Social Media Compliance For Regulated Industries: All You Need To Know

Feb 9, 2021 7 min read

Any business, regardless of the industry, needs to have an active social media presence these days.

It presents an unmatched opportunity to engage in direct two-way communication with customers & prospects.

However, for some of these businesses, there are much more serious social media challenges present.

For highly regulated sectors such as finance, healthcare, government, insurance, etc., social media can be a minefield.

One wrong tweet or social media post can inflict serious damage on a company. And that's not all: for these sectors, there are serious legal implications as well.

In this post, we'll look at some common social media compliance risks & help you create a strategy to stay compliant.

We have an industry-wise breakdown. So you can jump to the section of your choice.

Common Social Media Compliance Risks

Did you know that 59% of companies don't carry out any form of social media risk assessment?

And most aren't even aware of the compliance risks.

Social Media Posts with Compliance Risks

21% of all monitored posts in July 2020 were flagged for compliance observations—an increase of 12% since January 2020

So, what risks does social media pose?

For better understanding, let's divide them into two main categories.

  • Confidentiality & Data Security
  • Misleading & False Claims

So – what risks fall into each category?

Confidentiality & Data Security

Sharing information on spontaneous & unpredictable platforms comes with underlying hazards.

The government bodies listed below have strict rules on social media regarding privacy, confidentiality & data security.

  • FTC (the Federal Trade Commission)
  • FINRA (the Financial Industry Regulatory Authority)
  • SEC (the Securities and Exchange Commission)
  • The Office for Civil Rights (HIPAA)

The regulations vary from industry to industry; the prominent ones for each sector are covered in the industry-wise sections below.

These regulations are strict about data storage & sharing.

Misleading & False Claims

For businesses operating in regulated industries, false or misleading claims are not allowed as part of your marketing and promotional activities.

Any advertisements or statements that you run on social media channels such as Facebook, Twitter, YouTube, etc., cannot mislead or deceive the audience.

Businesses may also be held responsible for posts or public comments made by others on their social media pages, which are likely to mislead consumers.

In one court case, a company was held responsible for fan posts and user testimonials on its social media pages because it knew they were misleading and chose not to remove them.

Social Media Compliance For Financial Institutions

From JPMorgan Chase to Goldman Sachs, financial institutions have started using social media activity for a variety of purposes in recent times.

Although marketing laws don't explicitly address any social media requirements for financial institutions, several existing laws & regulations specific to the finance sector treat social media as a marketing channel.

This means that all the requirements applicable to your organization's website also apply to your Twitter account.

The Financial Industry Regulatory Authority (FINRA) provides compliance requirements for social media content. But the U.S. Securities and Exchange Commission (SEC), the FTC, the NLRB, and the FFIEC also monitor social media for compliance violations.

Key Social Media Regulations For Financial Institutions

Here are some key social media regulations set by FINRA. These rules & regulations protect investors from false, misleading claims, exaggerated statements, and material omissions.

Supervision & Reviews

FINRA states that financial firms must supervise the business-related content their personnel communicate on social media, including whether any recommendations are being made.

Firms must have a registered principal review content for compliance issues before it gets published.

  • Static Content: Longer-lived material that does not involve a real-time conversation. A registered principal must approve static material before use, and in some cases it must be filed with FINRA.

  • Interactive Communication: Short, real-time material involving a dialog with the audience. Interactive material does not require principal approval before use if it is supervised, much as firms supervise correspondence and institutional communications.

Fair Communications

All financial firms need to comply with FINRA's communication rule. Here are some key pointers you need to keep in mind:

  • All communications must be complete, balanced & fair. No material information should be omitted
  • False, misleading, exaggerated, or unwarranted statements & claims are prohibited
  • Communications must not predict or project performance (with certain exceptions)
  • Vital information may not be buried in footnotes
  • Communications must provide a balanced treatment of risks and potential benefits

Books And Records

Financial firms & their registered representatives must retain complete records of communications related to their "business as such." The "business as such" depends on the content of the communication & not on the type of technology or device used to send or receive it.

Such records must be preserved for at least three years.

Third Party Websites

Financial firms may not link to any third-party site that contains false or misleading content.

As per FINRA's communications rule, firms become responsible for the content on a linked third-party site if the firm has adopted or become entangled with that content.

Reg B: Discrimination against certain credit applicants is prohibited.

Reg Z (Truth-in-Lending Act): All commercial messages that promote credit transactions need to follow Reg Z compliance requirements.

Reg DD (Truth-in-Savings Act): Any commercial message that promotes deposit accounts needs to follow Reg DD compliance requirements.

Gramm-Leach-Bliley Act: Firms must ensure that confidential customer account data is not exposed when providing customer service or assisting with products.

Social Media Compliance For Healthcare

Only 26% of hospitals and 36% of physician practices in the U.S. are active on social media.

And there's a good reason for it.

Managing social media in the healthcare & pharmaceutical sectors feels like swimming with sharks.

Compliance with HIPAA, the Health Insurance Portability and Accountability Act, is complicated and intense.

But this doesn't mean you can skip it.

240% of people use the information they find about healthcare online to make decisions about their health.

Being familiar with key regulations and knowing how to avoid violating HIPAA rules can help you easily navigate social media.

Key Social Media Regulations For Healthcare

When communicating on social media, ensure that you never share any PHI (Protected Health Information) of patients or prospects. Here are some examples of PHI:

  • Patients' names (including nicknames)

  • Any dates related to individuals

  • Geographical information and addresses of patients

  • Any online patient identifier including patient URLs, social media handles, I.P. addresses

  • Any important numbers associated with a patient: account numbers, phone numbers, I.D. numbers, medical record numbers, social security, etc.

  • Any information about a patient's vehicle, including license plate numbers, VINs, or information such as a vehicle's make, model, or color.

  • Photos, fingerprints, audio files, or videos.

  • Any other information that could reveal a patient's identity.
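As an added example (not Statusbrew code and not a certified HIPAA tool), here is a pre-publish screen that a content-approval workflow could run over a draft post before it reaches the reviewer. It flags fragments that resemble the pattern-detectable categories in the list above (dates, URLs, handles, IP addresses, phone/record/social security numbers, VINs, street addresses). Patient names cannot be caught by a regular expression, so this is a triage aid for the human reviewer, not a substitute for review. The organisation handle, domain and the two draft posts are constructed; the allowlists let the organisation's own handle and website through so that only third-party identifiers are surfaced.

```python
"""Pre-publish PHI screen for draft social media posts (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Finding:
    category: str   # PHI category from the list above that the fragment resembles
    text: str       # the matched fragment, so the reviewer sees what tripped it
    start: int      # character offset in the draft, for locating it


# Heuristic patterns, one per pattern-detectable PHI category.
# Patient names are deliberately absent: a regex cannot recognise them.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "url": re.compile(r"https?://[^\s)>\]]+"),
    "handle": re.compile(r"(?<![\w.])@[A-Za-z0-9_]{2,}"),
    # account / medical record style numbers: a keyword followed by 4+ digits
    "record_number": re.compile(
        r"\b(?:mrn|acct|account|patient id|record)\s*(?:no\.?|number|#|:)?\s*\d{4,}\b", re.I),
    # 17-character VIN alphabet (no I, O or Q)
    "vin": re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b"),
    "address": re.compile(
        r"\b\d{1,5}\s+(?:[A-Z][a-z]+\s+){1,3}(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Dr|Drive|Ln|Lane)\b"),
}


def screen_post(text, allowed_handles=(), allowed_domains=()):
    """Return every fragment of `text` resembling a listed PHI category.

    Handles and URLs that belong to the organisation itself (the allowlists)
    are skipped; everything else is returned, sorted by position, for a
    human reviewer to clear or reject.
    """
    handles = {h.lstrip("@").lower() for h in allowed_handles}
    domains = {d.lower() for d in allowed_domains}
    findings = []
    for category, pattern in PHI_PATTERNS.items():
        for m in pattern.finditer(text):
            frag = m.group()
            if category == "handle" and frag[1:].lower() in handles:
                continue
            if category == "url":
                host = (urlsplit(frag).hostname or "").lower()
                if host in domains or any(host.endswith("." + d) for d in domains):
                    continue
            findings.append(Finding(category, frag, m.start()))
    return sorted(findings, key=lambda f: f.start)


def safe_to_publish(text, **allowlists):
    """True only when the screen raises nothing; a reviewer still signs off."""
    return not screen_post(text, **allowlists)


# Constructed organisation identity and draft posts (not real accounts or people).
ORG_HANDLES = ("@ExampleClinic",)
ORG_DOMAINS = ("example.org",)
DRAFTS = {
    "clean": "Welcome to our new nurse practitioner! Book at https://example.org/book "
             "or message @ExampleClinic.",
    "phi": "Great to see @jane_doe88 recovering after her 03/14/2021 surgery "
           "(MRN 4471920). Questions? Call 555-123-4567.",
}

if __name__ == "__main__":
    for name, draft in DRAFTS.items():
        hits = screen_post(draft, ORG_HANDLES, ORG_DOMAINS)
        verdict = "OK for reviewer" if not hits else "HOLD"
        print(f"{name}: {verdict}")
        for f in hits:
            print(f"  {f.category:14} at {f.start:3}: {f.text}")
```

Run as a pre-submit hook in the approval workflow, the "phi" draft is held with four findings (a third-party handle, a date, a record number and a phone number) while the "clean" draft passes through, because its only URL and handle are the organisation's own. Every hold should still land in front of a reviewer; the value of the screen is that it catches the identifiers a tired marketer types without thinking, not that it decides.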

Here are some quick tips to prevent your practice from violating the rules of HIPAA on social media:

  1. For medical practices, make sure to separate all physician profiles from personal social profiles

  2. Ensure all your staff is aware of PHIs and other key information to prevent any missteps.

  3. Before featuring any patients in any photography or videos, ensure that you have documented consent. A patient can post their picture on social media, but the company cannot post or repost the same picture without permission.

  4. Employees may not provide any tips or advice on social media

  5. False claims, exaggerations, or inaccurate information should be prohibited

  6. Ensure that you're keeping records that meet the standards (detailed record trails for a minimum of 10 years) of both ERISA (Employee Retirement Income Security Act) and ACA (Affordable Care Act).

Healthcare companies and practitioners can reduce the risks of HIPAA violations by implementing clear information-sharing policies.

Social Media Compliance For Government Agencies

Government bodies have to live and die by public opinion.

And people these days are openly engaging in discussions & voicing their concerns on social media.

Innovative policymakers are quickly adapting to this norm by creating highly engaging social content to rally follower support.

For any government body to capture and maintain public sentiment and engagement, embracing the new era of social media discourse is critical.

But it's harder than it looks.

All government bodies and representatives have to stay compliant with the Freedom of Information Act (FOIA), General Data Protection Regulation (GDPR), and other public records laws. These acts enforce access & accessibility of critical information.

This means government accounts should not block any followers, be it critics, trolls, etc.

Data handling, citizen engagements, acceptable & forbidden content are a few things that Government bodies can include in their social media policies to stay compliant.

Additionally, it's crucial to provide staff with proper training on how to use their position in your office and when they should disclose their relationship with your agency as they share content on social media.

Best Practices for Social Media Compliance

Here are some best practices that'll help you pass social media audits and keep you in the regulators' good graces.

Risk Assessment

The first & foremost step is to conduct a detailed social media risk assessment.

The assessment won't stop every future mishap, but it will help you predict your compliance exposure. You can then establish processes and controls that mitigate these risks.

Content Approval

Regardless of your posting frequency or the social platform you are using, having an approval process in place ensures no guidelines are violated.

Statusbrew's Content Approval Workflows help you create multi-step and multi-user workflows that facilitate submitting, reviewing, approving, or rejecting outgoing posts.



Social media is subject to truth in advertising laws, so include disclosure from third parties involved (even consumers) if they are being compensated in any way.

If any of your employees make comments about the institutions or the product & services, they must disclose their status.

This leads to our next point.

Employee Social Media Policy

Setting up a comprehensive employee social media policy is a must for businesses in the regulated sectors.

Create an employee training program and define a clear rule of engagement & brand advocacy.

Audit Trail

Keep a record of all your social activities (posts, engagements, etc.) for at least two years. Further, preserve any consumer communication on lending or credit terms, promotions for deposit accounts, loan application information, or public comments received about a bank's performance.


Shivam is a content and marketing strategist at Statusbrew and loves to write content that tells a story. When he's not on his laptop you can find him working out and jamming to pop music.