Broker-dealers using social media for business purposes face new scrutiny from FINRA, which has issued two detailed Regulatory Notices and a new rule on electronic communications with the public. The authors discuss these FINRA initiatives, and make practical suggestions regarding the essential components of supervision, conflicts with state privacy laws, required recordkeeping, and responsibility for third-party content.

Similar to the explosion of the use of e-mail in the early 2000s, the use of social media websites for business purposes has become commonplace for broker-dealers and their associated persons. Accordingly, the Financial Industry Regulatory Authority, Inc. ("FINRA") has been taking steps in the past several years to provide its member firms and their associated persons with guidance and compliance considerations relating to their use of social media. FINRA has issued two detailed Regulatory Notices and enacted a new rule on communications with the public that specifically references social media through electronic communications. On the enforcement side, FINRA has brought very few disciplinary actions against the improper use of social media and the failure to archive electronic communications. However, in June 2013, FINRA posted a targeted examination letter (the "June Sweep Letter") on its website indicating it is conducting periodic spot-checking of firms' social media communications. FINRA has also been asking more targeted questions relating to the use of social media in routine exams and during the course of its review of Continuing Membership Applications and New Membership Applications. Thus, there is a movement towards holding firms accountable for their compliance obligations relating to the use and supervision of this medium.

In general, the use of social media sites by broker-dealers and their associated persons for business purposes should be treated no differently from any other business-related electronic communication. This perspective is helpful in the sense that member firms already have policies and procedures in place dealing with recordkeeping, suitability, supervision, and content requirements for the use of other electronic communications, such as e-mail and fax. These same procedures can be applied to business communications made through social media websites. However, certain features and aspects of social media may raise concerns that should be separately considered and addressed in a firm's policies and procedures.

This article briefly reviews the relevant historical guidance provided by FINRA applicable to the use of social media and discusses the practical implications member firms must consider to comply with FINRA rules if they want to use social media for business purposes. This includes the implementation of appropriate policies and procedures to ensure these communications are properly supervised, as well as the potential conflicts in supervising this use given recent changes in state privacy laws. Then it discusses FINRA's recent enforcement actions related to the use of electronic communications, including e-mail and social media, the June Sweep Letter, and FINRA's likely direction with respect to such enforcement actions.


Regulatory Notices

In December 2007, FINRA issued Regulatory Notice 07-59 relating to the review and supervision of electronic communications.1 It stated that "FINRA expects a firm to have supervisory policies and procedures to monitor all electronic communications technology used by the firm and its associated persons to conduct the firm's business [emphasis in original]." FINRA urged that a firm should consider, prior to implementing new or different methods of communication, whether the adoption of new electronic communications technologies would require any updates or changes to the firm's supervisory policies and procedures, so that the firm can identify and timely address any issues that may arise. FINRA also reminded its member firms that "they have a separate, but equally important, obligation to ensure that their use of electronic communications media enables them to make and keep records, as required by [applicable SEC and FINRA recordkeeping rules]." As social media communications are electronic communications, FINRA's expectations and compliance concerns are no different for the use of social media than those for any other type of electronic communication medium.

In January 2010, FINRA released Regulatory Notice 10-06, its first guidance specifically on the use of social media websites.2 This notice was released at a time when many firms were fearful of allowing the use of social media to conduct business and on the heels of problems arising from using social media in unsupervised and undetected ways.3

In this Regulatory Notice, FINRA emphasized that each firm must develop and adopt policies and procedures regarding the firm's electronic communications with the public that are best designed to ensure compliance with the applicable federal securities laws and FINRA rules governing communications in the context of its own business. Each firm needs to understand and clearly document the permissible use of social media by the firm or its associated persons.

The notice also explained that the substance and nature of the content of the communication, irrespective of its form, may result in it being subject to different rules or requirements. For example, whether the communication is "static" or "interactive" will affect the member's compliance obligations. Static content is a planned communication to a target audience that cannot be altered or does not provide for interaction with the author once published. This includes posts that will remain posted until removed, such as a website, banner or advertisement, sales literature, profile, video, and background information. Such static content is required to be approved by a registered principal before it is posted and subsequently edited. On the other hand, interactive content and non-static, real-time communications, such as tweets or status updates on Twitter, LinkedIn, Facebook, or blogs that are used to engage in real-time interactive communications with a target audience, do not need prior approval by a registered principal, unless such interactive content becomes static.

In August 2011, FINRA supplemented and refined its guidance in Regulatory Notice 10-06 through the issuance of Regulatory Notice 11-39.4 Regulatory Notice 11-39 focused on reminding member firms of their supervisory obligations, particularly by establishing and maintaining systems to supervise, train, and educate their personnel who are permitted to use social media for business purposes. FINRA also re-emphasized that firms must retain records of communications that relate to their "business as such," regardless of the form of the communications. In addition, FINRA provided answers to questions from member firms that had arisen since the issuance of Regulatory Notice 10-06, including with respect to third-party posts and content on linked third-party sites, management of data feeds into the member firms' own websites, and business communications conducted from personal devices owned by associated persons.

In both Regulatory Notices 10-06 and 11-39, FINRA stressed repeatedly that firms must have policies and procedures ensuring compliance with the rules as applied to new technologies, but stopped short of prescribing particular types of procedures that a firm should adopt for this purpose to allow flexibility.

FINRA Rule 2210

New FINRA Rule 2210, which went into effect in February 2013, fine-tuned the rules of engagement for member firms that allow use of social media. First, the six categories of communication with the public under the old rule were reduced to three: "Retail Communications," "Correspondence," and "Institutional Communications."5 Most communications that used to be classified as "advertisements" or "sales literature" under the old rule are now viewed as retail communications, which include any written, including electronic, communication that is distributed or made available to more than 25 retail investors within any 30 calendar-day period.6 The rule also provides for an explicit exemption from the pre-approval requirement for retail communications posted in online interactive forums, such as chat rooms or online seminars, that do not make any financial or investment recommendation, or otherwise promote a product or service of the member firm.7 However, firms still must supervise and maintain records of the communications. Finally, under FINRA Rule 2210, a social media communication may be considered "Correspondence" if it is communicated to fewer than 25 retail customers.8 There are no pre-approval or filing requirements for Correspondence. The only requirement is that it be supervised and reviewed by an appropriately qualified principal.9


If a firm intends to allow its associated persons to use social media for business purposes, it must first have in place clear and detailed supervisory policies, procedures, and controls. To that end, registered principals must review, prior to use, any social media site that an associated person intends to use for business purposes, assess the universe of what the principal will need to supervise the associated person, and ensure that he has the tools to capture and review such communications. Third-party service providers that initially were formed for the purpose of archiving e-mail and other electronic communications have expanded their technology to also cover the rapidly evolving social media sites. Certain of these third parties provide enhanced tools that can be leveraged to supervise social media sites that are used to communicate for business purposes. A firm must take that into consideration when determining which social media sites it is authorizing for use and which third-party archiving firm it is using to retain these communications. It is for these reasons that a firm must have a general policy prohibiting use of any social media sites that it cannot properly supervise.

Permitted Use

A firm needs to clearly define in its written supervisory procedures and convey orally to its associated persons, prior to use, which social media sites they are permitted to use and the limitations, if any, on their use of such sites. In view of the fact that there is a wide range of sites with different functions and varied formats, a firm should tailor its policies to reflect the firm's intended use of social media and its resources available for supervision. A firm may choose to distinguish the use of social media allowed for conveying information to the general public from its use for communicating with individual customers. To the extent possible, a firm should consider blocking access to all social media sites other than those it permits. It is important to remember that member firms must be able to retain, retrieve, and supervise business communications regardless of whether the communications are made through a personal device or a firm device. Therefore, if business activity is conducted from a personal device, a firm should consider requiring use of a separately identifiable application or account for business communications to facilitate the firm's ability to readily retrieve business communications without capturing personal communications made on the same device.

Review Process

A firm should determine who will be reviewing social media communications and how often the review will be performed. Factors to be considered include how many people are allowed to communicate using social media, which sites they can use, how social media can be used, and the number of all users in the firm. A firm should address how required approval will be granted and consider requiring documentation of the submitted content and the review process by the registered principal, either through a third-party archiving system or in hard copy. Firms may adopt various methods of post-use review of communications, conducting random spot-checking and lexicon searches, monthly inventory checks, and quarterly audits. Of course, a firm must follow up on any "red flags" discovered. Since very comparable issues arise regarding supervision of e-mails, firms likely already have the requisite infrastructure in place and can implement a similar review process over business communications made through social media. Firms should also strongly consider doing some due diligence of their own by conducting Internet and social media searches of the names of associated persons in order to ensure that all potential social media involvement relating to business activities has been disclosed and identified.

Suitability and Recommendations

A member firm or its associated person's "recommendations" to customers using social media will trigger application of the general suitability rule.10 As a best practice, a firm should consider prohibiting its associated persons from using interactive social media forums to recommend specific investment products or strategies, unless the content has been reviewed and received approval from a registered principal prior to use. Alternatively, a firm could prohibit such recommendations, unless the communication recommending a specific investment product or strategy conforms to a previously approved template, and the specific recommendation has been approved by a registered principal. Firms should also consider implementing a similar policy governing any communication that promotes specific investment products, even if it may not rise to the level of a recommendation under the FINRA suitability rule, as some forms of electronic communications can be difficult to characterize.

Training and Education

Prior to allowing associated persons to use social media for business purposes, a firm's policies and procedures must provide for training and education of its personnel relating to the parameters of permitted use. Registered principals and associated persons need to understand the difference between interactive and static content, between business and non-business communications, and whether the communication is a retail communication requiring pre-approval. A firm should consider requiring training in the use of social media prior to permitting use. At a minimum, firms that permit use of social media sites must hold annual training as part of their continuing education obligations. Any such training will reinforce personnel understanding of the firm's policies and procedures as applied to this continuously evolving technology and in turn serve to limit the firm's compliance risks.

Conflicts with State Privacy Laws

Member firms must consider the recent state privacy laws relating to protection of employees' social media accounts when formulating their supervisory policies and procedures. In general, these laws restrict employers from coercing or requiring employees to surrender access to their personal social media accounts.11 Such privacy laws could potentially undermine a broker-dealer's ability to effectively supervise its personnel's use of social media for business purposes, especially when many people use the same account for both personal and business activity.

Some states provide specific carve-outs to their general prohibition, allowing employers to conduct investigations for the purpose of ensuring compliance with applicable securities or financial laws, or regulatory requirements. Maryland, one of the first states to enact a social media password protection law, provided such an exception, but employers are allowed to conduct investigations based on information the employer has in its possession about the use of a personal account for business purposes before conducting the investigation.12 However, the statute does not define or elaborate on what kind of information would suffice or subsequent remedies an employer might legally take to investigate the associated online activity.

FINRA has been advocating for such exceptions and has sent letters to lawmakers seeking carve-outs to social media employee privacy laws for the financial services industry.13 However, only some of the states provide such carve-outs. Even if a state privacy law provides an exception for compliance with securities laws and regulations, it may be narrower than the language suggested by FINRA, which does not require possession of information of wrongdoing or non-compliance prior to investigation.14

FINRA has expressed publicly that its rules do not conflict with state privacy laws because it does not require member firms to conduct routine surveillance of representatives' personal social media or keep passwords and user names on file.15 Nevertheless, state privacy laws still can create conflicts and obstacles for member firms. Without a body of case law to draw upon, firms are faced with having to reconcile the risk of incurring regulatory scrutiny and possible sanctions by FINRA for less than adequate online supervision with the risk of exposure to liability by testing the limits of an undefined exception to state privacy laws. The outcome of possible conflicts posed by the state privacy laws will likely unfold in some form of litigation, either FINRA sanctioning a member firm for not meeting its mandates or a state bringing suit for a violation of an employee's privacy rights.

Meanwhile, a firm should determine whether its supervisory policies are adequate to meet FINRA mandates with deference to the relevant state privacy laws. A firm may avoid having to reconcile the conflict by forbidding its employees to participate in online social media for business purposes altogether. If a firm decides to allow its employees to engage in social media for business purposes, at a minimum, it should require employees to maintain entirely separate accounts for business and personal use to the extent such social media sites permit multiple accounts. In addition to requiring each associated person to certify that he or she is acting in a manner consistent with the firm's policies, a firm may also require more rigorous review and detection of its personnel's activity through general searches and random spot-checks to ensure that there is no misuse of the personal sites.


For recordkeeping purposes, business communications made through social media must be treated no differently than any other electronic communications. Such communications must be preserved for a period of not less than three years, the first two in an easily accessible place.16 The content of the communication determines whether it must be preserved, regardless of the ownership of the device used, the technology employed, or the nature of the forum used to transmit the communication. This is a critical component for any firm allowing the use of social media, as each firm must be able to retrieve and retain the records in order to supervise the activity. As previously mentioned, a firm should consider working with technology providers it is currently using to retain and retrieve e-mails for an archiving solution to capture and review social media communications. FINRA is already requesting archived records of business communications made through social media from member firms to determine how supervision is being conducted. Hence, if firms cannot ensure that they are capturing and retaining all required records that relate to their associated persons' use of social media, firms also will not be able to fully supervise the activity and conduct appropriate reviews of the activity. Such a failure will dilute the value of having robust policies and procedures relating to the use of social media, since the supervisors will not be able to attest that they are seeing all relevant communications.


A firm may become responsible for third-party posts on its sites or content on third-party sites if it has adopted or becomes entangled with such third-party content. A firm may be deemed to be "entangled" with a third-party post or content on a third-party site if the firm participates in the development or preparation of the content.17 A firm may be deemed to "adopt" a third-party post or content on a third-party site if the firm or its personnel explicitly or implicitly endorses or approves the post or the content.18 If a firm co-brands a third-party site by, for example, placing its logo prominently on the site, it will effectively adopt the content of the entire site.19 In addition, firms may not establish a link to any third-party site that the firm knows or has reason to know contains false or misleading content.20

Member firms should set up barriers and prominent disclaimers regarding third-party content where possible. Such barriers and disclaimers would be part of the facts and circumstances that FINRA would consider in an analysis of whether a firm had adopted or become entangled with a third-party posting. Firms linking to third-party sites or posts should consider including a disclaimer that third-party posts do not reflect the views of the firm and have not been reviewed by the firm in order to prevent the firm from being viewed as endorsing such posts.

A firm should enact usage guidelines, and train and educate associated persons regarding appropriate treatment of third-party content. Such guidelines should address how to deal with third-party posts to the firm's social media site or third-party posts relating to the firm's business posted to a personal social media site. Depending on how a firm has embraced the use of social media, it may want to provide associated persons with a pre-approved, non-substantive response to third-party posts on a personal social media site directing the third party to the associated person's business e-mail address.

Firms that have parent or affiliated companies should also take into consideration how to manage posts, links, and websites of those companies and the staff of those companies where they reference the firm or link to the firm's site. To avoid risks associated with entanglement and adoption of the affiliates' content, a firm may want to consider avoiding dual employment or prohibiting the personnel of the affiliates from posting information about the firm or linking to the firm's site without pre-approval by a senior executive.

In the absence of adoption and entanglement, FINRA does not consider a third-party post to be a firm communication with the public. Nevertheless, a firm should have usage guidelines and content requirements for third parties permitted to post on firm sites. Firms should establish a process for screening and monitoring third-party content, be vigilant in their supervision of third-party posts, and place conspicuous disclosures of the firm's policies regarding its lack of responsibility for third-party posts.


For several years, FINRA has brought enforcement actions and has continued developing cases relating to the supervision and retention of e-mail. In 2010, Piper Jaffray & Co. was censured and fined $700,000 for intermittent e-mail retention failures for a five-year period and the firm's failure to inform FINRA of such issues.21 One firm and its principals were fined more than $900,000 for a variety of violations, one of which was deleting all firm e-mails and not having a system in place to retain deleted e-mails.22 In 2011, FINRA censured and fined Citigroup $750,000 for the firm's failure to retain millions of e-mails during the period October 21, 2008 through December 26, 2009, and for the deficiency of its supervisory system in ensuring timely detection of e-mail retention failures.23 In February 2013, FINRA fined ING Groep N.V. $1.2 million for failing to retain or review millions of e-mails over a six-year period.24 In April 2013, FINRA announced its largest fine ever against LPL Financial LLC ("LPL"), $7.5 million for significant e-mail system failures, which prevented LPL from meeting its obligations to capture e-mails, supervise its representatives, and respond to regulatory requests.25 Going forward, as broker-dealer use of social media sites to communicate for business purposes continues its growth, FINRA will be looking to make similar cases against firms for failing to supervise and maintain records relating to these types of electronic communications.

At present, there have been very few publicized cases brought by the FINRA Division of Enforcement relating to use of social media. The most notable case was brought in 2010, when FINRA announced it was taking disciplinary action against a broker for, among other things, her use of Twitter.26 FINRA found that Jenny Quyen Ta, a registered principal, posted hundreds of undisclosed tweets, 32 of which were extremely optimistic and positive about a particular stock. Ta's tweets failed to disclose that she and her family members owned 100,000 shares of the stock she was touting. It is worth noting that the problematic tweets were made during 2009, prior to the release of FINRA's Regulatory Notices on social media discussed above. Ta had also conducted outside business activities, held outside brokerage accounts, and created websites with representations about her career accomplishments, none of which were disclosed to her firm. Ta received a one-year suspension from associating with any FINRA member and a $10,000 fine. Given the more recent focus on the use and compliance issues surrounding social media sites, it is very likely that a similar case brought today would garner a much larger fine; FINRA would also take a very close look at the firm's supervisory controls, expecting that the firm would have searched the Internet and social media sites for undisclosed use by its associated persons.

The June Sweep Letter

FINRA's June Sweep Letter, issued to spot-check how social media communications were being used, monitored, and archived, requested the following information:

1. explanation of how the firm uses social media and blogs at the corporate level and business purpose of each platform;

2. URL for all sites used by the firm, date began using each site, and identity of all individuals who post/update the content;

3. explanation of how the firm's registered representatives and associated persons generally use social media in the conduct of the firm's business, including dates of first use of each platform;

4. firm's written supervisory procedures concerning the production, approval, and distribution of social media communications in effect during the time period February 4, 2013 through May 4, 2013;

5. explanation of measures firm adopted to monitor compliance with the firm's social media policies; and

6. list of firm's top 20 producing RRs who used social media to interact with retail investors, including type of platform.27

Information gathered during sweep examinations is used to carry out investigations, focus examinations, and gauge the industry's current level of compliance with communications rules and guidance. The expectation is that, depending on how social media are being used generally by the firm or by its associated persons to communicate with customers, FINRA will find some compliance failures of the member firms relating to such use. As a result, FINRA will likely seek disciplinary actions.

Given FINRA's recent enforcement actions related to other forms of electronic communications and its focus on social media communications, firms should expect that FINRA will be requesting information in connection with social media more frequently going forward. The fear of FINRA regularly making such requests during exams or otherwise will compel the member firms to examine their procedures and internal training programs to ensure adequate compliance with supervisory review, recordkeeping, and filing requirements prior to permitting the use of social media for communication and solicitation. The spot checks also allow member firms an opportunity to test their systems and determine how closely their systems adhere to FINRA's demand. Yet again, the requests FINRA is making regarding social media communications are similar to the type of requests made in the past for e-mail, and firms must view compliance issues related to social media in the same context as complying with the requirements for use of any other electronic communication medium.


Given the applicability of supervisory and recordkeeping rules to all electronic communications, examining member firms' use of social media and their adherence to those rules is a ripe issue for FINRA. As has been the case with e-mail in recent years, member firms will begin to regularly receive requests from FINRA through sweeps, examinations, and investigations to provide information relating to its new focus, social media use. In light of this expectation of closer scrutiny, each firm must ensure that if it permits the use of social media for business purposes, it also must develop and maintain detailed and comprehensive social media policies and procedures to ensure compliance with the recordkeeping, suitability, supervision, and content requirements.


1 FINRA Regulatory Notice 07-59, "Supervision of Electronic Communications" (Dec. 2007) on FINRA website.

2 FINRA Regulatory Notice 10-06, "Social Media Web Sites – Guidance on Blogs and Social Networking Web Sites" (Jan. 2010) on FINRA website.

3 See, e.g., id. n.9, in which FINRA discusses that on Nov. 23, 2009, FINRA fined and suspended a registered principal who held put options for himself and, without disclosing his interest in the stock, posted unapproved bulletin board messages urging investors to sell the underlying stock. See also the case involving Jenny Quyen Ta cited infra note 26.

4 FINRA Regulatory Notice 11-39, "Social Media Websites and Use of Personal Devices for Business Communications," (Aug. 2011) on FINRA website.

5 FINRA Rule 2210(b).

6 "Retail investor" means any person other than an institutional investor, regardless of whether the person has an account with a member. "Institutional investor" includes a bank, savings and loan association, insurance company, registered investment company, SEC or state-registered investment adviser, natural person or entity with total assets of at least $50 million, government entity, certain employee benefit plans with at least 100 participants (but not any participant of such plans), FINRA members and their registered persons, and any person acting solely on behalf of an institutional investor. FINRA Rule 2210(a).

7 FINRA Rule 2210(b)(1)(D).

8 FINRA Rule 2210(a)(2).

9 FINRA Rule 2210(b)(2).

10 FINRA Rule 2111.

11 Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Jersey, New Mexico, Oregon, Utah, Vermont, and Washington have enacted such laws, and comparable legislation has been introduced or is pending in many other states as of September 12, 2013. See Employer Access to Social Media Usernames and Passwords 2012 and 2013 maintained by National Conference of State Legislatures at . Bills proposing similar federal legislation have also been introduced in both the Senate and the House of Representatives. Password Protection Act of 2013, H.R. 2077, 113th Cong. (2013).

12 MD. CODE ANN. [LAB. & EMPL], §3-712(e)(1) (2013).

13 Jean Eaglesham & Michael Rothfeld, Wall Street vs. Its Employee's Policy, THE WALL STREET JOURNAL, Apr. 22, 2013, available at .

14 An example of FINRA's suggested carve-out is this: "This act shall not apply to the personal social media accounts or devices of a financial services employee who uses such accounts or devices to carry out the business of the employer that is subject to the content, supervision, and retention requirements imposed by federal securities laws and regulations or a self-regulatory organization as defined in section 3(a)(26) of the Securities Exchange Act of 1934, as amended." FINRA's comment letter to California State Assembly (June 19, 2012), .

15 Melanie Waddell, BDs Beware: Social Media Privacy Laws May Conflict with FINRA Rules, THINKADVISORONE.COM (July 12, 2012), .

16 SEC Exchange Act Rules 17a-3 and 17a-4 and FINRA Rule 4510.

17 FINRA Regulatory Notice 10-06, supra note 2, at 7, 8.

18 Id.

19 FINRA Regulatory Notice 11-39, supra note 4, at 6.

20 Id. at 3.

21 FINRA News Release, May 24, 2010, Newsroom/NewsReleases/2010/P121506, and FINRA Letter of Acceptance, Waiver and Consent ("AWC") No. 20090197795, available at

22 National Adjudicatory Council Decision, October 8, 2010, available at .

23 FINRA AWC No. 20100218231, available at .

24 FINRA AWC No. 2012031270301, available at .

25 FINRA AWC No. 2010032218001, available at .

26 FINRA AWC No. 2010021538701, available at .

27 Targeted Examination Letter, .

Published 22 times a year by RSCR Publications LLC. General Editor: Michael O. Finkelstein. Associate Editor: Sarah Strauss Himmelfarb. Copyright © 2013 by RSCR Publications LLC. ISSN: 0884-2426. Reproduction in whole or in part prohibited except by permission. All rights reserved. Information has been obtained by The Review of Securities & Commodities Regulation from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, The Review of Securities & Commodities Regulation does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions, or for the results obtained from the use of such information.