Drafted guidance issued by the Federal Financial Institutions Examination Council now details how banks and credit unions can prepare to mitigate the new and emerging risks social media poses.
The drafted guidance, issued in January, references applicable laws and regulations banking institutions should consider when planning and conducting their activities related to social media, says Elizabeth Khalil, of the Federal Deposit Insurance Corp., which is part of the FFIEC.
"We're not trying to discourage financial institutions from using social media," Khalil, a senior policy analyst within the FDIC's Supervisory Policy Branch of Depositor and Consumer Protection, says during an interview with Information Security Media Group [transcript below].
As more banks utilize social media, they're faced with compliance issues and reputational risks, Khalil says. Among the challenges institutions face: phishing attacks that harm the bank's brand; misuse of consumer data; privacy; and third-party risks.
"It's definitely not our intent to create a new regulatory burden," Khalil says. "We would encourage financial institutions to evaluate the risks for themselves."
During this interview, Khalil discusses:
- Third-party breach and vendor management considerations;
- Reputational risks, even for institutions that don't have their own social media presence;
- Why more feedback from institutions related to the proposed guidance is needed.
Khalil serves as a subject matter expert in numerous areas, including mobile financial services, prepaid products, payments systems, and privacy and data security. She previously served as a senior associate in the financial institutions group at Hogan Lovells US LLP (formerly Hogan & Hartson), where she also was a member of the firm's privacy working group. Before joining Hogan, Khalil was a senior attorney with the Office of the Comptroller of the Currency. She is a member of the International Association of Privacy Professionals, the American Bankruptcy Institute, and the Federal Communications Bar Association.
Social Media Guidance
TRACY KITTEN: What can you tell us about the timing of this proposed guidance?
ELIZABETH KHALIL: Before I jump into answering your questions, I wanted to say from the outset that my remarks today are my own and don't necessarily reflect the official position of the FDIC.
That said, on the timing, I would say that we've been receiving a lot of requests from the industry for a while to come out with some sort of guidance in this area. In the past few years, financial institutions have been using social media more and more, and new types of social media have been developing. As financial institutions were considering whether to jump in and use social media, their concerns were also increasing.
For instance, here at the FDIC we kept hearing concerns from lots of smaller institutions, which make up the majority of the banks we supervise. They were saying, essentially, "We don't have a huge number of compliance staff. We don't have lots of resources. We're reluctant to dive into social media without having a better sense of what the potential compliance issues are and what the potential risks are that we need to understand and figure out how to address."
In crafting the guidance, our approach was to basically gather together a list of potentially relevant laws and regulations for financial institutions to refer to when they're planning and conducting their activities related to social media. It's not necessarily an exhaustive list, but as you can see, when looking at the proposed guidance, it includes many of the major laws and regulations that could come up.
Social Media Risks
KITTEN: What unique social media risks would you say banking institutions face?
KHALIL: I would say compliance issues. On the pure compliance side, financial institutions are subject to an array of laws and regs that other types of companies might or might not be. We have the Gramm-Leach-Bliley Act privacy rules, for instance, applicable to financial institutions, [along with] a number of other laws and regs that we mention in the guidance. It's a fairly lengthy list, as you can see from reading the guidance.
Next [is] reputation risk. That can be particularly acute for financial institutions, and you have to consider first that banks have occupied a certain place in our society for quite a while. They've occupied this place of trust in the public's mind, and yet, at the same time, they've also been coming under some public scrutiny - where people have questioned whether they're engaging in consumer-unfriendly practices. There's not a lot of public interest lately in how consumer information is being used by businesses in cyberspace, and this is an issue that affects not only the banking sector, but, more broadly, any company dealing with consumer data.
Against that backdrop, financial institutions have to be especially mindful of reputation risk. They should be aware of activities they might be engaging in that could harm that place of trust. People are paying a lot of attention to how consumer information is used within the social media context.
I would also say third-party issues are a concern. Social media raises some novel third-party issues for financial institutions. Institutions are used to going through the steps that we banking agencies have advised for a long time, like due diligence, proper contractual provisions, oversight monitoring, auditing and that sort of thing. But social media often involves third parties of the type that aren't your traditional service providers or vendors.
For instance, you have a third party that develops a social platform that the financial institution can choose to establish a presence on if it wants. If so, the financial institution, more or less, has to play by that platform's established rules if it wants to use that platform. The platform doesn't work for the financial institution as a traditional vendor under contract. The financial institution isn't going to have that same opportunity to conduct traditional due diligence, engage that third party by contract, oversee them and audit them. But being associated with that third party will still pose risks. At the very least, there will be reputation risk.
If something goes wrong - say there's a breach or use of consumer's personal information that consumers didn't expect - and if consumers feel their information was not handled with care, consumers could blame the financial institution as well. In cases like these, when you're dealing with a third party that's not your service provider, we would encourage the financial institution to do as much on the due diligence side as feasible - like what's the reputation of that third party, what are their policies, how do they handle consumer information and so on - to determine whether the financial institution can get comfort around the risks posed by that third party and sufficiently mitigate the risks.
Key Points of Proposed Guidance
KITTEN: What key points are regulators most interested in conveying through this proposed guidance?
KHALIL: First, we're not imposing any new requirements on banks and credit unions. That's an important point to get out. This is guidance, not a regulation. We intend for this to be helpful, not to impose any new regulatory burdens. We're also not trying to discourage financial institutions from using social media. We recognize that social media can be a useful tool for financial institutions. It can allow them to reach a wider universe of consumers. It can let them spread their brand identity more widely. It can let them deepen their relationships with existing customers and so forth. There are definitely good reasons for financial institutions to use social media.
KITTEN: Have there been any recent events, such as the DDoS attacks against U.S. financial institutions or upticks in phishing schemes aimed at Facebook users, that spurred the FFIEC to address social media risks?
KHALIL: We weren't reacting to a specific incident or threat. That said, we recognize that new threats are being developed all the time. We want our regulated institutions to stay on top of security as social media and other technology continues to be more widely adopted. Fraudsters are going to go where the potential victims are and where appealing prey is. As social media is used more and more, including in the financial institution context, fraudsters are probably going to continue to see it as an attractive target.
KITTEN: What security challenges would you say banking institutions face when it comes to social media?
KHALIL: Phishing and spoofing schemes remain potential concerns. I would say there are also some particular security challenges that arise from working with third parties that the financial institution has little or no control over. For instance, what if a hacker hacks a social-media platform that the financial institution is using but doesn't own and isn't operated by the financial institution's service provider? In that case, the financial institution is going to have to deal with the fallout, even though it wasn't necessarily in a position to prevent the incident in the first place. Those are the types of situations that financial institutions need to be aware of and prepare for.
Consumer Security/Privacy Concerns
KITTEN: What would you say are some of the specific security and privacy concerns for consumers?
KHALIL: In going through the comments the past few days, I saw one from a commenter who said you can't expect consumers to be data security experts, and that's a valid point. In response to that, financial institutions could consider engaging in some consumer education; for example, how to recognize a site as a valid site of the financial institution, and to warn consumers against posting sensitive information on social-media sites.
It's important to note that financial institutions that want consumers to use their social-media sites have a built-in incentive to ensure not only that consumers' data actually is protected and secure, but that consumers understand and believe that's the case. Because if consumers aren't confident that their information will be secure and handled with care, or they don't understand or agree with the privacy policies that govern use of their information on a social-media site, that's going to potentially interfere with adoption of the social-media product. It's important to consider how consumers are likely to feel about the use and security of their personal information through the social-media site that the financial institution is using, and how that's likely to impact whether consumers will use the site in the first place.
KITTEN: How could a financial institution's brand be affected by social media?
KHALIL: We recognize that use of social media can be helpful to a financial institution's branding, and that's something we want to underscore again. It can be a useful way to get the financial institution's name out there, interact with consumers, get feedback and so on. But at the same time, financial institutions definitely have to consider the risks to their brand that can be posed by social media.
For instance, phishing and spoofing attacks could harm the financial institution's brand and then decrease consumer confidence. The financial institution should address how it will monitor for and address such issues, as well as how it will communicate with consumers about ensuring the financial institution site is genuine, legitimate.
Data breaches can also be a risk to the financial institution's brand. People often put a lot of personal information up on social-media sites, and that can provide a treasure trove for wrongdoers who want to access that information and do various things with it. And it's not just breaches. It's any situation where consumers feel their data hasn't been handled with care or in the way they expect or in the way they feel they were promised.
On the privacy side, if consumers' photos or other personal information are used or incorporated into ads, for example, and used in ways they feel happened without their permission, it can result in reputational harm to the financial institution, even if the financial institution wasn't directly responsible for that situation.
Again, I just want to note that this risk can be heightened when working with a third-party platform that the financial institution has only limited control over. In effect, the public is going to probably consider the third-party policies to be the financial institution's policies as well in many cases. If the third party didn't properly safeguard the data that was the subject of the breach or the misuse or the perceived misuse, that can taint the financial institution's reputation, too.
It's also important to remember that social media provides a channel for people to say basically whatever they want. We wanted to call financial institutions' attention to that, to say that even if the financial institution thinks it's not involved in social media, in the sense that it doesn't have a Facebook page or a Twitter account or so forth, people may still be using social media to talk about the financial institution. It could be customers of the bank, consumers in general, even the financial institution's own employees. The question is: How do you anticipate that and address that? Are you going to respond to posts about you, and how are you going to do that? Financial institutions should be asking these questions and deciding for themselves.
KITTEN: Do you have any thoughts about when the actual guidance might be issued?
KHALIL: It's our hope that it will come out sooner rather than later this year. A threshold issue to address: we have to go through the comments [which had to be filed by March 25]. We will read all the comments, and we want to make sure we've considered them all thoroughly and the issues they raise. We really do want to be responsive to concerns and make this the best and most useful and helpful guidance it can be. We don't plan to rush through the comments; we plan to consider them all very thoughtfully.
KITTEN: How will conformance with this guidance, once it's issued, be evaluated by regulators?
KHALIL: Conformance is going to be evaluated in at least two ways: first, compliance with all relevant individual laws and regulations, and conformance with safety and soundness requirements, generally. Again, here we want to emphasize that this guidance doesn't impose new requirements. Instead, it states what financial institutions should already be considering. Each agency tends to have a little different approach to its examination process, but generally examiners would be looking for whether the financial institution has appropriate compliance management systems and risk management systems in place to identify and address relevant risks, just as they would for any other delivery channel.
Steps to Prepare
KITTEN: How should institutions be preparing now for this guidance?
KHALIL: Financial institutions that have been using social media should already have policies and procedures in place addressing social-media use. To the extent a financial institution hasn't been using social media and plans to, we hope the guidance provides a useful tool to assess what components to incorporate into their social-media approaches, into their policies and procedures, to understand what laws and regs might apply, and plan a compliance strategy accordingly. We do want them to feel free to comment. We want this to be helpful guidance and responsive to all relevant concerns, so we do want to hear from people.
Addressing Social Media Risks
KITTEN: What steps should they be taking to address risks and what should they be doing with their risk-assessment strategies?
KHALIL: As with any risk assessment, the financial institution should consider taking into account a number of things, like, for example, the type of social media the financial institution will be using or not using; the types of third parties the financial institution will be using and interacting with, not just traditional service providers that are under contract, but third parties like social-media platforms over which the financial institution might have little or no control; and what information the financial institution or any third-party site that it's working with will be collecting from the institution's customers or other consumers, and how that information will be used. Look at the list of compliance laws and regs, including the one that we provide to evaluate which might apply.
If the financial institution will not be using social media itself, at least in the sense of not having an account on a platform like Facebook, Twitter or YouTube, consider, still, whether and how to address social-media postings about the bank, particularly those that are incorrect or otherwise potentially harmful to the financial institution's brand or to its customers.
KITTEN: What tips do regulators have to offer for assessing the risks?
KHALIL: We hope the guidance will pretty much speak for itself as to controlling the risks associated with the use of a new platform like social media. But again, there are some fairly novel risks that come up, especially the involvement of third parties that are not traditional vendors. The financial institution doesn't necessarily have the traditional service provider-vendor type of control over them.
KITTEN: Do you think that additional investments will be needed?
KHALIL: We believe financial institutions already should have been addressing these issues. The guidance is intended as a helpful guide to considerations to consider, including in a financial institution's approach to social media, and it's definitely not our intent to create new regulatory burden. We would encourage financial institutions to evaluate the risks for themselves and, to the extent they feel additional investments in personnel or training is needed, that's going to be the financial institution's call ultimately.
KITTEN: What advice would you like to offer?
KHALIL: I first would encourage our institutions to consider their use of social media thoughtfully. We're happy for financial institutions to use social media in ways that make sense for them, are useful to consumers and so forth, as long as they're also compliant with all applicable laws and regs and that they properly manage the associated risks. I would also encourage them to read the proposal carefully and provide us with any useful comments prior to the end of the comment period. We really do want to get a robust set of comments and hear from a wide variety of commenters and make sure we address all relevant issues.