III. Compliance Risk Management Expectations for Social Media

A financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media. The size and complexity of the risk management program should be commensurate with the breadth of the financial institution’s involvement in this medium. For instance, a financial institution that relies heavily on social media to attract and acquire new customers should have a more detailed program than one using social media only to a very limited extent. However, in accordance with its own risk assessment, a financial institution that has chosen not to use social media should still consider the potential for negative comments or complaints that may arise within the many social media platforms described above, and, when appropriate, evaluate what, if any, action it will take to monitor for such comments and/or respond to them.

The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing. Financial institutions should also provide guidance and training for employee official use of social media. Components of a risk management program should include the following:

• A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution (for example, through increasing brand awareness, product advertising, or researching new customer bases) and establishes controls and ongoing assessment of risk in social media activities;
• Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations, and incorporation of guidance as appropriate. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention;
• A risk management process for selecting and managing third-party relationships in connection with social media; An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities;
• An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party; Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations, and incorporation of guidance as appropriate; and
• Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.

Source: FFIEC