FFIEC Issues Proposed Social Media Guidance

(UPDATED – Added link to public comments)

Just out, this document is really a request for comments on the proposed guidance, but final guidance is likely to follow this very closely…and very quickly.  As many financial institutions are probably getting their social media policies together now (or updating existing policies), this is a must read.  Here is an executive summary (and please respond to the poll at the bottom):

  • First of all, the guidance does not impose additional obligations on financial institutions.  The responsibility to properly manage the potential risks associated with social media usage and access is no different than that which is required for any new product, service or process.
  • The FFIEC defines social media as “…a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video”.  Also, “Social media can be distinguished from other online media in that the communication tends to be more interactive.”
  • Institutions are expected to have a risk management program in place that allows them to identify, measure, monitor, and control the risks related to social media…again, an expectation that exists for every other risk an institution faces.
  • It should be designed with participation and involvement from specialists in compliance, technology, information security, legal, human resources, and marketing.
  • Components of the program should include:
    • Board and senior management approval and involvement, including strategic justification of a social media strategy.
    • Policies and procedures (either stand-alone, or incorporated into other existing policies) addressing the proper use and management of social media.
    • Proper vendor management of social media providers.
    • Employee training, including both proper and improper activities.
    • A process to monitor all social media activity, whether initiated by the institution, or a contracted third-party.
    • Audit oversight.
    • Periodic reporting to the Board and senior management as to whether or not social media activities are meeting strategic goals.
  • Policies and procedures must address the following risks:
    • Consumer Compliance & Legal/Regulatory Risks, including:
      • Truth in Savings Act/Regulation DD and Part 707
      • Fair Lending Laws: Equal Credit Opportunity Act/Regulation B and Fair Housing Act
      • Truth in Lending Act/Regulation Z
      • Real Estate Settlement Procedures Act
      • Fair Debt Collection Practices Act
      • Unfair, Deceptive, or Abusive Acts or Practices (UDAAP)
      • Deposit Insurance (FDIC) or Share Insurance (NCUA)
      • Electronic Fund Transfer Act/Regulation E
      • Bank Secrecy Act/Anti-Money Laundering Programs (BSA/AML)
      • Community Reinvestment Act (CRA)
      • GLBA Privacy Rules and Data Security Guidelines
      • CAN-SPAM Act and Telephone Consumer Protection Act
      • Children’s Online Privacy Protection Act
      • Fair Credit Reporting Act
    • Reputation Risk, including:
      • Fraud and Brand Identity
      • Third Party Concerns where social media activities are outsourced
      • Privacy Concerns arising from the public posting of confidential information
      • Consumer Complaints and Inquiries
      • Employee Use of Social Media Sites, including through employees’ own personal social media accounts
    • Operational Risk, paying particular attention to the requirements in the FFIEC booklets “Outsourcing Technology Services” and “Information Security”

As you can see, whether you have separate social media policies, or incorporate the elements into other policies, the requirements have expanded considerably.  Use this summary as a checklist as you draft your new, or update your existing, policies.

I have written before about the unique challenges presented by social media, and how it doesn’t easily lend itself to traditional risk management techniques.  This new guidance recognizes that, and makes it crystal clear that although it is difficult, you must still follow the same basic risk management procedures you use for everything else…Identify, Measure, Control and Monitor.

One final thought…you are expected to tailor your efforts to the breadth of your involvement in this area.  The standard “size and complexity” considerations apply here.  But even if you decide not to engage in a formal social media effort, you must still have a policy because you cannot completely avoid the risks of employees posting on their personal accounts, and third parties posting negative comments.  Unlike other endeavors, risk avoidance is not an effective control!


Comments are now closed.  If you would like to view comments, here is the link:  http://www.regulations.gov/#!docketDetail;D=FFIEC-2013-0001

Tom Hinkel
As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.