Regulating your credit union’s social media before it starts regulating you
by Jane Pannier
If there’s one thing financial institutions can’t avoid anymore, it’s social media. Whether you’ve hopped on the bandwagon already or you’re hoping it will pass you by unnoticed, the FFIEC recommends the following guidance for considering the effect social media could have on your institution, for better or worse.
Overview
The Federal Financial Institutions Examination Council (FFIEC) has finalized its supervisory guidance on the application of consumer compliance regulations and risk management to the use of social media as a delivery channel. Financial institutions’ increasing use of social media can increase compliance, legal, operational, and reputation risk, as well as increase the risk of harm to consumers if the financial institution exercises poor oversight of its social media program. Financial institutions (FIs) are expected to use this guidance to ensure that their policies and procedures identify appropriate oversight and controls, including the performance of risk assessments that are commensurate with the institution’s size, complexity, activities, and third-party relationships.
Social media is defined as a form of interactive online communication in which users can generate and share content. Social media can take a number of forms from micro-blogging sites—such as Facebook, Google Plus, MySpace, and Twitter—to forums, blogs, customer review websites like Yelp, bulletin boards, photo and video sites like Flickr and YouTube, professional networking sites like LinkedIn, virtual worlds like Second Life, and social games, such as FarmVille and CityVille. This guidance does not include stand-alone messages sent by email or text message in its definition of social media.
Social Media Risk Management Program
FIs should adopt an appropriate risk management program based on a risk assessment of its use of social media that allows the institution to identify, measure, monitor, and control the risks associated with social media. Even if your institution does not use social media, you should consider the negative comments and complaints that could arise from social media platforms that the institution may need to monitor and respond to.
The social media risk management program should include participation from the institution’s compliance, technology, information security, legal, human resources, and marketing staff. The guidance recommends that the risk management program include:
- Clear roles and responsibilities through which the Board and/or senior management direct how social media contributes to strategic goals and establishes controls and ongoing assessments of social media activities;
- Policies and procedures that address the use and monitoring of social media and the methodologies that will be used to address risks from online postings, edits, replies, and retention;
- A process for selecting and managing third-party relationships in connection with social media;
- An employee training program on the official, work-related use of social media that includes impermissible activities;
- Audit and compliance functions to ensure ongoing compliance with internal policies and procedures, as well as all applicable laws, regulations, and guidance; and
- Parameters for providing appropriate reporting so that the Board and/or senior management can periodically evaluate the effectiveness of the social media program.
