Out-Law News
23 Jan 2013, 4:06 pm
The Federal Financial Institutions Examination Council (FFIEC) said banks should have a "risk management program" that allows them to "identify, measure, monitor, and control the risks related to social media".
In new draft guidance (31-page / 113KB PDF) the FFIEC has issued to US banks it said that the 'risk management programme' banks should operate should include the adoption of an "oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party". In addition, it said senior officials within the banks should have "clear roles and responsibilities" for establishing "controls" and for the "ongoing assessment of risk in social media activities".
The FFIEC also said that banks should have "audit and compliance functions" to ensure their social media use is legally compliant. It said that banks' use of social media did not diminish their responsibilities to adhere to legal obligations, such as in relation to rules on privacy, the advertising of financial products and on consumer protection.
In addition it said banks should consider using "social media monitoring tools and techniques" to review whether fraudsters are using their brand to "masquerade" as them.
The FFIEC also warned of the reputational risk of failing to respond to consumers' complaints raised via social media channels in a "timely or appropriate manner". Banks should have monitoring systems in place to identify when complaints require further investigation, and there should also be "procedures to address risks" that arise if individuals post confidential or sensitive information on a bank's social media page, it added.
Financial institutions should also have "appropriate policies" in place that address the fact that employees may use personal social media accounts in a way that "implicates the financial institution", the FFIEC said.
"Each financial institution should evaluate the risks for itself and determine appropriate policies to adopt in light of those risks," the regulator said.
In addition, the firms should also have security protocols in place that allow them to respond to incidents where their social media accounts have been hijacked or where a data breach has occurred via the firms' social media channel, it added.
"The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing," the FFIEC said in its draft guidance. "A financial institution that has chosen not to use social media should still be prepared to address the potential for negative comments or complaints that may arise within the many social media platforms described above and provide guidance for employee use of social media."
The FFIEC said that the guidance, when finalised, should be used by US banks "to ensure that their risk management practices adequately address the consumer compliance and legal risks, as well as related risks, such as reputation and operational risks, raised by activities conducted via social media."
"Although the guidance does not impose additional obligations on financial institutions, the FFIEC expects financial institutions to take steps to manage potential risks associated with social media, as they would with any new process or product channel," the FFIEC said in a statement.
Last month a study by Virgin Media Business revealed that 63% of banks now respond to customer complaints and queries received through Twitter within an hour. In addition, accountancy firm KPMG previously said that research it had conducted had revealed that many businesses lack sufficient controls to prevent staff breaching client and company confidentiality through postings they make via social media.
In 2010 the UK's City regulator, the Financial Services Authority, warned that it had observed that some social media communications from banks had lacked compliance with rules governing communications and financial promotions. Those rules require financial services firms' communications and financial promotions to be fair, clear and not misleading.
At the time it said it had seen examples of companies having published Twitter updates or commented on discussion threads without providing the usual disclaimers and risk warnings. Some firms had also engaged in behaviour that acted as promotional activity without complying with all the FSA's rules, it said.
Technology law specialist Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, has previously said that there are particular considerations financial services firms need to bear in mind when communicating on Twitter.
"As Twitter limits the number of characters used to 140, a bank, for instance, would want to ensure that it has robust policies in place which seek to prevent staff from failing to provide sufficient product information to customers to enable them to make informed choices where required to do so," he said. "It would also want to mitigate the risk of creating unrealistic impressions of the benefits of its services which could be a consequence of the limitations imposed on the amount of characters that can be used and otherwise ensure that it is presenting information in a manner that does not mislead customers."