The Federal Financial Institutions Examination Council has issued its highly anticipated final guidance on social media for banks and credit unions.
First announced in January, the FFIEC’s social media guidance quickly became one of the hottest topics in compliance throughout 2013, as it brought the concepts of online social interaction and reputation monitoring — as well as the associated risks — front and center for financial institutions, many of which are still taking the first steps toward understanding social media on their own terms. And while the new guidance doesn’t impose any new rules on financial institutions, it aims to help bankers understand how existing laws and regulations apply in a world where the likes of Twitter, Facebook, LinkedIn, Yelp and YouTube have reshaped how people talk about and do business with companies online.
“Thus, rather than discouraging the use of social media or establishing any new obligations related to the use of this technology, the Guidance is intended to help financial institutions understand and successfully manage risks in this area,” the FFIEC states in the opening paragraphs of the guidance.
Whether or not a financial institution engages in social media, it is expected to manage potential risks associated with its use and access. And, according to the guidance, a financial institution “should have a risk management program that allows it to identify, measure, monitor and control risks related to social media.” Those are fairly broad statements, and they might pose a challenge for financial institutions that are only just beginning to develop a more sophisticated online presence through their own website, much less a social network.
The FFIEC’s guidance in some ways treats social media similarly to any other outside service or vendor a financial institution might use. That is, a bank is expected to have a risk management program in place to help it identify, monitor and control the risks associated with using social media, and to increase its risk management efforts commensurate with the degree to which the institution relies on social media to communicate with customers or grow its business. As we’ve recently pointed out, there’s another side to social media risk management as well: identity management and security.
In the coming days, Safe Systems’ own VP of Compliance, Tom Hinkel, will be publishing his interpretation of the guidance, as well as adding context on the Compliance Guru blog. In the meantime, you can download the FFIEC’s full guidance here (.DOC).