Matt Gunn, Managing Editor | TechComply
Since the Federal Financial Institutions Examination Council released its final social media guidance late last year, financial institutions have been left to interpret how it affects their existing or planned use of social media channels. For those banks and credit unions looking for a little extra help, Compliance Guru Tom Hinkel has gone the extra mile.
Hinkel, Safe Systems’ vice president of compliance, recently combed through the FFIEC’s final guidance to see what changed since it was proposed in Jan. 2013, and to understand the implications the guidance has on financial institutions. Read his post on ComplianceGuru.com for an analysis of four “grey areas” that needed the most clarification for financial institutions, as well as expectations for risk management.
Once you’ve assessed all potential risks, your next challenge is to try to mitigate them. Standard risk controls for vendors consist of requesting, obtaining, and reviewing documentation such as financial reports, third-party audits, contractual confirmation of GLBA adherence, BCP testing results, etc. But often requests for this type of documentation are either ignored or refused by social media providers, and even when documentation is provided, it doesn’t directly address your privacy, confidentiality, and security concerns. Social media service providers are simply not used to dealing with the unique regulatory reporting requirements of the financial industry. And according to the FFIEC, “…a financial institution should thus weigh these (residual risk) issues against the benefits of using a third party to conduct social media activities.” Unfortunately, social media is one activity that must be outsourced.
And, by the way, don’t forget that social media vendors are, by definition, cloud service providers as well. Hinkel reminds bankers that these services are subject to the FFIEC’s Outsourced Cloud Computing guidelines, and cautions that the popular social networks don’t provide services with the strict security standards of banks and credit unions in mind. As the FFIEC states: “Under such circumstances, management may determine that the institution cannot employ the servicer.”
In other words, if you do venture into the world of social media for marketing, customer service or other business-related purposes, tread carefully.
Finally, as you begin to analyze your institution’s existing social media efforts, or consider taking the first steps into this arena, Hinkel has created a helpful Social Media Compliance Framework checklist covering essential risk management and risk assessment components.