How much due diligence is required by institutions for social media providers?
Plenty. In this regard, vendor management is where the biggest challenges lie for financial institutions. The guidance states that “…working with third parties to provide social media services can expose financial institutions to substantial reputation risk”, while also pointing out that the guidance “does not impose any new requirements…” In other words, regulators require the same degree of due diligence for social media vendors that they require for all other potentially high-risk service providers, and, just as with any other outsourced relationship, you are expected to complete that due diligence before engaging with the provider. Unlike most other vendor relationships, however, managing social media vendors is much more challenging. First of all, unlike with other initiatives, once a bank has selected the platform there is no choice of providers: when choosing to use Facebook, LinkedIn or Twitter, the provider is the platform. It’s not as if you can select among multiple Facebook vendors! Furthermore, the bank is expected to be aware of matters such as the vendor’s reputation, its policies regarding use of the bank’s information and the customer’s information, how and how often those policies might change, and what control, if any, the bank has over the vendor’s policies and actions.
Does the guidance impose a single standard of expectations for all institutions regardless of their degree of involvement in social media activities?
No. Although all institutions are expected to implement a risk management program, it should be consistent with the breadth of the institution’s involvement in social media activities. The program should be designed with input from folks in compliance, technology, information security, legal, human resources, and marketing. However, even institutions that choose to not use social media should be aware of the risks of not being able to respond to negative comments or complaints that may arise elsewhere. Both a policy and a risk assessment are required regardless of the bank’s level of involvement in social media activities, even if it chooses to opt out.
Will institutions be required to monitor and respond to all communications about the institution throughout the Internet?
No, but institutions are expected to understand the risks of NOT being able to respond, particularly the reputation risks of not being able to respond to complaints or disputes originating from other channels. The FFIEC also mentions the “challenge” for institutions to protect their brand identity by being aware of the risk of someone “spoofing”, or masquerading as, the institution. All of these risks exist regardless of the institution’s decision to engage in social media activities. In fact, responding to a negative comment or a spoofing attack may be much more challenging if the bank has decided not to engage at all, or even not to engage on just a particular platform. The guidance still recommends the use of social media monitoring tools and techniques to identify potential risks, but leaves the procedural specifics, and any actual response, up to the institution.
How much control will be required over employee use of social media, both during business hours and, more specifically, on their own time?
Not as much as the proposed guidance first indicated. The final guidance makes a clear distinction between employee “official” use and employee “personal” use. Institutions must establish policies and training that clearly outline what employees are, and are not, allowed to communicate in their official capacity. The guidance stopped short of requiring institutions to impose any restrictions on employee personal use of social media, saying only that institutions should evaluate the risks for themselves and determine appropriate policies. Since the potential for reputation risk exists regardless of whether employees are posting officially or personally, institutions may want to consider including guidelines for employee personal use in training, even if it is not formally covered in policies.
Once a bank has assessed all potential risks, the next challenge is to try to mitigate them. Standard vendor risk controls consist of requesting, obtaining, and reviewing documentation such as financial reports, third-party audits, contractual confirmation of GLBA adherence, BCP testing results, etc. But requests for this type of documentation are often either ignored or refused by social media providers, and even when documentation is provided, it does not directly address privacy, confidentiality, and security concerns.
Social media service providers are simply not used to dealing with the unique regulatory reporting requirements of the financial industry. According to the FFIEC “…a financial institution should thus weigh these (residual risk) issues against the benefits of using a third party to conduct social media activities.” Unfortunately, social media is one activity that must be outsourced.
One last thing to consider is that all social media providers are also, by FFIEC definition, cloud service providers, and as such are subject to all of the guidelines for Outsourced Cloud Computing as well. Given the risk management challenges of social media, institutions may want to remember what the FFIEC had to say about providers that are unfamiliar with the financial industry, or unwilling to implement changes to their policies or procedures to meet changing regulatory requirements: “Under such circumstances, management may determine that the institution cannot employ the servicer.”
Essentially, the challenge of managing social media risk is this: banks are accepting either a higher level of residual risk or an unknown level of risk to achieve an uncertain amount of benefit. Proceed if you must, but proceed with caution and don’t take any shortcuts.
Tom Hinkel is VP of compliance services for Safe Systems