Pub. 8 2013-2014 Issue 6
www.nebankers.org
Extraordinary Service for Extraordinary Members.

tech talk

Crafting a Social Media Risk Management Program
Russ Horn, CISA, CISSP, CRISC, President, CoNetrix

In December 2013, the Federal Financial Institutions Examination Council (FFIEC) issued final guidance on social media entitled “Social Media: Consumer Compliance Risk Management Guidance.” The purpose of the guidance was to help financial institutions better understand the risks of social media and provide some expectations for managing those risks. The FFIEC points out that “the guidance does not impose any new requirements on financial institutions;” however, the guidance does provide considerations financial institutions may use in crafting a risk management program.

Section III of the final guidance, titled “Compliance Risk Management Expectations for Social Media,” states: “A financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media.” Section III goes on to define seven components that should be included in a bank’s social media risk management program. Let’s take a look at these components.

Governance

“A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution (for example, through increasing brand awareness, product advertising, or researching new customer bases) and establish controls and ongoing assessment of risk in social media activities.”

As with any new product, service, or technology, financial institutions must be diligent in the risk management process and intentional with its use. A comprehensive governance structure with clear goals, roles, and responsibilities is the foundation for a strong risk management program.
Policies & Procedures

“Policies and procedures (either standalone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations, and incorporation of guidance as appropriate. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention.”

It is clear that financial institutions must have policies and procedures in place related to social media. Throughout the guidance, the FFIEC has provided considerations institutions may find useful in crafting and evaluating these policies and procedures.

Third-Party Management

“A risk management process for selecting and managing third-party relationships in connection with social media.”

In an interagency teleconference call on Dec. 19, 2013, regarding the new Social Media: Consumer Compliance Risk Management Guidance, representatives on the call confirmed social media sites (like Facebook) used by financial institutions require a risk management process for selecting and managing them.

Employee Training

“An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities.”