Social Media Compliance Best Practices: Company Procedures And Recordkeeping

by: Michelle M. Waymire


The SEC has clearly stated in its Risk Alert on Social Media that advisors must take care to separate their social media procedures from other company procedures.

Social media procedures should contain usage guidelines, personal vs. professional guidelines, content standards and an approval process.

The SEC also mandates that advisors maintain records of their social media activity, which can be facilitated through the use of a number of compliance software options.

Disclaimer: I am not a lawyer; I don't even play one on TV. So suffice it to say that the material available in this article is for informational purposes only and not for the purpose of providing legal advice.

This blog post is the last installment of a three-part series on social media compliance in the financial services industry. However, I have received requests for an SA-specific compliance post, which will be coming in the next couple of weeks!

If you've been keeping up with previous posts, you'll know that the world of social media compliance is chock full of roadblocks and gray areas. In particular, advisors should be aware of four key areas when it comes to keeping compliant:

  1. Advertising
  2. Testimonials
  3. Company procedures
  4. Recordkeeping

In our last posts, we focused on issues related to advertising and testimonials. In this post, we'll be talking about both procedural and recordkeeping needs for your practice.

Company Procedures

As a financial advisor, you've likely built up a number of company compliance procedures that apply to other parts of your business: paid advertising, format of client statements, general disclaimers, electronic communications, etc. However, the SEC has clearly stated in its Risk Alert on Social Media that advisors must take care to separate their social media procedures from the rest. In other words, blanket communication procedures won't cut it here; you have to be specific about which procedures apply to which communication mediums.

Moreover, not only do you have to write a set of procedures, you need to distribute them among your employees and certify that your employees have read and understood the procedures. Like other compliance policies, you must also periodically review their effectiveness, then adjust the procedures as needed. Ideally, that's how you're running your compliance department already, so rather than get into the nuts and bolts there, it makes more sense to go over some of the key things your Social Media Policies should contain:

Usage Guidelines

In simplest terms, usage guidelines dictate what social media you can use. According to the SEC, this might be as sweeping as a list of approved social media sites or a list of specific functionalities on those sites. Your usage guidelines should take into account the reputation of the site you want to use, the site's privacy policy, the ability to remove third-party posts, and controls on anonymous posting.

Personal vs. Professional Guidelines

In a lot of ways, this one is an offshoot of the usage guidelines. While a blanket list of social media sites might be part of your usage guidelines, it is important to separate personal accounts from professional ones. Use of enterprise-wide sites such as company pages is a little more cut and dried. While some firms may opt for profiles under individual names, these must be treated like company pages: all the usual rules and regulations apply if you're using it to grow your practice or solicit business. The guidelines for personal vs. professional pages should be clearly articulated, as well as criteria for which individuals are permitted to use their personal pages for business reasons.

Content Standards

This is the "what to post" part of the equation. Some companies give really specific guidance about what is allowed, while others leave more discretion. However, in general, it is best to limit the content that can be most frequently construed as either an advertisement or testimonial. This includes content that contains investment recommendations, information on specific investment services, or investment performance. For example, at BPV, we don't use social media to discuss any of our investment products or performance; rather, we focus on thought leadership and insights.

Approval of Content

A good compliance policy should also make clear that a supervisor or compliance officer is to have oversight of each social media channel, so that they can monitor posts and online engagement.

The policy should also dictate whether content needs to be approved in advance, or whether it can be subject to review later on. Whether posts are reviewed after the fact will depend on the kind of information your policies allow you to publish. For instance, if you have an Instagram feed set up to showcase office life, that is less likely a liability than your Twitter feed about market commentary. The monitoring will need to match the medium, in other words.

For posts that don't require approval in advance, there should also be a system that dictates frequency of review. In other words, will your social media page be checked daily, weekly, biweekly, or at some other interval?


Recordkeeping

Recordkeeping is in a lot of ways both the easiest and the most difficult aspect of compliance, once a policy is in place and everyone knows the guidelines of what to publish. It's cheap yet time-consuming for those who don't have a software solution in place, and expensive yet painless for those who do.

The question is, what records to keep? According to the SEC's Rule 204-2, advisors must maintain all copies of policies and procedures for five years -- this includes that social media policy we just discussed above. SEC Rules 204-2 and 206(4)-7 also require advisors to implement a compliance archiving and monitoring solution to archive and supervise emails, messages and social media. Moreover, social media comments must be archived in their original formats, which means showing the content in its actual form, not just the text you used to make the social media post. You have to keep social posts for 3 years.

Luckily, there are a number of resources that help with this very function:


Smarsh:

Smarsh currently assists over 20,000 firms with their compliance needs in email, instant messaging, text, web, video and social media communications. They offer various packages that can help you based on your level of need.

Global Relay:

This service allows you to locate and track previous messages sent from numerous devices. Global Relay can search across the platforms it archives, which include email, public instant messaging, Bloomberg® messages, Thomson Reuters, social media, ICE Chat, Pivot 360, web, Chatter, Yammer, and Lync/Skype for Business.


Actiance:

Actiance can help ease the stress of recordkeeping by actively enforcing policies across over 70 social platforms and communication channels. Some current clients of Actiance are J.P. Morgan, Fidelity, Bank of America and Verizon, to name a few.


Socialware:

Socialware thrives in the social media realm. They can help with any compliance and archiving needs that you might have. Socialware also offers assistance with protecting your social brand.

Hearsay Social:

Hearsay Social walks advisors through the whole compliance process by notifying you in real time about a problematic post or tweet; it pre-approves other content, and also captures and archives all social activity.


While putting together a comprehensive policy and recordkeeping process that addresses these issues can be difficult, we believe it's worth it to keep all employees on the same compliant page. You can get started by tackling the following:

  1. Identify what social media platforms you want to use, who is permitted to use them, and whether they can use personal or professional pages
  2. Set guidelines for off-limit topics
  3. Craft a procedure for compliance pre-approval or post-review
  4. Create a recordkeeping plan, using third-party software for efficiency
  5. Pull all policies into a single document and distribute to employees
  6. Conduct training and confirmations of handbook receipt, as needed
  7. Maintain ongoing oversight and reassess policies as needed
  8. Go forth, and be social!

Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours.

I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it. I have no business relationship with any company whose stock is mentioned in this article.