December 2013 – UPDATE:
Nearly one year after putting out a proposed guidance on social media use for financial institutions, the FFIEC issued “Social Media: Consumer Compliance Risk Management Guidance.” This guidance has been adopted by FFIEC member organizations, including the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve (Board), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), the Consumer Financial Protection Bureau (CFPB) (collectively, the Agencies), and the State Liaison Committee (SLC).
These regulatory bodies overseeing financial institutions recognize the importance social media plays in marketing, customer service, and audience engagement – but stress the importance of banks, credit unions, and saving institutions to remain compliant while participating.
When the guidance was first published, the FFIEC requested comments – specifically asking if other types of social media or methods for using social media should be included; if other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media should be discussed; and if any technological or other impediments to financial institutions compliance with otherwise applicable laws, regulations, and policies when using social media should be brought to the agencies attention.
The guidance is nearly identical to the original version – though one line is noticeably missing. In the original version of the “Employee Use of Social Media” section, the guidance suggested “even … employees’ own personal social media accounts may be viewed by the public as reflecting the financial institution’s official policies….” The current guidance does not include mention of employee’s personal social network accounts, likely due to the number of employee privacy laws that have gone into effect over the past year.
The key takeaways from “Social Media: Consumer Compliance Risk Management” are that financial institutions and representatives across the field (credit unions, banks, saving associations, and financial advisers, among others) are continuing to include social media as a channel for communication – whether through information sharing, marketing, or customer service. As such, certain risks must be addressed in order to participate safely and compliantly – especially when it comes to protecting the institutions’ reputation, as well as monitoring and archiving business communications.
If you missed GREMLN’s breakdown of the FFIEC’s social media guidance, or simply need a refresher, here's our original post:
On January 23, 2013 the FFIEC (Federal Financial Institutions Examination Council) released proposed guidance for social media use by institutions within the regulated banking industry, including banks, savings associations, credit unions, and non-bank entities supervised by the Consumer Financial Protection Bureau (CFPB). Knowing the financial industry has much to gain from a strong social presence, the FFIEC’s guidance provides an outline for financial institutions to monitor & manage the risk associated with becoming active with social media.
It is no secret that social media is a great way to find and interact with your customers online. It’s a great marketing tool. It’s an incredibly helpful customer service tool. And yes, it’s also a brand awareness tool. In fact, social media helps businesses interact and engage with their audiences in so many ways that it really makes a lot of sense to have a social presence. The FFIEC’s guidance is meant to help financial institutions understand and manage the risks associated with a social media presence. So, what are the risks? And is your bank taking the proper course of action to stay compliant with the FFIEC?
Compliance and Legal Risks
The compliance and legal risks associated with financial institutions’ presence on social media are many given the industry’s laws, regulations, internal policies and procedures, and ethical standards. Banks must ensure the rules outlined in all acts and regulations surrounding deposit and lending products, payment systems, community reinvestment, and privacy are met – and all privacy policies are clearly disclosed – when operating a secure social media presence. For example, the Truth in Savings Act mandates certain disclosure requirements for advertisements using trigger words such as “bonus” or “APY” (customers need to be able to make informed decisions when it comes to deposit accounts).
In keeping with the Bank Secrecy Act (BSA) financial institutions must have a compliance program in place that incorporates training – not only for the operational staff but for the board of directors, too – and includes internal controls to ensure effective risk management and compliance, record keeping, and reporting.
Even if you aren’t currently active on social media, someone is probably talking about your bank online. In order to protect your reputation, you need to be a part of the conversation.
Fraud and Brand Identity
Protect yourself against fraudulent behavior and mistaken brand identity. Even if you haven’t decided exactly how you are going to run and manage your social presence, make sure you sign up for the desired Twitter handle(s), Facebook page(s), etc. so you avoid the risk of someone else masquerading as your bank. Soon after Google+ launched as a social network, someone created a Bank of America profile and began posting erroneous and damaging messages.
UK bank Tesco was the victim of Twitter fraud in February 2012, when someone created the Twitter handle @TescoBankCC, posing as the bank’s customer service team, and began asking users for their personal information. The errant account was up and running for several weeks before it was shut down.
To safeguard yourself against instances like these, be sure you know what security measures you can take. Adding Twitter’s “Follow” or Facebook’s “Like” buttons to the company website is one way to verify the legitimacy of your brand's official social media presence.
Third Party Concerns
The FFIEC recognizes that banks may need to involve a third party to help set up, maintain, and execute their social media presence. In doing so, each institution inherently opens itself up to reputation risk. It is each institution’s responsibility to monitor and control the content that is pushed out from its social media feeds, and to confirm the privacy regulations and other policies connected to the social media network and any other third party involved in the financial institutions’ social media presence.
Consider adding procedures to your social media policy for what to do in case confidential/sensitive information appears on your bank’s social media sites. Let’s say, for instance, that a well-intentioned (though not particularly responsible) customer posted a question regarding her account on Facebook, and included her account number for all to see. The financial institution may have a general “do not delete” policy when it comes to Facebook wall posts in an effort to be transparent, but this would be an important exception to that rule. Taking advantage of Facebook’s privacy settings, you can choose have all posts be approved before they are publicly posted on your wall. It may be difficult to think ahead to potential pitfalls, but a solid game plan outlined in your social media policy can protect your bank and your customers from privacy disasters.
Consumer Complaints and Inquiries
There is risk associated with leaving customer complaints or questions unaddressed; if you aren’t paying attention to (and using!) social media, you are unable to assess and manage this risk to your bank’s reputation. Time plays an important role, so schedule regular searches of your brand and product names, being careful to include common misspellings or nicknames.
Employee Use of Social Media Sites
The FFIEC recognizes employee social media use (including personal use) can be viewed by the public as an extension of the institution. According to the FFIEC, “employee communications can subject the financial institution to compliance risk as well as reputation risk,” so it is vitally important to address social media use with your employees. Having a social media policy in place and offering employee training will help mitigate potential for reputation risk.
A St. Louis doctor took to her personal Facebook page to complain about a frequently tardy patient. She did not disclose patient’s name, but mentioned the patient’s condition to the doctor’s own public profile. The post was then copied and shared on other Facebook pages, and soon became national news. While the hospital she works for admits that the doctor’s comment was unprofessional, it did not break the hospital’s privacy laws. A social media policy, proper training, and conversations surrounding best practices when using social media will certainly help your employees understand how to stay professional even when on their personal social media profiles. The FFIEC recommends each institution decide for itself the best policy to address its personal employee social media risks, provided the policy not interfere with any employment law principles, such as those put forth by the National Labor Relations Board.
Certain operational risks can also be associated with a bank’s social media presence, and are closely related to those posed by information technology. Information on outsourcing technology services and information security already made available by the FFIEC should be consulted when using social media, as it opens the institution up to potential account takeover and malware distribution.
Security breaches can happen, and major social media networks are not immune. It is each financial institution’s responsibility to safeguard itself against potential security risks by exercising careful security measures and having a proactive response to security incidents as they relate to social media.
The FFIEC recognizes the importance social media can play in the banking industry, and has provided these guidelines to help financial institutions know what is expected in order to stay compliant. Knowing the existing laws and how current customer procedures relate to social media activity will get you on the right foot to social media compliance.