
Managing External Links for SEC Compliance

February 17, 2021

External links represent both the power of the Internet and a significant regulatory compliance challenge. Compliance officers must have policies and disclaimers in place that clearly state their institution’s position on responsibility for the content of linked sites in websites, emails and marketing documents.

17a-4, LLC works with compliance teams to help clients leverage technology and manage corporate data in compliance with regulations. External links and sites are emerging as one of technology’s new compliance challenges and represent, perhaps, a ‘no man’s land’ of responsibility. Visitors to financial websites, and recipients of email or marketing information, do not perceive a difference between content from the financial institution and content from a discrete third-party site. Where does the institutional responsibility begin and end?

As a long-standing policy, the Securities & Exchange Commission has maintained the ‘envelope’ rule, which states that embedded links represent content contained within the envelope of the communication. Links to research, corporate sites, the EDGAR system, etc. are all within the construct of a communication, website, tweet or marketing document.

As guidance, 17a-4 recommends that compliance teams take the following 4 steps to address the compliance issue and incorporate their review as part of the annual FINRA 3130 certification. These steps are:

  1. Monitor communications (email, Teams, Slack, Zoom, Webex) for external links embedded in the conversation. Terms such as ‘site’, ‘http:’ and ‘www.*’ should be incorporated into the supervisory lexicon.
  2. Add disclaimers with language stating that the recipient should rely only on information directly contained within the site or communication. As this disclaimer is often long and detailed, we recommend that firms use a service such as 17a-4’s eDisclaimer service. This allows firms to take advantage of the ‘envelope’ rule and protect themselves with a full and complete disclaimer.
  3. When you do use a link, hash the contents of the link. By comparing the hash codes on a regular basis, you can be sure that the content has not been changed. You can be alerted to any change through an email notification.
  4. Set up Microsoft SharePoint, Google Cloud or other libraries in which you can retain reference documents. This allows retention policies to be set and, if appropriate, non-erasable settings applied. Technically, linked content should be preserved as long as the email, tweet, or marketing document.
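
Steps 1 and 3 can be combined in a small script: pull the links out of a message, hash what each one points to, and compare against the hash recorded earlier. This is an added example, not 17a-4's code; the function names, the `fetch` callable and the sample message and content are assumptions constructed for illustration.

```python
import hashlib
import re

# Step 1 lexicon terms 'http:' and 'www.*' expressed as a pattern (https added).
LINK_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"')\]]+", re.IGNORECASE)

def extract_links(message):
    """Return the links in a message body, in order, without duplicates."""
    seen, links = set(), []
    for match in LINK_RE.finditer(message):
        url = match.group(0).rstrip(".,;:!?")  # drop sentence punctuation
        if url.lower() not in seen:
            seen.add(url.lower())
            links.append(url)
    return links

def check_links(links, fetch, baseline):
    """Step 3: hash each link's content and compare it with the stored hash.

    fetch    -- callable url -> bytes (assumed; an HTTP client in practice)
    baseline -- dict url -> SHA-256 hex digest; new links are recorded in it
    Returns (url, status) pairs: new, unchanged, changed or unreachable.
    """
    results = []
    for url in links:
        try:
            digest = hashlib.sha256(fetch(url)).hexdigest()
        except Exception:  # a dead link also needs review, so report it
            results.append((url, "unreachable"))
            continue
        if url not in baseline:
            baseline[url] = digest
            status = "new"
        elif baseline[url] == digest:
            status = "unchanged"
        else:
            status = "changed"  # baseline kept, so the alert repeats until reviewed
        results.append((url, status))
    return results

# Constructed sample data: a message and a stand-in for the linked content.
MESSAGE = "Research is at https://research.example.com/q4.pdf, see also www.example.com."
PAGES = {"https://research.example.com/q4.pdf": b"Q4 report v1",
         "www.example.com": b"<html>home</html>"}

if __name__ == "__main__":
    baseline = {}
    print(check_links(extract_links(MESSAGE), PAGES.__getitem__, baseline))
    PAGES["https://research.example.com/q4.pdf"] = b"Q4 report v2"
    print(check_links(extract_links(MESSAGE), PAGES.__getitem__, baseline))
```

A hash of the raw bytes changes on any difference at all, so pages that embed timestamps or rotating content will report a change on every run; the copy retained under step 4 is what lets a reviewer see what actually changed.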

These 4 steps represent what we have found to be ‘best practices’ and an appropriate effort to address this compliance challenge. For more information about our linking services, lexicon term or e-disclaimer.