Avoiding A Digital Catastrophe: Considerations for Managing Social Media Risks
Social media have revolutionized how financial institutions interact with customers and the public. Facebook, Twitter, Google Plus, LinkedIn, Flickr, YouTube, Yelp and other social media sites permit institutions to market products and services, provide incentives, facilitate new account applications, invite performance feedback, recruit employees, and receive and respond to complaints in new and effective ways.
The benefits of leveraging social media are enormous, but not without corresponding risks. The dynamic and informal nature of financial institution interactions with customers and potential customers through social media creates risks of harm to consumers, plus compliance/legal risks, operational risks, and reputational risks to institutions.
FFIEC Guidance Requires Attention
Five members of FFIEC – the OCC, the Fed, the FDIC, the NCUA and the CFPB – will apply the Guidance when exercising their supervisory functions, and the sixth FFIEC member, the State Liaison Committee, is encouraging its state regulatory agency members to adopt the Guidance as well. Board members, senior management, and compliance officers of financial institutions will be expected to develop social media risk management programs that address the Guidance.
FFIEC Guidance Summary
The Guidance provides that a financial institution should have a risk management program that allows it to "identify, measure, monitor and control the risks related to social media." The size and complexity of the program should be commensurate with the institution's use of social media. The Guidance recommends that any social media risk management program should be designed with participation and input from specialists in technology, information security, legal, compliance, human resources, and marketing.
The Guidance identifies three main risks that should be addressed by a financial institution's social media risk management program: (1) compliance/legal risk, (2) reputational risk, and (3) operational risk.
Compliance/legal risk arises from a financial institution's noncompliance with laws, regulations, guidance, ethical standards, and internal policies and procedures. This risk is heightened when an institution's internal policies and procedures do not keep pace with changes in the marketplace.
An institution's compliance/legal risk does not come from new requirements imposed by the Guidance. Rather, the Guidance makes clear that existing banking laws and regulations apply even though most predate the existence of social media. As a result, an institution needs to carefully consider its obligations under all existing laws and regulations as a result of social media usage, including the following:
- TISA/Reg. DD (for example, an institution's communications to consumers through social media must include all necessary disclosures and avoid misleading or inaccurate information regarding the institution's deposit accounts);
- Fair Lending Laws (ECOA/Reg. B and Fair Housing Act) (an institution generally must not use social media to collect, request or otherwise use information regarding an applicant's race, color, religion, national origin, or sex);
- TILA/Reg. Z (any advertisements made or consumer credit application received through social media must include all necessary disclosures);
- RESPA (an institution must not accept any kickbacks or other value in exchange for referrals made through social media for settlement service business);
- FDCPA (if acting as a debt collector, an institution must avoid communications through social media, to a consumer or otherwise, that publicly disclose a consumer's debt or inappropriately attempt to collect a debt);
- Federal Trade Commission Act;
- Dodd-Frank Wall Street Reform and Consumer Protection Act;
- Electronic Fund Transfer Act/Reg. E;
- Bank Secrecy Act;
- Gramm-Leach-Bliley Act (for example, an institution using social media must clearly disclose its privacy policies to consumers and protect any consumer information collected through social media); and
The use of social media also increases a financial institution's reputational risk, which can arise by virtue of fraudulent impersonations of the institution on social media, direct attacks against the institution's brand, failure of third-party service providers to properly perform services, privacy and security breaches, failure to timely and appropriately respond to consumer complaints, inquiries or comments, or an employee's inappropriate use of social media that is perceived by the public to reflect the views of the institution. An institution should consider the use of monitoring tools to identify these and other risk factors and to respond to problems timely and appropriately.
Finally, the use of social media increases operational risk – the possibility of losses from human error or inadequate or failed processes or technology. The root cause can be internal or external events. Social media are vulnerable to account takeover and the distribution of malicious software, or "malware." A financial institution should ensure that the controls it has in place (or implements) to protect its systems and safeguard customer information from malware include a social media usage component.
The identification, monitoring, and management of IT-related security risks are addressed in the FFIEC Information Technology Examination Handbook, as well as in other supervisory guidance and general IT security publications.
Recommended Elements of a Social Media Risk Management Program
The following elements should be included in a financial institution's social media risk management program:
- A governance structure that establishes clear roles and responsibilities whereby the board of directors or senior management determine how using social media contributes to the strategic goals of the institution and shape the institution's policies in this regard.
- Policies and procedures regarding the use and monitoring of social media and compliance with applicable law, and incorporation of the Guidance as appropriate. Such policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention.
- A risk management process for selecting and managing third-party relationships in connection with social media (see Managing Third Party Relationships: New Regulatory Guidance for Banks in the January 14, 2014 edition of Commercial Law Update).
- An employee training program for official, work-related use of social media, and potentially for personal use of social media.
- An oversight process for monitoring information posted to proprietary social media sites administered by (or on behalf of) an institution.
- Audit and compliance functions to ensure ongoing compliance with internal policies and procedures and applicable law, and incorporation of guidance as appropriate.
- Parameters for providing appropriate reporting to an institution's board of directors or senior management that enable periodic evaluation of the social media risk management program's efficacy.
- A plan for responding to security events such as a data breach or account takeover through social media or otherwise. Such planning should include provisions for insurance coverage for breach and compliance costs, breach notification protocols and budgets, pre-selected and retained credit monitoring services, a definition of who will be in charge of an incident response and internal reporting channels, public relations and media management, and breach incident response exercises to test the efficacy of the plan.