In December 2013, the Federal Financial Institutions Examination Council (FFIEC) agencies released guidance on managing the compliance risks associated with using social media.
The guidance doesn’t impose any new requirements on financial institutions. Rather, it’s intended to “help institutions understand potential consumer compliance and legal risks, as well as related risks such as reputation and operational associated with the use of social media, along with expectations for managing those risks.”
Social media can take many forms beyond the usual suspects—such as Facebook, Twitter, and LinkedIn. These include customer review websites (Yelp) and even social games (FarmVille), FFIEC says. And using social media can affect your credit union’s risk profile.
That’s why you should implement risk management programs that allow you to identify, measure, monitor, and control the following risks related to social media:
♦ Compliance and legal risks as a result of violations of, or nonconformance with, laws, regulations, prescribed practices, internal policies and procedures, or ethical standards. The potential for defamation or libel risk exists where there is broad distribution of information exchanges. Failure to adequately address these risks can expose your credit union to enforcement actions and/or civil lawsuits.
♦ Reputation risks arising from negative public opinion. Activities that result in dissatisfied members and/or negative publicity could harm your credit union’s reputation, even if you haven’t violated any laws. Privacy and transparency issues, as well as other consumer protection concerns, arise in social media environments. Be sensitive to, and properly manage, the reputation risks from those activities.
♦ Operational risks resulting in losses from inadequate or failed processes, people, or systems. The root cause can be either internal or external events. Social media is one of several platforms vulnerable to account takeover and malware distribution. Your credit union should make sure the controls it implements to protect its systems and safeguard member information from malicious software adequately address the use of social media. The credit union’s incident-response protocol regarding a security event should include social media, as appropriate.
Employee communications also can subject the credit union to compliance and reputation risks.
Minimize these risks by establishing policies and training that address employees’ participation in social media.