Social Media Compliance: An Unpleasant Necessity

A high-level look at the regulatory landscape and how it relates to digital communications.

DISCLAIMER: The views and opinions expressed in this post are my own, and in no way or form associated with or influenced by any third parties.


Fast forward 14 years, and Facebook is largely a household name that rivals traditional brands of the past such as Cheerios, Coca-Cola, or McDonald's. Facebook is used all over the world, by millions of people daily. In fact, there are many modern social media channels and networks used by millions of people globally each day. LinkedIn, a popular social network for professionals, launched in 2003. Twitter, which started as a microblog, launched in 2006. There are over 25 digital channels currently active that are classified as social media, and that number won’t stop growing anytime soon.

Figure 1: Most popular social network sites worldwide as of April 2017, ranked by number of active users (in millions) — Statista, 2017

Modern day social has evolved into much more than a digital diary, or a means for folks to share photos of their babies or meals or cats. It is in essence, a channel for businesses to connect with their customers — existing or potential, employment candidates, their communities, and other brands. It is a channel for marketing, for sales, for customer service, for recruitment, for employee advocacy and engagement, for brand awareness, and so on.

Some researchers have theorized that behind only employee or customer referrals, social media is the #1 channel for marketing and sales conversion.

In fact, marketers are allocating increasingly large portions of their budget towards social media including paid ads, social engagement, and social content marketing (however, it is commonly noted that measuring ROI on social media is harder than traditional channels).

And because of this increased usage, there are many risks. For example, many industries are highly regulated and have strict “rules” around communications (whether internal, with patients or clients, customers, or otherwise). Marketing, sales, and advertising must comply with regulations too, along with many other aspects of day-to-day business.

Social in the Financial Services Industry

Banks, insurance brokers, and securities exchanges are no different than other companies; they too are leveraging technology to engage with their customers and boost their brand. Banking is one of the most heavily regulated industries, and thus any firm dealing in the trade or brokering of financial products (stocks, bonds, currency, futures, etc.) has to be extra vigilant in its use of social networks and other digital channels.

In the wake of the 2008 financial crisis, regulators like the U.S. Securities and Exchange Commission (SEC) were forced to re-evaluate their existing rules and revamp them to fit the digital era we live in. After all, the original Securities Exchange Act was implemented in 1934.

Traditionally, “business communications” for broker-dealers consisted mostly of pen & paper documents, snail mail, phone calls, faxes, pagers, and eventually e-mail. Communications fall under the same record-keeping rules as the books and ledgers that detail customer transactions. The SEC rules (specifically, 17a-4) dictate that records of transactions — including business communications — must be retained and indexed with accessibility for a period of two years, and with non-immediate access for a period of at least six years. Anything electronic must be non-rewriteable and non-erasable.

Figure 2: Traditional Financial Services model of communication.

Tightened regulations led to policy changes across the industry, and these rules needed to be enforced. New technologies and operating models were developed to assist in keeping firms compliant (and out of the headlines). Large-scale storage systems were used to ingest e-mail communications into long-term archives, where compliance departments and auditors could monitor and search to identify and prevent misconduct. This technology met the needs of FIs for years, and variations of it are used by most major firms.

Figure 3: Example of modern Financial Industry communication channels.

However, in today’s world everything is online. Within a very short time frame, e-mail became largely unpopular as a primary means of communication. As social media channels and chat services emerged, businesses realized they too can leverage them, as a method to conduct business faster and engage with customers via the channels they use most frequently. The landscape looks something like Figure 3, pictured above.

Interpreting The Rulebook

Between 2010 and 2011, regulators began to recognize this. The Financial Industry Regulatory Authority (FINRA) published new regulatory notices specifically for usage of digital communications and social media by financial firms. This includes FINRA 10–06, 11–32 and 11–39.

FINRA is an American self-regulating organization (SRO) — a type of organization that exercises a degree of regulation and governance either in place of or in addition to governmental groups, and is often overseen by the government. In Canada, IIROC is a similar SRO to FINRA.

In summary, these rules stated that firms were required to retain records of any “business” communications made on digital channels. This includes social media communications. In detail, the rules go on to state that tweets and text messages are written material and need to be preserved as such — in a manner similar to other communications regulated by SEC 17a-3 and 17a-4. These rules were developed as a result of the way the industry is shifting, and the way we conduct business today.

FINRA 11–39 establishes the requirement to retain, easily retrieve and supervise all business communications; a “business” communication is not defined, and whether a particular communication is related to the business of the firm depends upon the facts and circumstances. This does not exclude a communication conducted from a personal device, or even one by non-regulated employees. It is up to firms to interpret regulatory notices, and because of this it is often “better safe than sorry”. This is why it is common for all employee e-mail to be archived, regardless of whether or not the employees are regulated and monitored.

Bringing it all together

When considering the rules above, combined with others, it seems like everything is subject to some sort of regulation. And that’s almost correct. To help consolidate, we can look at the “who” and “what” is regulated, below.

Who is regulated:
  • Securities firms that do business with the public over the New York Stock Exchange, NASDAQ Stock Market, International Stock Exchange, and American Stock Exchange.
  • Employees of these firms, whether in regulated roles or not — regardless of the country in which they operate. Example: if a Canadian firm does business on the NYSE, those Canadian employees are also subject to the regulations of the SEC and FINRA — despite those being American regulators.
  • Firms that offer training, licensing or testing for firms or employees of firms that meet the criteria directly above.

What is regulated:
  • Business communications by regulated employees, including: e-mails, text messages, chats, or social media communications by personal or business accounts that indicate the firm or any business activities such as products or services.
  • Corporate communications by financial firms including but not limited to static and interactive branded content used for marketing or PR purposes. This includes any published content to e-mail, social media, or other digital mediums. Any communications received by corporate accounts that are responded to (such as customer inquiries or complaints) also fit this criteria.
  • Employee and Brand Advocacy communications by non-regulated employees which are curated by the firm, that may directly or indirectly mention or allude to products or services.

So, what is “off the table” for archival and monitoring? Any communications that are considered non-business, completely personal in nature. There may be select occurrences where firm curated content is considered non-business communications, such as public news articles about the firm, sponsorship of charities and other community involvement pieces, human interest stories, research reports, employment opportunities, or other non-business announcements.

Making it Work

These modern regulations are more difficult to comply with than the traditional rules surrounding e-mail. Unlike e-mail, online interactions tend to consist primarily of unstructured data, or semi-structured data at best. Unstructured data is much more difficult to index and search. The legacy monolith systems built for e-mail just a few years earlier are now largely ineffective when working with this data. Once again, new technologies and ways of performing compliance are required in order to satisfy the regulatory bodies — a key example being the necessary transformation of data into a format that is accepted by e-mail software.

As more and more brands turned to social media for business, we saw an emergence of software providers specializing in managing these activities. In fact, companies like Hootsuite, Sprinklr and Spredfast were formed around 2008 and 2009. Hearsay Social was founded in 2009, with intentions of catering specifically to financial services firms.

Software providers for social media began to add features that allowed the compliant use of these channels by regulated customers — whether native in their platform or via partnerships with RegTech solutions.

Figure 4: Example of Compliance Pipeline

Current State of the Union

As stated, organizations have plenty of options for software that enables them to use social media to their advantage. The market is now littered with social media management solutions, from your basic publishing and content management capabilities to very niche (and often expensive) options available to perform very advanced functionality surrounding planning, analytics, monitoring, deep listening, customer care, etc.

LINK: See the Forrester Wave on Social Media Management here.

Today, it is hard to compete in the social media management market if you don’t have a solution that meets regulatory requirements in some way, shape, or form. There are some providers in the market today that have creative and intelligent ways to archive and monitor social.

Still, most solutions are built with the goal of improving the end-user experience, and the efficiency of integrating with regulated compliance systems and processes is secondary. Social has grown drastically in recent years, and transforming those social communications into formats that will work with legacy archival and monitoring platforms is a large undertaking. Think of how many apps are on your phone… how many of those are somehow connected to social media or offer chat or sharing functionality? The challenge of architecting the end-to-end flow of social and digital data needs to be simplified.

Looking Towards Modernization

We now live in an era of service ecosystems. The modern web and standards like REST have given rise to endless applications and services, which communicate over the same protocols regardless of the data involved. Many solutions — including the leading social media management providers — have open APIs that offer easy data retrieval and updates in real time, as opposed to traditional methods like e-mail or batch file transfers. Furthermore, as mentioned above, many business applications are “socially integrated”: they offer a means to share with employees or your social network.

A prime example is the upcoming integration between Microsoft Office and LinkedIn — one of the first products of the 2016 acquisition. Surely, as social media, chat and other forms of digital communication become a larger part of regulated employees’ day-to-day work, the complexity of monitoring these communications increases in direct correlation.

As legacy compliance solutions begin to reach their limits in practicality, we must stay with the times and adapt our processes and policies to work well with modern technologies. Secondly, the cost of storage has dropped significantly over the years with the emergence of public cloud in consumer and business scenarios. However, the existing technologies employed by the largest FIs are primarily still on-premise, and require storage provisioning to be increased as data grows. This is costly from a technical and operational standpoint.

At what point do organizations begin to move away from the technologies they once used, that are now proving harder to maintain and “play nicely” with? How can organizations — including the traditionally strict and technically conservative compliance departments — along with regulators, leverage modern technologies and open standards to create and consume services?

Ultimately, there must be a better way than forcing anything related to social media or digital communications to take a step backwards, and conform to legacy technical standards that were put in place to support and adhere to outdated regulations and methods of communication. Without innovating and creating new operating models to support regulatory compliance in the digital age — financial services providers are putting themselves at a disadvantage. It is not out-of-reach for internet giants and social media providers themselves to test the waters in banking — and some have already dabbled in digital payments.

Stay tuned for Part 2 of this article, where we will take a look at the benefits of adopting a modern social media and digital communications operating model.

Product Person. Beer Nerd. Traveller. Writes about software, culture, and innovation. In constant search of the best coffee, tacos, and IPAs in a city near you.
