Social Media Guidelines for Insurance Industry

Insurance and Social Media: Understanding the Rules


The overall tone of regulatory guidance is fairly consistent. Firms need to adhere to all recordkeeping and supervisory requirements and have the appropriate processes and policies in place to ensure compliance. Anything short of that may generate negative regulatory scrutiny and possibly risk the reputation of the firm.

Transcript of Social Media Guidelines for Insurance Industry

Page 1: Social Media Guidelines for Insurance Industry

Insurance and Social Media: Understanding the Rules


The tide of social media has reached the shores of the insurance industry. Following in the footsteps of their broker-dealer brethren, insurance companies are beginning to utilize social media to build brand awareness, enhance customer service, recruit new agents, enhance existing relationships, and identify and nurture prospective clients. However, as a regulated industry, insurance firms are taking a cautious approach when permitting agents to use social media. A lesson learned from regulators of the securities industry, such as the Securities and Exchange Commission and the Financial Industry Regulatory Authority (FINRA), is that regulators consider social media just another form of electronic communications, to be treated as such.

This article takes a look at four sources of regulations to understand the direction the insurance industry is heading with respect to social media guidelines:

• A draft of a white paper issued by the National Association of Insurance Commissioners (NAIC)

• Social media guidance issued by FINRA, which applies to broker-dealers and registered representatives who sell variable life and annuity products

• SEC’s National Examination Alert, Investment Advisor Use of Social Media, which applies to Investment Advisors and Registered Investment Advisors

• Recent guidance from a state regulator (Massachusetts)

National Association of Insurance Commissioners

In addition to the SEC and FINRA (for those insurance firms who sell variable life and annuity products), insurance firms are also regulated by each of the individual state insurance regulators. However, the National Association of Insurance Commissioners (NAIC) was created in 1871 to address the need to coordinate regulation of multistate insurers. As a result, in 2011, the NAIC formed a working group to draft a white paper on “The Use of Social Media in Insurance”.¹ Although still in draft form (as of December 2011), this document still reveals hints on how the NAIC will treat social media in the future.

Supervision, Monitoring, and Training

Social media communications must align with existing regulations related to advertising, marketing, record retention, privacy, and consumer complaints. Firms must relay their internal policies to their appointed producers and employ a risk-based approach to train users.

Content

• Firms are responsible for content posted to their own sites, for posts by appointed producers (if attributed back to the firm), and possibly for posts of third parties.

• Like FINRA’s guidance, content is considered either static or interactive. Static content, i.e., content that remains posted until it is changed by the author, must comply with state marketing and advertising regulations. Interactive content, i.e., real-time communications, requires a more “nuanced,” or fact-based approach. Such content may not require filing or approval prior to use. As a best practice, firms should develop workflows that facilitate the pre-approval of static content and the supervision and moderation of interactive content.


• According to existing “adoption” and “entanglement” theories, firms may be responsible for third-party content, should an insurer/producer be involved in the preparation of content or the implicit or explicit endorsement of the third-party content. As a best practice, to avoid being responsible for third-party content, firms often disable the use of “retweet” or “favorite” within social media sites.

• Firms should adopt policies and controls to ensure content is accurate and timely and any product recommendations should comply with existing state laws and regulations. As a best practice, firms need to design risk-based supervisory procedures to ensure compliance with content standards that may include sampling and lexicon-based automated searches, typically by working with a third party.

Recordkeeping Requirements

Firms must maintain books and records so that examiners may readily determine compliance with rules and regulations. When an insurer is responsible for content, it must comply with individual state record retention requirements. As a best practice, as native social media sites do not provide retention or retrieval capabilities, firms typically work with third-party vendors to meet recordkeeping requirements.

Financial Industry Regulatory Authority (FINRA)

FINRA, regulator of broker-dealer firms in the securities industry, issued specific guidance for social media in January 2010² and then again in August of 2011.³ FINRA reiterated that there are no new rules. Instead, firms are challenged to interpret how to apply these existing categories of rules and regulations to social media:

Recordkeeping

Firms must capture, save, and make easily available all written business correspondence, including social media communications, such as updates, tweets, and direct messages, from both business and personal devices. The content is determinative. Timeframes vary, but in some cases, these communications need to be archived for at least five years. As a best practice, since social media sites do not offer this capability natively, firms are challenged to find another solution, typically by working with a third-party vendor(s).

Suitability

Broker-dealers must ensure that recommendations registered representatives (RRs) make to their clients are suitable for each investor. That means that the RRs must know their customers’ investment objectives and risk tolerance at that moment in time. As a best practice, firms typically prohibit recommending specific products, unless a registered principal of the firm has approved the communication.

Communications with the Public

Firms need to adhere to content standards for all communications. For example, communications must disclose all the facts, cannot be misleading, and cannot guarantee results. Testimonials are only allowed in certain circumstances for RRs. As a best practice, firms typically monitor communications to make sure content standards are being adhered to and also disable the ability to make recommendations and, in some cases, to “like.”


Firms also need to make sure communications are reviewed, either before or after they are made public, depending on how they are categorized and on the content. Static content, such as an advertisement, brochure, or profile on a social media site, needs to be pre-approved by a registered principal of the firm before it is made public. However, interactive communications, such as real-time interactions, may not require pre-approval, but a pre-determined percentage of them must be supervised. Both static and interactive communications must meet content standards and be supervised. Furthermore, all communications must be captured and retained. As a best practice, as communications rules are fairly complex and their interpretation is evolving, firms typically confer with their compliance department to develop processes for review and approval of content, either before it is posted or after, depending on the content of the communications and the firm’s risk tolerance.⁴

Firms are not responsible for third-party content unless they have involved themselves in the preparation of the content or explicitly or implicitly endorsed or approved the content. As a best practice, firms should establish and publish usage guidelines for customers and other third parties that are permitted to post on firm-sponsored websites. Firms should also monitor and block inappropriate third-party content and provide disclaimers regarding their responsibility for third-party posts. As retweeting, “liking,” or marking as “favorite” could be considered an endorsement of the post, firms typically block these capabilities.

Supervision

As with any type of electronic communications (such as email or instant messages), firms must demonstrate that they are supervising communications to ensure adherence with content standards. Regulators do not specify what percentage of communications must be reviewed. Instead, FINRA allows firms to use a risk-based approach, i.e., firms create supervision policies based on their own tolerance for risk, the type of content, plus compliance history of staff. However, FINRA does specify that those associated persons who use social media must first receive training. As a best practice, firms develop and follow risk-based written supervisory procedures to ensure processes are in place to pre-approve static and product-related content. For interactive content that does not necessarily require pre-approval, firms determine how, when, and what percentage of content will be reviewed and then develop training programs for everyone who will be using social media.


The Securities and Exchange Commission (SEC)

On January 4, 2012, the SEC issued the National Examination Risk Alert, Investment Advisor Use of Social Media.⁵ SEC staff of the Office of Compliance Inspections and Examinations stated that firms’ use of social media must comply with federal securities laws, including anti-fraud provisions, compliance provisions, and recordkeeping. Furthermore, the SEC noted that many firms have overlapping procedures that apply to advertisements, i.e., client communications which may or may not include social media. They warned that this lack of specificity creates confusion. The SEC also stated that firms should identify risks and then test whether their in-house policies and procedures effectively address these risks.

Factors to Consider Before Implementing Social Media

The SEC identified thirteen factors that an investment advisor may want to consider when evaluating the effectiveness of its compliance program. Factors include clearly establishing usage guidelines, thinking through how you will monitor social media sites as well as how often. For example, the SEC warned that due to the viral nature of social media, post-review (e.g., days later) may not be sufficient. The SEC also suggests that firms design and implement workflows for pre-approving content and to train and certify investment advisors on the use of social media. Also important, firms should determine in advance whether there are enough resources dedicated to monitoring activity. Like other regulators, such as FINRA and the Investment Industry Regulatory Organization of Canada (IIROC), the SEC points out the importance of training and suggests examining the functionality of each social media site to ensure client privacy. The SEC made special mention about the risks of data security, as social media can render firms more vulnerable to data leakage and malware. Best Practice: the SEC suggests that each firm identify and thoughtfully think through the compliance factors that may create risk for the firm and then test whether existing policies and procedures address or mitigate those risks.

Third-Party Postings

The SEC further states that firms which allow third-party postings on their social media sites should develop policies about these third-party posts, particularly testimonials. Whether a third-party posting is a testimonial depends on all the “facts and circumstances”; however, SEC staff interprets the term to include clients’ experiences with, or endorsement of, an IA. Therefore, the use of “social plug-ins” such as the “Like” button could be interpreted as a testimonial under the Advisers Act, if it’s an explicit or implicit statement of a client’s experience with an advisor. In cases where social media sites do not allow the ability to disable “Like” or similar features, RIAs should develop a system to monitor and remove certain third-party postings. Best Practice: to avoid the interpretation of a testimonial, firms typically disable “Like” and “Recommendations” when possible.

Recordkeeping

The final section of the alert concerns recordkeeping. The existing Advisers Act defines recordkeeping requirements for IAs. In short, like FINRA and IIROC in Canada, the SEC does not treat social media any differently than any other written communications, such as emails or instant messages. Furthermore, like the other regulators, content is determinative – meaning that the content will determine the recordkeeping requirements. The SEC and the other regulators are only interested in business communications “as such.” All social media communications (e.g., status updates, direct messaging, texting, etc.) must be retained and be easily available for inspection for at least five years. The SEC also states that firms should conduct employee training programs specifically for recordkeeping requirements and do spot checks to ensure employees are complying with the policies. These records should be indexed in such a way that they are easily retrievable. Best Practice: as the SEC suggests, firms should consider using third parties for record retention.


Massachusetts Issues Regulatory Guidance on Social Media

Early in 2012, the Massachusetts Securities Division of the Commonwealth of Massachusetts provided regulatory guidance on social media.⁶ While the Division’s alert applies only to state-registered investment advisors, it is worth noting as regulators tend to look to each other when issuing guidance on new areas of compliance. The essence of this guidance echoes SEC, FINRA and NAIC:

• Social media is considered advertising and subject to applicable regulatory requirements.

• Recordkeeping obligations under the Advisers Act and other applicable Massachusetts regulations include content on social media sites.

• According to adoption and entanglement theories discussed above, firms may be responsible for third-party content.

• Testimonials are prohibited.

• Full and fair disclosure of all material information relating to advertised performance is required. Investment advisors are advised to consider the appropriateness of social media for performance advertising.

• Firms must establish and maintain a system to supervise the activities of investment advisors and other employees to ensure compliance.

Summary

Although there are subtle, but important, differences in the interpretation of rules (e.g., pre- and post-approval of content, the use of testimonials, and circumstances where firms are responsible for third-party content) across all the regulators, the overall tone of regulatory guidance is fairly consistent. Firms need to adhere to all recordkeeping and supervisory requirements and have the appropriate processes and policies in place to ensure compliance. Anything short of that may generate negative regulatory scrutiny and possibly risk the reputation of the firm.


Best Practices Overview

• Firms should develop workflows that facilitate the pre-approval of static content and the supervision and moderation of interactive content.

• To avoid being responsible for third-party content, firms often disable the use of “retweet” or “favorite” within social media sites.

• Firms need to design risk-based supervisory procedures to ensure compliance with content standards that may include sampling and lexicon-based automated searches, typically by working with a third party.

• As native social media sites do not provide retention or retrieval capabilities, firms typically work with third-party vendors to meet recordkeeping requirements.

• Since social media sites do not offer recordkeeping capabilities natively, firms are challenged to find another solution, typically by working with a third-party vendor(s).

• Firms typically prohibit recommending specific products, unless a registered principal of the firm has approved the communication.

• Firms typically monitor communications to make sure content standards are being adhered to and also disable the ability to make recommendations and, in some cases, to “like.”

• As communications rules are fairly complex and their interpretation is evolving, firms typically confer with their compliance department to develop processes for review and approval of content, either before it is posted or after, depending on the content of the communications and the firm’s risk tolerance.

• Firms should establish and publish usage guidelines for customers and other third parties that are permitted to post on firm-sponsored websites. Firms should also monitor and block inappropriate third-party content and provide disclaimers regarding their responsibility for third-party posts. As retweeting, “liking,” or marking as “favorite” could be considered an endorsement of the post, firms typically block these capabilities.

• Firms develop and follow risk-based written supervisory procedures to ensure processes are in place to pre-approve static and product-related content.

• For interactive content that does not necessarily require pre-approval, firms determine how, when, and what percentage of content will be reviewed and then develop training programs for everyone who will be using social media.

• The SEC suggests that each firm identify and thoughtfully think through the compliance factors that may create risk for the firm and then test whether existing policies and procedures address or mitigate those risks.

• To avoid the interpretation of a testimonial, firms typically disable “Like” and “Recommendations” when possible.

• As the SEC suggests, firms should consider using third parties for record retention.


Socialite

The Socialite platform helps organizations protect their brand and ensure compliance while allowing employees to share relevant content, measure impact, and increase engagement. Socialite controls access to more than 200 features across social networks but can also moderate, manage, and archive any social media traffic routed through the solution.

About Actiance

Actiance helps organizations manage, secure and ensure compliance across unified communications, collaboration, and Web 2.0 applications such as blogs, wikis and social networks. Actiance’s award-winning platforms are used by 9 of the top 10 US banks and nearly 300 FINRA-regulated firms globally. The Actiance platform allows organizations to gain visibility of applications in use, apply usage and content policies, ensure compliance, and gain valuable insights across the communications and collaboration channels in use. Actiance supports all leading social networks, unified communications, and collaboration providers and IM platforms, including Facebook, LinkedIn, Twitter, Google, Yahoo!, AOL, Skype, Cisco, Microsoft, Jive, and IBM. Actiance is headquartered in Belmont, California.

For more information, visit www.actiance.com or call 1-888-349-3223.

References

1 http://www.naic.org/documents/committees_d_social_media_exposures_111201_whitepaper_draft_social_media.pdf

2 FINRA Regulatory Notice 10-06, “Guidance on Blogs and Social Networking Web Sites,” http://www.finra.org/Industry/Regulation/Notices/2010/P120760

3 FINRA Regulatory Notice 11-39, “Guidance on Social Networking Websites and Business Communications,” http://www.finra.org/Industry/Regulation/Notices/2011/P124187

4 For more information and detailed recommendations, see Actiance, Addressing FINRA Regulations for Social Media

5 SEC National Examination Alert, Investment Advisor Use of Social Media, http://www.sec.gov/about/offices/ocie/riskalert-socialmedia.pdf

6 http://www.sec.state.ma.us/sct/sctpdf/The%20Use%20of%20Social%20Media%20by%20Investment%20Advisers.pdf


© 2001 - 2012 Actiance, Inc. All rights reserved. Actiance and the Actiance logo are registered trademarks of Actiance, Inc. Actiance Vantage, Unified Security Gateway, Socialite, and Insight are trademarks of Actiance, Inc. All other trademarks are the property of their respective owners.
