Social media guide

Social Media Compliance Workflow

In a regulated industry, the social post is only half the obligation. The other half is being able to prove, months or years later, exactly what was published, who approved it, what it linked to, and that it was supervised before it went live. Finance, healthcare, insurance and pharma teams are not judged on engagement when an examiner calls. They are judged on whether the record exists and holds up.

This guide is about that record-keeping and supervision layer. It assumes you already handle claims sign-off (covered in legal approval for social media ) and focuses on what compliance specifically demands: documented review, retained evidence and an audit trail that survives scrutiny.

What regulators actually expect

The specifics vary by jurisdiction and sector, but the underlying obligations are consistent. A defensible workflow has to satisfy four things at once:

  • Pre-use supervisory review. A qualified person approved the content before it published, not after a complaint.
  • Complete, immutable records. The post, its approvals and its context are captured and cannot be silently altered.
  • Retention. Records are kept for the mandated period, commonly several years, and are retrievable on demand.
  • Capture of the living post. Comments, edits and interactions are archived too, because a clean post under a non-compliant comment thread is still a problem.

Engagement-first tools are built for none of this. That is why regulated teams need a workflow designed around evidence, not reach.

The record you must be able to produce

For any published post, an examiner may ask for the full file. Decide now what it contains so you are never assembling it under pressure.

Record elementWhat it captures
Final published contentExact text, image and links as they went live
Reviewer and timestampWho approved, when, in what role
SubstantiationEvidence behind any claim, with as-of dates
Version historyEvery draft and edit, including post-publish changes
DistributionWhich accounts and channels it ran on
Interaction captureComments and replies archived over the post’s life
Disposition of issuesAny flagged comment and how it was handled

If your current process cannot produce this file in minutes, you do not have a compliance workflow, you have a hope.

Supervisory review, not just approval

Compliance review is stricter than ordinary editorial approval. The reviewer must be qualified and designated, the review must happen before publication, and the act of reviewing must itself be recorded. Build it as a hard gate: nothing in a regulated account reaches the scheduler without a logged supervisory approval, and the system blocks a publish that lacks one. Separate this from brand and editorial review so the compliance officer evaluates regulatory risk, not tone.

For higher-risk content, a two-person rule is worth the friction: an author and an independent reviewer, never the same individual, so no single person can both write and clear a post.

Pre-approved content keeps the queue alive

Supervisory review does not scale if every post is bespoke. The escape valve is a pre-approved content library: posts and templates already cleared, scoped to where and how long they can run. A pre-cleared educational post about retirement planning can be reused for six months; a market-commentary post expires the day the data is stale. Authors draw from the library and publish without re-review, while genuinely new content goes through full supervision. This is what keeps a compliant calendar from grinding to a standstill.

Archiving is a system, not a folder

Screenshots are not an archive. They miss edits, they miss the comment thread, and they are trivially disputed. A real archive captures content automatically at publish time, captures interactions continuously, write-protects the record, and timestamps everything. The test is simple: if a post was edited after going live, can you show both versions and when each was live? If a customer left a non-compliant comment and you hid it, is that action logged? A workflow that cannot answer yes is exposed.

Metrics compliance actually cares about

Forget likes. The numbers that matter are supervisory review coverage (share of posts with a logged pre-publish approval, which should be 100% in scope), policy exception count (posts that published without proper review, which should be zero), archive completeness (share of posts with a full retained record), and records retrieval time (how fast you can produce the file). These are the numbers that turn an audit from an emergency into a routine request.

How Utin fits

Utin is being built so the compliant path is the default path. It scans your website to draft posts with the source and substantiation attached, enforces a supervisory-review gate before anything can be scheduled, and retains an immutable record of each post, its approvals and its versions. The intent is that the audit trail is a by-product of doing the work, not a separate scramble after it. You can register interest in an early pilot.

For the claims and substantiation layer underneath this, read legal approval for social media . For who owns these gates across the organisation, see social media governance . When content is AI-generated, AI posts with human review explains why the human gate is non-negotiable in a regulated setting.