Pub. 2 2013 Issue 2

February/March 2013

Does your bank have a social media risk management program? If you answered “no” to the previous question, then you might have some work to do. Your financial institution faces risks associated with social media whether it is officially using social media as a communication channel or not. A risk management program should be implemented to identify, measure, monitor, and control the risks related to social media. There is now some information from the FFIEC that can assist you with controlling social media risks.

In January of this year, the FFIEC released proposed guidance on the applicability of consumer protection and compliance laws, regulations and policies to activities conducted through social media. These activities include publishing and even just accessing information through social media. There are no additional obligations imposed on financial institutions from the proposed guidance, but it does include expectations for managing social media risks. The proposed guidance is entitled “Social Media: Consumer Compliance Risk Management Guidance,” and it’s open for public comments until March 25th. Once the guidance has been completed, it will be issued as supervisory guidance to financial institutions.

There are many forms of interactive communication online that would be considered social media. Through these websites and apps, users can generate and share content via text, images, audio, and/or video. Uses of social media include marketing, monitoring public feedback, and engaging with existing or potential customers.
The proposed guidance lists examples of social media including “micro-blogging sites (e.g., Facebook, Google Plus, MySpace, and Twitter); forums, blogs, customer review websites and bulletin boards (e.g., Yelp); photo and video sites (e.g., Flickr and YouTube); sites that enable professional networking (e.g., LinkedIn); virtual worlds (e.g., Second Life); and social games (e.g., FarmVille and CityVille).”

If the bank chooses to conduct official communications through social media, there are definitely risks involved. Potential risk areas include compliance, legal, reputation, and operational. The FFIEC’s proposed social media guidance explains the risk areas and provides specific examples for each area. It also expresses the need for a bank to “have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media.” A solid risk management program will help avoid enforcement actions and/or civil lawsuits. According to the proposed guidance, your institution’s risk management program should include:

• A governance structure with clear roles and responsibilities
• Policies and procedures covering the use and monitoring of social media
• A due diligence process for selecting and managing third-party service provider relationships
• An employee training program
• An oversight process for monitoring information posted to social media sites
• Audit and compliance functions to ensure compliance
• Parameters for providing appropriate reporting to the institution’s board of directors or senior management

Social media related risks also cannot be dismissed simply because your bank has chosen not to actively participate on social media sites. Regardless of whether your bank has created official accounts on any social media sites, it’s likely the majority of your current customers, potential customers, and employees are using some form of social media for personal and/or professional purposes.
The institution could be negatively affected by disparaging comments made by customers or past customers. Fake accounts masquerading as the institution can be created to harm the institution’s brand or conduct phishing attacks. Even your employees’ personal communications through social media can damage the bank because they may be seen as a reflection of the bank’s values, attitude, or policies. Your employees could be sharing information with your customers that is inappropriate, controversial, offensive, confidential, or even illegal.

In summary, there is at least some risk to every bank arising from social media. A social media risk management program needs to be implemented at your bank to ensure proper oversight and controls are in place. Your controls need to align with the risks presented by the types of social media activities being conducted. The FFIEC’s new guidance should prove to be a helpful resource when attempting to develop your risk management program even before its final version is published, so use it as a resource to help mitigate the risk to your bank.

Brady Cook is the Director of Software Development for CoNetrix, a provider of security and compliance software, security testing, and IT consulting for financial institutions. Learn more at www.conetrix.com.
