FFIEC FAQ: What Social Media Guidance Means for Financial Services

By now it’s no secret that financial services companies need to adhere to FFIEC guidance regarding social media use. GREMLN customers are not only looking for social media compliance tools, but also for guidance on how those tools specifically address their compliance needs. Here we’ve broken down the FFIEC rules into frequently asked questions and shed some light on how the rules apply to your social media and risk management programs.

1. What is Social Media According to the FFIEC?

“[S]ocial media is considered to be a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video. Social media can take many forms, including, but not limited to, micro-blogging sites (e.g., Facebook, Google Plus, MySpace, and Twitter); forums, blogs, customer review web sites and bulletin boards (e.g., Yelp); photo and video sites (e.g., Flickr and YouTube); sites that enable professional networking (e.g., LinkedIn); virtual worlds (e.g., Second Life); and social games (e.g., FarmVille and CityVille). Social media can be distinguished from other online media in that the communication tends to be more interactive. For purposes of this Guidance, messages sent via traditional email or text message, standing alone, do not constitute social media, although such communications may be subject to a number of laws and regulations discussed in this Guidance. However, messages sent through social media channels are social media. Social media is a dynamic and constantly evolving technology and thus any definition for this technology is meant to be illustrative and not exhaustive. In addition to the examples of social media mentioned above, other forms of social media may emerge in the future that financial institutions should also consider.”

According to the Federal Financial Institutions Examination Council (FFIEC), social media is any “interactive online” forum where communication takes place with or among customers, potential customers, or the community at large, about or with a financial institution. In our view, the responsibility associated with a communication is directly related to the reasonable expectations of the people involved in it. It is reasonable for people who post on Yelp to expect that their peers and the financial institution discussed will see and potentially respond to their comments. It is probably not reasonable for people discussing customer service at their local bank while playing an online game to expect that the bank would interact with and potentially respond to that communication.


2. Can a Financial Institution “Just say No” to Social Media?

“A financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media…. [A] financial institution that has chosen not to use social media should still consider the potential for negative comments or complaints that may arise within the many social media platforms described above, and, when appropriate, evaluate what, if any, action it will take to monitor for such comments and/or respond to them.”

This provision of the FFIEC guidance says that a financial institution should have a social media risk management program. It also says that even if the institution opts out of active participation in social media, it should still be able to evaluate and respond to negative comments and complaints posted on social media.

It seems clear that the FFIEC does not think it is reasonable for a financial institution to ignore social media. While the guidance appears to leave the door open to the idea of “opting out”, in practice, it will be impossible to “identify, measure, monitor and control risks related to social media”, much less to “evaluate and respond to negative comments and complaints” without a tool like GREMLN.


3. What Should an FFIEC Compliant Social Media Risk Management Plan Include?

“The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing. Financial institutions should also provide guidance and training for employee official use of social media. Components of a risk management program should include the following:

  • A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution (for example, through increasing brand awareness, product advertising, or researching new customer bases) and establishes controls and ongoing assessment of risk in social media activities;
  • Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations, and incorporation of guidance as appropriate. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention;
  • A risk management process for selecting and managing third-party relationships in connection with social media;
  • An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities;
  • An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;
  • Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations, and incorporation of guidance as appropriate; and
  • Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.”

4. How Can GREMLN Help My Financial Institution Implement an FFIEC Compliant Social Media Risk Management Plan?

GREMLN software is designed to allow financial institutions to align the team and the team’s engagement on social media with the FFIEC Social Media Risk Management Plan guidance. While GREMLN doesn’t provide risk management consulting services, setting your team up on GREMLN is an effective means of putting an FFIEC compliant Risk Management Plan into practice.

I. Governance Structure: Governance structure should include:

  1. Clear roles and responsibilities to communicate how using social media contributes to the strategic goals of the institution and
  2. Establishes controls and ongoing assessment of risk in social media activities.

GREMLN’s software platform allows management to assign roles for the use, management and reporting of social media interaction, with filters, oversight and permission-based controls designed to align with this requirement.

II. Policies and Procedures: Policies and procedures regarding:

  1. The use and monitoring of social media and
  2. Compliance with all applicable consumer protection laws and regulations, and incorporation of guidance as appropriate.
  3. Methodologies to address risks from online postings, edits, replies, and retention;

Managing social media over GREMLN, with its filters, permissions, monitoring and archiving, is an easy and effective way to implement the FFIEC Policy and Procedure requirements.

III. Third Party Due Diligence:

Risk management process for selecting and managing third-party relationships in connection with social media;

While GREMLN doesn’t provide third-party diligence services, we provide a complete diligence package when working with financial institutions that complies with the FFIEC Due Diligence Guidelines.

IV. Employee Training:

An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities;

Through automated filters, roles, permissions and review processes, training and oversight “happen” on GREMLN. We also provide social media training services.


V.  Oversight Process for Monitoring Information on Social Media:

An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;

GREMLN automates oversight, monitoring and reporting on all proprietary social media sites.


VI.   Audit and Compliance:

Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations, and incorporation of guidance as appropriate; and

Through automated filters, roles, permissions and review processes, as well as comprehensive archiving services, audit and compliance are as easy as exporting a report.

VII. Reporting:

Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.

GREMLN has a complete suite of marketing and performance tracking tools built into the platform and integrated with easy-to-use “drag and drop” report building.

Do you have more questions about secure social media? Subscribe to the GREMLN blog here. Ready to see the GREMLN Social Guardian compliance toolkit in action? Schedule a demo!