Insurance and Social Media: Understanding the Rules
The tide of social media has reached the shores of the insurance industry.
Following in the footsteps of their broker-dealer brethren, insurance
companies are beginning to utilize social to build brand awareness, enhance
customer service, recruit new agents, enhance existing relationships, and
identify and nurture prospective clients. However, as a regulated industry,
insurance firms are taking a cautious approach when permitting agents to
use social media. A lesson learned from regulators of the securities industry,
such as the Securities and Exchange Commission and the Financial Industry
Regulatory Authority (FINRA), is that regulators consider social media just
another form of electronic communications that should be treated as such.
This article takes a look at four sources of regulations to understand
the direction the insurance industry is heading with respect to social
media guidelines:
• A draft of a white paper issued by the National Association of
Insurance Commissioners (NAIC)
• Social media guidance issued by FINRA, which applies to broker-dealers
and registered representatives who sell variable life and annuity products
• SEC’s National Examination Alert, Investment Advisor Use of Social Media,
which applies to Investment Advisors and Registered Investment Advisors
• Recent guidance from a state regulator (Massachusetts)
National Association of Insurance Commissioners
In addition to the SEC and FINRA (for those insurance firms who sell variable
life and annuity products), insurance firms are also regulated by each of the
individual state insurance regulators. However, the National Association of
Insurance Commissioners (NAIC) was created in 1871 to address the need to
coordinate regulation of multistate insurers. As a result, in 2011, the NAIC
formed a working group to draft a white paper on “The Use of Social Media in
Insurance”.¹ Although still in draft form (as of December 2011), this document
still reveals hints on how the NAIC will treat social media in the future.
Supervision, Monitoring, and Training
Social media communications must align with existing regulations
related to advertising, marketing, record retention, privacy, and consumer
complaints. Firms must relay their internal policies to their appointed
producers and employ a risk-based approach to train users.
Content
• Firms are responsible for content posted to its own sites, for posts by
appointed producers (if attributed back to the firm), and possibly for posts
of third parties.
• Like FINRA’s guidance, content is considered either static or interactive.
Static content, i.e., content that remains posted until it is changed by
the author, must comply with state marketing and advertising regulations.
Interactive content, i.e., real-time communications, requires a more
“nuanced,” or fact-based approach. Such content may not require filing
or approval prior to use. As a best practice, firms should develop workflows
that facilitate the pre-approval of static content and the supervision and
moderation of interactive content.
• According to existing “adoption” and “entanglement” theories, firms
may be responsible for third-party content, should an insurer/producer
be involved in the preparation of content or the implicit or explicit
endorsement of the third-party content. As a best practice, to avoid being
responsible for third-party content, firms often disable the use of “retweet”
or “favorite” within social media sites.
• Firms should adopt policies and controls to ensure content is accurate
and timely and any product recommendations should comply with existing
state laws and regulations. As a best practice, firms need to design
risk-based supervisory procedures to ensure compliance with content
standards that may include sampling and lexicon-based automated
searches, typically by working with a third party.
Recordkeeping Requirements
Firms must maintain books and records so that examiners may readily
determine compliance with rules and regulations. When an insurer is
responsible for content, it must comply with individual state record retention
requirements. As a best practice, as native social media sites do not provide
retention or retrieval capabilities, firms typically work with third-party
vendors to meet recordkeeping requirements.
Financial Industry Regulatory Authority (FINRA)
FINRA, regulator of broker-dealer firms in the securities industry, issued
specific guidance for social media in January 2010² and then again in
August of 2011.³ FINRA reiterated that there are no new rules. Instead,
firms are challenged to interpret how to apply these existing categories of
rules and regulations to social media:
Recordkeeping
Firms must capture, save, and make easily available all written business
correspondence, including social media communications, such as updates,
tweets, and direct messages, from both business and personal devices. The content
is determinative. Timeframes vary, but in some cases, these communications
need to be archived for at least five years. As a best practice, since social
media sites do not offer this capability natively, firms are challenged to find
another solution, typically by working with a third-party vendor(s).
Suitability
Broker-dealers must ensure that recommendations registered representatives
(RRs) make to their clients are suitable for each investor. That means that
the RRs must know their customers’ investment objectives and risk tolerance
at that moment in time. As a best practice, firms typically prohibit
recommending specific products, unless a registered principal of the
firm has approved the communication.
Communications with the Public
Firms need to adhere to content standards for all communications.
For example, they must disclose all the facts, cannot be misleading, and cannot
guarantee results. Testimonials are only allowed in certain circumstances
for RRs. As a best practice, firms typically monitor communications to make
sure content standards are being adhered to and also disable the ability to
make recommendations and, in some cases, to “like.”
Firms also need to make sure communications are reviewed, either before or
after they are made public, depending on how they are categorized and on
the content. Static content, such as an advertisement, brochure, or profile
on a social media site, needs to be pre-approved by a registered principal of
the firm before it is made public. However, interactive communications, such
as real-time interactions, may not require pre-approval, but a pre-determined
percentage of them must be supervised. Both static and interactive
communications must meet content standards and be supervised. Furthermore,
all communications must be captured and retained. As a best practice, as
communications rules are fairly complex and their interpretation is evolving,
firms typically confer with their compliance department to develop processes
for review and approval of content, either before it is posted or after, depending
on the content of the communications and the firm’s risk tolerance.⁴
Firms are not responsible for third-party content unless they have involved
themselves in the preparation of the content or explicitly or implicitly
endorsed or approved the content. As a best practice, firms should establish
and publish usage guidelines for customers and other third parties that are
permitted to post on firm-sponsored websites. Firms should also monitor and
block inappropriate third-party content and provide disclaimers regarding
its responsibility for third-party posts. As retweeting, “liking,” or marking as
“favorite” could be considered an endorsement of the post, firms typically
block these capabilities.
Supervision
As with any type of electronic communications (such as email or instant
messages), firms must demonstrate that they are supervising communications
to ensure adherence with content standards. Regulators do not specify
what percentage of communications must be reviewed. Instead, FINRA
allows firms to use a risk-based approach, i.e., firms create supervision
policies based on their own tolerance for risk, the type of content, plus
compliance history of staff. However, FINRA does specify those associated
persons who use social media must first receive training. As a best practice,
firms develop and follow risk-based written supervisory procedures to ensure
processes are in place to pre-approve static and product-related content.
For interactive content that does not necessarily require pre-approval, firms
determine how, when, and what percentage of content will be reviewed and
then develop training programs for everyone who will be using social media.
The Securities and Exchange Commission (SEC)
On January 4, 2012, the SEC issued the National Examination Risk Alert,
Investment Advisor Use of Social Media.⁵ SEC staff of the Office of Compliance
Inspections and Examinations stated that firms’ use of social media must
comply with federal securities laws, including anti-fraud provisions,
compliance provisions, and recordkeeping. Furthermore, the SEC noted
that many firms have overlapping procedures that apply to advertisements,
i.e., client communications which may or may not include social media.
They warned that this lack of specificity creates confusion. The SEC also
stated that firms should identify risks and then test whether their in-house
policies and procedures effectively address these risks.
Factors to Consider Before Implementing Social Media
The SEC identified thirteen factors that an investment advisor may want
to consider when evaluating the effectiveness of its compliance program.
Factors include clearly establishing usage guidelines and thinking through
how, and how often, social media sites will be monitored. For example,
the SEC warned that due to the viral nature of social media, post-review
(e.g., days later) may not be sufficient. The SEC also suggests that firms
design and implement workflows for pre-approving content and train and
certify investment advisors on the use of social media. Also important, firms
should determine in advance whether there are enough resources dedicated
to monitoring activity. Like other regulators, such as FINRA and the
Investment Industry Regulatory Organization of Canada (IIROC), the SEC points
out the importance of training and suggests examining the functionality
of each social media site to ensure client privacy. The SEC made special
mention about the risks of data security, as social media can render
firms more vulnerable to data leakage and malware. Best Practice: the
SEC suggests that each firm identify and thoughtfully think through the
compliance factors that may create risk for the firm and then test whether
existing policies and procedures address or mitigate those risks.
Third-Party Postings
The SEC further states that firms which allow third-party postings on their
social media sites should develop policies about these third-party posts,
particularly testimonials. Whether a third-party posting is a testimonial
depends on all the “facts and circumstances,” however, SEC staff interprets
the term to include clients’ experiences with, or endorsement of, an IA.
Therefore, the use of “social plug-ins” such as the “Like” button could be
interpreted as a testimonial under the Advisers Act, if it’s an explicit or
implicit statement of a client’s experience with an advisor. In cases where
social media sites do not allow the ability to disable “Like” or similar
features, RIAs should develop a system to monitor and remove certain third-
party postings. Best Practice: to avoid the interpretation of a testimonial,
firms typically disable “Like” and “Recommendations” when possible.
Recordkeeping
The final section of the alert concerns recordkeeping. The existing Advisers
Act defines recordkeeping requirements for IAs. In short, like FINRA and
IIROC in Canada, the SEC does not treat social media any differently than
any other written communications, such as emails or instant messages.
Furthermore, like the other regulators, content is determinative – meaning that
the content will determine the recordkeeping requirements. The SEC and the
other regulators are only interested in business communications “as such.”
All social media communications (e.g., status updates, direct messaging,
texting, etc.) must be retained and be easily available for inspection for at
least five years. The SEC also states that firms should conduct employee train-
ing programs specifically for recordkeeping requirements and do spot checks
to ensure employees are complying with the policies. These records should be
indexed in such a way that they are easily retrievable. Best Practice: as the
SEC suggests, firms should consider using third parties for record retention.
Massachusetts Issues Regulatory Guidance on Social Media
Early in 2012, the Massachusetts Securities Division of the Commonwealth
of Massachusetts provided regulatory guidance on social media.⁶ While the
Division’s alert applies only to state-registered investment advisors, it is
worth noting as regulators tend to look to each other when issuing guidance
on new areas of compliance. The essence of this guidance echoes SEC,
FINRA and NAIC:
• Social media is considered advertising and subject to applicable
regulatory requirements.
• Recordkeeping obligations under the Advisers Act and other applicable
Massachusetts regulations include content on social media sites.
• According to adoption and entanglement theories discussed above, firms
may be responsible for third-party content.
• Testimonials are prohibited.
• Full and fair disclosure of all material information relating to advertised
performance is required. Investment advisors are advised to consider the
appropriateness of social media for performance advertising.
• Firms must establish and maintain a system to supervise the activities of
investment advisors and other employees to ensure compliance.
Summary
Although there are subtle, but important, differences in the interpretation of
rules (e.g., pre- and post-approval of content, the use of testimonials, and
circumstances where firms are responsible for third-party content) across all
the regulators, the overall tone of regulatory guidance is fairly consistent.
Firms need to adhere to all recordkeeping and supervisory requirements and
have the appropriate processes and policies in place to ensure compliance.
Anything short of that may generate negative regulatory scrutiny and
possibly risk the reputation of the firm.
Best Practices Overview
• Firms should develop workflows that facilitate the pre-approval of
static content and the supervision and moderation of interactive content.
• To avoid being responsible for third-party content, firms often disable the
use of “retweet” or “favorite” within social media sites.
• Firms need to design risk-based supervisory procedures to ensure
compliance with content standards that may include sampling and
lexicon-based automated searches, typically by working with a third party.
• As native social media sites do not provide retention or retrieval
capabilities, firms typically work with third-party vendors to meet
recordkeeping requirements.
• Since social media sites do not offer recordkeeping capabilities natively,
firms are challenged to find another solution, typically by working with
a third-party vendor(s).
• Firms typically prohibit recommending specific products, unless a
registered principal of the firm has approved the communication.
• Firms typically monitor communications to make sure content
standards are being adhered to and also disable the ability to make
recommendations and, in some cases, to “like.”
• As communications rules are fairly complex and their interpretation
is evolving, firms typically confer with their compliance department to
develop processes for review and approval of content, either before
it is posted or after, depending on the content of the communications
and the firm’s risk tolerance.
• Firms should establish and publish usage guidelines for customers
and other third parties that are permitted to post on firm-sponsored
websites. Firms should also monitor and block inappropriate third-party
content and provide disclaimers regarding its responsibility for third-party
posts. As retweeting, “liking,” or marking as “favorite” could be considered
an endorsement of the post, firms typically block these capabilities.
• Firms develop and follow risk-based written supervisory procedures
to ensure processes are in place to pre-approve static and
product-related content.
• For interactive content that does not necessarily require pre-approval,
firms determine how, when, and what percentage of content will be
reviewed and then develop training programs for everyone who will
be using social media.
• The SEC suggests that each firm identify and thoughtfully think
through the compliance factors that may create risk for the firm and
then test whether existing policies and procedures address or
mitigate those risks.
• To avoid the interpretation of a testimonial, firms typically disable
“Like” and “Recommendations” when possible.
• As the SEC suggests, firms should consider using third parties for
record retention.
Socialite
The Socialite platform helps organizations protect their brand and ensure
compliance while allowing employees to share relevant content, measure
impact, and increase engagement. Socialite controls access to more than
200 features across social networks but can also moderate, manage,
and archive any social media traffic routed through the solution.
About Actiance
Actiance helps organizations manage, secure and ensure compliance across
unified communications, collaboration, and Web 2.0 applications such
as blogs, wikis and social networks. Actiance’s award-winning platforms
are used by 9 of the top 10 US banks and nearly 300 FINRA-regulated
firms globally. The Actiance platform allows organizations to gain visibility
of applications in use, apply usage and content policies, ensure compliance,
and gain valuable insights across the communications and collaboration
channels in use. Actiance supports all leading social networks, unified
communications, and collaboration providers and IM platforms, including
Facebook, LinkedIn, Twitter, Google, Yahoo!, AOL, Skype, Cisco, Microsoft,
Jive, and IBM. Actiance is headquartered in Belmont, California.
For more information, visit www.actiance.com or call 1-888-349-3223.
References
1 http://www.naic.org/documents/committees_d_social_media_exposures_111201_whitepaper_draft_social_media.pdf
2 FINRA Regulatory Notice 10-06, “Guidance on Blogs and Social Networking Web Sites,” http://www.finra.org/Industry/Regulation/Notices/2010/P120760
3 FINRA Regulatory Notice 11-39, “Guidance on Social Networking Websites and Business Communications,” http://www.finra.org/Industry/Regulation/Notices/2011/P124187
4 For more information and detailed recommendations, see Actiance, Addressing FINRA Regulations for Social Media
5 SEC National Examination Alert, Investment Advisor Use of Social Media, http://www.sec.gov/about/offices/ocie/riskalert-socialmedia.pdf
6 http://www.sec.state.ma.us/sct/sctpdf/The%20Use%20of%20Social%20Media%20by%20Investment%20Advisers.pdf
Worldwide Headquarters: 1301 Shoreway, Suite 275, Belmont, CA 94002 USA, (650) 631-6300
This document is for informational purposes only. Actiance makes no warranties, express or implied, in this document. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Actiance, Inc.
© 2001 - 2012 Actiance, Inc. All rights reserved. Actiance and the Actiance logo are registered trademarks of Actiance, Inc. Actiance Vantage, Unified Security Gateway, Socialite, and Insight are trademarks of Actiance, Inc. All other trademarks are the property of their respective owners.
EMEA Headquarters: 400 Thames Valley Park, Reading, Berkshire, RG6 1PT UK, +44 (0) 118 963 7469