FDIC – Social Media: Consumer Compliance Risk Management Guidance
By: Kseniya (Kate) Strachnyi
On December 11, 2013, the Federal Deposit Insurance Corporation (FDIC) issued FIL-56-2013 – Social Media: Consumer Compliance Risk Management Guidance (the “Guidance”). It provides guidance on conducting risk assessments and on developing and evaluating policies and procedures related to social media, and it applies to all FDIC-supervised institutions.
Key objectives of the Guidance include:
- To help FDIC-supervised institutions understand and manage the potential risks arising from social media use
- To provide clarity on the consumer protection and compliance laws and regulations that apply to activities conducted by financial institutions through social media
- To act as a reminder that financial institutions must properly manage the risks that arise in connection with social media activities
The Guidance defines social media as “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.” Some examples of the types of social media include Facebook, Twitter, Yelp, YouTube, and LinkedIn. Social media is commonly used to grow businesses, interact with consumers, advertise, improve efficiency, distribute information, and match products and services with users’ needs.
Financial institutions must ensure that their risk management programs provide proper oversight and controls to manage the potential risks that arise when using social media (commensurate with their size, complexity, and use of social media). The Guidance states that the risk management program should have the following components:
- Governance Structure – defined roles and responsibilities, controls, and ongoing assessment of risk in social media activities
- Policies and Procedures – documented policies and procedures governing the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations. Policies should define who may use social media on behalf of the financial institution, describe the process for using it, and identify the specific activities and content that are inappropriate, including those that would be misaligned with the company’s mission, vision, or strategy. A social media policy is a key requirement; one of the reasons financial services companies failed FINRA social media audits in 2012 was that they had no social media policy at all
- Third-Party Relationships – a documented risk management process for selecting and managing third-party relationships in connection with social media. Third-party relationships can expose the firm to reputational risk, and the firm remains accountable for monitoring information on social media sites even if it outsources or delegates that work to a third party. Financial institutions should perform proper due diligence on potential service providers before engaging them
- Employee Training Program – develop a training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities. It is recommended to conduct training on a regular basis; consider adding this training as part of a mandatory annual training program and as part of the new hire onboarding process. Training helps to enforce the policies and procedures which in turn helps to manage potential risks
- Monitoring Process – an oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or by a contracted third party. Social media accounts are a common target for attackers: a taken-over account can be used to post in the institution’s name or to distribute malware and phishing links to its followers. Therefore, even if a financial institution is not very active on social media, it is still important to monitor activity. A simple method for monitoring public mentions is to set up Google Alerts for the company name and receive daily notifications about firm-related activity (news articles, Twitter posts, etc.). Note that such alerts only surface public mentions; they will not tell you that one of your own accounts has been compromised, so the institution’s own account activity should also be reviewed and its credentials protected (for example, with multi-factor authentication)
- Ongoing Compliance – Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations, and incorporation of guidance as appropriate
- Reporting – develop parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives
Financial Institutions – Social Media Consumers
Social media has become an integral part of doing business and can trigger a wide variety of risks to your organization (e.g. unauthorized posts, account hacking, inappropriate authorized posts, etc.). The immediacy of social media adds to the risk level. Fiserv recently conducted a survey, “Financial Institutions and Social Media”, which found that even though the number of consumers connecting with businesses through social media has been growing, only about 10% of consumers have connected with their banks. Consumers who have connected with their banks use social media primarily to receive information about financial services (66%), receive information about offers and promotions (32%), review other consumers’ opinions, complaints, or questions (31%), and conduct customer service related activities (30%). These statistics highlight the areas on which financial institutions can focus to provide consumers with useful information via social media.