registered principal before it is posted.

In contrast to static content, interactive content is composed of real-time communications, such as interactive posts on Twitter or Facebook. Such communications are considered to take place in an "interactive electronic forum" and therefore do not require prior approval by a registered principal. Interactive content, however, is subject to certain supervisory standards.

While approval by a registered principal is not required for interactive content, firms must supervise such communications in a manner reasonably designed to ensure they do not violate the content requirements of FINRA's communications rules. Generally, broker-dealers may employ risk-based principles to determine the extent to which the review of interactive content is necessary for the proper supervision of their business. Certain interactive content, however, is subject to special supervisory rules—for example, communications relating to complaints.

In addition, broker-dealers must adopt policies and procedures reasonably designed to ensure associated persons who participate in social media sites for business purposes are supervised appropriately, have the necessary training and background to engage in such activities and do not present undue risks to investors. Firms must have a general policy prohibiting any associated person from engaging in business communications on a social media site that is not subject to the firm's supervision. As part of this responsibility, a registered principal must review any social media site an associated person intends to use for a business purpose prior to its use.

FINRA typically does not treat content posted by customers or other third parties on a social media site sponsored by a firm as a communication by the firm with the public. Thus, generally speaking, such communications are not subject to prior approval by a registered principal or FINRA content and filing requirements.

Under some circumstances, however, third-party posts may become attributable to a firm. This may occur where the firm has: (1) involved itself in the preparation of the content, which is known as "entanglement" or (2) explicitly or implicitly endorsed or approved the content, which is known as "adoption."

Whether a firm has adopted content by implicitly endorsing or approving it is a fact-based inquiry. A prominent disclaimer on a site stating that a firm does not approve or endorse third-party posts is one factor FINRA may weigh in making such a determination. Other measures firms may take to help avoid implicit adoption include establishing appropriate usage guidelines for third parties who post to a sponsored site and establishing procedures for screening third-party posts. The fact that a firm blocks or deletes certain postings as inappropriate does not mean the firm implicitly has adopted posts that are left on a site.

Links posted on a sponsored site require careful handling. FINRA states that a firm may post a link to the site of an independent third party without assuming responsibility for the content of the linked site if: (1) the firm does not adopt or become entangled in site's content; and (2) the firm does not know or have reason to know the site contains false or misleading information. These standards suggest that a certain amount of due diligence should be conducted before linking to any site. Any such due diligence would need to be repeated periodically, as the content of a linked site may change. In addition, firms may not want to link to a third-party site unless an agreement is executed requiring the third party to follow appropriate standards and assume responsibility for any failure to do so. Finally, a disclaimer relating to links and clear evidence to the user that a link leads to a new website are advisable to help avoid implicit adoption of linked content.

Every firm that communicates, or permits associated persons to communicate, through social media must ensure it can maintain records of all such communications that constitute business communications as required by SEC and FINRA rules. These recordkeeping requirements are the same for both static and interactive content and extend to third-party posts received by a firm or associated person that relate to their business activities.

NAIC Guidance

On July 29, 2011, the NAIC Social Media Working Group released a first draft of a white paper entitled "The Use of Social Media in Insurance." This initial draft was met with sharp criticism by members and representatives of the regulated community. A revised draft of the white paper was released on September 29, 2011. The white paper is an evolving document but worth considering for the direction it points to in the treatment of social media by state regulators.

Like FINRA's guidance, the white paper distinguishes between static and interactive content, which are defined along the same lines as in FINRA's regulatory notices. The white paper treats static content in the same way as more traditional communications by insurers and producers. Thus, the white paper considers static content to be subject to existing state marketing and advertising regulations. This undoubtedly is the case.

The white paper's treatment of interactive content is less clear. In its present form, the white paper clearly considers third-party posts to be interactive content and therefore, absent entanglement or adoption, not subject to regulation as marketing or advertising. In addition, the white paper generally does not consider insurers or producers responsible for the content of such posts so long as they do not become entangled with or explicitly or implicitly adopt the content.

The white paper is vague in its treatment of real-time posts and other interactive content generated by an insurer or producer, as opposed to a third party. It explicitly does not carve out such communications from regulation as marketing or advertising. How the final white paper will treat such communications remains to be seen. It is likely, however, that such communications are subject to state advertising and marketing regulations notwithstanding their interactive nature. Indeed, at least three states—Massachusetts, New York and Virginia—have clarified that social media is subject to their regulations governing marketing and advertising.2 These state standards draw no distinction between static and interactive content. Regulators in other states are likely to take the same position.

This does not mean that all social media communications will be deemed to constitute marketing or advertising. Rather, the same standards for determining whether a communication is marketing or advertising that apply to traditional communications likely apply to communications generated by an insurer or producer through social media.

The white paper's general standards for entanglement and adoption are taken directly from FINRA's 2010 guidance on social media. Although the white paper's guidance in this area lacks some of the detail provided by FINRA, the FINRA guidance is a useful indicator of how state regulators may apply these principles to insurers and producers.

In addition, the white paper states that "an insurer is responsible for its appointed producers' posts, provided such posts may be directly related to the appointing insurer or the insurer's products or services." The white paper also states that insurers are encouraged to train appointed producers who wish to use social media before permitting its use. Given the uncertainty of regulators' attitudes and the law in this area, insurers may want to take a cautious approach to the use of social media by appointed producers.

The white paper encourages insurers and producers to adopt policies and procedures reasonably designed to ensure that insurer and "insurer-attributed" social media communications are accurate and timely. Like FINRA's guidance, the white paper states that insurers should employ risk-based principles to determine the extent to which the review of social media communications is necessary for proper supervision of their business. Procedures for such review may require pre-approval of some or all interactive content or, where appropriate, retrospective review—for example, through sampling or lexicon-based screening.

With respect to recordkeeping, the white paper takes the position that state insurance recordkeeping requirements apply to social media in the same way they do to other forms of written communications. According to the white paper, "when an insurer and/or producer is responsible for the content of a specific social media communication, then the insurer and/or producer is also responsible for complying with state record retention regulations relative to the subject communication."

General Considerations

Insurers and producers who engage in social media should consider establishing policies and procedures governing the appropriate use of such technologies. In doing so, it is important to recognize that many existing regulatory standards likely apply to social media in the same way they do to other forms of communication by the regulated community.

Threshold issues to consider include who may generate content or post links on sponsored sites or feeds, what content is appropriate for a particular site or feed, procedures and approvals necessary to create new content or links and procedures to review posted content and links for accuracy and appropriateness. For example, insurers may want to establish controls to ensure posts by non-licensed personnel do not stray into the realm of communications requiring a producer's license. In addition, all types of content should be screened to ensure they do not violate standards concerning inappropriate inducements, endorsements or unlawful rebates.

Other important issues to consider are how third-party posts will be monitored and what standards should be applied to responses. For example, it is important to direct complaints to personnel who can respond in a manner consistent with applicable regulatory requirements and internal guidelines. Complaints received through social media likely are subject to the same regulatory requirements, including recordkeeping, as complaints received in any other fashion. The same holds true of communications relating to claims that are received through social media.

Links to third-party sites and public responses to third-party posts should be handled so as to avoid explicit or implicit adoption, which may attach responsibility for the post to the insurer or producer sponsoring a site. Additionally, insurers and producers engaging in social media may want to screen third-party posts for inappropriate content such as defamatory or indecent remarks or content that could give rise to trademark or copyright infringement.

Other matters to consider include procedures for safeguarding the privacy of personal information. Sponsors of social media may want to adopt policies and procedures to discourage the posting of personal information—for example, by informing users they should not share personal information and by following up on complaints and claims communications received through social media through private channels. Any notice directing users not to provide personal information should also inform users that any such information they may share in a public posting will not be private. Contracts with social media providers and other vendors should be clear about the permitted uses of information collected on the site and the data security standards for such information.

Record retention policies also are an important consideration for social media platforms. FINRA's guidance explicitly extends record retention requirements to third-party posts. The draft NAIC white paper suggests that, absent adoption or entanglement, third-party posts might not be subject to record retention requirements. However, many state regulators may disagree with this position. Insurers and producers may want to apply their record retention policies equally to their own content and content generated by others, to the extent that this is technologically practicable.

The regulation of social media will continue to evolve as the uses of and technologies associated with social media change. Well-thought-out controls regarding the use of social media can help mitigate regulatory risk. Perhaps more important, such controls also can help mitigate reputational risk, which is a critical consideration for social media given its inherent visibility and "viral" potential. In the end, of course, social media is valuable only to the extent it maintains and enhances the sponsor's reputation.

Footnotes

1 This article focuses on social media used for promotional purposes. The use of social media in claims and fraud investigations is not addressed.

2 See 14 VAC 5-21-20; 211 CMR 152.02; New York DOI Gen. Cnsl. Op. 10-11-07 (Nov. 22, 2010).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.