Social media is the Wild West of consumer engagement. On one hand, word-of-mouth recommendations across social media channels are driving new business and helping community banks gain a more prominent reputation among larger banks. On the other hand, one bad customer experience, shared by the wrong person at the wrong time, can ignite a firestorm of negative attention.
Banks are being tasked with more regulations and guidelines concerning social media management than ever before. The Federal Financial Institutions Examination Council recently proposed rules that join existing regulations to outline the risk-management process that every bank must adopt regarding social media. Even if a bank has made a decision not to engage in social media channels, the guidelines call for a thorough social media risk management program.
And as banks set off on the social media frontier, they should not let the unknown overshadow the opportunity. Social media can assist banks in growing both market share and customer loyalty. It will just be a matter of taking a strategic, compliant approach to managing the conversations and the risks involved.
Understanding the Rules
According to the FFIEC’s proposed guidance, “A financial institution should have a risk-management program that allows it to identify, measure, monitor and control the risks related to social media.”
The proposed rules require several items, outlined in the January bulletin:
A governance structure with clear roles and responsibilities where the board of directors or senior management direct how using social media contributes to the strategic goals of the institution (for example, through increasing brand awareness, product advertising or researching new customer bases) and establishes controls and ongoing assessment of risk in social media activities.
Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws, regulations and guidance. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention.
A due diligence process for selecting and managing third-party service provider relationships in connection with social media.
An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities.
An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party.
Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance.
Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.
These guidelines provide the framework for helping banks build a risk-management program. However, to mitigate risk, banks also need to understand where the potential risks lie.
Reputational Risk Looms Large
The primary motivator of requiring a plan to handle public comment is the potential for reputation risk. Reputation risk is the risk arising from negative public opinion. A financial institution engaged in social media activities must be sensitive to and properly manage the reputation risks.
First, banks need to be aware of fraud and brand identity hijacking. This would include spoofs, hacked accounts and fraudsters masquerading as institution employees. Banks should consider monitoring tools and techniques to identify and respond appropriately. This also applies to managing operational risk of social media platforms being hacked, subject to account takeover or the distribution of malware.
Another key area is that financial institutions should be aware that an employee’s communications via social media — even through an employee’s own personal social media accounts — can also subject the financial institution to compliance risk as well as reputation risk if the person speaks in a way that could be construed to be representative of the bank. For example, banks also must ensure that privacy concerns are handled appropriately. In no situation should an employee post confidential or sensitive customer information on a financial institution’s social media channels, even in the attempt to solve a customer service issue.
Community banks also are responsible for monitoring and ensuring compliance of third-party services that leverage social media on behalf of the institution.
Managing Complaint Risk
Reputational risk exists when the financial institution does not address consumer questions or complaints made via social media in a timely or appropriate manner. Compliance risk can also arise when a customer uses social media in an effort to initiate such disputes as error resolution or billing errors.
One of the keys to managing social media complaints is to build an archiving process to track both posts made on behalf of the bank and complaints made by consumers. At a minimum, the bank should archive the complaint, the response to the complaint and the final resolution.
Properly addressing social media complaints is vital in light of the Consumer Financial Protection Bureau’s program to publically release consumer complaints on a regular basis. By addressing complaints first made via social media, banks can reduce the number of complaints filed with the CFPB.
Proper Advertising Language
The final area of risk banks should be aware of is the existing rules governing Truth in Lending and Truth in Advertising and fair lending laws. The rules are intended to ensure advertisements are not misleading, inaccurate or misrepresentative of the institution’s deposit contract. For example, the Truth in Savings Act mandates disclosures for any advertisement using such trigger words as “bonus” or “APY.” The FFIEC has ruled that statements made via social media qualify as advertising and must contain those disclosures.
It also is critical that banks be aware of the language used in social media posts. Regulation B prohibits discrimination against certain credit applicants, and images and statements should be carefully scrutinized to avoid potentially discouraging creditworthy applicants.
Need for Automation
While these regulations and steps may seem overwhelming, there are some simple steps to take to ensure compliance. The first is training. Make sure all employees are aware of the social media risks and how they can ensure the bank does not break any guidelines.
Banks also should consider leveraging technology to help manage the vast volume of data generated through social media. Some programs help banks review and approve social media posts, both improving the quality and ensuring compliance. Other programs help financial institutions monitor, analyze and respond to social media comments made by the public.
In the end, the key is flexibility. Social media changes weekly — new platforms, new functions, new threats. Banks must build a framework that mitigates risk and communicates the results of social media activities, both internal and external, clearly to the board and examiners.
James Ferguson is sales manager for CSI Regulatory Compliance. Contact him at jt.ferguson(at)csiweb.com.
Copyright (c) June 2013 by BankNews Media