Managing the compliance risk of social media at Banks & Credit Unions


Having recognized that social media is becoming an increasingly important tool in consumer interaction and new business generation, the FFIEC (Federal Financial Institutions Examination Council) recently published guidelines regarding the applicability of federal consumer protection and regulations to activities conducted via social media.

The good news is that this brings some welcome clarity to the area. The bad news is that ignoring the issue is no longer an option. The guidelines go as far as saying that financial institutions who have chosen not to use social media cannot ignore the issue; they should still consider the potential for risks arising from negative comments and complaints from within the many forms of social media.

The guidelines identify <i>five key risks</i> arising from social media:
<ul>
<li>Reputational risk</li>
<li>Operational risk</li>
<li>Compliance risk</li>
<li>Legal risk</li>
<li>Risk of harm to consumers</li>
</ul>
The agencies involved (including the FDIC, the National Credit Union Administration, the Consumer Financial Protection Bureau, the Federal Reserve and the Office of the Comptroller of the Currency) now expect all financial institutions under their supervision to effectively assess and manage risks associated with activities conducted via social media, but the specific inclusion of reputational risk and the breadth of platforms classified as social media have significantly increased the scale of the task.

While the FFIEC specifically exclude email and text messaging from the guidelines, they do include social media that goes well beyond the more commonly used websites, like Facebook, Twitter and Google+, to include Yelp, Second Life and even Farmville. This may come as a major surprise, but it seems that if it’s on the web and it has potential for consumer interaction, whether that’s simply advertising or something more involved, then it has to be part of the social media risk assessment and compliance policy.

The guidelines do a good job of outlining the scope of the policies and procedures required to maintain compliance, but they fail in an important regard. Given the sheer volume of regulation, the possibility of retrospective regulation or application of regulations and the fast-evolving nature of social media, it seems incomprehensible that risk and compliance can be managed in “real time”. It seems inevitable that a cornerstone of any compliance or risk management policy will be the need to archive all social media interaction.

In their defense, the FFIEC provide themselves something of a get-out by suggesting that institutions should be working to implement the new guidelines in conjunction with specialists in this area, such as Hanzo. We’ve been working hard with financial institutions on these issues for more than four years and we understand the issues involved with establishing and maintaining a compliant social media archive that’s defensible in court, should the need arise.

If you’re looking to comply with the FFIEC guidelines on social media, get in touch. We’ll talk you through the issues involved, point out the relevant standards and explain how other institutions have managed to maximise the possibilities of social media while simultaneously reducing the risk.
