Editor’s Note: For information about effectively intervening in federal cyber regulation, see Regulatory Cyber Security: The FISMA Focus IPD.
By Margaret Paradis, Thomson Reuters Accelus Contributor
The pace of social media usage by the U.S. financial industry has begun to rapidly accelerate. One drag on broader and deeper usage, especially by banks, continues to be uncertainty about regulatory compliance standards. Not all segments of the industry have been moving at the same pace. The broker-dealers and insurance companies have forged ahead in this area, relying on issued regulatory guidance. Additionally, asset management is catching up with the benefit of regulatory guidance issued early in 2012. Banking organizations, however, have been acting without specific guidance in this area, creating an extra risk.
In January 2013, the Federal Financial Institutions Examination Council (FFIEC) addressed this risk by proposing specific guidance for the use of social media by federally supervised banks, and certain nonbank entities (collectively, banks), called Social Media: Consumer Risk Management Guidance (PDF).
This is a significant development for all segments of the financial industry. It completes the set of guidance available and confirms that all major regulators are adopting a similar risk-based approach to adaptation of traditional rules for social media. Securities and insurance firms should also review this guidance and the publications it references. Its detailed outline for a risk-based approach is valuable for any financial firm incorporating social media.
This note provides a brief overview of this latest addition to the regulatory guidance available to the financial industry. Securities, insurance and banking regulators have taken a similar approach in their guidance on the use of social media. They make 2 points:
1. The same traditional standards apply that have applied to pre-electronic forms of communication, and
2. The financial firm must apply a risk-based approach in building a compliance program to manage the new, largely operational risks created by social media.
The Proposed Guidance defines social media broadly, without limiting it to a particular technology, as: “a form of interactive online communication in which users can generate and share content through text, images, audio and/or video.” Social media is characterized as “more interactive” than other forms of online media, covering a wide range of sites: micro-blogging sites, forums, blogs, consumer review websites, bulletin boards, professional networking sites, virtual worlds, and social game sites. This can be a useful definition in a firm’s policy, provided that it is further customized to reflect a firm’s particular choice of approved sites.
The Proposed Guidance acknowledges the value of social media to banks as a tool to generate new business and interact with consumers. It emphasizes the need for a risk-based approach and is consistent with the general approach in bank regulation.
The FFIEC’s proposed guidance would not impose any new obligations on a firm. The use of social media is compared to the use of any new “process or product channel”. The social media risk-management program would need to reflect the size and complexity of the bank’s social media policy. An effective policy cannot follow a “one size fits all” approach by regulators or firms.
The proposed guidance identifies the following key components of an effective risk management program:
- Governance Structure: Clear roles for the board and senior management to set the bank’s strategy and set the controls.
- Policies and Procedures: These could be separate for social media or incorporated into existing policies and procedures.
- Due Diligence Process: This is essential for selection and management of any third-party service providers.
- Employee training
- Oversight of Content: The bank is responsible for monitoring information posted by, or on behalf of, the bank at the social media sites.
- Audit and Compliance Process: The additional risks posed to legal compliance by the new activity need to be managed.
- Success Measurement: The procedures need to set the parameters to track effectiveness of the social media efforts and the timing for reporting on them back to the board and senior management.
The key areas of risk include operational risk, reputation risk, and risks related to dependence on third parties.
One surprise in the FFIEC proposal was a question raised as to whether there are any technological or other impediments to the compliant use by banks of social media. This question is surprising because the availability of third-party compliance technology for social media usage has fueled the rapid integration of social media by other segments of the industry. Although the technology is available, the real impediment may be one of financial resources. To use social media, most financial firms must expect to enter into strategic relationships with third-party technology service providers for compliance-related capability. Depending on the scope of the planned usage and the size of the firm, the financial cost should be considered.
The cost can become a non-issue through creation of reasonable risk parameters, smart integration with current systems, and selection of the right technology partner in an increasingly competitive market.
In conclusion, financial firms, both banking and non-banking firms alike, should refer to the FFIEC proposed guidance (PDF) in order to build effective risk management programs for social media. It provides valuable support in a high-risk area where regulatory guidance remains sparse.
This regulatory development will support the ongoing acceleration of the integration of social media by the financial industry. Now that the regulators have spoken, accepting the role of social media, the focus is likely to shift to the now-key driver: the third-party technology. Stay tuned!
(Margaret Paradis designs effective social media and technology regulatory risk management programs for financial firms. She offers firms a special perspective, reflecting several years in-house in global banking and securities firms. Margaret is a special counsel with Morris, Manning & Martin, LLP.)