Social Media Risk Management: Establishing a Risk Management Program

By: (CISSP)

Publication: The Kansas Banker, February/March 2013

Does your bank have a social media risk management program? If you answered "no" to the previous question, then you might have some work to do. Your financial institution faces risks associated with social media whether or not it is officially using social media as a communication channel. A risk management program should be implemented to identify, measure, monitor, and control the risks related to social media. There is now some information from the FFIEC that can assist you with controlling social media risks.

In January of this year, the FFIEC released proposed guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted through social media. These activities include publishing and even just accessing information through social media. The proposed guidance imposes no additional obligations on financial institutions, but it does include expectations for managing social media risks. The proposed guidance is entitled "Social Media: Consumer Compliance Risk Management Guidance," and it is open for public comments until March 25th. Once the guidance has been completed, it will be issued as supervisory guidance to financial institutions.

There are many forms of interactive communication online that would be considered social media.  Through these websites and apps, users can generate and share content via text, images, audio, and/or video.  Uses of social media include marketing, monitoring public feedback, and engaging with existing or potential customers.  The proposed guidance lists examples of social media including "micro-blogging sites (e.g., Facebook, Google Plus, MySpace, and Twitter); forums, blogs, customer review websites and bulletin boards (e.g., Yelp); photo and video sites (e.g., Flickr and YouTube); sites that enable professional networking (e.g., LinkedIn); virtual worlds (e.g., Second Life); and social games (e.g., FarmVille and CityVille)."  

If the bank chooses to conduct official communications through social media, there are definitely risks involved. Potential risk areas include compliance, legal, reputational, and operational risk. The FFIEC's proposed social media guidance explains the risk areas and provides specific examples for each area. It also expresses the need for a bank to "have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media." A solid risk management program will help avoid enforcement actions and/or civil lawsuits. According to the proposed guidance, your institution's risk management program should include:

  • A governance structure with clear roles and responsibilities
  • Policies and procedures covering the use and monitoring of social media
  • A due diligence process for selecting and managing third-party service provider relationships
  • An employee training program
  • An oversight process for monitoring information posted to social media sites
  • Audit and compliance functions to ensure compliance
  • Parameters for providing appropriate reporting to the institution's board of directors or senior management

Social media-related risks also cannot be dismissed simply because your bank has chosen not to actively participate on social media sites. Regardless of whether your bank has created official accounts on any social media sites, it is likely that the majority of your current customers, potential customers, and employees are using some form of social media for personal and/or professional purposes. The institution could be negatively affected by disparaging comments made by customers or past customers. Fake accounts masquerading as the institution can be created to harm the institution's brand or to conduct phishing attacks. Even your employees' personal communications through social media can damage the bank, because they may be seen as a reflection of the bank's values, attitude, or policies. Your employees could be sharing information with your customers that is inappropriate, controversial, offensive, confidential, or even illegal.

In summary, there is at least some risk to every bank arising from social media. A social media risk management program needs to be implemented at your bank to ensure proper oversight and controls are in place. Your controls need to align with the risks presented by the types of social media activities being conducted. The FFIEC's new guidance should prove to be a helpful resource when developing your risk management program, even before its final version is published, so use it as a resource to help mitigate the risk to your bank.