FFIEC Social Media Proposed Guidance - the Reader’s Digest Version

By: (CISA, CISSP, CRISC)

Publication: VACB (Virginia Association of Community Banks)The Community Banker , Spring 2013

The Community Banker, Spring 2013 In January, the Federal Financial Institutions Examination Council (FFIEC) released proposed guidance titled, Social Media: Consumer Compliance Risk Management Guidance.  According to the FFIEC, the proposed guidance "is intended to help financial institutions understand potential consumer compliance and legal risks, as well as related risks, such as reputation and operational risks associated with the use of social media, along with expectations for managing those risks."

Definition:

The term "social media" can mean many different things to different people.  For the purposes of the guidance, the FFIEC defined social media as "a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video."  They also included the following examples of social media:

  • Micro-blogging sites (e.g., Facebook, Google Plus, MySpace, and Twitter)
  • Forums, blogs, customer review websites and bulletin boards (e.g., Yelp)
  • Photo and video sites (e.g., Flickr and YouTube)
  • Sites that enable professional networking (e.g., LinkedIn)
  • Virtual worlds (e.g., Second Life)
  • Social games (e.g., FarmVille and CityVille)

The Agencies suggest social media "can be distinguished from other online media in that the communication tends to be more interactive."

Compliance Risk Management Expectations:

The proposed guidance identifies four key expectations:

  1. Financial institutions should have a risk management program to identify, measure, monitor, and control risks related to social media.
  2. The program should be based on the institution's size, complexity, and involvement in social media.
  3. The program should have participation from compliance, technology, information security, legal, HR, and marketing.
  4. Even if an institution has chosen not to use social media, they still should address negative comments/complaints and employee training.

Risk Management Program:

The foundation of the guidance is based around the concept of a Risk Management Program.  Suggested components of the Program include:

  1. Governance structure - directed by the board of directors or senior management, based on strategic goals, and used to establish controls and ongoing risk assessment activities.
  2. Policies and procedures – regarding use and monitoring of social media.
  3. Third-party oversight – including a due diligence process for selecting and managing vendors associated with social media.
  4. Employee training – covering policies and procedures, appropriate usage, and impermissible activities.
  5. Monitoring – a process to review information posted to social media sites.
  6. Audit and compliance – to ensure ongoing compliance with policies, laws, regulation, and guidance.
  7. Reporting – a reporting process to the board of directors or senior management to ensure social media is evaluated for its effectiveness and to see if it is achieving its stated objectives defined in the governance structure.

Risk Areas:

The proposed guidance includes a section titled "Risk Areas."  This section is designed to help identify potential threats, vulnerabilities, and general risks that might arise from using social media.  Three core risk areas are identified: Compliance and Legal Risks, Reputation Risks, and Operational Risks.  Each risk area also includes different laws, regulations, and guidance that might apply.  This is an excellent resource to use when creating a social media risk assessment.

Conclusion:

The Agencies state they recognize financial institutions are using social media and suggest that, as with any new product or service, a risk management process or program must apply.  Even if a financial institution has chosen not to use social media, the proposed guidance suggests the institution should still provide guidance to employees around the use of social media and monitor social media sites for negative comments or complaints.

To read the proposed guidance in its entirety, visit http://www.ffiec.gov/press/pr012213.htm