Social Selling Creates SEC Compliance, Security Demands for Financial Advisers

Social media, where people spend a lot of their time, provides a natural avenue for building relationships with prospective customers because it offers channels for direct communication. And using social media this way gets results. According to research by LinkedIn, social selling leaders generate 45% more leads than peers with a lower social selling index, and 78% of social sellers outsell those who don’t use social media.

However, the opportunities created by social selling come with risks and responsibilities, most notably the reporting requirements included in the SEC’s update of the Investment Advisors Act governing investment adviser advertisements and payments to solicitors. It expanded its definition of an advertisement to include social media marketing and set strict rules for recordkeeping. The law also has teeth in the form of fines and other actions, as several banks and other institutions have discovered since the changes began taking effect in 2021. As of November 2022, the SEC’s reforms are fully enacted.

In addition to compliance requirements, social selling also amplifies security risks. It further expands an organization’s attack surface, offering threat actors new opportunities for spear phishing, accounting takeovers and other attacks that threaten investment advisers’ data, reputations and business.

Investment advisers should take heed. Social selling offers a wealth of potential benefits, but advisers need to ensure they are following safe security practices to protect themselves, their data and their clients. 

Cybersecurity

SEC Proposes Slate of New Cybersecurity Regulations. Is Your Firm Ready?

by Baker Donelson

May 3, 2023

The SEC is continuing its focus on cybersecurity regulations by announcing three new proposed rules and re-opening the comment period on an additional proposed rule from last year.

Read more

The benefits of social selling

Social media is increasingly where people spend their time online. Recent research by GWI found that social media use now accounts for 38% of users’ time spent online worldwide. In fact, while people overall are spending less time on the internet, social media use has increased by 2% (more than 3 minutes) so far in 2023. The average user spends about 2.5 hours on social media, which is 30% more time than they spend watching traditional TV.

The environment is ripe for a strategy of social selling, which is more than just flooding people with tweets or DMs or merely adding names to a contact list — in fact, broadside approaches have been found to drive people away. Social selling is an attempt to connect on a personal level, to build a relationship with prospective customers that can lead to doing business together. Research shows that 70% of Americans are more likely to trust people they know, rather than brands or the general pollution — and in financial services, 48% of retail investors trust their financial advisers because of the technology they use.

SEC sets fine-grained requirements

The amendments to the Investment Advisors Act were an attempt by the SEC to keep pace with the realities of modern communications, and a key element of the reforms is a redefinition of what constitutes an advertisement. Under the reform, communication via social media is considered an ad if it includes a hypothetical performance marketing of services. Most important in terms of social selling, it counts as an ad even if it’s made to one person.

The only exception would be if a message is sent in response to an unsolicited request, or if it’s made to a prospective or current investor in a private fund. For the most part, however, communications made individually to potential customers via LinkedIn, WhatsApp, Facebook, Telegram, Twitter or any other social media platform are considered advertising.

What gives that rule weight are changes the SEC made to recordkeeping under the act — specifically, that investment advisers need to make and keep records of all of their advertisements, including those covered in the new rules.

Failure to comply with rules on social media use and recordkeeping can incur serious consequences, regardless of whether they deal directly with social selling. A Mutual Life Insurance subsidiary in Massachusetts was fined $4 million as a settlement after an investigation into their employees’ social media and trading activity. The SEC also has carried out a $200M enforcement action against one of the largest banks relating to records preservation requirements. And in September 2022, the SEC announced charges against 15 broker-dealers and an affiliated investment adviser for failure to maintain and preserve electronic communications. In total, the firms agreed to pay more than $1.1 billion in penalties.

It’s also important to keep in mind that other rules regarding advertisements, such as disclaimers, can apply to direct communications. Pharmaceutical company Duchesnay received a warning letter from the FDA after Kim Kardashian posted an item about the company’s morning sickness drug while neglecting to mention its side effects.

The need for a centralized digital archive

In addition to being aware of how to conduct advertisements via social media, firms should consider adopting a centralized digital archive for their communications.

The SEC reforms require that, “investment advisers must make and keep records of all advertisements they disseminate.” And although it doesn’t identify any methods for how records should be kept, it does stipulate strict requirements for availability. Records should be kept, “in an easily accessible place for a period of not less than five years,” the rule states, adding that for the first two years, records must be kept at an appropriate office of the investment adviser.

To meet these requirements, it would be wise to centralize your digital archive that would contain all adviser’s social selling activity and be easily searchable if the need crops up for legal or enforcement reasons. A centralized archive with automated tools can manage hundreds of social media accounts, scaling with the size of the firm, and identify scores of risk factors, such as those relating to SEC regulations (or those in other countries), personally identifiable information (PII), high-pressure sales tactics or customer complaints.

Security risks of social selling

Compliance requirements can give investment advisers plenty to keep track of, but they also cannot ignore the security implications of social selling. Making greater use of social media platforms, which have varying privacy and security protections, can open firms to a number of attack vectors that abound in the cyber threat landscape. Among the most common affecting social selling are the following:

• Account takeovers
• Spear phishing and data loss
• Malicious content

Take a proactive approach

Shoring up security on your social media activity and complying with the SEC’s rules on archiving requires a thorough, proactive approach.

Investment advisers should start by gaining visibility into social media assets, which remain invisible to most security teams. The amount of information gathered will vary depending on the size of an organization, but it’s important to be aware of every social media channel being used and how they are being used. Monitoring that use is important for identifying compliance risks as well as security risks, from signs of account takeovers to activity by imposter brands that could harm your reputation.

A robust security solution will scan both the surface and the deep/dark web for imposter social media accounts, as well as monitor, detect, flag and quarantine compromised social media communications. Real-time detection of risks can allow for a quick response, limiting any damage.

Automation is a key part of any solution because of the sheer scale of social media. The number of channels and users is too great for administrators, security teams or anyone else to keep up with manually. Yet the speed of social media — where damage can be done and reputations harmed in a matter of minutes — requires real-time monitoring and response.

User training also is important. Educating users on how to spot phishing and social engineering tactics can help stop some attacks before they get started. Advisers also should be clearly aware of the risks of disclosing too much information in a public setting (even a one-on-one communication).

Conclusion

Social selling has delivered such clear advantages to its avid users that the rest of the field are sure to follow. As it continues to grow as a core business tool, compliance requirements and security threats will follow. With the SEC’s new rules now applying to advertising made to individual social media accounts, investment advisers need a centralized, automated digital archive that can help manage activity and meet compliance rules. Meanwhile, a comprehensive, proactive approach to securing social media activity is necessary for firms to protect their data, reputations and business dealings.