In February 2023, FINRA provided an update on its review of member broker-dealer firms’ practices for their social media practices and related privacy protection. In it, FINRA summarized practices it has observed to date to help firms evaluate whether their practices and supervisory systems are reasonably designed to address risks related to social media influencer and referral programs as well as to address compliance with privacy requirements.

The update followed FINRA’s targeted sweep of such practices announced in September 2021 in which FINRA shared that it would review firms’ practices related to their acquisition of customers through social media channels, as well as firms’ sharing of customers’ usage information with affiliates and non-affiliated third parties.

Social Media Influencer and Referral Programs

FINRA highlighted the importance for broker-dealers using social media of maintaining appropriate written supervisory procedures (“WSPs”) for their social media influencer and referral programs. Per FINRA, possible considerations for such WSPs include:

  • Differentiating between social media influencer and referral programs, including additional controls for social media influencers with a relatively large social media presence, as well as any additional requirements for programs managed by member firms, affiliates, or marketing agencies;
  • Updating WSPs on a regular basis and in response to program developments, regulatory changes, or industry trends; and
  • Addressing program participants’ compensation.

Among other important findings, FINRA highlighted broker-dealers’ practices for maintaining adequate records of social media influencer and referral program communications with the public and providing training and defining permitted and prohibited conduct for social media influencers.

Privacy

In its update, FINRA also noted broker-dealer firms’ obligations for compliance with Regulation S-P and other applicable laws, rules, and regulations for protecting customer nonpublic information (“NPI”) and noted that broker-dealers are limited in disclosing customer NPI with non-affiliated third parties. From its sweep, FINRA highlighted various relevant firm practices including again maintaining WSPs addressing a broker-dealer’s obligations under Regulation S-P by including in the firm’s WSPs if relevant:

  • The general obligation to deliver privacy notices to customers no later than when members establish a customer relationship, and annually thereafter;
  • Protecting usage information for customers who opt out of information sharing; and
  • Collecting and sharing of customer usage information, including information collected using “cookies,” and sharing that information with third parties.

FINRA also highlighted other practices such as permitting customers to opt out of information sharing with third parties and not sharing this information. If the firm shares non-anonymized NPI with third parties, broker-dealers should consider maintaining written agreements with those third parties limiting their use of that information consistent with Regulation S-P.

Final Thoughts

While FINRA released this update, its sweep is still ongoing and FINRA will likely provide additional information about its findings and observations post-sweep. Of note, the SEC continues to focus on social media practices. In February 2023, the SEC entered into an enforcement order with NBA Hall of Famer and Boston Celtics legend Paul Pierce relating to, among other charges, his touting of crypto asset securities on social media without disclosing the payment he received for the promotion. Similarly, privacy continues to be a priority of the SEC in 2023. Its Division of Examinations listed broker-dealers’ information security and operational resiliency as a priority in its 2023 Priorities. Broker-dealer firms can expect more on these topics from FINRA and the SEC in the months to come.