Recently, the Federal Financial Institutions Examination Council (FFIEC) proffered risk management guidelines ("Guidelines") for financial institutions that use social media to connect with their customers and bolster their brand online.
The new Guidelines are meant to address prominent questions and concerns regarding social media use within the financial services industry. The Guidelines divide the risk landscape into three categories:
Compliance and Legal Risks that arise as a result of "potential violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies and procedures, or ethical standards." Compliance risk necessarily contemplates a financial institution's potential to violate its own internal policies and guidelines as well as established laws and regulations, including:
- Truth in Savings Act / Regulation DD
- Fair Lending Laws
- Truth in Lending Act / Regulation Z
- Electronic Fund Transfer Act / Regulation E
- Gramm-Leach-Bliley Act
- CAN-SPAM Act
Reputational Risks that arise from negative public opinion resulting in unsatisfied customers and/or negative publicity. Unlike compliance issues, harm to reputation can occur even if the financial institution has not violated any law and has diligently complied with applicable regulations. Reputational Risk can present in the following contexts:
- fraud and brand identity
- third party concerns such as the data collection practices of the hosting site
- privacy concerns
- consumer complaints and inquiries
Operational Risks that arise from inadequate or failed processes, people, or systems. Such risks primarily contemplate IT vulnerabilities to malware attacks, DDoS attacks, and system intrusion. Financial institutions should develop and maintain a current incident response protocol to address data breach, system intrusion, and/or malware attacks.
Top Ten Steps Financial Institutions Should Take To Ensure Sound Social Media Policies and Procedures
- Identify all social media platforms used by your financial institution.
- Classify all social media activities within the various platforms so that you may better assess the attendant risks and compliance requirements.
- Identify the regulatory requirements that accompany your social media activities.
- Create policy and procedural guidelines for those social media activities that trigger compliance requirements.
- Develop monitoring tools and schedules to identify and eliminate possible fraud and brand identity risks.
- Prominently display links and/or directions for consumers to reach approved channels in order to voice legitimate concerns, complaints and questions.
- Develop incident response plans to address operational risks such as data breach, system intrusion and/or other cyber attacks and practice implementing the response plan.
- Develop a schedule for regular assessment and modification of all social media policies and procedures as well as the incident response plan to ensure relevant practices and procedures.
- Implement social media policies and procedures in employee training and continuing education programs.
- Provide reminders for all personnel that communications posted to social media platforms are permanent, as well as readily transferable and searchable.