Social media as a compliance risk
Is social media a compliance risk, and how is that risk being managed?
Global Relay’s Data Insights Report 2023 referenced the data of over 10,000 financial services firms to analyze which communication channels are most commonly captured for compliance. In comparison to “traditional” business communications channels, such as email, SMS, and financial messaging tools, it became apparent that social media was being increasingly considered as a compliance risk.
In particular, LinkedIn featured in the top three most captured communication channels, with 33% of financial services firms capturing LinkedIn communication data.
Social media poses myriad compliance challenges. The collapse of Silicon Valley Bank in 2022 was accelerated by panic on social media that saw backers remove their funding, hastening the bank’s failure – dubbed the first ever “Twitter-fueled bank run.” In January 2024, the U.S. saw billion-dollar market swings as a result of an SEC X account hack. As well as this, social media presents significant Marketing Rule and advertising risks, and provides yet more channels for potential off-channel communications.
The risks of social media have not gone unnoticed in 2024’s Industry Insights Report, with 55.7% of survey respondents noting that they are considering social media as a compliance risk to their business.
When broken down regionally, both global banks (55.6%) and North American banks (54.9%) were slightly more cognizant of the risks social media presents. EMEA-based firms tilted the balance (45.5%) but, generally speaking, around half of all respondents see social media communication as some form of challenge for compliance teams.
An analysis of the commentary offered by respondents around social media risk uncovered five main approaches.
Those who view social media as a Marketing Rule or advertising risk
“As a private equity firm, we offer our funds privately. Therefore, no advertising is allowed on public sites.”
“Our business model does not include sales, policies prohibit use of social media for business and are monitored by Compliance.”
Those who see it as a recordkeeping or communication risk, and are proactively archiving or monitoring
“We only allow LinkedIn, capture it on Global Relay, and pre-approve postings.”
“We use lexicons to search for social media being mentioned in email, and then have approved social media platforms.”
“Compliance approval of social media and compliance monitoring by periodically logging in to see what communication, if any, there is.”
“Use of LinkedIn for staff who opted-in for archiving.”
Those who perceive it as a risk, but are uncertain of a watertight solution
“We don't allow the use of Instagram, TikTok or Snapchat, but we also don't have a way to monitor them to be sure they aren't being used – other than doing a Google search and using lexicons in our email monitoring.”
“These are banned, but it's impossible to put a perfect control in place to enforce.”
“We are trying to sort out how to archive and keep costs down.”
Those that manage social media channels through policies
“We have a social media policy banning the use for business communications.”
“The firm is constantly updating its social media policies around communications and the tools allowed for business.”
Those that have banned it altogether
“We do not allow social media usage.”
“We block access to social media sites from our corporate network.”
The main challenge posed by social media is that the proliferation of its use within a business context has been gradual and is, as yet, still an emerging risk. Social media, especially channels such as LinkedIn, blurs the line between personal communication and business communication, which poses distinct recordkeeping challenges.
Social media is a real nightmare for compliance. Again, companies risk tying themselves up in knots by sending out mixed messages. It's the problem with telling staff to ‘bring their whole self to work.’ This blurs the boundary between your professional self – which is what you should bring to work – and your personal self, which is not anyone's business but your own and which keeping separate from your work life is probably necessary to stay sane.
Employers need to guard against behaving like a mother, monitoring and tut-tutting about every aspect of their employees' lives. They also need to guard against imposing a 'received opinion' on everyone, especially about non-work topics expressed outside work. So, firms need to be clear – if they monitor social media channels – what exactly are the compliance risks they are looking for. Make these clear to staff so that they understand the boundaries. Firms also need to make a distinction between stuff said, which could be attributable to the firm (especially if the individual is senior), and stuff said in a personal capacity.
If it's just 'things we don't like to hear or disagree with' or they are making it up as they go along, they risk getting in a legal mess. A certain amount of toughness is needed: companies and staff should not allow themselves to be bullied by social media activists or trolls.
Carroll Barry-Walsh, Lawyer, Speaker, and Founder at Barry-Walsh Associates
Without individuals having clearly separated personal and business accounts, it is difficult to know how to capture and monitor business communication data, without simultaneously capturing personal data which organizations may have no legitimate right (or interest) in capturing – and may be subject to stringent data control and anonymity requirements in some jurisdictions.
From a Marketing Rule or advertising perspective, social media presents similarly uncharted waters. In May 2024, the FCA brought charges against nine individuals who promoted an unauthorized foreign exchange scheme on social media.
In the U.S., FINRA fined a firm $850,000 for social media posts made by “finfluencers” on the firm’s behalf, which were found to be misleading. Similarly, the SEC’s Marketing Rule 206(4)-1 imposes strict limitations on how firms can market their products, which extends to social media.
Finfluencers are another focus area where we have seen regulators trying to take a strong stance.
Those who benefit from ‘stock-tipping’ without declaring their beneficial interest are in the regulators’ sights, but the ability to reach a wide number of followers means that the influence of some on financial markets and regulated securities can be huge. As we have seen with Elon Musk, it doesn’t take much to have a material impact.
Finfluencers can also perpetrate more fraudulent-type activities, where the individual indirectly benefits from recommending followers invest in certain areas.
Rob Mason, Director of Regulatory Intelligence, Global Relay