Last week, the FFIEC released proposed risk management guidelines for financial institutions using social media. The guidelines did not delve too much into specifics, offering more of a broad outline of the potential risk and compliance issues that can arise in the burgeoning social media channel.
"Financial institutions may use social media in a variety of ways, including marketing, providing incentives, facilitating applications for new accounts, inviting feedback from the public, and engaging with existing and potential customers, for example, by receiving and responding to complaints, or providing loan pricing," reads a portion of the FFIEC paper. "Since this form of customer interaction tends to be informal and occurs in a less secure environment, it presents some unique challenges to financial institutions."
The FFIEC continues, "A financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media. The size and complexity of the risk management program should be commensurate with the breadth of the financial institution’s involvement in this medium. For instance, a financial institution that relies heavily on social media to attract and acquire new customers should have a more detailed program than one using social media only to a very limited extent. The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing."
The FFIEC cautioned banks that there are several areas of risk when engaging customers in social media. For example, if a bank uses social media to market products or originate new accounts, it must make sure all its communications are in accordance with laws such as the Truth in Savings Act, Truth in Lending Act, and Section 5 of the Federal Trade Commission (FTC) Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.”
These are but a few of the myriad of risk concerns banks must take into account when engaging in social media.
Matt Putvinski, director of Wolf & Company's IT Assurance Services group, says the guidelines "are a good first step" and expects to see more robust guidance offered by the FFIEC when it publishes its final version of the report after receiving feedback from financial institutions.
"I did like the fact that the paper talked about the inventory of social media channels and looked at the risk indicative in each one," he adds. "There are some differences in the way you use Facebook as opposed to Twitter."
Ultimately, Putvinski believes the best way for financial institutions to mitigate risk related to social media is to have a clearly stated social media policy and to educate employees on the proper use of social media.
"Some might want to block access to social media sites from computers within the institution, but that can't stop someone from going on their phone and accessing them," he says. "At the end of the day, it is a matter of education in this area; the best thing you can do is tell people the best practices, and most people will follow them."