Image by Matt Cordell using Creative Commons content BY-SA 3.0
The Federal Financial Institutions Examination Council (FFIEC) has published guidance recently that will be used by the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), the National Credit Union Administration (NCUA), and the Consumer Financial Protection Bureau (CFPB) to evaluate financial institutions' compliance with various privacy and other laws and regulations.
What kinds of social media are covered?
The guidance defines "social media" as any form of interactive online communication in which users can generate and share content through text, images, audio, and/or video. Examples include micro-blogging sites (e.g., Facebook, Google Plus, MySpace, and Twitter), forums, blogs (e.g., BizLawNC.com or PrivacyLawNC.com), customer review web sites and bulletin boards (e.g., Yelp), photo and video sites (e.g., Flickr and YouTube), sites that enable professional networking (e.g., LinkedIn), virtual worlds (e.g., Second Life), and social games (e.g., Farmville). These platforms have a wide spectrum of uses, and their user profiles vary.
Financial institutions most often use social media for marketing directly to customers, but they also use it to provide incentives, collect feedback from the public, recruit employees, and otherwise engage with prospects and customers. Each of these efforts carries with it particular goals and varying types and degrees of risk.
The FFIEC Guidance states that every financial institution must conduct a risk assessment that addresses the risks raised by its use of social media and maintain a risk management program that is tailored to that risk profile. Every institution using social media should identify, measure, monitor, and control the risks related to social media.
How detailed should the policy statement be? How comprehensive should the procedures be?
The size and complexity of the program should be commensurate with the degree of the institution's involvement in social media, both in terms of depth and breadth. For example, a financial institution that relies heavily on one medium (e.g., Facebook) should have a more focused program. An institution using several media (e.g., Facebook, LinkedIn, Twitter, Yelp, Google+, and YouTube) should have procedures that are more comprehensive.
Who should be involved?
The FFIEC advises that a social media risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing. A better suggestion, in my opinion, is the inclusion of individuals whose expertise spans more than one of these categories. (Can you think of anyone who might know about more than one of these areas?)
What are the elements of a social media risk management program?
- A governance structure with clear roles and responsibilities;
- Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations;
- A process for selecting and managing third-party relationships;
- An employee training program;
- An oversight process;
- Audits to ensure ongoing compliance; and
- Reporting to the board of directors or senior management to enable periodic evaluation of the program.
What are the key areas of risk?
- Deposit and Lending Products
- Truth in Savings Act/Regulation DD
- Fair Lending Laws: Equal Credit Opportunity Act/Regulation B and Fair Housing Act
- Truth in Lending Act/Regulation Z (including specifically advertising requirements)
- Real Estate Settlement Procedures Act
- Fair Debt Collection Practices Act
- Unfair, Deceptive, or Abusive Acts or Practices
- Deposit Insurance (or Share Insurance) disclosure requirements regarding insurance or NDIPs
- Bank Secrecy Act/Anti-Money Laundering Act
- Community Reinvestment Act
- Gramm-Leach-Bliley Act Privacy Regulations and Data Security Guidelines
- CAN-SPAM Act and Telephone Consumer Protection Act
- Children’s Online Privacy Protection Act
- Fair Credit Reporting Act
- Reputational Risk
- Employment Law/HR Risk
- Operational Risk (malware and account takeover)
What if we don't use social media at our bank?
Even financial institutions that do not use social media should perform a risk assessment, say the regulators: "a financial institution that has chosen not to use social media should still consider the potential for negative comments or complaints that may arise within the many social media platforms described above, and, when appropriate, evaluate what, if any, action it will take to monitor for such comments and/or respond to them." I have already written about online reputation management at length, and rather than repeat my advice here, I will refer you to my earlier post on the subject.
Furthermore, just because an institution does not have an official social media account does not mean individual employees (especially those with business development responsibilities) are not posting on LinkedIn, Facebook, Twitter, and other platforms about, and apparently on behalf of, the institution. It is unusual these days to find anyone in a sales role who is not active on social media.
The FFIEC Guidance is intended to help financial institutions understand and successfully manage (not eliminate) the risks associated with the use of social media. The regulators expect institutions to manage potential risks to themselves and their customers by identifying areas of risk proactively and by adopting and implementing programs to mitigate those risks effectively... and, more importantly, so do an increasing number of customers.