Crafting a Social Media Risk Management Program

By: (CISA, CISSP, CRISC)

Publication: Nebraska Banker, March/April 2014

In December 2013, the FFIEC issued final guidance on social media entitled “Social Media: Consumer Compliance Risk Management Guidance.” The purpose of the guidance was to help financial institutions better understand the risks of social media and to set out some expectations for managing those risks. The FFIEC points out that “the guidance does not impose any new requirements on financial institutions;” however, the guidance does provide considerations financial institutions may use in crafting a risk management program.

Section III of the final guidance, titled “Compliance Risk Management Expectations for Social Media,” states: “A financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media.” Section III goes on to define seven components that should be included in a bank’s social media risk management program. Let’s take a look at these components.

Governance

“A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution (for example, through increasing brand awareness, product advertising, or researching new customer bases) and establish controls and ongoing assessment of risk in social media activities.”

As with any new product, service or technology, financial institutions must be diligent in the risk management process and intentional about how social media is used. A comprehensive governance structure with clear goals, roles and responsibilities is the foundation of a strong risk management program.

Policies and Procedures

“Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations, and incorporation of guidance as appropriate. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention.”

It is clear that financial institutions must have policies and procedures in place related to social media. Throughout the guidance, the FFIEC has provided considerations institutions may find useful in crafting and evaluating these policies and procedures.

Third-Party Management

“A risk management process for selecting and managing third-party relationships in connection with social media.”

In an interagency teleconference call on December 19, 2013 regarding the new Social Media: Consumer Compliance Risk Management Guidance, representatives on the call confirmed that social media sites (such as Facebook) used by financial institutions are third parties and therefore require a risk management process for selecting and managing them.

Employee Training

“An employee training program that incorporates the institution's policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities.”

Employees must receive training and guidance regarding the proper use of social media, particularly when employees communicate officially on behalf of the financial institution.

Monitoring

“An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party.”

The final guidance requires financial institutions to monitor communications on sites maintained by or on behalf of the institution. In addition, monitoring must include any other sites identified as presenting a risk to the bank during the risk assessment process.

Audit and Compliance

“Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations, and incorporation of guidance as appropriate.”

In Section IV, Risk Areas, the guidance examines many different laws and regulations that may apply to the use of social media. While this information can be very helpful from an audit and compliance standpoint, it is not intended to be an exhaustive list.

Reporting

“Parameters for providing appropriate reporting to the financial institution's board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.”

Good reporting is essential to effective governance. Reports must be developed and delivered in a manner that allows the board or senior management to confirm that goals and objectives are being met and that risk is being identified and addressed.

Conclusion

Financial institutions should have a social media risk management program designed specifically for their institution, taking into account its size, complexity, social media activities, and third-party relationships. The risk management program should be designed with participation from all applicable areas, such as compliance, technology, information security, legal, human resources, and marketing.