Third Party Concerns

Working with third parties to provide social media services can expose financial institutions to substantial reputation risk. A financial institution should regularly monitor the information it places on social media sites. This monitoring is the direct responsibility of the financial institution, as part of a sound compliance management system, even when such functions may be delegated to third parties. Even if a social media site is owned and maintained by a third party, consumers using the financial institution's part of that site may blame the financial institution for problems that occur on that site, such as uses of their personal information they did not expect or changes to policies that are unclear. The financial institution's ability to control content on a site owned or administered by a third party and to change policies regarding information provided through the site may vary depending on the particular site and the contractual arrangement with the third party.

A financial institution should thus weigh these issues against the benefits of using a third party to conduct social media activities. A financial institution should conduct an evaluation and perform due diligence appropriate to the risks posed by the prospective service provider prior to engaging with the provider. To understand the risks that may arise from a relationship with a given third party, the institution should be aware of matters such as the third party's reputation in the marketplace; the third party's policies, including policies on collection and handling of consumer information, including the information of the institution's customers; the process and frequency by which the third party's policies may change; and what, if any, control the institution may have over the third party's policies or actions.

Source: FFIEC