
August 10, 2010

Volumes 6.6, 6.7, & 6.8 Article on Regulatory Compliance: Financial Institutions and Social Media: The "upside" and traditional view of risk

By Sharon Blanchette, CPA, CIA, MBA and Pamela C. Buckley, CRCM

The following is the entirety of a 3-part article that examines the benefits of social media along with the risk and compliance issues inherent in this exploding networking opportunity.

We are seeing rapid growth in the number of financial institutions engaging in social networking in their marketing and communications efforts.  Those who aren’t on Facebook, LinkedIn or MySpace, for example, are thinking about it, and many have plans to establish such a presence over the next three to six months.  Some banks have even put marketing videos on YouTube.  Others are tweeting – posting messages of 140 characters or less on Twitter.com.  Banks are establishing presences on social networking sites to appeal to a growing demographic and to control the conversation about their brands.  They’re also trying to reach customers any way they can during these times of economic turmoil.  Proven results of the benefits of social networking are now being reported as well (case in point, Charles Schwab). 

Social media is typically thought of as being one-way communication tools such as podcasts, e-newsletters, and feeds, while social networking (a/k/a Web 2.0) is typically thought of as being two-way user-centered communication venues such as those listed in the above paragraph.  Because some venues straddle the definition, this article will use the term “social media” generically to refer to all of the above. 

Much has been written on why some financial institutions, when it comes to social media, seem to ‘get it’ and others do not, and we will leave that conversation for the bloggers who are aptly discussing it.  Suffice it to say that social media can present tremendous opportunity and tremendous risk simultaneously.  In this article, we will discuss some benefits to having a social media presence, identify some compliance and risk issues inherent in social media, and present a framework for addressing those compliance and risk issues.

Connecting to Customers/Building Community

The most obvious benefit to having a social media presence is having the ability to connect to customers.  Customer connections lead to business development.  There’s a reason why the local community bank advertises at the town’s little league fields and supports the annual harvest fair – it’s because that’s where community members gather.  Community members are also gathering on Facebook and Twitter posting comments about banks, their products, services and fees.  Institutions need to appreciate the fact that with social media, the power has shifted from their own marketing and communications departments to the general public as individuals connect and communicate online.  It only makes sense for banks to join the conversation too in order to build relationships, learn what customers are thinking and to provide customer service.    

Notice that “to advertise products and services” wasn’t included in the previous sentence.  The business purpose for venturing into social media should be focused on what you can learn from customers.  To truly build community, the institution has to give the user a reason to return to the site and participate, and that participation has to be somewhat open and flexible, and there has to be room for trust.  Institutions will quickly see that users are more interested in commenting on what other users have to say, as opposed to what the institution has to say, and this is a sign of a healthy social community.  But the ‘open and flexible’ feature is at the very heart of what makes compliance officers and legal counsel raise an eyebrow.

Perform Research, Define Purpose, Define Mechanics

Before diving into a social media project, the institution should have assembled a social media committee and conducted its own research to determine the types of social media platforms available and the customer service models of each. (See Box for sample areas to consider and criteria to evaluate).  It’s important, however, not to let the social media venue drive the process.  In other words, don’t decide “hey, let’s go start a blog” and then find a business purpose for it.  The business purpose, as described below, should drive the endeavor.

Concurrently, the institution should formulate a clearly defined business purpose and should let that purpose drive the operational details of the project.  At the macro strategy level, what is it that the institution expects to achieve from a social media presence?  How does the institution plan to portray its branding and mission?  Does the institution know its customers and community well enough to anticipate what customers will want from a social media site?  Is the institution aware of how its employees, customers, and community perceive its ethical behavior?

At the micro operational level the institution should then use the information gathered via social media research and the formulated business purpose to develop the “who”, the “what”, the “why”, and the “how” of its social media presence, such that its business purposes are met.  For example, the institution will have a:

·         Facebook page (the what)

·         With content written by the AVP of retail (the who)

·         That is monitored by the marketing officer (the who)

·         To determine customer preferences to tailor product offerings (the why)

·         Via surveys and social discussions (the how) 

The “how” is what will lead to the operational success of social media for the institution.  How will the discussions be generated?  How will the institution encourage users to participate and return? 

When the research is complete, the social media committee should communicate what they have learned to senior management, the Board, and to specific committees such as the IT governance committee, the compliance committee, the audit committee, and the risk management committee.  Their perspectives as part of the institution and as part of the community are valuable to the endeavor.

Sample Areas to Consider When Researching Social Media Platform Options:

·     What is your competition doing?

·     What is the site’s functionality?  Membership types; collaborative tools (members/groups); search tools; advertising; simplicity/ease of use; customization and control over content; managing inappropriate content; uploading external content; exporting content out; safety; profile privacy and settings; safety warnings; privacy policy; terms of use.

·     How long will it take to roll out the site?

·     What is the site’s staying power?

·     Cost vs. benefit analysis.

Rolling out Social Media = Rolling the Dice

As with any endeavor that is new to your financial institution, there are risks and there are compliance issues to consider.  The “upside of risk” has been discussed above.  With respect to the more traditional side of risk – the risk that something untoward occurs – there are four overarching elements that come to mind when considering what sets the stage for compliance and risk issues with social media.

1.     The fact that fraudsters and hackers are always one step ahead of security gurus and educated users;

2.     The relative ease with which any form of electronic message can be re-distributed in an uncontrolled manner;

3.     The fact that open and flexible two-way communication occurs between the institution and customers, and between customers (also known as person to person communication or P-to-P) – and this communication takes place in an imperfect world; and

4.     The casual and informal nature of many social media communications could cause an author to forget that a business correspondence is taking place and regulations might apply to the “message.”

The above elements can translate into many concerns for financial institution executives. 

Elements and Impacts of Compliance & Risk

Last quarter we introduced four overarching elements of social media that translate into concerns for financial institution executives.  Those concerns and comments include the following:

“We can’t possibly have a Facebook page,” said one bank executive to another.  “Think about the reputation risk if someone intentionally posted something of an illegal or harassing nature on the site, and it was forwarded a thousand times before we were able to remove it.  Or even if someone didn’t intentionally post something ‘bad’, but instead innocently posted something extremely negative about us based on incorrect information they’d received?  We all know you cannot un-ring a bell.”

“I heard that social media sites are often used to launch phishing attacks to get customers to click links that lead to malware,” said a network security officer.  “How do we protect our customers and our infrastructure from that?”

“I feel uncomfortable with creating a corporate blog,” explained another bank executive.  “What happens if we discuss a lending product and fail to include the appropriate disclosures?”

“I couldn’t agree more about the blog,” chimed in an executive from the wealth management division of a mid-sized bank.  “Imagine if one of our representative’s blogged statements was used as investment advice by a reader?”

“I’m concerned about documentation issues in general with social media,” mused a marketing officer.  “What if I miss a customer’s complaint or I don’t document it properly?  Can the bank be cited for a compliance violation?”

“From a privacy and ID theft/fraud perspective, I’m concerned with what our customers could write about themselves,” explained the Information Security Officer.  “How do we prevent customers from disclosing so much personal information that another reader can perpetrate a fraud against the customer and us?”

Given the issues and risks set forth above, does a financial institution have to stand on the sidelines and watch the market unfold?  Not necessarily, especially if the institution is willing to address the issues and risks no differently than it does any of the other multitude of risks facing the institution.  Most of the risks inherent in social media are reputational risks, regulatory risks, and financial risks.  Reputational risks and compliance risks can lead indirectly to financial risks, but there are also some direct financial risks to consider if a reader learned enough information about an institution or a customer’s account to perpetrate an online fraud against the institution.

A comprehensive risk assessment would uncover the issues and risks discussed above.   

The Risk Assessment

The risk assessment performed should be similar to one that the institution would conduct prior to rolling out a new product or service offering.  It should involve a thorough review of all of the threats and vulnerabilities possible from social media use, and an assessment of the impact and likelihood of each.  This can be tricky with an endeavor that is not just new to the institution, but fairly new to the industry as a whole.  A significant part of the risk assessment should consist of monitoring other financial institutions’ blogs, Facebook pages, etc. to witness threats being acted out as they occur.  Posing questions to compliance officers, marketing directors, and IT directors from other non-competing institutions that are using social media can accomplish the same goal. 

The risk assessment should also encompass a review of all of the information gained during the “perform research” section above, as well as the decision to use a certain venue.  Interview any third-parties that will be assisting with the social media project, including marketing and technology firms.  

Documenting controls in place in the social media space might be cumbersome because the controls will probably be either new controls, or controls that are still in the design process.  The intent is to document what can be documented and revisit topics many times before the risk assessment is complete.

From this point, the remaining risk assessment mechanics are fairly straightforward.  Consider breaking the risk assessment into two parts – the IT part and the non-IT part – if the person conducting the risk assessment doesn’t have the experience and expertise to complete both.  The risk assessment should involve internal discussions with every member of the social media committee to gather their input on threats and vulnerabilities, likelihood and impact.  Finally, the risk assessment should result in a written report that is reviewed by the social media committee, senior officers, the compliance committee, and either the full board or a subcommittee of the board.

After the risk assessment is complete, the institution should implement the necessary controls to reduce (mitigate) risk to an acceptable level. 

Compliance Issues

Information Security Compliance:  First and foremost, an institution has to consider the information security compliance issues inherent in social media.  Information security compliance can be compromised by phishing attacks, social engineering attacks, and web application attacks, all of which can:

·     enable a fraudster to hijack a personal social media account and allow unofficial posts or tweets to be seen as ‘official’ institution messages; and

·     be used to spread malware by having users click links or unwittingly download applications.

Consider a disclosure such as the following:

Never disclose account or personal financial information on Twitter.  The [institution name] will never ask for your account information, password, Social Security number or other identifying information via Twitter.  This page and the [institution name] links are presented by [institution name], but the web site is controlled by Twitter, which has established its own privacy and security policies.  You are urged to read those policies before proceeding.  The [institution name] web site privacy and security policies do not apply to your activity on Twitter.

Also, be sure to incorporate any social media presence into your next Information Security Risk Assessment Update.

Advertising Compliance:  Equally noteworthy is the fact that a bank’s social media communications are considered to be advertisements, so make sure that all such communications comply with the advertising requirements contained in each of the following laws and regulations:

·     Advertisement of (FDIC) Membership 

·     Equal Credit Opportunity Act (Regulation B)

·     Fair Housing Act

·     Interagency Statement on the Retail Sales of Non-deposit Investment & Insurance Products

·     Truth in Lending (Regulation Z)

·     Truth in Savings (Regulation DD)

·     Unfair & Deceptive Acts & Practices

It’s especially important that social media communications not be misleading.  Given the informal nature of social media, it’s easy to understand how some communications could be construed as misleading, even if there was no intent to be so.

Recognize, too, that the institution not only has to control the information that it posts, but might also be responsible for information others post to its social media sites – specifically any information of a discriminatory or deceptive nature.

Also, don’t forget about record retention requirements!  Generally speaking, you need to retain advertisements for a period of 25 months to evidence compliance.  Accordingly, the institution must have a way to archive every communication either through imaging/archiving software or screen shots.
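The retention requirement above means every post and tweet must be captured in a form that can later be shown to be the original, and that can be purged only once the 25-month period has run.  The following is an added example, not code from the article or from ICS Compliance: it keeps a hash-chained archive of captured posts (each entry commits to the previous one, so editing, deleting or reordering an entry breaks verification) and computes the retention expiry with calendar-aware month arithmetic.  The post fields (`platform`, `account`, `posted_at`, `text`), the sample posts and the capture timestamps are constructed for illustration.

```python
import calendar
import hashlib
import json
from datetime import datetime, timezone

# Retention period the article cites for advertisements (25 months).
RETENTION_MONTHS = 25
GENESIS_HASH = "0" * 64


def canonical_bytes(record):
    """Serialize deterministically so the same post always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def archive_post(chain, post, captured_at):
    """Append a captured post to the hash chain and return the new entry."""
    prev_hash = chain[-1]["entry_hash"] if chain else GENESIS_HASH
    captured = captured_at.isoformat()
    entry_hash = hashlib.sha256(
        prev_hash.encode("ascii") + captured.encode("ascii") + canonical_bytes(post)
    ).hexdigest()
    entry = {"post": post, "captured_at": captured,
             "prev_hash": prev_hash, "entry_hash": entry_hash}
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Recompute every link; any edit, deletion or reorder breaks the chain."""
    prev_hash = GENESIS_HASH
    for entry in chain:
        expected = hashlib.sha256(
            prev_hash.encode("ascii")
            + entry["captured_at"].encode("ascii")
            + canonical_bytes(entry["post"])
        ).hexdigest()
        if entry["prev_hash"] != prev_hash or entry["entry_hash"] != expected:
            return False
        prev_hash = entry["entry_hash"]
    return True


def add_months(dt, months):
    """Calendar-aware month arithmetic; clamps to the last day of short months."""
    month_index = dt.month - 1 + months
    year = dt.year + month_index // 12
    month = month_index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def retention_expiry(entry):
    """Earliest date on which the entry may be purged (posting date + 25 months)."""
    posted = datetime.fromisoformat(entry["post"]["posted_at"])
    return add_months(posted, RETENTION_MONTHS)


def purge_candidates(chain, as_of):
    """Entries whose retention period has run out as of the given date (datetime or ISO string)."""
    if isinstance(as_of, str):
        as_of = datetime.fromisoformat(as_of)
    return [e for e in chain if retention_expiry(e) <= as_of]


# Constructed sample posts (not real communications); fields are this example's assumption.
SAMPLE_POSTS = [
    {"platform": "twitter", "account": "examplebank",
     "posted_at": "2010-03-31T14:05:00+00:00",
     "text": "New 12-month CD at 1.50% APY. Member FDIC."},
    {"platform": "facebook", "account": "examplebank",
     "posted_at": "2010-08-10T09:30:00+00:00",
     "text": "Thanks for supporting the harvest fair!"},
]


def build_sample_chain():
    """Archive the constructed posts as if captured on one monitoring run."""
    chain = []
    captured = datetime(2010, 8, 10, 12, 0, tzinfo=timezone.utc)
    for post in SAMPLE_POSTS:
        archive_post(chain, post, captured)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("chain intact:", verify_chain(chain))
    for e in chain:
        print(e["post"]["platform"], "retain until", retention_expiry(e).date())
    print("purgeable as of 2012-05-01:",
          len(purge_candidates(chain, "2012-05-01T00:00:00+00:00")))
```

The chain hash should be stored somewhere the people who can post cannot also edit (for instance, recorded by the compliance function rather than marketing); the integrity check then shows an auditor that the archive has not been altered since capture.  Note the 31 March post: adding 25 months lands in April, which has no 31st, so the expiry clamps to 30 April rather than silently rolling into May.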

Complaints:

·     Customer Complaints:  Will your institution consider complaints received via social media to be “in writing?”  Even the smallest complaint could be couching a Fair Lending issue or a Regulation E issue, and you will want to have trained personnel monitoring the site for these and documenting them.  Determine whether you wish to create a separate complaint policy for complaints received through social media sites or through your traditional complaint handling process.  Be especially vigilant regarding any complaint that alleges discrimination and have processes in place to address them immediately.

·     Whistleblower Complaints:  How will your institution respond to complaints of institutional wrong-doing that materialize online?

Compliments:  If your social media efforts are successful, you’ll no doubt receive many compliments.  Be sure to record in some manner (screen shots, perhaps) any compliments that specifically relate to the bank’s performance in helping to meet community credit needs, along with any response to the comments by the bank.

Document Retention and eDiscovery:  All of that information being tweeted and posted could represent official communications of the institution where you have to follow institution document retention policies and procedures.  How will the institution capture and archive this information?

Human Resource Issues

Recognize that members of the community at large are already blogging and posting messages about your institution – and some of those folks may be your own employees.  Just like you can indicate what is acceptable use by an employee of your bank’s internet, email, and other computing devices, so too can you indicate what is acceptable posting or tweeting about your institution in social media venues.  Start with an overall “Social Media” policy as opposed to simply incorporating social media into existing policies.  By implementing a social media policy, an institution can define and describe what the term ‘social media’ is, and this serves to educate employees who might not be as internet savvy as others.  Many institutions have blocked employee access to these kinds of websites during business hours.   

The social media policy should be clear that tweets and postings on company-sponsored social media are examples of business correspondence and “official communications” of the company and require official accounts, which are the property of the company.  The policy should address which employees are authorized to post and tweet, and whether specific communications require approval (and from whom.)  This is similar to how an institution defines who can speak to media on behalf of the institution.  The policy should also indicate what topics can be discussed; however, institutions should not overly limit topics because this could dampen users’ interest in returning to the venue.  The policy should also be clear about copyright issues, intellectual property issues (trade secrets, etc.), and privacy/security issues.

Social media tweets and postings by institution employees on non-company-sponsored social media venues should be addressed in the social media policy as well – both during work hours and on personal time.  Employees must understand that their activities on social media venues can easily be associated with the institution if the employee includes his/her employer, job title, contact information, etc. in their demographic/account information.

The institution has to consider and make decisions about many other issues before writing a social media policy.  For example:

·     Can employees include institution information, including a logo or trademark, on personal social media accounts, and if so, is any disclaimer required?

·     For those employees who are allowed to post and tweet official institution communications, will user names, account names, or passwords have to be provided to institution management?  Will employees be informed that anything they write for the institutionally-sponsored blog or site belongs to the institution?  Will employees have to sign agreements? 

·     Will the institution allow employee use of non-company-sponsored social media applications using institution systems on institution time?

·     Will the institution allow endorsements and recommendations of other companies or other people on institution-sponsored social media venues?  How about for non-institution-sponsored venues?  How will all of this activity be monitored, if at all?

·     Will the institution make ‘mandatory reporting’ a policy if any employee discovers another employee posting or tweeting inappropriate or prohibited content about the institution using any social media?  How will the institution discipline employees who post defamatory, pornographic, proprietary, harassing, or libelous material, or generally violate the privacy rights of other employees/customers/vendors?

·     How will the institution dovetail these employee policies into its Code of Ethics/Conduct, employee handbook, and other written social media guidance?

Mitigation

As with any risk issue, institutions can ignore the risk, mitigate the risk, or avoid the risk altogether.  Below are some suggestions for mitigating the risk.

·     Measure and solidify the institution’s ethical culture:

    • Before embarking on the social media journey, ensure that the financial institution is perceived by its own employees as being an ethical organization.  The general public will care about what other members of the general public say, but they will care much more about what the institution’s own employees (and former employees) say.  Perhaps consider administering a 3rd-party confidential survey about the institution’s ethical climate.  The results of these surveys can be helpful in the institution’s risk assessment.
    • Ensure that ethical behavior is an important part of leadership at the institution.
    • Implement or formalize an existing whistleblower procedure for employees and the public to raise issues.  Most institutions would prefer to have the opportunity to research and investigate complaints, allegations, or misinformation long before they become public.

·     Develop written policies, procedures, processes, and other guidance regarding social media use.

·     Develop a Quality Control program for ‘content’.  The institution has to make sure that content uploaded or posted to social media, especially institution-sponsored venues, is accurate, verifiable, compliant, and not misleading in any manner (most importantly) as well as timely and current.

·     Have a definite plan, and test the execution of the plan, for how to respond to an untoward event.

·     Provide overview training to all staff, and specific training to staff who:

    • Can participate in institution-sponsored social media.
    • Will monitor social media for compliance issues.
    • Will audit social media.

·     Implement or enhance network controls.

·     Perform ongoing risk assessment updates, perhaps every 6 months for the first 2 years.

·     Implement a robust and continuous self-monitoring program, and engage a third party to perform independent periodic spot-checks of what is being posted or tweeted on institution-sponsored social media.

·     Perform compliance reviews at least annually.

·     Add Social Media to the Audit Universe.

Conclusion

Every risk has an opportunity, and every opportunity has risks.  There was a day when an article similar to this was written about the concept of institutions having a website or institutions allowing remote IT access to employees.  Initially the risks will seem overwhelming.  Some institutions will avoid the risk; others will assess and manage the risks.  Those institutions that have a strong community presence and enjoy a positive reputation in their community will probably be the biggest beneficiaries of social media communication.  If your institution does not yet have a social media presence, consider forming a social media committee and let the project planning begin! 

Sharon Blanchette serves as a Compliance Manager in Connecticut for ICS Compliance and Pamela Buckley serves as the Regional Director for New England.
