- February 4, 2021
- Bill Tolson
Social media platforms have proliferated as a direct method for companies to connect with their customers. However, in the last several years, businesses have been forced to collect and make available social media content for both eDiscovery and regulatory compliance.
The financial services industry has increasingly made use of social media platforms. However, FINRA, the SEC and the CFTC have all created rules for communicating with clients, now including social media. In fact, FINRA issued Regulatory Notice 10-06 in January of 2010, stating that “Every firm that intends to communicate, or permits its associated persons to communicate, through social media sites must first ensure that it can retain records of those communications.” They followed up with further clarification by issuing Notice 11-39, Social Media Websites and the Use of Personal Devices for Business Communications.
SEC Rule 17a-4(b) requires broker-dealers to preserve targeted records for a period of not less than three years, the first two in an easily accessible place. Among these records are “originals of all communications received and copies of all communications sent (and any approvals thereof) by the member, broker or dealer (including inter-office memoranda and communications) relating to its business as such.” Also, FINRA, the SEC and CFTC have all stated that “electronic communications” are not limited to email but now include social media content as well.
The reasoning behind these communication retention requirements is that the regulatory agencies can then conduct effective examinations of broker-dealers' business practices. These records retention requirements are also discoverable under specific rules as part of the arbitration procedure when broker-dealer clients believe they have been wronged.
Over the years, new social media platforms have appeared at an accelerating rate. Social media and related platforms now encompass instant messaging, blogs, team collaboration tools, VoIP applications like Skype, enterprise social platforms such as Jive and Yammer, and applications most identified as public social platforms: LinkedIn, Facebook, Twitter, Instagram, and YouTube.
Public social platforms are especially difficult for financial services companies to monitor and control. Employees can access and utilize these platforms as individuals outside of the enterprise. Because of that, companies don’t have a process to proactively manage the content their employees post and share. Instead, they and the regulatory agencies can monitor specific employee social media activity after the fact and, if company, industry, or regulatory rules are broken, bring disciplinary action such as fines, loss of job, and forfeiture of professional licenses.
Newer technologies can automate the monitoring and capture of employee social media activity and alert the company to prohibited actions such as releasing confidential information, trafficking in insider information, or promising clients specific return rates. Financial services employees and companies can be fined or even shut down if prohibited employee actions on social media are deliberately ignored. It's best to steer clear of any business-related social media activity without direct corporate approval.
Section 17(a)(1) of the Securities Exchange Act of 1934 or “SEA” requires registered broker-dealers to make, keep, furnish, and disseminate records and reports prescribed by the SEC. The SEC books and records rules applicable to broker-dealers include SEC Rules 17a-3 and 17a-4 which specify minimum requirements with respect to the records that broker-dealers create, how long those records and other documents relating to a broker-dealer’s business must be kept, and in what format they may be kept, for example in an immutable format. The SEC requires that broker-dealers create and maintain certain records so that, among other things, the SEC, self-regulatory organizations, and state securities regulators may conduct effective examinations of broker-dealer activities.
FINRA also has explicit recordkeeping rules and is responsible for enforcing compliance by its members and their associated persons with the SEC books and records rules.
There are several applications available that enable companies to capture social media activity. Some of these applications capture social media content and save it as an email message that can be archived. Others capture and save the social media content in its original formats and archive it separately.
Because broker-dealers are required to capture and retain this content in immutable (WORM) storage, financial services companies must be sure they also meet this requirement. There are several possibilities when looking for immutable storage capability. The original solution, dating back to the late 1990s, was to purchase specialty, on-premises WORM storage to store broker-dealer email via the Exchange Journal into an email archive. These WORM storage systems and archiving software were especially expensive and troublesome to maintain.
Over the last several years, specialty cloud platforms have taken market share away from on-premises WORM storage platforms due to their ease of use and features/benefits. However, these cloud platforms were, and are, still ridiculously priced and make it exceedingly difficult to leave due to data extraction costs, sometimes rising to absurd levels such as $50 per GB to move your data out. These practices enable specialty cloud platforms to hold your data ransom.
Archive360 and Microsoft recently announced a new cloud storage and information management solution, Archive2Azure, to ensure financial services regulatory compliance on the Microsoft Azure Platform. This is the first native Azure solution that meets SEC Rules 17a-3 and 17a-4 guidelines, including ensuring WORM-compliant storage.
To prove compliance, Archive360 has provided a legal opinion from a respected Washington DC law firm, Wiley Rein, LLP, which can be reviewed and downloaded and which explains point by point how Archive2Azure meets SEC Rules 17a-3 and 17a-4, including immutability (WORM) requirements.
Your regulated data is stored in a highly secure and industry standard Microsoft Azure platform, not a specialty cloud platform, and is managed by Archive2Azure. Archive360 always captures and manages information and metadata in its native format so data conversions are never necessary. And we will never charge you to move data out of the Archive2Azure solution – ever, so your data is never held hostage.
Besides the ability to capture email journals for regulatory compliance requirements, Archive2Azure will also store and manage all types of other unstructured data, including social media content, in the Azure cloud.
With this new cloud offering, Archive2Azure plus Microsoft Azure offers financial services organizations the best of all worlds when it comes to low-cost and compliant cloud archiving of all of your regulated communications.
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.