FFIEC Proposes Social Media Guidance

Regulators Address Emerging Risks to Banking Institutions

January 24, 2013.

The Federal Financial Institutions Examination Council has issued proposed risk management guidance for the use of social media.

"Social Media: Consumer Compliance Risk Management Guidance," was posted on the Federal Register Jan. 23. It provides an overview of the impact social media sites have on compliance with consumer protection and other applicable laws, especially when interactions between institutions and consumers take place on social media sites such as Facebook and Twitter.

George Tubin, a financial fraud and security expert at anti-malware vendor Trusteer, says the guidance will likely be welcomed by security and privacy officers, who have struggled to keep social media risks in check.

"Employees could be using social media from different devices or from home at night," Tubin says. "If their accounts are taken over, then a criminal could be posting on that site, giving advice to steer customers to do something they shouldn't, or posting a link that leads them to a malicious site. There certainly are a lot of risks banks need to think about when they start to use social media."

Tubin's take: The proposed guidance is really about risk assessment. "It's meant to put banks on notice that social media is another area they have to focus on and think about," he says.

The FFIEC will accept comments on the proposed guidance through March 25. It will publish a final version once it reviews comments received.

Why Guidance Developed

The proposed guidance was developed to help financial institutions understand the legal, reputation and operational risks associated with social media and provide best practices for managing those risks, the FFIEC notes. And while the guidance does not impose additional obligations, financial institutions will be expected to take steps to manage their risks.

"Financial institutions may use social media in a variety of ways, including marketing, providing incentives, facilitating applications for new accounts, inviting feedback from the public and engaging with existing and potential customers, for example, by receiving and responding to complaints, or providing loan pricing," the guidance states. "Since this form of customer interaction tends to be informal and occurs in a less secure environment, it presents some unique challenges to financial institutions."

The proposed guidance outlines social media risks banks should address, including compliance and legal considerations, payments, consumer privacy and reputational and operational concerns.

Key Advice

Among the advice offered in the guidance:

  • Implement a risk management program that enables the institution to "identify, measure, monitor and control the risks related to social media." The FFIEC spells out what risk management programs should include, such as a governance structure as well as policies and procedures for employees, a due diligence process for third-party service providers connected with social media and regular audits for compliance with applicable laws and regulations.
  • Periodically evaluate and control the use of social media to ensure compliance with all applicable federal, state and local laws, regulations and guidance. That includes, for example, the Truth in Savings Act, the Equal Credit Opportunity Act, the Truth in Lending Act, the Electronic Fund Transfer Act and the Gramm-Leach-Bliley Act.
  • Properly manage risks to the institution's reputation. The FFIEC notes that posts from dissatisfied consumers on social networking sites, as well as negative publicity, could harm a bank's or credit union's reputation, even if the institution has not violated any laws. Privacy and transparency issues, as well as other consumer protection concerns, arise in social media environments, regulators point out. To mitigate risks to reputation, banking institutions should monitor posts facilitated by third parties hired to oversee social media programs.
  • Manage operational risks. "A financial institution should ensure that the controls it implements to protect its systems and safeguard customer information from malicious software adequately address social media usage," the proposed guidance states. To address operational risks, institutions should treat social media like they would any other information technology platform, as noted in the FFIEC Information Technology and Examination Handbook. Other guidance, such as the Outsourcing Technology Services booklet, also should be followed.

Follow Tracy Kitten on Twitter: @FraudBlogger