Just when you think you have it All Figured out … Something New Comes Along

 Author: Debi Randol, drandol@profitstars.com

After several years of working in a stable compliance environment, I started to notice a change.  Around June 2011 the FFIEC released the Supplement to Authentication in an Internet Banking Environment, and Financial Institutions (FIs) struggled with adopting the new guidelines.  Things were just beginning to settle and then the FFIEC released a new host of proposed guidelines in January of this year for Social Media Communication management.  After reviewing the feedback that FIs submitted to the FFIEC in response to the proposed Social Media guidelines, it appears that FIs are growing jaded from regulatory requirements.  I read quotes like “You are regulating us to death!”, “Adding more laws and entities are ridiculous!”, and “Do we really need another policy?” 

The truth is I can empathize with FIs because IT Regulatory Compliance expectations are high.   I can understand how community banks feel, “overburdened and overregulated”.   I have even heard in jest that, “bankers can’t be bankers anymore because they are too busy with policies and risk assessments”.  However, I also fully understand the importance of IT Regulatory Guidance.  I also know that being unprepared for an exam or audit is not a valid option.  Trust me, I have some experience with assisting FIs prepare at the last minute or the week prior to an exam or audit and they are overwhelmed.  All things considered, preparing for the next wave of guidance would be to the FIs advantage.  Since Social Media Communication is still a new medium, it presents unique risks.  For example:

• How do we keep customers and FI personnel from posting non-public information?
• How do we address record retention and vendor management when the vendors that provide these services are not traditional FI vendors? 
• What do we do if our social media page domain is hacked for the purpose of identity theft that steals FI customer’s credentials? 
• What about advertising regulations and employee acceptable use?

Regulatory bodies have recognized that these questions need to be addressed.  So what does all of this mean?  First of all, it’s important to note that the guidance does not impose additional obligations on FIs.  The responsibility to manage the potential risks associated with social media usage and access is no different from that which is required for any new product or service.  In addition, the pending guidance is expected to require a risk management program to be in place to identify, measure, and control the risks related to social media – even if your financial institution is not actively participating in this arena. 

It will be beneficial for your FI to plan and formalize a strategy now, if you have not done so already.  Is your FI going to actively participate in social media communication?  If yes, what do you wish to accomplish from it, and how are you going to measure those accomplishments?  These can be the building blocks for your policies, procedures, and employee training.

I strongly recommend not delegating this responsibility to one individual, as it merits the attention of more than one stakeholder.  Social media is far reaching and needs to be a group effort.  First, get your board and senior management approval and involvement.  Then, with all the regulations that intertwine with social media (17 and counting) make sure you are involving your compliance department or vendor.  Recognizing the regulatory requirements and guidance for social media communication and involving key individuals is potentially the most difficult step.  Once you have made the commitment to address social media guidance, then you will find that as with anything new it will soon become part of your regular processes and procedures. 

Are you ready to take the next step for planning your social media communication strategy?