Breaking Down the FFIEC’s Social Media: Consumer Compliance Risk Management Guidance
By Mike Stiles on Mar 21, 2014
If ever there was an industry nervous about using social, it’s financial services. There are plenty more ways to get into trouble than there are when you're using social to sell cookies. Today’s blog comes to us from Tom Chernaik, CEO of CMP.LY, a social startup whose CommandPost addresses third-party entanglement and adoption issues, disclosure, and other legal and measurement challenges. In addition to the blog, give a listen to the recent webcast with Tom and Oracle Social’s Angela Wells, “Making it all Make Sense – The FFIEC’s Consumer Compliance Risk Management Guidance.” Just register as you would for the live webinar and you'll see the option to listen on demand.
On December 11, 2013, the Federal Financial Institutions Examination Council (FFIEC) published final guidance addressing how federal consumer protection and compliance laws, regulations and policies apply to social media activities conducted by retail banks, savings associations and credit unions.
Social media use is subject to virtually the same legal requirements as any other form of business-related communication; what differs is the medium, since social media activity takes place entirely on the Internet, where posts are public, persistent and easy to share. Because of this, financial institutions take on heightened risk simply by communicating on social, even when no specific regulation is violated. To safeguard against these risks, the FFIEC recommends that institutions perform appropriate risk assessments (taking into account the institution’s size, activities and risk profile) and build a risk management program; the higher the risk profile, the more detailed the program should be.
The guidance offers simple steps for creating a risk management program:
- Understand the reason why your institution is (or is not) using social media.
- Discuss institutional objectives for social media use.
- Align corporate objectives with the strategic vision.
- Establish a governance structure that emphasizes a strong “tone from the top.”
Financial institutions also need to create clear and concise policies that address their social media presence and comply with relevant consumer privacy laws and regulations, along with the laws and regulations applicable to advertising and the proper use of consumer disclosures. (For example, an institution’s social media policies and procedures should incorporate its Bank Secrecy Act/Anti-Money Laundering program, so that the recordkeeping and reporting requirements of the Bank Secrecy Act and the Patriot Act are met for activity conducted over social channels.)
Furthermore, policies should address how consumer information is handled and how consumer complaints are managed. A financial institution is not expected to monitor and respond to every communication about it on social media, but it should decide how it will monitor and respond to such communications through an appropriate review grounded in its earlier risk assessments.
Once social media policies have been finalized, financial institutions are responsible for policy implementation and oversight. Institutions should:
- Identify who can use social on behalf of the company, along with what can’t be shared (e.g. non-public customer information or profanity).
- Explain how employees can use social and the processes and technologies available for employee social media use for business purposes.
- Define the frequency of content publication and processes governing workflow for approval, monitoring and enforcement.
- Define clear roles and responsibilities for supervision.
All in all, the FFIEC’s guidance was primarily intended to help financial institutions understand the risks involved in social media use, clarify existing compliance requirements and responsibilities, and encourage the implementation of oversight, processes and controls. However, while practical and intended to be relatively easy to implement, the guidance is not one-size-fits-all; it should be tailored to a specific institution’s circumstances and needs.