Author: Jill Emerson, Integrity One Consulting
Recently, the FTC announced that Google LLC and its subsidiary, YouTube LLC, will pay a jaw-dropping $170 million fine to settle FTC and New York Attorney General allegations that the YouTube video sharing service collected personal information from children without parental consent. The agencies allege that this violated the Children’s Online Privacy Protection Act (COPPA). Apparently, YouTube earned millions of dollars by using persistent identifiers, or cookies, to deliver targeted ads to viewers of child-directed channels, without first notifying parents and getting their consent. While this penalty is by far the largest amount the FTC has ever obtained in a COPPA case, it does present an opportunity to make sure that, as a compliance professional, you have your social media ducks in a row.
Do You Know Your Financial Institution’s Social Media Risks?
Have you considered, discussed, and documented what your financial institution’s social media risks are? Similar to other areas of compliance, have you conducted a risk assessment to better understand what inherent risks are present and what controls need to be in place to mitigate those risks? If you can’t answer these questions affirmatively, now, rather than later, is the time to take action.
What Are Social Media Risks?
In 2013, the Federal Financial Institutions Examination Council (FFIEC) published guidance on this topic. While the guidance does not impose any new requirements for financial institutions, it does discuss federal regulatory expectations associated with the use of social media.
Before diving into the identification of those risks, it’s important to know how federal regulators define social media. Based on the guidance, “social media is considered to be a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video. Social media can take many forms, including, but not limited to, micro-blogging sites (e.g., Facebook, Google Plus, MySpace, and Twitter); forums, blogs, customer review web sites and bulletin boards (e.g., Yelp); photo and video sites (e.g., Flickr and YouTube); sites that enable professional networking (e.g., LinkedIn); virtual worlds (e.g., Second Life); and social games (e.g., FarmVille and CityVille). Social media can be distinguished from other online media in that the communication tends to be more interactive.”
The guidance further states that messages sent via email or text message, standing alone, are not considered social media, although they may be subject to other regulatory requirements. Because social media is fluid and technology is constantly evolving, your financial institution will need to consider other forms of social media not defined by federal regulators.
Now that there is a clear understanding of social media and its forms, what are the risk areas? Because financial institutions can now interact with consumers and customers in many different ways for different purposes, including social media, the risks particular to your financial institution must be surveyed and documented in its risk profile. Just like other areas within your financial institution, you need to identify, measure, monitor, and control risks related to social media. Risks to take into account include compliance and legal risks, reputation risk, and operational risk. That list may seem short. It is not, by any means! The goal of this article is not to regurgitate the guidance, but to point you toward ruminating over the guidance to ensure that your financial institution has adequately addressed its social media risks. Action is the key step here in protecting your financial institution and the consumers and customers it serves.
What is Your Strategy in Managing Social Media Risk?
It’s all about planning. And knowing the expectations of federal regulators. It’s creating and implementing a social media risk management program. It can’t be stated enough: you need to identify, measure, monitor, and control risks related to social media, which is the first step in developing and implementing a social media risk management program. You also need to take into consideration the following factors:
- Identify your financial institution’s involvement with social media. In doing so, you will be able to define the size and complexity of your social media risk management program.
- In developing your social media risk management program, make sure the right people are sitting at the table, such as:
  - Information security
  - Human resources
So, what does a social media risk management program look like? After weighing the above factors and conducting a social media risk assessment, this program needs to be comprised of the following, according to the guidance:
- Governance structure
- Policies and procedures
- Management of third-party relationships regarding social media
- Employee training
- Oversight for monitoring information
- Audit and compliance checks and reviews
- Reporting mechanism for senior management and board
Again, review the guidance to delve into more of federal regulators’ expectations regarding the above components of a social media risk management program.
To Sum it All Up
Not one of us wants to be caught off guard during an examination or when responding to a consumer complaint. Being prepared in knowledge and action is key in managing your financial institution’s social media risks, and risks overall. Social media can be a great tool to interact with customers and attract new customers. Use the tool wisely with appropriate oversight and control to mitigate risks.
Jill Emerson, owner of Integrity One Consulting, maintains over 30 years’ experience in the financial services industry, both as a practitioner and as a federal regulator. She enjoys sharing her experiences and expertise through writing.
Jill can be reached at firstname.lastname@example.org.