FFIEC Proposes Social Media GuidanceRegulators Address Emerging Risks to Banking Institutions
See Also: Threat Briefing: Ransomware
"Social Media: Consumer Compliance Risk Management Guidance," was posted on the Federal Register Jan. 23. It provides an overview of the impact social media sites have on compliance with consumer protection and other applicable laws, especially when interactions between institutions and consumers take place on social media sites such as Facebook and Twitter.
George Tubin, a financial fraud and security expert at anti-malware vendor Trusteer, says the guidance will likely be welcomed by security and privacy officers, who have struggled to keep social media risks in check.
"Employees could be using social media from different devices or from home at night," Tubin says. "If their accounts are taken over, then a criminal could be posting on that site, giving advice to steer customers to do something they shouldn't, or posting a link that leads them to a malicious site. There certainly are a lot risks banks need to think about when they start to use social media."
Tubin's take: The proposed guidance is really about risk assessment. "It's meant to put banks on notice that that social media is another area they have to focus on and think about," he says.
The FFIEC will accept comments on the proposed guidance through March 25. It will publish a final version once it reviews comments received.
Why Guidance Developed
The proposed guidance was developed to help financial institutions understand the legal, reputation and operational risks associated with social media and provide best practices for managing those risks, the FFIEC notes. And while the guidance does not impose additional obligations, financial institutions will be expected to take steps to manage their risks.
"Financial institutions may use social media in a variety of ways, including marketing, providing incentives, facilitating applications for new accounts, inviting feedback from the public and engaging with existing and potential customers, for example, by receiving and responding to complaints, or providing loan pricing," the guidance states. "Since this form of customer interaction tends to be informal and occurs in a less secure environment, it presents some unique challenges to financial institutions."
The proposed guidance outlines social media risks banks should address, including compliance and legal considerations, payments, consumer privacy and reputational and operational concerns.
Among the advice offered in the guidance:
- Implement a risk management program that enables the institution to "identify, measure, monitor and control the risks related to social media." The FFIEC spells out what risk management programs should include, such as a governance structure as well as policies and procedures for employees, a due diligence process for third-party service providers connected with social media and regular audits for compliance with applicable laws and regulations.
- Periodically evaluate and control the use of social media to ensure compliance with all applicable federal, state and local laws, regulations and guidance. That includes, for example, the Truth in Savings Act, the Equal Credit Opportunity Act, the Truth in Lending Act, the Electronic Fund Transfer Act and the Gramm-Leach-Bliley Act.
- Properly manage risks to the institution's reputation. The FFIEC notes that posts from dissatisfied consumers on social networking sites, as well as negative publicity, could harm a bank's or credit union's reputation, even if the institution has not violated any laws. Privacy and transparency issues, as well as other consumer protection concerns, arise in social media environments, regulators point out. To mitigate risks to reputation, banking institutions should monitor posts facilitated by third parties hired to oversee social media programs.
- Manage operational risks. "A financial institution should ensure that the controls it implements to protect its systems and safeguard customer information from malicious software adequately address social media usage," the proposed guidance states. To address operational risks, institutions should treat social media like they would any other information technology platform, as noted in the FFIEC Information Technology and Examination Handbook. Other guidance, such as the Outsourcing Technology Services booklet, also should be followed.
Tonya Sweat, the director of consumer compliance policy and outreach for the National Credit Union Administration, an FFIEC agency, says banking institutions need to carefully consider the risks communications with consumers create.
"The use of social media by a financial institution to attract and interact with customers can impact a financial institution's risk profile," she says. "The increased risks can include the risk of harm to consumers, compliance and legal risk, operational risk and reputation risk. Increased risk can arise from a variety of directions, including poor due diligence, oversight or control on the part of the financial institution."
A Helping Hand?
While any new guidance is likely to get mixed reactions from banking institutions' management, many privacy and security officers will likely welcome the advice, Tubin says.
"I have heard a lot of concerns from privacy and security officers, so I think this will help," he says. "A lot of times the direction from privacy and security is just to say, 'Let's not do it,' rather than coming up with a good risk plan with controls in place."
Avivah Litan, a financial fraud expert and analyst at Gartner, says banking institutions have failed to address a number of risks posed by social media, including internal risks, which the guidance does not directly address.
Litan says hackers often use social media sites such as LinkedIn to identify employees who have privileged access or administrative rights. Once identified, hackers then target these employees and convince them, through messages or posts, to provide critical network and/or network access details, she explains.
Employees too often fall for these schemes, Litan says, and provide everything from administrative credentials to network configurations that hackers then use to infiltrate internal systems.
Still, the fact that regulators are asking institutions to consider consumer risks is a step in the right direction, Litan says, because the same takeover schemes also are targeting online-banking users on sites such as Facebook. "Social networks have been a really weak link and an open door for criminals for a long time now," she says.