Social Media Security
Last Reviewed: May, 2018
Financial institutions use social media in a variety of ways, including marketing, providing incentives, facilitating applications for new accounts, inviting feedback from the public, and engaging with existing and potential customers, for example, by receiving and responding to complaints, or providing loan pricing. Since this form of customer interaction tends to be both informal and dynamic, and may occur in a less secure environment, it can present some unique challenges to financial institutions. (from “Social Media: Consumer Compliance Risk Management Guidance,” published by the Federal Financial Institutions Examination Council, December 2013)
The FFIEC published the Guidance to address the applicability of federal consumer protection and compliance laws, regulations, and policies to activities conducted via social media by financial institutions. The Guidance did not impose any new requirements on financial institutions; it is a guide to help them understand how existing regulations apply to their use of social media.
Financial institutions are expected to manage risks associated with all types of consumer and customer communications, no matter the medium. The Guidance provides considerations to use in conducting risk assessments and crafting and evaluating policies and procedures regarding social media, and is intended to help financial institutions understand and successfully manage risks in this area.
Definition of Social Media
Social media is a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video. Social media can take many forms, including, but not limited to, micro-blogging sites (e.g., Facebook, Google Plus, MySpace, and Twitter); forums, blogs, customer review web sites and bulletin boards (e.g., Yelp); photo and video sites (e.g., Flickr and YouTube); sites that enable professional networking (e.g., LinkedIn); virtual worlds (e.g., Second Life); and social games (e.g., FarmVille and CityVille).
Social media can be distinguished from other online media in that the communication tends to be more interactive. For purposes of the Guidance, messages sent via email or text message, standing alone, do not constitute social media, although such communications may be subject to a number of laws and regulations discussed in this Guidance. Social media is a dynamic and constantly evolving technology and thus any definition for this technology is meant to be illustrative and not exhaustive. In addition to the examples of social media mentioned above, other forms of social media may emerge in the future that financial institutions should also consider.
Social Media Risk Management Program
Credit unions should have a “risk management program” that permits them to “identify, measure, monitor, and control the risks related to social media.” The risk management program should also involve the “compliance, technology, information security, legal, human resources, and marketing” departments. According to the FFIEC, these risk management programs should have the following components:
- A governance structure with clear roles and responsibilities;
- Policies and procedures regarding the use and monitoring of social media and compliance with all applicable consumer protection laws, regulations, and guidance;
- A due diligence process for selecting and managing third-party service provider relationships in connection with social media;
- An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media;
- An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;
- Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance; and
- Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.
Even if the credit union does not participate in social media, it should be prepared to respond to potential negative comments or complaints that may be posted on social media platforms. Credit unions must also provide guidance to employees regarding use of social media.