United States: Haunted By A Ghost: Snapchat, Wall Street, And The Evolving Focus Of Financial Social Media Regulation

Reproduced with permission from Securities Regulation & Law Report, 45 SRLR 1488, 08/12/2013. Copyright _ 2013 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

A new service, Snapchat, has joined the constellation of social media services with potential business implications. Snapchat is a mobile application, originally aimed at teenagers, which allows users to send photos and text that ''disappear'' from a recipient's inbox within 10 seconds of viewing. Although the temporary nature of its messages is a key feature of Snapchat, there are ways around the permanent deletion of these messages, and forensic data vendors can retrieve Snapchat images from a phone's memory.¹ Additionally, the application tracks the date and time each message is sent, received, and opened, as well as the identity of senders and recipients.

As of June 2013, Snapchat, whose logo features a smiling ghost evocative of the fleeting quality of its message product, said it was processing more than 200 million user messages per day.² New York magazine recently reported that Snapchat had transcended its intended demographic and that bankers on Wall Street were ''obsessed'' with using the smartphone application to share embarrassing and incriminating pictures and texts with friends while avoiding more permanent social media sites such as Facebook, where a current or prospective employer might find them.³

Since the New York article, the media has been buzzing about the use of Snapchat on Wall Street for social purposes.⁴ It does not take much imagination, however, to envision how traders, bankers, and broker-dealer and public company employees could move from personal to business use of Snapchat, or the problems that this evolution could bring.⁵ And, there is no reason to believe that the U.S. Department of Justice, U.S. Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), and other regulators and agencies have failed to take note of this potential. When asked about the use of Snapchat in a July interview regarding recent insider trading investigations, Preet Bharara, U.S. Attorney for the Southern District of New York, explained that such forms of communication could come back to ''haunt'' financial institutions and their employees, and he emphasized: ''Nobody should feel safe because they're using a particular method of communication because . . . we have case after case where . . . [the counterparty to the crime] will come to the government and reveal all the criminal activity. Nobody should feel safe, no matter what form of communication they are using.''⁶ Thus, it is critical that public companies, regulated banks, broker-dealers, and others take steps to prevent this social media phenomenon from becoming their next regulatory and discovery headache.

This article looks at the challenges Snapchat represents in the context of the ever-expanding regulatory focus on social media usage by registered brokerdealers and registered investment advisers (collectively, ''regulated entities'') and public companies. We also offer suggestions of prudent steps companies should consider to stay ahead of the regulatory curve.

Snapchat, Social Media, and Regulatory Scrutiny

Regulators have a long history of monitoring social media and electronic communications, dating back to a 1996 FINRA alert concerning a broker-dealer's intentions to develop a website and its use of electronic mail and chat rooms. At that time, FINRA indicated that it regarded websites as advertisements and participation in chat rooms as public appearances.⁷ The SEC has focused on social media since at least 2008, when it published guidance on how companies can use websites to provide information to investors.⁸

In June 2013, FINRA further dove into the world of social media by issuing a targeted examination letter spot-checking broker-dealers' social media communications and policies.⁹ Further, in April, the SEC issued guidance on the use of Twitter, Facebook, and other social media sites by public companies after Netflix's chief executive officer posted company news on his personal Facebook newsfeed.¹⁰ Immediately thereafter, the New York Stock Exchange (NYSE) issued guidance for NYSE member firms on the topic.¹¹ Additionally, FINRA has recently settled matters concerning a registered person's use of Twitter.¹²

Legal and Regulatory Considerations Regarding Social Media

Many of the key rules and regulations governing the financial services industry, and applicable to regulated entities, focus on supervision, surveillance, disclosure, transparency and conflicts of interest. Narrower rules on some of these issues also apply to public companies. Given the many regulatory requirements within this framework, the rapid development and sweeping popularity of Snapchat and other social media have had a significant impact on companies and their employees, as well as regulators focused on whether social media is consistent with regulatory requirements.¹³

Each new form of social media moves regulators to reassess existing regulatory frameworks. They may decide to modify existing rules and regulations or issue guidance explaining the applicability of existing requirements to new forms of communication. Regulated entities and public companies must stay apprised of these developments to ensure that they satisfy applicable obligations as they evolve. Given the recent media coverage of Snapchat, the issuance of new regulations or guidance applying to this new application would not be a surprise.

Depending on the regulatory jurisdiction to which a regulated entity or public company is subject, various requirements may apply to the use of social media, including Snapchat. At a broad level, these rules and regulations address:

Policies and Procedures

Regulated entities subject to FINRA or SEC jurisdiction typically must establish and maintain detailed policies and procedures reasonably designed to prevent the entity or its employees from violating applicable securities laws, rules, and regulations. Although these provisions do not expressly require that policies and procedures address the use of social media, regulators have made clear that they expect as much from entities under their jurisdiction.¹⁴

Supervision and Surveillance

Regulated entities are required to supervise and conduct surveillance of business-related employee communications,¹⁵ including social media communications. NASD Rule 3010 requires that a broker-dealer establish and maintain a system reasonably designed to achieve compliance with applicable laws and regulations and to supervise employee activities.¹⁶ The system must include written supervisory procedures that address, among others, the activities and communications of employees.¹⁷ Advisers Act Rule 206(4)-7 similarly requires investment advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act.¹⁸ Regulatory guidance indicates that even where a supervision rule does not expressly address social media, a regulated entity should nonetheless apply the rule to employee communications disseminated through social media.¹⁹

Communications with the Public

Business-related communications with the public sent through social media may be subject to pre-use review, approval, and/or filing requirements.²⁰ Even where a particular entity—such as an investment adviser—is not specifically required to review communications prior to use, regulators, including the SEC, suggest that they do so in some capacity (e.g., an afterthe- fact risk-based review, rather than reviewing all communications).²¹ The fact that a communication was sent from an employee's personal device, rather than a company device, does not absolve a regulated entity of its regulatory responsibility and accountability if the communication is ''business-related.''²²

Recordkeeping and Record Retention

Detailed recordkeeping and record retention rules apply to regulated entities.²³ For instance, Exchange Act Rule 17a-4(b) requires broker-dealers to retain certain business-related communications for specified time periods.²⁴ Advisers Act Rule 204-2 applies similar requirements to investment advisers.²⁵ Such rules have been interpreted broadly to encompass electronic communications and social media.²⁶ Although these rules seem straightforward, it may be difficult, if not impossible, to satisfy them if an application—such as Snapchat—is used that prevents saving copies of all communications. FINRA has explained that technology that automatically deletes records could preclude a broker-dealer from satisfying its regulatory obligations.²⁷ Thus, and as discussed in greater detail below, regulated entities should take steps to either prohibit or carefully limit the use of technology that prevents them from satisfying their regulatory obligations.

Disclosure

Publicly held companies, such as issuers, are subject to SEC Regulation FD, which promotes full and fair disclosure by requiring that a company disclosing material nonpublic information to stock analysts, institutional investors, or certain market participants make public disclosure of the information simultaneously (if disclosure was intentional) or promptly (if disclosure was unintentional). The SEC recently indicated that companies may use social media to announce information to the public in accordance with Regulation FD, provided that they notify investors of exactly which social media outlet(s) will be used in advance of the announcement.²⁸

How to Avoid a Snapchat (or Other Social Media) Headache

Corporate responses to the regulatory risks of social media are by no means ''one size fits all.'' Due to varying sizes, structures and businesses, it is unlikely that all companies—whether a regulated entity or public company— could or should implement the same solution to satisfy their regulatory obligations concerning social media usage. Rather, each must balance its regulatory obligations and expectations²⁹ with the specific risk that it faces. Although the potential for exposure to regulatory scrutiny or penalties cannot be entirely eliminated, it can be mitigated by well-crafted, and carefully implemented and enforced proscriptive measures. Below are some steps regulated entities and public companies may consider following as they construct and reassess their social media compliance and risk management frameworks.

Business vs. Personal Use

Before revising or creating any new policies, procedures or controls, regulated entities and public companies should consider defining what constitutes a business versus a personal communication. This distinction is a key aspect of any compliance or risk management system of a regulated entity, and public companies may also consider incorporating such a distinction into their internal policies and controls. Regulators have declined to specifically define these types of communications, leaving it to each company to decide on its own.³⁰ In drawing this line, a regulated entity or public company should consider whether specific types of communications relate in any way to their business or their employees' day-to-day job functions.

Social Media Policies

Once a regulated entity or public company defines the line between business and personal communications, it can assess whether its policies and procedures sufficiently address the risks of social media. After this review, it should consider updating its policies to address, to some degree, the supervision, surveillance and retention of social media communications, and describe appropriate and approved modes of business communications (e.g., communicating with clients only through business and not personal channels).

Given how quickly new social media tools develop and gain popularity, regulated entities and public companies should routinely review and update their policies and procedures to address popular new applications. During these updates, descriptions may be added regarding specific social media, such as procedures that address the use of Snapchat by employees generally and for business purposes in particular. It is best for regulated entities and public companies to remain proactive and to address new forms of communication as they develop, rather than waiting until a regulatory or discovery issue arises.

Policies should be unambiguous as to whether employees are strictly prohibited from using Snapchat or other forms of social media for business purposes and/or on company devices. If a regulated entity with record retention obligations permits its employees to use social media for business communications, it must institute a reasonably reliable procedure for recording and retaining these communications to comply with applicable rules.

This concern does not, however, implicate only regulated entities subject to specific regulatory requirements. Rather, it raises discovery issues for both regulated entities and public companies if a regulator requests copies of Snapchat or other social media communications in the course of a formal investigation or action, or makes a request for ''all documents'' or ''all communications'' concerning a particular issue or involving specific participants. For instance, if a company has not clearly articulated rules governing business communications and its employees' use of Snapchat on company devices or linked to company phone numbers or email addresses, then these communications may be relevant for discovery purposes, despite the fact that they are not necessarily retrievable.

If records cannot reliably be retained, regulated entities and public companies should consider stronger measures. Due to the rapid development of new technology, they should consider instituting a policy that prohibits the use of new social media services for business purposes until the regulated entity or public company itself determines that the service complies with its policies and procedures. Alternatively, employees may be prohibited from using any form of social media for business purposes. Blocking technology also may be installed on company hardware to restrict the ability to download applications or access social media websites. Finally, employees may be required to sign annual attestations stating that they have read and understand the company's policies and procedures regarding the use of social media, that they are in compliance with the policies and procedures, and that they do not use social media on company devices or for business purposes.

Audit/Exam Process

Regulated entities are required to periodically examine their businesses or to perform internal audits to ascertain compliance with company policies, and rules and regulations.³¹ Nonregulated entities may not be subject to these requirements, but, regardless, they may utilize some form of internal examination or audit as a best practice. Internal examinations or audits can be a vital risk-mitigation opportunity and can assist a regulated entity or public company in enforcing, and evidencing the enforcement of, its policies and procedures in the social media space. For instance, if internal policies and procedures strictly prohibit employees from using Snapchat for business purposes and/or using social media applications on company hardware, a regulated entity or public company may, in the course of an internal examination, examine company devices and search employees' names on social media applications to ascertain whether they are impermissibly using the social media.

Training and Continuing Education

Regulated entities and public companies may consider educating their employees both at the outset of employment and periodically through continuing education programs about the use of, and potential regulatory risks related to, social media. If such programs are established, the curricula should clearly describe the main regulatory requirements to which the regulated entity or public company is subject related to the use of social media, and the policies and procedures regarding the use of social media, including what constitutes business versus personal use, the extent to which employees may use social media, and how employees can avoid or prevent violations of relevant regulatory requirements.³²

Conclusion

It is too soon to say whether Snapchat's popularity among financial sector employees will be a passing fad or an enduring feature of the culture. Regardless, as the popularity of social media grows exponentially, developers will continue to introduce new ways to communicate that will present new risks and challenges to regulated entities and public companies. Challenges such as those presented by Snapchat—the self-deletion of messages and the difficulty of capturing or retaining information— have drawn the attention of at least one U.S. Attorney and will continue to draw scrutiny from regulatory agencies. Accordingly, as the press covers the risks and potential pitfalls of social media such as Snapchat, regulated entities and public companies should not be surprised when subpoenas begin to call for a broader array of responsive media, and regulatory examiners begin to question—either at an industry level or individually during examinations—how their compliance and risk management systems address the use of new forms of social media. Companies must remain vigilant and proactive to ensure that they are addressing new social media applications as they arise to mitigate any potential regulatory exposure from these new forms of communication.

Ben Neaderland is a counsel in WilmerHale's Washington office and a member of the firm's Securities Department. Jeremy Moorehouse is an associate in WilmerHale's Washington office and a member of the firm's Securities Department. Daniel Hartman is a JD student at Cornell Law School and was a 2013 summer associate at WilmerHale.

^{1 Salvador Rodriguez, Vanished Snapchat Photos Can Be Restored, Data Retrieval Firm Says, L.A. TIMES (May 11, 2013), http://articles.latimes.com/2013/may/11/business/la-fi-tnsnapchat-photos-restored-300-20130510.}

^{2 See Evelyn M. Rusli, IVP Defends $60 Million Investment in Snapchat WALL STREET J. DIGITS BLOG (June 24, 2013, 3:49 p.m.), http://blogs.wsj.com/digits/2013/06/24/ivp-defends-60-million-investment-in-snapchat/.}

^{3 Kevin Roose, Wall Street is Obsessed with Snapchat, NEW YORK MAGAZINE DAILY INTELLIGENCER (June 12, 2013, 10:24 a.m.), http://nymag.com/daily/intelligencer/2013/06/wall-street-isobsessed-with-snapchat.html.}

^{4 See, e.g., Victor Luckerson, Wall Street Falls in Love with Snapchat, TIME, June 14, 2013, available at http://business.time.com/2013/06/14/wall-street-falls-in-love-withsnapchat/.}

^{5 Some media coverage of Wall Street's Snapchat usage have hinted at this issue already. See, e.g., John Carney, It's the Summer of Snapchat on Wall Street, CNBC, http://www.cnbc.com/id/100811454 (suggesting that Snapchat may provide bankers with a way to send incriminating business messages that will not come back to haunt them).}

^{6 William Alden, The Statute of Limitations Is Longer Now, Bharara Warns Wrongdoers, NEW YORK TIMES DEALBOOK (July 17, 2013, 11:07 AM), http://dealbook.nytimes.com/2013/07/17/statute-of-limitations-is-longer-bharara-warns/.}

^{7 Ask The Analyst – About Electronic Communications, FINRA Regulatory and Compliance Alerts (April 1996), http://www.finra.org/Industry/Regulation/Guidance/RCA/p015417.}

^{8 Commission Guidance on the Use of Company Web Sites, Exchange Act Release No. 58,288 (Aug. 7, 2008).}

^{9 Targeted Examination Letter Re: Spot-Check of Social Media Communications, FINRA (June 2013), http://www.finra.org/Industry/Regulation/Guidance/TargetedExaminationLetters/P282569 (requesting that brokerdealers explain their use of social media, including specific details as to which forms they use to generate business).}

^{10 Michael J. De La Merced, S.E.C. Sets Rules for Disclosures Using Social Media, N.Y. TIMES DEALBOOK (Apr. 2, 2013, 4:54 PM), http://dealbook.nytimes.com/2013/04/02/s-e-c-clearssocial-media-for-corporate-announcements/?_r=0. See also Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: Netflix Inc., and Reed Hastings, Exchange Act Release No. 69,279 (Apr. 2, 2013) [hereinafter, ''Report of Investigation of Netflix and Reed Hastings''] (companies may use social media to announce information to the public in compliance with Regulation FD, but they must first notify investors of which outlet will be used).}

^{11 Jason P. Juall, NYSE Issues Guidance on Use of Social Media as a Disclosure Tool, Holland & Knight Securities & Financial News to Note (Apr. 29, 2013), http://www.hklaw.com/publications/NYSE-Issues-Guidance-on-Use-of-Social-Mediaas-a-Disclosure-Tool-04-29-2013/ (the NYSE's letter focused on Section 202.06(B) of the NYSE Listed Company Manual concerning listed a company's sharing material information with the NYSE prior to public dissemination).}

^{12 Jenny Quyen Ta, FINRA Letter of Acceptance, Waiver and Consent No. 2010021538701 (Registered person ''tweeted'' in an ''unbalanced'' manner concerning a company in which she and her family held shares).}

^{13 See, e.g., In re Anthony Fields, et al., SEC Initial Decision Release No. 474 (Dec. 5, 2012) (fictitious offerings on LinkedIn); Dep't of Enforcement v. Levy, FINRA Disciplinary Proceeding No. 2009018050201 (June 15, 2011) (discussing pending and prospective mergers on a blog); Jenny Quyen Ta, supra note 12.}

^{14 See Social Media Websites and the Use of Personal Devices for Business Communications, FINRA Regulatory Notice 11-39 at 2 (Aug. 2011) [hereinafter, ''Notice 11-39'']; National Examination Risk Alert: Investment Adviser Use of Social Media, SEC Office of Compliance Inspections and Examinations (Jan. 4, 2012) [hereinafter, ''Social Media Risk Alert''].}

^{15 See, e.g., NASD Rule 3010; NASD Rule 3012; Advisers Act Rule 206(4)-7.}

^{16 NASD Rule 3010(a).}

^{17 See NASD Rule 3010(b). Additionally, the SEC staff has indicated that registered investment advisers may consider articulating guidelines regarding business-related social media communications, including prohibiting content and monitoring employee communications. Social Media Risk Alert at 3.}

^{18 Advisers Act Rule 206(4)-7(a).}

^{19 See, e.g., Social Media Risk Alert; Notice 11-39; Social Media Web Sites, FINRA Regulatory Notice 10-06 at 4 (Jan. 2010) [hereinafter, ''Notice 10-06''] (describing the applicability of NASD and FINRA rules to social media).}

^{20 See FINRA Rule 2210; see also Notice 11-39; Notice 10- 06.}

^{21 Although not required, the SEC has explained that registered investment advisers should consider implementing a process for pre-approving content before it is disseminated publicly through social media. Social Media Risk Alert at 4.}

^{22 Notice 11-39 at 7.}

^{23 See Exchange Act Rule 17a-4; Advisers Act Rule 204-2; FINRA Rule 4511 (requiring broker-dealers to follow Exchange Act Rule 17a-4).}

^{24 Exchange Act Rule 17a-4(a)-(b).}

^{25 Advisers Act Rule 204-2(a)(7), (a)(11), (e)(1).}

^{26 See, e.g., Notice 11-39 at 2.}

^{27 Notice 11-39 at 4 (FINRA also explained that ''firms and associated persons may not sponsor such sites or use such devices.'').}

^{28 Report of Investigation of Netflix and Reed Hastings.}

^{29 For instance, a company that is not subject to FINRA jurisdiction may, nonetheless, implement policies and procedures that address social media use.}

^{30 See Notice 11-39 at 3-4; Notice 10-06 at 2 (''The Notice does not purport to address the use by individuals of Social media sites for purely personal reasons.''). FINRA has provided some limited guidance indicating that an individual may list his or her ''business card information'' on a social media website, such as LinkedIn, and that this likely would not constitute a business communication. See Presentation on Compliance Considerations for Social Media, FINRA Annual Conference (May 2011), http://www.finra.org/web/groups/industry/@ip/@edu/@mat/documents/education/p123612.pdf.}

^{31 See, e.g., NASD Rule 3010.}

^{32 Social Media Risk Alert at 4.}

Originally published August 2013

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.