UPDATE 1/22/2014 – Compliance Framework Checklist added (scroll down)
Originally proposed back in January 2013, and following a comment period in which they received and evaluated 81 official comments, the FFIEC has at last released their final guidance for financial institutions engaging in social media activities. I expect all the regulatory agencies to adopt it soon (the FDIC has already, and pretty much verbatim).
According to the FFIEC, this final guidance is “…substantially as proposed, but with some changes“. I wrote about this when it was first proposed and I encourage you to read my original post for the specific components of a social media risk management program. This post will focus only on the major changes between the two, and four main “grey” areas that I felt required clarification for institutions.
I did a word-for-word comparison of the verbiage in the proposed with the final, and there seemed to be some softening of the verbiage in some areas (no doubt due to the comments received). For example, originally the guidance said that “…this form of customer interaction…occurs in a less secure environment, and presents some unique challenges…”. This was changed to “…Since this form of customer interaction…MAY occur in a less secure environment, it CAN present some unique challenges…”. Other areas were expanded, for example the requirement to provide “guidance” for employees was expanded to “guidance AND TRAINING“. Also, the risk management component that included “…A DUE DILIGENCE process for selecting and managing third-party service provider relationships” was changed to “…A RISK MANAGEMENT process for selecting and managing third-party relationships….”.
There were minor clarifications to Reg Z and UDAAP expectations, and a fairly considerable expansion of the CRA requirement to retain public comments. Fortunately this was limited to comments received only through social media sites run by, or on behalf of, the institution. Comments made elsewhere would not have to be retained, as they are “not deemed to have been received by the institution”. (Unfortunately this “not deemed to have been received” concept applies only to CRA comments, not complaints or disputes. See #2 below.) Finally the guidance makes it clear that email and text messages on their own do not constitute social media…unless (presumably) they are facilitated through a social media platform.
Here are the four “grey” areas that I think needed the most clarification for financial institutions, and my interpretation of the guidance:
- Does the guidance impose a single standard of expectations for all institutions regardless of their degree of involvement in social media activities?
- No. Although all institutions are expected to implement a risk management program, it should be consistent with breadth of the institutions involvement in social media activities. And it should be designed with input from folks in compliance, technology, information security, legal, human resources, and marketing. However, even institutions who choose to not use social media should be aware of the risks of not being able to respond to negative comments or complaints that may arise elsewhere. (More on that in the next bullet.) So it looks as if a policy and a risk assessment are required regardless of the level of your involvement in social media activities, even if you choose to opt out.
- Would institutions be required to monitor and respond to all communications about the institution throughout the Internet?
- No, but institutions are expected to understand the risks of NOT being able to respond, particularly the reputation risks of not being able to respond to complaints or disputes originating from other channels. They also mention the “challenge” for institutions to protect their brand identity by being aware of the risk of someone “spoofing”, or masquerading, as the institution. All these risks exist regardless of the institutions decision to engage in social media activities. In fact, responding to a negative comment or spoofing attack may be much more challenging if you’ve decided to not engage at all, or even not to engage on a particular platform. For example, if a comment is made on Twitter and you don’t have a Twitter account. The guidance still recommends the use of social media monitoring tools and techniques to identify potential risks but leaves the procedural specifics, and any actual response, up to the institution.
- How much control would be required over employee use of social media, both during business hours, but more specifically on their own time?
- Not as much as the proposed guidance first indicated. The final guidance makes a clear distinction between employee “official” use, and employee “personal” use. Institutions must establish policies and training that clearly outline what employees are, and are not, allowed to communicate in their official capacity. But the guidance stopped short of requiring institutions to impose any restrictions on employee personal use of social media, saying only that institutions evaluate the risks for themselves and determine appropriate policies. Since the potential for reputation risk exists regardless of whether employees are posting officially or personally, I believe you should strongly consider including guidelines for employee personal use in your training, even if it’s not covered in your policies.
- How much due diligence is required by institutions for social media providers?
- Plenty. And in my opinion vendor management is where the biggest challenges lie for financial institutions. The guidance states that “…Working with third parties to provide social media services can expose financial institutions to substantial reputation risk.” (emphasis mine) And they point out that this guidance “…does not impose any new requirements…”. So the regulators require the same degree of due diligence for social media vendors that they require for all other potentially high-risk service providers, and just as with any other outsourced relationship, you are expected to complete it prior to engaging with the provider.
But selecting and risk-managing social media vendors is much more challenging. First of all, unlike with other initiatives, once you’ve selected your platform you don’t have a choice of providers. If you choose to utilize Facebook or LinkedIn or Twitter for example, the provider is the platform. It’s not as if you can select among multiple Facebook vendors! Furthermore you are expected to be aware of matters such as the vendor’s reputation, their policies regarding use of your (and your customers) information, how (and how often) their policies might change, and what (if any) control you have over the vendors policies and actions. So let’s take a look at these expectations in order:
- The vendor’s reputation?
- Their policies?
- How often might social media vendors change policies?
- As often as they like, and without prior notification.
- What control do you have over the vendors’ policies and actions?
Once you’ve assessed all potential risks, your next challenge is to try to mitigate them. Standard vendor risk controls for vendors consist of requesting, obtaining, and reviewing documentation such as financial reports, third-party audits, contractual confirmation of GLBA adherence, BCP testing results, etc. But often requests for this type of documentation are either ignored or refused by social media providers, and even when documentation is provided, it doesn’t directly address your privacy, confidentiality, and security concerns. Social media service providers are simply not used to dealing with the unique regulatory reporting requirements of the financial industry. And accord to the FFIEC “…a financial institution should thus weigh these (residual risk) issues against the benefits of using a third party to conduct social media activities.” Unfortunately, social media is one activity that must be outsourced.
One more thing to consider is that all social media providers are also (by FFIEC definition*) cloud service providers, and as such subject to all of the guidelines for Outsourced Cloud Computing as well. Given the risk management challenges of social media, institutions may want to remember what the FFIEC had to say about providers that are unfamiliar with the financial industry, or unwilling to implement changes to their policies or procedures to meet changing regulatory requirements: “Under such circumstances, management may determine that the institution cannot employ the servicer.”
So in summary, the FFIEC seems to be telling financial institutions “proceed if you must, but proceed cautiously…and don’t take any shortcuts”. And I will repeat what I first said back in 2011…the challenge of risk managing social media boils down to this: You are accepting an either (at best) higher level of residual risk or an (at worst) unknown level of risk, to achieve an uncertain amount of benefit. Oh, and risk avoidance is not an option.
[pardot-dynamic-content id=”388″ default=”%3Ch4%3E%C2%A0UPDATE+%26ndash%3B+I%26rsquo%3Bve+created+a+Social+Media+Compliance+Framework+checklist+to+help+you+assess+your+own+compliance+posture+and+align+with+current+guidance.+Just+fill+out+the+form+below.%3C%2Fh4%3E%C2%A0%3Ciframe+allowtransparency%3D%22true%22+frameborder%3D%220%22+height%3D%22180%22+src%3D%22http%3A%2F%2Fwww2.safesystems.com%2Fl%2F10312%2F2014-01-22%2F2sznyr%22+style%3D%22border%3A+0%22+type%3D%22text%2Fhtml%22+width%3D%22100%25%22%3E%3C%2Fiframe%3E”]
*”…cloud computing is a migration from owned resources to shared resources in which client users receive information technology services, on demand, from third-party service providers via the Internet ‘cloud.'” – FFIEC Statement on Outsourced Cloud Computing, July 10, 2012