Archive for December, 2011

Log into my bank through Facebook?!?!?

Such is the proposition of Movenbank, a startup which launched at Sibos with a tagline of “No Paper, No Plastic, No Hidden Fees.”  It aims to be the first cardless and branchless bank in the world.  Everything will be centered on mobile and social media.  The tagline is catchy enough, but what’s really raising eyebrows is Movenbank’s requirement for individuals to register and log in with their Facebook accounts.  Now, I happened to speak at Sibos this year (Innotribe session on compliance), and the general consensus among my peers was that the problem with social media really wasn’t compliance, but rather, the enablement of it.

Here, with Movenbank, you get a perfect example of how the enablement of social media opens up new opportunities that perhaps might not have been possible five years ago.  Privacy and security issues aside, if Movenbank succeeds with its grand plan, we’ll have witnessed a game-changing blend of old-school (banks) and new school (mobile and social).  The fact that it involves real money makes it that much more compelling.

It’s possible with today’s technology to enable social media safely.  Since we’re on the topic of banking, already we’ve begun to see firms deploy technology to enable their advisors and representatives to use social for marketing to customers and prospects.  As the financial services industry is one of the most regulated when it comes to social media, technology plays a crucial role in assisting firms to remain compliant with current supervision and recordkeeping rules.

Back to Movenbank.  Privacy advocates are quick to pounce on the seeming contradiction in using Facebook to log into a bank account that could potentially have someone’s entire life savings.  But, as we’ve seen with Raymond James, with the right tools in place, what may have seemed impossible five years ago is now doable.

So, let’s not be too hasty in writing off Movenbank.  With the right controls and technology in place, they may yet see their dream come to fruition.


Everyone thinks they’re Warren Buffett

Just to show that regulatory compliance in the financial services sector isn’t just limited to the West, an interesting story came out of Hong Kong this week.  Poor ol’ Lo Kam Chung was fined and ordered to complete community service for giving unlicensed securities advice.  Chung had set up a private discussion group in Facebook and charged subscribers $200-$300 a month to read about his securities advice.  Problem is that he was never licensed with the Securities and Futures Commission (SFC) to do so.  If there’s a bright side to this story, it’s that none of the subscribers followed his advice, so none of them lost any money.

This anecdote raises several issues.  First, the ease with which Chung was able to set up a platform on which to dispense advice was unequivocal.  That’s what happens with social media.  Joining social networks is generally free, easy to sign up, and addictive.  The successful social networks are those that are intuitive, easy to use, and feature-rich.  Facebook is the poster child of such a network, and Chung used it to his advantage.

Secondly, the fact that the SFC stepped in and levied a relatively harsh penalty ($20,000 fine and 80 hours of community service to be completed within a year) speaks volumes about how seriously the SFC considered the Chung matter.  Social is a global phenomenon, and I’m sure that the SFC was keen to set an example, much like what FINRA did in the Jenny Ta case this past January.  A regulatory body without any enforcement powers is essentially a paper tiger.

Thirdly, the SFC made it very clear that the doling out of securities advice must be licensed, IRRESPECTIVE OF THE MEDIUM.  That’s a not-so-subtle callout that social media communications will be policed just like any other form of communication.  So, no matter if it’s the US, Canada, the UK, or Hong Kong, the regulatory bodies all share the same view that the content itself is determinative, not the communication channel.

So, don’t be a charlatan, doing your best “armchair Warren Buffett” impression, especially for money.  Leave that to the “experts” and let them take the heat when things go south.  Do the names Nick Leeson and Jerome Kerviel ring a bell?


“A Nightmare on Belbey Street”

I suddenly woke up in the middle of the night, convinced that my checking accounts had been hacked.  Retirement accounts gone.  Identity stolen.  Turned on the light, stumbled around my hotel room to find my ATM card, turned it over, and called my bank’s Customer Service number.  “Oh no, Ms. Belbey, everything is fine, you just had a nightmare.”

Why was I dreaming of data security breaches?

Actiance recently sponsored (I presented and staffed) an exhibit at the 2011 FS-ISAC Fall Summit, conducted by Financial Services – Information Sharing and Analysis Center.  Over the course of three days, I was able to attend a number of sessions that did a deep dive on the risks that firms face protecting their data.  The crowd was mostly male and many leveraged their long-time experience in the military to defend their organizations against cyber attacks.  In fact, there were so few women at this event that Ernst and Young sponsored a special Women’s Reception — for all 12 of us!

So what do you need to know?  First of all, none of this is new.  For years, cybercriminals have attempted to gain access to systems or data by personally tricking someone into giving up, say, a password.  It’s called social engineering.

There are many techniques.  Phone calls, office visits, and “phishing,” where thousands of emails are blasted away in the hope that a few unlucky souls will give up their personal data, have all worked.

In response, data security departments have used technology to thwart these attacks and have done a good job of teaching us not to give out our passcodes or to open suspicious emails or attachments.  But, as a result, the cybercriminals have gotten even craftier.  They’ve improved their grammar, the look-and-feel of their emails, and even developed landing pages that look very authentic.  But still, education and technology prevented many attacks.

In response, the cybercriminals developed new techniques such as “spear-phishing” to lend authenticity to requests for personal data.  Not typically initiated by “random hackers,” these sophisticated, highly targeted attacks are perpetrated by criminals who seek financial gain, trade secrets, and military information.  These well-researched requests appear to come from trusted sources, such as a colleague, service provider, or even a law firm, and include enough real information to look authentic.  And, they often are directed at middle management or anyone gullible enough to let them into the enterprise.

And where can these thieves obtain personal data that they can use to trick us into giving up more data?  You guessed it – social media.  We post all types of information about ourselves online:  our firm name, our titles and connections on LinkedIn, our high school and year of graduation, birthday, special projects and photos of our co-workers on Facebook, and our comings and goings on Twitter, Foursquare, and Sonar.  The list goes on.

Our transparency makes us targets.  We also tend to view requests for information on social media as coming from a trusted source, our tribe.  So we oblige.  And let in the bad guys.

When I told a new friend that I met at FS-ISAC, who heads up security at a major telecommunications firm, about my night terrors, he smiled and said, “Well, hanging around with a bunch of cyber security guys for three days is bound to make you paranoid.  But, that’s our job.  To protect you, so we all don’t have nightmares.”

As you deploy social media, are you engaging your IT Cyber Security teams in the conversations?  What are you doing to protect your enterprise?


State Troopers Are Marching In

As a potential harbinger of things to come, the state of Massachusetts’ upcoming new guidelines and best practices on social media usage (they take effect in 2012) by investment advisors could usher in a fresh wave of social media-specific guidelines from state regulators.  This comes on the heels of FINRA’s announcement that, effective July 28, 2011, FINRA will oversee those firms with more than $100 million in assets under management (old figure was $25 million) with firms below that threshold overseen by the individual state regulators.  Translation:  state regulators will now have more oversight of smaller advisory firms.

Given that the financial services industry has been at the forefront of regulating social media activities relative to other industries (e.g., FINRA 10-06 and 11-39), it’s no surprise to see similar guidelines being planned at the state level.  Already, the states of Oregon, North Carolina, and Florida have issued social media-specific guidelines for the state and local government agencies that fall within their purview, but Massachusetts is the first to issue guidelines targeted at financial advisory firms within its borders.

Massachusetts’ initiative is noteworthy for several reasons.  First, it acknowledges that social media is booming and is actively being used in firms.  According to this article, 44% of investment advisors in Massachusetts use social media to communicate with clients, yet only 30% of firms have recordkeeping policies in place for social media content.  Secondly, because the threshold between state and FINRA regulators’ oversight areas was raised, many states will likely adopt their own social media guidelines for advisory firms and will look to Massachusetts’ language for guidance.

Whether it’s FINRA’s or an individual state regulator’s domain, the requirements will be similar.  Having written policies on supervision and recordkeeping will be consistent between the two.  Regulators, whether federal or state, are keen to ensure that firms have the requisite policies and procedures in place to properly monitor and document their advisors’ social media activities.  Additionally, regulators will also look to see that the technology solutions firms have deployed are themselves up to snuff.

There are plenty of technology vendors purporting to do social media archiving, but that list gets whittled down dramatically when you also consider real-time monitoring, pre-review capabilities, and coverage for all forms of electronic communications, not just social media.  Social media may receive all the glamour and headlines, but firms need to pay attention to other forms of electronic communications that are popular among advisors, namely, instant messaging and peer-to-peer applications like Skype.

So, at the end of the day, state regulators will have to draft their guidelines with not just social media in mind, but also, the array of other Web 2.0 communication channels in wide use today.  If Massachusetts doesn’t carefully articulate its guidelines, it could create more problems and confusion than doing nothing at all – a veritable 2012 version of the Boston Tea Party looms.

What say you?


Why are people so addicted to Facebook?

Before analyzing that question, let’s ponder the daily routine of a Facebook addict.  This weekend, I happened to meet such an addict who works in a financial institution.  He described his daily routine to me.  I found that Facebook has become an integral part of his life.  Verbatim from his own lips:

“I wake up at around 8am. At first, I switch on my laptop next to my pillow, fire it up, and check my Facebook account, expecting to be greeted with some new notifications (although I know the chances of new notifications are low given that I just checked my account six hours before).

I reach my office at around 11am (flex hours!). Then, I check my work email and soon thereafter, I’m logging on to my Facebook account to see what my friends have been sharing.  I leave the Facebook page open in a tab to see if any new messages or notifications come in during the day.  I never forget to scroll through the page, and the same phenomenon is repeated several times a day until I leave the office.

I’m normally back home around 9pm.  And, you won’t believe that the very first thing I do is to turn on my laptop and check my Facebook account, even before removing my shoes.”

The addict discloses that this has been his life for the past year.  And, I assume that the same story is repeated millions of times over for Facebook users across the globe.

After my chat with the addict, I decided to seek an answer to the very question of “Why are people so addicted to Facebook?”

I started with a “whopping” sample size of seven persons:  myself (an addict in the making) and six volunteers (better to call them FB addicts).  Below is a summary of our responses, which may shed some light on our question.

1)      They’re happy to have a platform that never lets them feel alone (though they feel the bitter loneliness in spite of the hundreds of friends they have on Facebook).  They like to be connected to the world, i.e., to the people they know, people they randomly met somewhere who then became friends (or maybe “Facebook friends”), and admirers (hello, ladies).  Also, at the same time, they have a chance to connect to people they might know or would be happy to know, at least in a Facebook sense.

2)      The three icons in the upper left-hand corner of a Facebook page (Friend requests, Messages, and Notifications) are a magnet for attention.  Most of the respondents admitted that the middle one (Messages) was the biggest source of their obsession, followed by friend requests, and then notifications.

3)      An addict expresses his addiction philosophically:  “I like to put whatever I have in my mind in FB and perceive a divine satisfaction to see people liking and commenting on my post, regardless if the post involved misfortune or nonsense.”  He further exclaims, in regard to Likes and Comments, “I can feel the emotions of people and their care for my post.”  This user seems very glad that Facebook also allows users to choose their own target audience.  He further adds that whenever he feels bored, he scrolls the Facebook timeline and enjoys reading the posts and comments by him and his loved ones.

4)      Another user seems fascinated by the Facebook Chat feature.  She claims that you can always find someone to chat with, so you should never feel bored or alone.

5)      One addict admits that he is a big fan of Facebook, loves to dabble with each of the Facebook features, and looks forward with anticipation to any new upcoming features.  He simply says, “Their innovations keep me hooked.”

6)      Facebook has become an information hub, weaving in real-time entertainment at the same time.  Besides, user anecdotes are available in the form of “Notes” as well as birthday reminders and marriage invitations via “Events.”  An all-in-one-place tool that also offers millions of applications for its users – a boredom-killing, social connector.

Hearing all their experiences (and mine too), I hope we’ve got a compelling answer to our question.

OMG!  I’m late logging in to my Facebook account!


Cyber security strategy in the spotlight at DHS

Recently, the Department of Homeland Security (DHS) released its blueprint on cybersecurity.  The document essentially provides a framework for managing the myriad cyber threats that are lurking out there, while still fostering an environment of innovation, prosperity, and economic growth.  It’s an ambitious plan, but it’s certainly necessary.

The range of security threats runs the gamut these days.  You’ve got so many different options for hackers to ply their trade that it can be quite a challenge to police all physical and virtual borders.  The explosion in social media and collaboration tools has opened up a bevy of new channels for hackers to distribute viruses and other types of malware.  Thus, the sophistication of criminals nowadays makes cybersecurity one of the most important issues for DHS in the 21st century.

The DHS framework has two key pillars:  (1) the infrastructure protecting critical information, and (2) strengthening the cyber ecosystem in general.  To achieve these twin objectives, DHS must execute on several fronts:  hardening critical networks, prosecuting cybercriminals, raising public awareness, and hiring/training cybersecurity-savvy workers.  As you can see, it’s a multi-faceted strategy that requires cooperation and input from several sources and individuals (including we the people).

Thankfully, the pace of technological innovation in the security space is just as brisk.  Anti-malware and URL filtering technologies continue to push the envelope in terms of detection capabilities.  Monitoring software now offers granular controls over social media sites.  And archiving capabilities now include a slew of communications modalities, including email, instant messaging, social media, collaboration platforms, etc., making it easier to build a case should prosecution become an option.

Security dangers may lurk everywhere, but with the right systems, policies, and training in place, the DHS blueprint may well become a reality sooner rather than later.


Chief Data Protection Officer (CDPO): The new C-level exec?

The European Union (EU) may possibly be on the verge of creating a new C-level job title, according to a draft proposal from the European Commission.  Reflecting the growing concern over security and data protection, the EU has proposed making it mandatory to have a data protection officer for the public sector, for large enterprises, and for organizations where the “core activities of the controller or processor consist of processing operations which require regular and systematic monitoring.”

This has definitely caught the attention of those in the financial services sector because the proposal also includes provisions for fining businesses up to five percent of their revenue for data breaches.  That’s not a percentage to sneeze at when multiplied against billions of euros/pounds/Swiss francs.  The potential for security breaches increases exponentially as more people turn to online resources to conduct business.  Increasingly, financial services firms are utilizing social media and instant messaging to communicate with clients and prospective clients.

However, the downside is that all these new communications channels and transaction platforms are inviting targets for hackers.  The Skypes and Twitters of the world all represent new channels for malware to enter the corporate network.  Just a couple of weeks ago, this author himself was a victim of identity theft.  So, the threat is real and billions of dollars are at stake.  Just look what happened to Citigroup earlier this year.

Already, we’ve begun to see titles like “VP of Digital Marketing” and “Social Media Manager” pop up.  So, it logically follows that we will see a “Chief Data Protection Officer” title emerge too.  Hackers are becoming ever more sophisticated and the tools at their disposal are the most powerful they’ve ever been.  The EU is therefore clearly keen to keep pace with the constant innovation flowing from the technology world.  That innovation is responsible for much of the threat, but equally, advances in security and compliance technologies are also a key part of the solution and will be a critical part of the CDPO’s armoury.

The game of cat and mouse will no doubt continue, but at least, there’ll be a CDPO focused on minimizing, if not totally eradicating, the consequences of security and data breaches.  Certainly, a framework around how security breaches will be handled and communicated to the public is a good starting point.

So maybe Brussels is finally doing the right thing!


Looking back at the FINRA Advertising Regulation Conference

This fall, I attended the FINRA AdReg Conference in Washington, DC, and I’m feeling inspired enough to share some of my observations, following the news that IIROC has now issued its latest guidelines on social media.  Not surprisingly, at the FINRA event, social media took center stage as questions were flying around the watchdog’s latest guidelines on social:  Regulatory Notice 11-39.  FINRA shed some light on what’s considered “static” (very first update or tweet), what’s considered “interactive” (subsequent updates or tweets), what firms need to be wary of when linking to third-party sites (adoption and entanglement), and what to do about personal devices (record all business-related communications).  Although it’s great FINRA clarified those items, of course, there remain some gray areas.

The industry as a whole is still treading cautiously in the social media waters.  The majority of folks that stopped by our booth still didn’t allow their reps to use social media for business purposes.  Others allowed only limited access to the Big 3 (Facebook, LinkedIn, and Twitter).  In fact, not one single firm permitted completely unfettered access.  It’s obvious to me that the industry still needs some educating on the potential of social media and the potential of technology to effect change, thus creating a foundation on which to build additional revenues for the firm.

Compared to last year’s event, the industry is taking baby steps toward realizing the full potential of social and its power as a marketing tool.  My gut feeling is that everyone at the event sensed the inevitable.  They just wondered what the best way to go about it was.  Similarly, they all agreed that social is an effective medium to reach lots of eyeballs, but because the event was heavily dominated by compliance and legal folks, conservatism ruled the day.

That sentiment was unequivocally reflected in the comments by Mitch Bompey of Morgan Stanley Smith Barney (MSSB).  MSSB takes the approach of pre-reviewing ALL tweets, not just the initial one sent by the rep after s/he sets up her/his profile.  FINRA’s position is that not every single tweet is considered “static,” just the very first one when the rep sets up her/his profile.  FINRA leaves it up to the individual firm and its risk-based principles to decide how they want to treat subsequent tweets and updates.

I also heard several conversations regarding negative commentary.  Best practice suggests that it’s up to the firms themselves how they want to handle it, so long as they retain records of the negative commentary and potential customer complaints.  To many FINRA folks, leaving only positive comments up is a form of “recommendation,” i.e., choosing to leave only positive comments up on a firm’s site is an implicit recommendation.

Finally, the explosion in smartphone usage was cited several times.  Per 11-39, business communications done through smartphones, tablets, and other similar devices need to be retained, even if they are personal devices.  The blending of personal and professional communications is no more evident than in the use of these devices, and this remains one of those gray areas I alluded to earlier.

As usual, much was learned at the show as well as other events I’ve been at this fall, and I’m looking forward to seeing how firms, reps, and technology vendors react to this latest set of guidelines.


Belbey Blogs: Random Thoughts from the Road

Happily sitting at my desk, back in New York, after speaking and exhibiting at a number of events this Fall for Actiance on the East Coast. I guess I’m just a road warrior-in-training. Thought I’d share my observations….

One event of note was the 2-day FINRA Advertising Regulation Conference. For 6 years, I managed creation and delivery of FINRA educational programs, so I appreciated the “behind the scenes” effort to produce an event with such high-quality content, service, and yes, fantastic food. I spent my time catching up with former colleagues, staffing the Actiance booth, talking with compliance professionals, chatting with other exhibitors, and attending a few sessions. And eating!

Social Media was a strong theme. In fact, the second day of the conference started with a General Session: Compliance Considerations for Social Media.  My colleague Norv Leong summarized the session nicely, see “Looking back at the FINRA Advertising Regulation Conference” for details.

During this session, I was struck, again and again, by how FINRA was providing general guidance and leaving it up to the individual firms to take a risk-based approach to managing social media. At one point, Joseph E. Price, Senior Vice President, Advertising Regulation/Corporate Financing of FINRA, shared that a vendor called him and said “tell Mitchell Bompey of Morgan Stanley Smith Barney that he is taking a too conservative approach by pre-approving all content in advance”. Price smiled and replied: “Mitchell is doing everything he needs to, based on the risk tolerance of his firm.”

There was a lively conversation about how to apply the SEC concept of “prominence and proximity” to tweets. In other words, can product disclosures be one click away?  So far, as there are no new rules and regulations governing social media, firms are looking at earlier guidance regarding banner ads for clues on how to proceed.

Q:  Our firm would like to advertise on the Internet using a so-called “banner advertisement” to link to our homepage.  Can we simply include our name in the banner advertisement without further disclosure?

A:  Yes.  Typically, a banner advertisement consists of a single word or phrase, often graphically depicted as a button, which directly links the Internet user to a specific homepage.  An Internet banner advertisement functions much like an envelope in a paper communication.  In the case of a banner advertisement that does no more than disclose a member firm name and enable the user to link to the member firm’s homepage, there is no need to include additional disclosure in the communication.  However, if the advertisement offers specific products or services, additional disclosure may be required to comply with applicable standards.

Firms are interpreting this to mean, “The tweet is the envelope.”  And the riskier the product, the closer the disclosure.

We also heard that it is essential to gain the trust of the organization by building comprehensive social media policies, training staff, closely supervising activities, gaining experience through pilots, and then adapting the policies and retraining based on experience. But once programs are up and running and policies are in place, we heard that trust is essential. With appropriate supervision, of course.

And finally, a few firms, new to social media, expressed concern about the possibilities of negative comments posted on a corporate blog.  Shayna Beck, Associate Counsel at The Vanguard, replied that they keep both positive and negative comments up and that “taking off bad comments is not how you play in this space.”

And at the end of the session, Beck ultimately concluded, “We do the best we can.”

So that brings me to the end of my random thoughts this week – and I’ll leave you with this.  What’s your attitude to risk?  What are you pre approving?  What’s ok for post-review?


Does the Donald use social?

So, I’m sitting on a plane now, headed home, after spending basically the last three weeks on the road.  I was in Toronto for an event called “Marketing Wealth Management Services to High Net-Worth Individuals.”  Ahhh, sexy but true.

Most of the attendees at the event were advisory firms that had a practice or department dedicated to serving and marketing to the Donald Trumps of the world.  One attendee came up to me after my presentation and said that his firm has been struggling to make social work.  That firm (which shall remain unnamed) understood the power of social and the long-term benefits of having a social strategy.  Competition’s also driving this attendee to look at alternative ways of marketing to the affluent set.  There are hordes of advisory firms out there (both in the States and Canada) and differentiation is becoming that much more difficult.  Enter social.

Having a standout social media strategy and presence will be the key differentiator.  That much was clear from my two days in Toronto.  Undoubtedly, trusts and estates lawyers, advisory firms, and even heirs are salivating at the golden (or should I say “platinum”) opportunity sitting in front of them.  Social could very well be the means for advisory firms to reach out to this segment of the population.  You may not get Warren Buffett on the line for a sales call, but you may get someone further down the chain who has peripheral access to his inner circle.

Yet another attendee approached me and asked, “what capabilities do technology vendors have these days with respect to social media, and can we still remain compliant with IIROC guidelines?”  As I’ve done many similar events in the US, I wasn’t surprised to hear this question.  Education is a big part of making social successful.  Social media is a relatively new technology in the grand scheme of things, and it’s a dynamic one to boot.  This combination makes education super important for this new marketing paradigm, which advisory firms are still trying to figure out.

Fortunately, there are plenty of technology vendors that do get social and are doing their best to evangelize what a wonderful medium it represents.  We like to think of it as one big virtuous circle.  We educate the advisory firms, who educate their reps, who utilize technology to make money while remaining compliant.  It’s a win-win-win situation and everyone goes home happy.

Me included.
