Before the FFIEC issued the proposed (and now final) “Social Media: Consumer Compliance Risk Management Guidance” in 2013, Temenos’ TriComply team drafted its social media edition of the TriComply Financial Compliance Journal. Today, the edition is a leading resource for social media compliance. Financial institutions leveraging social media to gain a competitive edge, or trying to steer clear of the whole scene, must add yet another slew of regulations and guidance with which they must comply.
Whether they are actively participating in social media or passively letting it go by, financial institutions must assess their compliance, reputational, operational and legal risks with respect to social media. You must still go through the same compliance management process as you would for any other potential impact to your institution.
Identify Compliance Issues
With social media, this includes, at a minimum, privacy, advertisement, membership, fair housing, FCRA, ECOA, UDAAP, AA, NDIPs, Community Reinvestment, to name just a few. Depending on how you anticipate leveraging social media, you mustn’t leave any stone unturned.
Assess the Risks
Once you identify your compliance impact, you must identify and assess the risks involved in participating in (or ignoring) social media. The risk assessment should identify appropriate internal controls to mitigate the institution’s risk.
Based on your business model and appetite for risk, you should implement an appropriate policy, and procedures, to support the business model and the board’s directives and guidance with respect to how your institution will play in the world of social media.
A social media policy isn’t intended to list all of the do’s and don’ts, but rather to provide guidance to mitigate your institution’s risk (e.g., avoid inadvertent faux pas, endorsements, or advertisement blunders). A laissez-faire attitude toward social media will surely land you on the World Wide Web – and not necessarily in the kindest way. Policies and procedures do not eliminate risk; they mitigate it. So, even if you are not actively participating in social media networking, you should still have a policy and procedures to reflect your institution’s position. Like any other regulatory matter, your policy must be championed by the board of directors and senior management. Procedures should be well documented and leave no wiggle room for employees and directors to venture on their own when it comes to your institution. Be sure to include references to your employee handbook and complaint policy where details in those areas apply.
All staff should be trained on your institution’s policy with respect to using social media for work. For those staff members who are designated to post on behalf of your organization, additional detailed training regarding compliance with regulations is in order. Additionally, all employees and directors should have annual training on complaints and your process for addressing them.
Once you are up and running, you need to monitor the sites in which you participate. You should check these frequently and thoroughly. You should also monitor sites in which you are not actively participating. Nothing is worse than finding out that you had a customer rant and rave about an issue that has gone viral into the best YouTube video on the web! Avoid customers, or worse, examiners, seeing the issue before you do. Be proactive and have a process in place as to how your institution will respond, particularly to negative comments.
Incorporate an annual independent audit to ensure compliance with all the applicable rules and regulations. Then, report monitoring and audit results to your board of directors, not just to management. After all, the board is ultimately responsible for the management and oversight of the institution. They need to be informed as to the risks and the rewards of engaging in social media.
Be sure to include vendor management in your process. If you are leveraging third party products and/or services, follow your vendor management policy.
When it comes to social media, the compliance officer cannot be an afterthought. She or he must be engaged early and throughout the process. This will save your institution from wasting time and money on activities whose feasibility and corresponding risk you would have known and understood had you asked up front.