Consumer protection and compliance changes are coming for financial organizations that use social media as part of their marketing or customer relations strategies, according to the Federal Financial Institutions Examination Council (FFIEC).
New guidance will impact banks, savings associations and credit unions, as well as nonbank entities supervised by the Consumer Financial Protection Bureau and state regulators.
The FFIEC says the guidance is intended to “help financial institutions understand potential consumer compliance, legal, reputation and operational risks associated with the use of social media, along with expectations for managing those risks.”
The council’s concern is that the informal nature of social media, used in a less secure environment, creates “the risk of harm to consumers, compliance and legal risk, operational risk and reputation risk.” These risk factors can arise from poor due diligence, poor oversight or a lack of control within the financial institution.
The guidance does not impose regulations at this point, but the FFIEC recommends that financial institutions begin to mitigate their risks now. Recommendations include:
- Create policies and procedures for employee use of social media
- Regularly audit social media interactions and messaging for compliance with relevant laws and regulations
- Monitor reputation risk by tracking posts and having a crisis communications plan for dissatisfied customers on social media platforms
- Address operational risks by treating social media like any other IT platform
Many other types of businesses are not dealing with risk management issues created by social media, according to a recent survey of internal auditors by Protiviti, a risk and business consulting firm.
More than half of organizations (51 percent) do not address social media risk as part of their risk assurance processes, and 45 percent said they had no plans to do so in the future.
Among the organizations that do address social media risk, 84 percent had a risk assessment capability that was “not effective” or “just moderately effective.”