The FFIEC released a request for comment on January 23, 2013 regarding Social Media: Consumer Compliance Risk Management Guidance. Although the guidance indicates that it “does not impose additional obligations on financial institutions,” it does help clarify the risk management practices that banks should be carrying over into the social media realm. The guidance also notes that it encompasses all banks, even those that do not actively participate in marketing themselves on social media. If nothing else, every bank should have a plan for responding to negative comments online and provide guidance for employee use of social media. For those with an active social presence, there are a few more recommendations to consider.
Team Effort — “The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing.”
Although a bank’s social media presence may be actively led by a marketing department, there needs to be a bank-wide approach to managing the associated risks. The guidance mostly references relevant compliance legislation, so the necessity for compliance and legal backgrounds is a given. Human resources should be involved to lead the employee side of social media. Whether information security/technology is involved to allow employees access to social media for marketing purposes or to deny it on security grounds, those decisions should also be part of the group discussion.
The guidance also recommends ensuring the board of directors or senior management is actively involved in the goal-planning process and program monitoring. To this end, the bank should establish a goal plan prior to jumping onto Facebook or Twitter. With the volume of electronic communications people receive in today’s environment, a well-planned roadmap for achieving the desired goals will help ensure bank customers and other interested parties actively follow the bank’s social media program.
Vendor Management — “A due diligence process for selecting and managing third-party service provider relationships in connection with social media.”
Similar to any other critical bank vendor, this guidance recommends that appropriate assessments be completed prior to contracting with social media marketing organizations. When an internal employee runs the bank’s Facebook page, there is a risk that the employee will post inappropriate information, especially if they leave the company. (See a recent example from HMV.) When a bank decides to outsource its official social media voice, this risk expands to a third party that may not follow the same termination procedures or have the same professional code of conduct. The vendor may not have access to customer information, but the reputational risk should lead to assessing these vendors as higher risk.
Refer to Other Regulations for Guidance — “The laws discussed in this guidance do not contain exceptions regarding the use of social media. Therefore, to the extent that a financial institution uses social media to engage in lending, deposit services, or payment activities, it must comply with applicable laws and regulations as when it engages in these activities through other media.”
The majority of the FFIEC’s issued guidance simply references a wide range of existing legislation, from the Truth in Savings Act to the Children’s Online Privacy Protection Act. Essentially, since no prior regulatory guidance mentions a social media exemption, all of it applies to social media as well. The list may appear overwhelming at first; however, these items should already be handled by existing compliance efforts and simply need to be considered in case the bank’s social media accounts start being used for communications such as deposit rate advertising.
Formal Procedures — “Policies and procedures should incorporate methodologies to address risks from online posting, edits, replies, and retention.”
Based on discussions we’ve had with bankers over the last few years, the majority have had informal discussions about monitoring for unfavorable posts and managing their own accounts but have not formally documented procedures. The guidance recommends documenting procedures to include the board oversight process, employee monitoring responsibilities, post response alternatives (for positive, negative, and inappropriate comments), bank-wide training, and vendor management procedures.
The guidance will be open for comments until March 25, 2013. Once the final guidance is released, you should anticipate regulators will inquire about social media during exams. Please feel free to contact our team of IT consultants with any questions related to this proposed guidance or other aspects of social media activities.