Archive for August, 2011

FINRA 11-39: Applause, Missing Pieces, and Users

In the week that “retweeted” was officially added to the Oxford English Dictionary, after only two years of use, FINRA beats the retweet and issues new guidelines on social media, just 18 months after 10-06 hit our doorsteps, and “So, what do you read into 11-39?” is the question on the tip of everyone’s tongue.

As expected, a few points are clarified; the latest guidance has become more prescriptive in some areas and less so in others.  (Puzzled looks abound, I’m sure.)  If you’d rather hear more about this than continue reading, please join me on a webinar Wednesday, August 31st at 10am EST and I’ll explain.

I’ll start with the missing pieces of 11-39.

What’s missing is the specific reference to individual social networking sites (I bet that’s not what you were expecting).  And for this, I applaud FINRA.  Examples were given in 10-06 – Facebook was mentioned twice (OK, three times if you look at the endnotes), Twitter four times, and LinkedIn just the once.   Interesting that, in the conversations I’ve had with wealth management firms and wire houses, it’s LinkedIn that is the network of choice.

Why my applause though?  Good job, FINRA, I say, because you’ve recognized that this world moves very quickly.  Three months ago, YouTube was the fastest growing social network.  Then it was Google+.  And now, as Google+’s new member growth falls by 30% a day to 700,000, we’re not sure anymore.  That said, LinkedIn has added 20 million new profiles since its IPO in May and now boasts 120 million profiles.  Equally, since January 1, 2011, we’ve tracked 938 changes across Facebook, LinkedIn, and Twitter (yes, really!).

Good job, FINRA, because you’ve recognized that loyalty in our social world is somewhat limited.  And, that just because Facebook, LinkedIn, and Twitter are today’s Holy Trinity of social, it doesn’t necessarily mean that they will be tomorrow.

What else is good?

It’s also good to see clarification on business versus personal commentary.  This reinforces what we’ve been saying for some time: “the regulator is interested in the communications related to the business and when the individual is representing the business.”  The advice we have been giving since January 2010 is NOT to go against the Facebook rules (for instance) and set up two profiles, but to take advantage of Facebook letting you set up a profile for personal use and a page for professional use.  Contrary to a lot of public opinion, you CAN do this: as a businessperson, you can set up a specific page for your business use (drop me a note if you want step-by-step instructions).  The SEC itself has stated that the content of an electronic communication determines whether it should be preserved, just as the FSA in the UK does.  The modality doesn’t matter.

I do believe that, as an industry, we are perhaps being somewhat short-sighted in thinking that you can absolutely separate personal from business communications in the social world.  I think the lines will continue to blur (increasingly so) as we become more accustomed to social, and I believe we’ll see more guidance on this as time goes on.

What else is new?

A proposed social media site must be approved in the “form in which it will be launched.”  FINRA is talking here about the launch of new social media sites.  So, if you’re launching a new design, a new Twitter feed, for instance, then the graphics that you’re using, the imagery, and the actual site – the “wireframes” in design parlance – need to be part of the approvals process.  Third Party Data Feeds are referenced also.  FINRA reminds us that the firm is responsible for checking the proficiency of the vendor of the data and its ability to provide accurate data – and it must regularly review for red flags.

Don’t Delete!

In reaction, perhaps, to the number of new companies popping up purporting to control and manage social media, FINRA specifically calls out technology that automatically erases or deletes content, stating that this precludes the firm’s ability to retain the communications in compliance with its obligations under SEA Rule 17a-4.  Yet further into the 11-39 guidelines, FINRA gives more detail on the deletion of inappropriate third-party content.

It’s clear that a record of communications that doesn’t contain the full record is no record at all.  However, I do hold to the fact that some content simply has to be deleted.  I can’t control the 750 million other Facebook users out there (heck, I can’t even control what my little brother says on Facebook), and not all of those users have the same filtering mechanism that I have when it comes to content.  I’ve deleted some friends and banned others because their language would offend my Mother, who to me, is my ultimate Facebook controller.  In a corporate environment, I certainly don’t want the Actiance brand associated with profanity, racism, or a host of other comments, that we automatically delete through the use of our Urban Dictionary.

But we do record the fact that they were made.  We also record the fact that they were deleted.  We also record what the page looks like before and after the delete.  Belt and braces.  It might not be on the social network anymore, but it’s in the archive.
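As an added illustration of the record-keeping pattern described above (example code written for this page, not Actiance’s product code): an append-only archive in which the automatic filter removes a comment from the live page, but the archive keeps the original post, the deletion event, and the page view before and after the removal. The blocked-word list and the sample comments are constructed for the example, and the hash chain is an assumed design choice so that a missing or altered record can be detected at review time.

```python
"""Append-only compliance archive for third-party social comments.

Moderation never destroys the record: a 'delete' is itself an appended
event that carries the page view before and after the removal.  Every
event is hash-chained to the previous one, so a gap or a silently
rewritten entry fails verification.
"""
import hashlib
import json

# Constructed stand-in for the profanity filter the post mentions.
BLOCKED_TERMS = {"badword", "slur"}

GENESIS = "0" * 64


class ComplianceArchive:
    def __init__(self):
        self.events = []   # append-only log of dicts: kind, payload, prev, hash
        self.live = {}     # comment_id -> text currently visible on the page

    @staticmethod
    def _digest(kind, payload, prev):
        body = json.dumps({"kind": kind, "payload": payload, "prev": prev},
                          sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def _append(self, kind, payload):
        prev = self.events[-1]["hash"] if self.events else GENESIS
        event = {"kind": kind, "payload": payload, "prev": prev,
                 "hash": self._digest(kind, payload, prev)}
        self.events.append(event)
        return event

    def post(self, comment_id, author, text):
        """Record a third-party post exactly as it appeared, then apply the filter."""
        self._append("posted", {"id": comment_id, "author": author, "text": text})
        self.live[comment_id] = text
        if any(term in text.lower() for term in BLOCKED_TERMS):
            self.delete(comment_id, reason="auto-filter")

    def delete(self, comment_id, reason):
        """Remove from the live page; the archive gains a record, loses nothing."""
        page_before = dict(self.live)
        removed = self.live.pop(comment_id)
        self._append("deleted", {"id": comment_id, "reason": reason,
                                 "text": removed,
                                 "page_before": page_before,
                                 "page_after": dict(self.live)})

    def history(self, comment_id):
        """Every archived event about one comment, in order."""
        return [e for e in self.events if e["payload"].get("id") == comment_id]

    def verify_chain(self):
        """True if no event has been altered, inserted or removed."""
        prev = GENESIS
        for e in self.events:
            if e["prev"] != prev:
                return False
            if self._digest(e["kind"], e["payload"], e["prev"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo():
    """Two posts, one filtered; returns the archive for inspection."""
    archive = ComplianceArchive()
    archive.post("c1", "alice", "Great product, thanks for the update")
    archive.post("c2", "bob", "this is a badword post")
    return archive


if __name__ == "__main__":
    a = demo()
    print("live page:", a.live)
    print("events:", [e["kind"] for e in a.events])
    print("chain ok:", a.verify_chain())
```

The point of the chain is not secrecy but tamper evidence: a reviewer (or a regulator) can confirm that the record presented is the whole record, which is what turns a deletion from a retention problem into a documented supervisory action.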

Mobile IS mainstream, and network barriers have crumbled.

And, it’s clear to see that the growth of mobile is having an impact; 250 million of the 750 million active Facebook users use the site through a mobile device – and on mobile, they’re twice as active.  It’s clear that firms are concerned about mobile, rightly so, but equally, that FINRA is being sensible about how firms operate and how they do business.  And, not all of us use devices that are firm-owned to post content and collaborate on social networks.  That’s the way the world is changing.  It’s one of the biggest challenges of today’s CIO:  the personally owned device (whatever that might be – iPhone, BlackBerry, Droid, iPad, Tablet, Netbook).  FINRA reminds us that it’s the communications, not the device, that is important.

The Users, the pesky Users…

FINRA gives an even bigger call-out about training and education.  Human beings, I’m convinced, were put on earth to create chaos.  And in a social world, we can do this very quickly and very easily.  (I should at this point, before our CEO, @Kambwani, sees this, note that this quote is mine and mine alone.)  But equally, you don’t just give 20,000 financial advisors access to LinkedIn and expect that they know what to do.  In a lot of instances there is a generational gap; injecting social into the DNA of individuals doesn’t happen overnight.  FINRA is dead right in saying that training is important, that certification is important.  And regular training is not just a one-off, because people forget when they’re on a social network.  They forget who they’re connected to, and who might see their content.

We are, after all, as human beings, ultimately fallible.  And we have technology in every other area of our business lives to protect us: anti-spam and security in the email world to stop us sending our bank account details to Nigeria or our intimate personal details to hackers, Web filtering in the Web world to stop us playing online poker all day, and maybe even Actiance to limit our usage of Farmville to a mere 30 minutes a day.  In other words, we use technology to protect us against technology.  And it goes without saying that we use technology to protect us from malware infection (our very own @jaeho9kim wrote about this recently right here on this blog), from ourselves, and from malicious intent.

I think I’ve rattled on quite long enough now, so I’ll leave you with this final set of questions.  Did 11-39 answer your questions?  Did it raise more?  What do you think it didn’t cover?  Tune in next week for our webinar – and for thoughts that I’ve gathered recently, when I got together with 60 Financial Services Marketing, Compliance, and IT professionals and asked them what they thought FINRA should issue in terms of guidance.


Charting the History of Social and FINRA – from 10-06 to 11-39

In 2009, as social media rose to prominence, the securities industry asked its largest independent regulator, FINRA (Financial Industry Regulatory Authority), for guidance on how to use social media while complying with the rules and regulations governing the industry.

In response, FINRA convened a Social Networking Task Force of FINRA staff and industry representatives and issued Regulatory Notice 10-06, Guidance on Blogs and Social Networking Sites  in January 2010. The goal of the Notice was to “ensure that – as the use of social media sites increases over time – investors are protected from false or misleading claims and representations, and firms are able to effectively and appropriately supervise their associated persons’ participation in these sites.”

In addition, FINRA also provided a Guide to the Internet for Registered Representatives and a series of educational programs designed to help firms understand how to use social media within a culture of compliance.

In short, through the Regulatory Notice, Guide and various educational programs, FINRA conveyed that electronic communications shared over the Internet are governed by the same rules governing communications with the public that firms already follow: record keeping, suitability, supervision and content requirements. FINRA did make a distinction between static and interactive content: that static content is considered advertising and as such, required preapproval by a registered principal of the firm and that interactive content was akin to a public appearance and did not require pre-approval, but required supervision after the fact.

The industry had been hoping that FINRA would provide a specific road map to social media compliance; instead, FINRA provided guidance and encouraged firms to interpret the rules themselves: “each firm must develop policies and procedures that are best designed to ensure that the firm and its personnel comply with all applicable requirements. Every firm should consider the guidance provided by this Notice in the context of its own business and its compliance and supervisory programs.”

For 18 months, the industry debated how to specifically interpret the direction that FINRA provided and requested further clarification. In response, FINRA organized another Task Force and last week released Regulatory Notice 11-39 Social Media Websites and the Use of Personal Devices for Business Communications.

Regulatory Notice 11-39 reiterates the guidance previously provided around record keeping, supervision, suitability and content requirements. It also makes some further clarifications, including: a principal of the firm must review a social media site in the form in which it will be “launched”; the content, not the device, determines record-keeping requirements; the firm is subject to “adoption” and “entanglement” issues regarding third-party posts; and business communications through a personal device must be retained, retrievable and supervised. Like 10-06, Regulatory Notice 11-39 emphasizes that firms must create written social media policies and must provide training to their associated persons.

Again, although helpful, this further guidance will most certainly create even more debate about how to specifically interpret the rules to implement social media within the securities industry. Are there any other precedents to follow?

As we discussed in Beer and SEC Don’t Mix, there has been one social media-specific sanction to date. In January 2011, FINRA fined a broker $10,000 and suspended her for one year for sending a series of “misrepresentative and unbalanced” messages on Twitter, among other issues.

When you combine FINRA’s guidance, educational programs, and single sanction, firms now have more than enough direction to develop and implement compliant social media strategies. Work with your compliance department, check in with Human Resources, and collaborate with IT and your service providers to work through the technology issues. And when in doubt on the best way to proceed, remember to follow the spirit of FINRA’s mission: to protect investors by maintaining fairness in the US capital markets.


Twitter Malware: It’s Coming After You

I may need to wear a shirt like this in the office.

Most readers of this blog are savvy social media users. I would include myself in that category. Well, I would have until last Sunday.

Yes, I will come out and admit it for once. I got suckered into clicking on a Twitter malware link that was forwarded to me by one of my ‘trusted’ venture friends. Now that I got that off my chest (and demonstrated that I could be just as naive as thousands of users out in the Internet), I think I can talk about this incident somewhat objectively.

It turns out that this particular malware spreads by getting a Twitter user to click on the shortened t.co URL that’s sent via private message. When an unsuspecting recipient clicks on the link, it automatically sends the same tweet to all of the recipient’s followers as a private message. Very sneaky.
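As an added example (not from the original post) of how the propagation pattern just described looks from the defender’s side: a small detector over direct-message logs that flags an account sending the same shortened link to many distinct recipients in a short burst, which is what a self-forwarding link produces and what ordinary conversation almost never does. The log format, the sample lines, the account names and the list of shortener hosts are all constructed for the example.

```python
"""Detect worm-like DM propagation: one sender, one shortened link,
many distinct recipients inside a short time window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed list of link shorteners; in practice this would be a config item.
SHORTENER_HOSTS = {"t.co", "bit.ly", "tinyurl.com"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)/\S*")

# Constructed sample DM log: timestamp  sender  recipient  message
SAMPLE_LOG = """\
2011-08-14T09:00:01 alice  bob    lol is this you? http://t.co/abc123
2011-08-14T09:00:02 alice  carol  lol is this you? http://t.co/abc123
2011-08-14T09:00:02 alice  dave   lol is this you? http://t.co/abc123
2011-08-14T09:00:03 alice  erin   lol is this you? http://t.co/abc123
2011-08-14T09:05:00 bob    alice  hey, that link was weird
2011-08-14T10:00:00 frank  bob    see you at 3 http://example.com/agenda
2011-08-14T10:00:00 frank  carol  see you at 3 http://example.com/agenda
"""


def parse_log(text):
    """Turn the constructed log format into event dicts with the first URL, if any."""
    events = []
    for line in text.splitlines():
        ts, sender, recipient, message = line.split(maxsplit=3)
        m = URL_RE.search(message)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "sender": sender,
            "recipient": recipient,
            "url": m.group(0) if m else None,
            "host": m.group(1).lower() if m else None,
        })
    return events


def find_worm_bursts(events, min_recipients=3, window=timedelta(minutes=2),
                     only_shorteners=True):
    """Return (sender, url, recipients) for every sender/link pair that reached
    at least `min_recipients` distinct accounts within any `window`-long span."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["url"] is None:
            continue
        if only_shorteners and ev["host"] not in SHORTENER_HOSTS:
            continue
        by_key[(ev["sender"], ev["url"])].append(ev)

    alerts = []
    for (sender, url), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        best = set()
        start = 0
        # Sliding window over the time-ordered sends for this sender/link pair.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            recips = {e["recipient"] for e in evs[start:end + 1]}
            if len(recips) > len(best):
                best = recips
        if len(best) >= min_recipients:
            alerts.append((sender, url, sorted(best)))
    return alerts


if __name__ == "__main__":
    for sender, url, recips in find_worm_bursts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {sender} sent {url} to {len(recips)} accounts: {recips}")
```

Two knobs matter in practice: the threshold should be set from the baseline of how many distinct people a normal user DMs the same link to, and restricting to shortener hosts reduces noise at the cost of missing a worm that uses a full-length link, so the `only_shorteners` flag is there to be turned off when the alert volume allows it.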

It was quite an embarrassing moment when I realized what just happened (I even had to update the new Twitter app to follow the link on my iPhone). Thanks to a couple of my co-workers and good Twitter citizen @DevonAlderton, I came to my senses only after a few hours had passed. Once a few seconds of disillusionment of my malware ‘detect-o-meter’ had passed, I regained my composure to delete all of my private tweets to all my followers (thank goodness I don’t have Kim Kardashian’s follower base) and took remedial action to shore up my defenses.


The “Facebook Law” – First Law Prohibiting Teachers from Sending Private Messages on Social Networking Sites

In an effort to protect children from sexual misconduct by teachers, the Missouri Governor Jay Nixon recently signed the first law in the country designed to prohibit private communications between teachers and their students.

Specifically, the “Amy Hestir Student Protection Act” states: “Teachers cannot establish, maintain, or use a work-related website unless it is available to school administrators and the child’s legal custodian, physical custodian, or legal guardian. Teachers also cannot have a nonwork-related website that allows exclusive access with a current or former student (they have to wait until they hit 18).” The bill also requires that school districts adopt written policies for teacher-student communications, including social media.

The bill, nicknamed the “Facebook Law”, has prompted discussions about the risks versus the rewards of using social media within an academic environment. Although they applaud efforts by legislators to protect children from sexual predators, many teachers, administrators, Facebook executives and even the ACLU struggle with the possibility that this law, and others that may follow, may diminish innovation in education, limit trust between student and teacher, impede personal privacy and prohibit free speech.

Regulated industries also struggle with elasticity between private and public personas and the risk and rewards of social media. For example, Financial Services firms need to comply with rules and regulations that govern the electronic communications between financial advisors and their clients. In an effort to take the least risky approach, most firms first 1) prohibit social media, then 2) recognize its value, and 3) search for ways that it can be used appropriately. Typically, this involves deploying technology that turns off certain features, monitors conversations and archives communications for later review.

Until similar technology solutions are available to school districts, there are some lessons from regulated industries to apply to the educational system:

  • Craft written policies about appropriate electronic communications between teacher and student.
  • Specifically define and prohibit “exclusive access” if mandated by law in your state.
  • Educate teachers, students and parents on the policies. If social media is allowed, encourage all to participate.
  • Check adherence to policies on an ongoing basis.

Specifically for educators, Facebook offers some options on maintaining a professional presence separate from your personal profile. You can create a friend list of just students, create a Page to broadcast information, and create a Group for collaboration.

Do you have any other suggestions?


Social Media and Cloud Security, are they on the new Federal CIO’s radar?

Last week, it was announced that Steven VanRoekel would be replacing Vivek Kundra as the CIO at the Office of Management and Budget (OMB).  It’s a high-profile position that essentially puts VanRoekel in charge of the federal government’s IT budget – currently about $80 billion a year.  A tidy sum of money.

So, as VanRoekel assumes his new role, all eyes will be focused on how he handles the projects he’s inheriting from Kundra as well as new initiatives.  Of the former, issues such as data center consolidation and the “cloud” are top-of-mind.  Recently, much of the buzz, both in the government and in the private sector, has revolved around Web 2.0 and social media.  However, they’re just two components of an overall security strategy.

VanRoekel must also take into consideration other types of applications that factor into a comprehensive cybersecurity strategy.  These days, hackers are pretty sophisticated and are quite adept at exploiting encrypted traffic to pass along viruses or other types of malware.  For instance, unified communications (UC) platforms, such as Jabber, Microsoft OCS and Lync, and IBM Sametime, all enable federation, which is the ability to communicate with others who are not members of your UC community.  The danger here is federating with outside networks that may present unknown risks: viruses, hackers, adversaries mining for confidential information, and so on.

The same analogy holds for the “cloud” initiative.  Cloud computing is all the rage, but there’s no shortage of companies and government agencies that are incredibly leery of turning over key computing processes and applications to the cloud.  Security is almost always the first issue mentioned when talking to skeptics of the cloud.  Multi-tenancy (i.e., sharing physical appliances that have been logically partitioned), data storage off-premises, and the relatively short history of this computing paradigm send shivers down the spines of the most experienced IT practitioners.

With the Internet being a global resource, the potential scope of security breaches is immense.  Sophisticated hackers might reside in the US, China, Russia, Iraq, North Korea; you just never know.  It is against this backdrop that VanRoekel will have to draw upon his experience in the private and public sectors to devise a strategy addressing all of these security concerns.  A daunting challenge for sure, but absolutely attainable, given today’s technology.

Wouldn’t you agree?
