Auditing Social Media Risks for Financial Institutions

Auditing Social Media Risks for Financial Institutions

Internal auditors should pay attention to regulators’ guidance addressing social media when assessing their risk management program. 

 
Tom Giltrow, CRCM
Senior Manager
Protiviti
 
Eujin Kwak
Senior Consultant
Protiviti
 
Nicole Johnson
Senior Consultant
Protiviti
 

In a competitive financial services landscape, financial institutions increasingly rely on social media as an avenue to attract, engage, and retain customers. These outlets present financial institutions with unique opportunities to promote products and services to targeted audiences, monitor reputational risks, and engage potential customers interactively. As financial institutions expand their social media presence, they increase their exposure to an array of operational, compliance, reputational, and strategic risks. To address these risks, federal securities and banking regulators have issued or proposed guidelines regarding the use of social media. Broker-dealers are subject to guidelines published in January 2010 by the Financial Industry Regulatory Authority (FINRA) regarding communications with the public through social media sites. In January 2013, the Federal Financial Institutions Examination Council (FFIEC), which represents the legacy federal banking regulators and the Consumer Financial Protection Bureau (CFPB), issued proposed risk management guidance related to the use of social media by banks, savings associations, credit unions, and nonbank institutions. Though this guidance is not yet final, it marks the first time that these federal banking regulators have formally addressed social media, and the guidelines serve as a strong basis for internal auditors of depository and other CFPB-supervised institutions to consider in evaluating their social media activities for compliance with applicable laws and regulations and prudent risk management. 

 

SOCIAL MEDIA DEFINED AND KEY RISKS
According to the proposed guidance, social media is defined as a form of online communication that involves a high degree of interaction with consumers, such as the exchange of text, pictures, audio, or video. The guidance allows for a broad interpretation of the types of online activities that may be classified as a form of social media, but provides as examples an array of social media websites, including common personal networking sites and other websites less frequently considered as types of social media, including: 

  • Photo and video-sharing websites.
  • Customer review websites.
  • Professional networking websites.
  • Virtual reality games.
  • Social networking games.

As consumers and financial institutions increasingly rely on social media as a means of interaction, internal auditors at these institutions should be alert to key risks related to the use of social media:  

  • Strategic Risks. In the absence of standards that provide direction regarding social media and active oversight to monitor usage, social media activities could easily become poorly aligned and send unclear, inconsistent, or inaccurate customer messaging or result in missed opportunities to promote products and services.

  • Legal and Compliance Risks. Legal and regulatory requirements regarding consumer disclosures, privacy, and advertising apply equally, but in a less obvious way, to social media usage. Depository institutions that promote deposit account products through social media, for example, may be required to comply with advertising requirements and restrictions found in the Truth in Savings Act. Institutions must take care to avoid disclosing customer-specific information or risk criticism for disclosing non-public personal information inappropriately. Because social media by design limits the length of a given message, institutions have to consider whether those messages leave out important terms such that they could be considered deceptive. Failure to identify and comply with applicable legal and regulatory requirements could result in regulatory actions, monetary penalties, and consumer litigation.

  • Operational Risks. Institutions may interact with consumers through multiple social media outlets and technology platforms, which may increase the risk of misaligned activities, inconsistencies in direction, and ultimate failure of the processes and technology supporting the institution’s social media activities. Further, with multiple stakeholders involved in customer interaction across an organization, poor interdepartmental coordination and communication may result in the same. As a prominent fast food chain, among many others, recently learned the hard way, inadequate information security and user access controls may expose the institution to hackers with malicious intentions.

  • Reputational Risks. Social media outlets typically involve frequent and far-reaching exchanges with consumers and customers — a simple message or one consumer complaint handled poorly will be seen by many people. Failure to control for the accuracy and integrity of such exchanges, and even limit the interaction by taking it offline, could quickly damage an institution’s reputation and brand. Unfavorable changes to products and services may also return to haunt institutions through social media. For example, a prominent bank that announced plans to charge new fees for using debit cards was forced to withdraw those plans in the midst of a flurry of consumer criticism, much of which was escalated through forms of social media.   

SOCIAL MEDIA RISK MANAGEMENT PRACTICES 
Financial institutions should establish a social media risk management program that is appropriate to the size and complexity of its operations and planned and actual social media efforts, and that is consistent with the institution’s strategic goals. In establishing a social media risk management program, institutions should:  

  • Assign accountability for oversight of social media activities, clearly documenting employee roles and responsibilities.

  • Define and align social media objectives with enterprisewide strategy.

  • Establish clear, enterprisewide policies and procedures that effectively implement the institution’s strategic goals and establish clear parameters for acceptable use, including employee use of social media in and outside of the workplace.

  • Inventory social media activities across the enterprise.

  • Consult with legal counsel and compliance personnel to inventory and assess the applicability of state, federal, and local laws and regulations.

  • Periodically assess the risks of social media activities across the enterprise.

  • Identify and administer customized training to personnel with operational responsibilities for, and compliance oversight of, social media activities.

  • Monitor and report to senior management and the board of directors' social media activities, related risks, and qualitative and quantitative metrics.

  • Provide oversight of third-party vendors employed for social media activities.

  • Establish standards regarding access to the institution’s social media pages and internal or third-party tools used to manage social media. Access management for social media activities should align with the institution’s access standards for other sensitive applications.

  • Define and establish procedures to track complaints received through social media platforms, employee usage, and social media incidents (e.g., the posting of sensitive or inappropriate information to the institution’s social media page). More broadly, institutions also should monitor social media pages maintained by competitors for complaints, brand mentions, and industry trends.


ROLE OF INTERNAL AUDITING

Internal auditors should be mindful of the risks associated with social media, and take steps to validate that the institution has established an effective social media risk management program commensurate with the degree of the institution’s use of social media. In auditing social media, internal auditors should consider the following steps:         

 

Program Governance and Oversight

  • Evaluate how the institution assigns accountability for social media activities.
  • Review social media-related policies and procedures for consistency with stated social media objectives.
  • Assess the institution's process to stay informed of actual and proposed social media activities.
  • Evaluate procedures to review and approve social media content before publication.
  • Determine how social media risks are periodically assessed and documented.

Alignment of Activities with Enterprise Strategy

  • Determine if the institution has documented formally an enterprisewide social media strategy.
  • Review the documented social media strategy for specific objectives and defined metrics against which progress is measured, including risk appetite.
  • Evaluate the process by which business line social media practices are reviewed for consistency with the institution's enterprisewide social media strategies.

Compliance with Laws and Regulations

  • Discuss with legal and compliance personnel how legal and regulatory requirements are assessed for applicability to social media activities.
  • Assess the completeness of the institution's inventory of laws and regulations applicable to social media activities.
  • Evaluate how legal and compliance are involved in the use of new social media technologies that may impact compliance with legal and regulatory requirements.

Operational Risk Management

  • Determine if technological tools have been used to monitor and restrict social media usage, and consider opportunities to automate new and existing preventative and detective controls.
  • Evaluate how the institution provides and rescinds access to social media platforms, including standards for reviewing and approving access as appropriate.
  • Discuss with management the types of training provided to employees with access to the institution's social media platforms.
  • Determine if third-party social media tools and software solutions are evaluated for operational and compliance impacts in accordance with the institution's documented vendor management program, if applicable.
 

Reputational Risk Management

  • Evaluate whether management distinguishes consumer complaints received through social media platforms from social media incidents.
  • Determine if management has identified complaint and incident scenarios that require escalation to legal, compliance, senior management, or other parties.
  • Assess how social media exchanges are monitored for integrity and fairness to consumers.
 

As financial institutions expand social media activities, internal auditors have an increasingly important role to play in validating that risk management programs and controls evolve adequately. By proactively evaluating social media risk management, internal auditors assist their institutions in mitigating reputational, regulatory, operational, and strategic risks. 

To comment on this article, email FSA Times Editor Shannon Steffee at Shannon.steffee@theiia.org.