There's a little something going on right now in the world of financial institutions. Even if your only involvement with financial institutions are the overdraft notices you throw away because you are almost certain they were sent to you in error, you may want to pay attention.
At the end of last year, after a year of discussion and feedback, the FFIEC issued their final guidance on social media
. "What", you may ask, "is the FFIEC and why should I care?"
The FFIEC is the Federal Financial Institution Examination Council and to understand what that really means, it is probably best to quote, at some length from their website.
"The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions."
Did you make it all the way through that? If so, I think you now understand that this is kind of an important group of regulators, particularly if you are in the finance business.
"Okay," you may say, "But I still stand by my second question; why should I care?"
Because what the FFIEC has done is, to the best of my knowledge, become the first major regulator to take on social media – more importantly, the risk of social media and the way organizations should respond. What they have done is some of the initial trailblazing that all regulators will be following. And that means that, even if you don't have a dog in the FFIEC fight, the group of regulators to whom you have to respond (and is there anyone out there who doesn't have some regulatory group to worry about) will be watching closely and borrowing from this set of regulations.
Because contained within the 19 pages of "Social Media: Consumer Compliance Risk Management Guidance" is a very comprehensive review of what social media is, what the potential risks are, and what actions might be expected of an organization.
Here's a few of the top hits:
· Social media defined: "...a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video." (Again, to the best of my knowledge, the first time a major regulator has attempted such a definition.)
· Social media cannot be ignored: "A financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media."
· Social media risk mitigation spans the organization: "The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing."
· Social media risk management program components: These should include a governance structure, policies and procedures, a risk management process, an employee training program, an oversight process, audit and compliance functions, and parameters for appropriate reporting to the board of directors or senior management.
· Social media risk areas defined: These include compliance, reputation, and operational. As would be expected, there are significant details about compliance. But there is a good deal of information on reputation risk also, including information related to fraud and brand identify, third party concerns, privacy concerns, consumer complaints and inquiries, and employee use of social media sites.
In case you missed it, there is a lot of there there; this is pretty darned comprehensive. And, in case you missed it, there are some very broad impacts to the way financial institutions will have to look at social media. And, in case you missed it, the tone has been set for regulators everywhere. The FFIEC has effectively set the standard for all other regulators to meet or exceed.
No matter what your organization does – service, manufacturing, even governmental – you will want to get this document
and read it closely.
First, your regulators are probably looking at the same thing. And they are getting ideas.
Second, if nothing else, there are some real good ideas on how any organization (and any internal audit department) can help assure that the risks of social media are being reviewed and addressed.