On February 28, 2023, the Financial Industry Regulatory Authority, Inc. (FINRA) provided an update on its targeted exam, or Sweep, relating to social media influencers, customer acquisition and related information protection. The Update focused on social media influencers and referral programs as well as firms' privacy obligations and summarized selected practices observed to date as FINRA continues to review responses to the Sweep.
With respect to social media influencers and referral programs, the Update provided very basic guidance that did not go beyond what could reasonably be inferred by the requests made by the Sweep.
FINRA's Update identified a practice of maintaining written supervisory procedures (WSPs) that focused on and distinguished between social media influencers and referral programs. The Update also suggested that firms may want to consider the need for additional controls with respect to social media influencers with a relatively large social media presence and whether social media programs managed by member firms, affiliates or marketing agencies may trigger additional requirements. The Update also reminded firms of the need to update their WSPs on a regular basis and in response to program developments, regulatory changes or industry trends. Firms should also consider the need for their WSPs to address participants' referral related compensation. While the Update did not go into any detail regarding permissible and impermissible referral related compensation, firms should consider whether transaction-related compensation paid in the context of referrals may run afoul of FINRA Rule 2040 – Payments to Unregistered Persons.
Another practiced identified by FINRA's Update was the conduct by firms of an evaluation for compliance and reputational risk of the social media influencers' background and prior social media activities. The Update also identified the provision of training to social media influencers, including with respect to permitted and prohibited conduct.
In addition, the Update referenced the need to maintain records of social media influencer and referral program communications consistent with SEC and FINRA recordkeeping obligations. While the Update did not identify the scope of these obligations, the requests set forth in the Sweep likely provide a good sense of their scope. This includes the need to maintain copies of any social media communications posted by the influencer as well as communications posted by the firm on an influencer's social media accounts together with such other records as may be required by FINRA Rule 2210 - Communication with the Public. Consideration should also be given to whether each such posting must be approved by a registered principal of the firm and otherwise made available to FINRA's Advertising Regulation Department pursuant to FINRA Rule 2210. While not discussed in the Sweep, firms should consider the applicability of the content standards of Rule 2210, including those relating to testimonials, postings by the influencer and the firm.
With respect to privacy, FINRA's Update reminded firms of their obligation pursuant to Regulation S-P to protect customer nonpublic information (NPI) and the limitations on disclosing customer NPI to non-affiliated third parties.
FINRA's Update also stressed the need to maintain WSPs addressing Regulation S-P obligations. WSPs should address the obligation to deliver timely privacy notices to customers and protect usage information for customers who opt out of information sharing, including information collected using "cookies".
The Update also stated that the privacy notices to customers should identify categories of NPI collected and shared with third parties as well as the categories of affiliated and non-affiliated third parties with whom the information is shared. To the extent firms share non-anonymized NPI with third parties, firms must have written agreements with such parties limiting their use of such information.
More generally, firms should consider that FINRA's review of the responses to its Sweep are ongoing and that more detailed findings are likely both in the form of possible enforcement actions as well as further guidance. Accordingly, firms should view FINRA's latest guidance as highly preliminary and should not consider it as the last word regarding firms' obligations in this context.