The Federal Financial Institutions Examination Council (FFIEC) said upon its release of Social Media Guidance in December 2013, “the guidance does not impose any new requirements on financial institutions. Rather, it is intended to help financial institutions understand potential consumer compliance and legal risks, as well as related risks such as reputation and operational risks, associated with the use of social media, along with expectations for managing those risks.” The FFIEC also told us “…the Guidance is intended to help financial institutions understand and successfully manage risks in this area.”
The FFIEC guidance defines social media as “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.” It also states that, “For purposes of this Guidance, messages sent via email or text message, standing alone, do not constitute social media.”
Bank examiners since at least 2010 have included in their exam questions pointed questions about bank use of social media. These include: do you offer and maintain a social media presence? If you do, describe the use of the presence and whether or not you’re using social media to promote products and services. And what are your controls, and, specifically, do you have policies and procedures?
Regulatory expectations are:
- An authority structure for the use of social media should be established. This may include direction from the board of directors or senior management on how social media will contribute to the goals of the financial institution. The direction would also establish controls and risk guidance for social media.
- Policies and procedures should establish the use and controls of social media within the financial institution. It is advisable to post an online posting policy that details amongst other requirements, acceptable language.
- A risk management process is put in place for selecting and managing third party relationships as they pertain to social media as these providers can potentially expose financial institutions to considerable reputation risk.
- An employee training program should include the financial institution’s policies and procedures for the work-related use of social media. The employee training should also identify what use of social media is not permitted. Employee interactions with financial institution customers via social media can be viewed by the public as being reflective of the financial institution’s official policies and as such subject the financial institution to reputation risk.
- A process designed to monitor and respond to information posted to proprietary social media sites should be implemented.
- Effective audit and compliance oversight should be defined to ensure compliance with internal policies, laws and regulations.
- Appropriate reporting to the financial institution’s board of directors or senior management that permits the periodic evaluation of the financial institution’s social media efforts should be put in place.
Social Media can be used for a number of things including marketing, incentives, applications for new products and services, public feedback, engaging prospective and existing clients, complaints, loan pricing, and deposit interest rates. You can also make good use of Social Media by using it as part of your complaint monitoring. There are some additional aspects of the Social Media Guidance you should be aware of:
- The guidance is flexible. It recognizes that banks vary widely in their complexity, usage, where and how they are operating, and who is permitted to post.
- The FFIEC guidance does not provide a complete review of the applicable rules and regulations. All advertising requirements apply to social media.
- The guidance applies to banks that are active in social media and to those that are not. Even if you’re not active on social media there are expectations that you will address social media in your policies and procedures and that you have some amount of employee training.
- The guidance provides a definition of social media which is slightly new, though it has a noteworthy exception for the standalone use of email in its normal daily use.
- Social media records should be maintained for two years from after the date of release.
In summary, if used appropriately Social Media can be an exciting tool that can yield immediate and measurable results. If it is not used properly and thoroughly monitored, however, it can result in serious reputational exposure accompanied by compliance, legal, and operational risks which need to be thoroughly documented at the outset.
Social Media is relatively new and its use is very fluid. What customers like and use today may not be ‘new enough’ for customers tomorrow. It is critical to stay informed because there are still many unknowns. A decision to enter and/or stay in this aspect of customer communications should be well thought out and deliberate.
This article was written by Nanette Stanley.