GRC Roll Up: Social Media Guidance and a Comply or Die Report

Marisa Peacock

Wasn’t it just last week that we were pondering the sustainability of GRC as an acronym? Have no fear; the world of GRC still spins. This week: financial advisers tackle social media, how to comply with multiple regulations and security compliance predictions for 2010.

FINRA Offers Guidance on Blogs and Social Networking Websites

Have you ever wondered what rules or guidelines there are for financial advisers on social media? Maybe not, but still it’s an interesting question. And it’s one that the Financial Industry Regulatory Authority Inc. (FINRA), the largest independent securities regulator in the US, has been pondering.

They are the governing body responsible for what registered personnel can and can't say in public. On Monday they issued guidance to securities firms and brokers regarding the use of social networking websites such as Facebook, Twitter, LinkedIn and blogs to communicate with the public. The guidelines were made available via Regulatory Notice 10-06, and are presented in Q&A format.

It seeks to clarify the responsibilities of firms to supervise the use of social networking sites, to ensure that recommendations are suitable and that their customers are not misled. While transparency in the financial industry is crucial, FINRA makes it clear that:

interactive electronic forums are subject to other supervisory requirements and to the content requirements of FINRA’s communications rule.

However, FINRA makes some surprising statements. For instance, because:

many blogs enable users to engage in real-time interactive communications…if the blog is used to engage in real-time interactive communications, FINRA would consider the blog to be an interactive electronic forum that does not require prior principal approval. (Q4)

As far as Facebook and Twitter are concerned, FINRA takes a more supervisory role stating:

a registered principal of the firm must approve all static content on a page of a social networking site established by the firm or a registered representative before it is posted. (Q5)

Overall the guidelines strike a fair balance between common sense and the need for oversight. Considering how sensitive the financial industry can be to public scrutiny over its practices, it’s a noble step for a governing body to think proactively about a platform that many industries would rather choose to ignore.

Will this Help with Compliance?

It’s no surprise that the enterprise is concerned about being compliant, or at least enough so as to avoid incident. According to a recent InformationWeek Analytics survey on regulatory compliance, 80% of respondents indicated that there are at least 2 requirement sets their organizations are addressing, while 35% indicated that they are focused on 4 or more.

To help ease the hardship, Information Week has released “Comply And/Or Die” a report that provides ways companies can work smarter and cover multiple compliance mandates with careful planning.

Much like any business plan or decision, Information Week is quick to point out that when it comes to regulatory compliance, “the framework you select for your organization will set the tone for the whole security program and ultimately structure how you'll approach risk mitigation.” While companies might rush to be compliant out of fear, IW advises everyone to take a deep breath and create a sound strategy before getting in too deep.


Regulations to Watch For

SearchSecurity.com’s David Mortman says the security compliance outlook for 2010 is full of regulations. Here are a few that we can look forward to:

On February 17, Health Information Technology for Economic and Clinical Health Act (HITECH), which updates HIPAA, will go into effect.

What does it do?

It adds breach notifications and extends coverage to a much broader range of organizations, including Web-based electronic health records management systems such as Google Health.

Red Flag Rules

Having been delayed a few times over the years, the FTC's Red Flags Rules are slated to take effect in June. The rules are the result of the Fair and Accurate Credit Transactions Act (FACTA) of 2003.

What does it do?

Among other requirements, FACTA required FTC to enact rules to require financial institutions and "creditors" to develop programs to assist the government in detecting, preventing and mitigating "red flags" of identity theft.