Can Social Media be Compliantly Supervised? The RegTech Option
By BUFFERZONE Team, 14/06/2017
One of the most difficult compliance challenges faced by companies in the financial and health industries is the requirement to record and supervise employee communications over social media. Let’s take a look at this challenge and at some of the ways to meet it.
Recordkeeping and Supervision Requirements and Regulations
Social media is a useful and powerful business tool, but has its drawbacks as well. Social media communications can sometimes be seen as representing company positions, and this can include even simple communications such as comments or likes on LinkedIn or on Facebook, or even retweets or other sharing of third-party content, which can be considered endorsements of that content.
Because of this, various national or industry-wide regulatory bodies such as the Financial Industry Regulatory Authority (FINRA) and the Federal Financial Institutions Examination Council (FFIEC) have issued guidelines for companies in the financial services, pharmaceutical and health sectors, applying general regulations for electronic communications specifically to social media. Typically, the guidelines require that all business-oriented social media communication – often including simple likes and shares – be consistently recorded, archived, and supervised. The recording can be automated; however, much of the communication also needs to be specifically supervised and checked for the content’s conformity with organizational and regulatory guidelines. The supervision cannot be outsourced. And finally, the policies and procedures for the recordkeeping and supervision need to be demonstrable for auditing. Firms can be, and are, fined for not being able to provide evidence of written protocols and procedures for their recordkeeping and supervision responsibilities.
Is Social Media Worth the Headache?
Needless to say, these requirements create a huge headache for companies’ legal and compliance departments, not to mention for the groups tasked with the required supervision. In light of these challenges, it’s little wonder that many organizations prefer the simpler, easier and probably more reliable option of just blocking most employees from accessing social media altogether. Only employees who are specifically tasked with marketing and advertising over social media are allowed to access sites such as Facebook, Twitter, LinkedIn, and YouTube. In this case, recordkeeping and supervision needs become irrelevant for the activities of most company departments.
However, this simple solution carries a significant business price. Social media can be a rich source of information for market and other types of research, for recruiting, investigation, and networking. Blocking social media can disrupt legitimate and even important business needs. And pressure from frustrated employees can result in ad hoc exceptions to the blocking policy, reducing the solution’s effectiveness and reliability, and possibly endangering compliance.
Have Your Cake and Eat It Too
What is really needed is a solution that would allow unrestricted viewing access to social media sites and block only the ability to perform communicative actions such as commenting, liking and sharing. Such a solution would ensure compliance without hindering business needs. Everyone would be happy: your employees, your legal and compliance departments, and most importantly – the regulators.
But is allowing access without outbound communication even possible?
BUFFERZONE’s new Read-Only Browsing feature provides a RegTech (Regulatory Technology) solution that does exactly this.
BUFFERZONE itself is a centrally-managed endpoint agent that keeps all applications that have access to the outside world, such as browsers, in a virtual container. The container’s main function is to isolate potential malware from the endpoint’s native resources and from organizational network resources, creating faultless endpoint protection. With the new Read-Only Browsing (beta) feature, contained web browsing sessions are read-only for designated sites, disabling only the parts of the web page intended for users to enter or submit various kinds of content.
With this BUFFERZONE solution, users can read all of the web page content, but there are no submitted comments, likes, or shares to be recorded or supervised. And, since organizational proxy servers can force access to untrusted sites to come from contained browsers, users can’t circumvent this policy. The compliance burden is removed, and users who otherwise would be completely blocked from their favorite social media sites are happy with their new empowerment.
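As an added illustration (not BUFFERZONE’s own code; the post does not describe how the feature is implemented), the following hypothetical browser-side content script makes a designated site read-only in the sense described above: viewing stays unrestricted, while form controls, editors, form submission and state-changing requests are cut off. The site list, the allowed-method rule and the element selector are assumptions.

```javascript
// Hypothetical "read-only browsing" content script (added example, not
// BUFFERZONE's implementation). Viewing stays unrestricted; every channel
// for entering or submitting content is disabled.
// Constructed policy: hostnames (and their subdomains) that are read-only.
const READ_ONLY_SITES = ["facebook.com", "twitter.com", "linkedin.com", "youtube.com"];
// Decide whether a hostname falls under the read-only policy.
function isReadOnlyHost(hostname, sites = READ_ONLY_SITES) {
  const h = String(hostname).toLowerCase().replace(/\.$/, "");
  return sites.some((s) => h === s || h.endsWith("." + s));
}
// Only non-state-changing HTTP methods may leave a read-only session;
// likes, shares and comments are all POST requests behind the scenes.
function isAllowedRequest(method) {
  return ["GET", "HEAD", "OPTIONS"].includes(String(method || "GET").toUpperCase());
}
// Disable the parts of the page meant for entering or submitting content.
function disableControls(doc) {
  const sel = "input, textarea, select, button, [contenteditable]";
  for (const el of doc.querySelectorAll(sel)) {
    if (el.hasAttribute("contenteditable")) el.setAttribute("contenteditable", "false");
    else el.disabled = true;
  }
}
// Apply the whole policy to a live page.
function enforceReadOnly(doc, win) {
  disableControls(doc);
  // Re-run for controls that single-page apps insert later.
  new win.MutationObserver(() => disableControls(doc))
    .observe(doc.documentElement, { childList: true, subtree: true });
  // Cancel form submissions before the page's own handlers see them.
  doc.addEventListener("submit", (e) => e.preventDefault(), true);
  // Refuse state-changing fetch() and XMLHttpRequest calls.
  const origFetch = win.fetch.bind(win);
  win.fetch = (input, init = {}) => {
    const method = init.method || (input && input.method) || "GET";
    if (!isAllowedRequest(method)) return Promise.reject(new Error("read-only: " + method));
    return origFetch(input, init);
  };
  const origOpen = win.XMLHttpRequest.prototype.open;
  win.XMLHttpRequest.prototype.open = function (method, ...rest) {
    if (!isAllowedRequest(method)) throw new Error("read-only: " + method);
    return origOpen.call(this, method, ...rest);
  };
}
// In a browser, enforce the policy only on designated sites.
if (typeof document !== "undefined" && isReadOnlyHost(location.hostname)) {
  enforceReadOnly(document, window);
}
```

Because this enforcement lives inside the browser, a user with developer tools could undo it; the proxy policy described above, which forces untrusted sites through contained browsers, is what keeps the read-only restriction from being circumvented.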
Sources
FINRA 10-06, FINRA 11-39
FFIEC Social Media: Consumer Compliance Risk Management Guidance
J. Belbey on forbes.com, 9 Best Practices for Using Social Media Compliantly in Financial Services, August 2016