The Regulatory Risks of Social Media — Evolving Interpretations
Three social media case studies give a preview of what new regulations may be on the horizon.
MIKE JACKA, CIA, CPCU, CLU, CPA
COFOUNDER AND CHIEF CREATIVE PILOT
With banks using social media to communicate with new and existing customers, market products and services, and solicit customer feedback, they are at increased risk of noncompliance with recently proposed risk management guidance from the Federal Financial Institutions Examination Council and the Consumer Financial Protection Bureau. These new laws and reinterpretations of existing regulations should prompt financial institutions to gain better control over all social media activities.
The good news is that the financial services industry can learn from issues that are arising in other areas. It is merely a function of seeing what has occurred, understanding the underlying risk, and translating those issues into the financial services environment. Three examples can provide lessons in what may be on the horizon.
WHEN IS AN ANNOUNCEMENT OFFICIAL?
On March 7, 2010, Gene Morphis, chief financial officer (CFO) for fashion retailer Francesca’s Holding Corp., tweeted from his personal Twitter account (@theoldcfo): “Board meeting. Good numbers=Happy board.” — two days before the actual numbers were released. In addition, he had sent out other tweets that took shots at the board, talked about secondary share sales, and in general, violated any number of communication “rules” most CFOs would be expected to know.
Executives in all organizations have the potential, in any social media venue, to become the unofficial spokesperson for the organization. It is important for executives to recognize this risk and take personal responsibility to avoid such issues. This includes the use of any private social media communication.
The Morphis example raises additional questions about communications of employees throughout the organization. Can lower-level employees inadvertently become spokespeople for the organization? Imagine the situation where a slot supervisor at a casino, after a particularly hectic day, tweets from a personal account: “Crazy day today. Feels like we were paying out over 100%.” If it is known that the person is an employee of the organization, could this be interpreted as an official announcement by the casino that its slots are paying out at more than 100 percent?
This has not occurred, and there does not appear to be any regulatory body that is pursuing such issues. However, one complaint could be enough for the regulators to start examining this issue more closely — and the recent history of regulatory bodies shows that such interpretations are becoming more prevalent.
IS THIS A COMPENSATED SPOKESPERSON?
Various U.S. federal regulators are taking their own closer look at social media and, through new regulations and interpretations, are having a broader impact than in the past. For example, the Federal Trade Commission (FTC) issued new endorsement guidelines in 2009 that included social media. An important element of these guidelines relates to reviews or comments made by people who have received compensation for those statements. In particular, the ruling stipulates that anyone (e.g., a blogger) receiving a free item is considered an endorser. The further interpretation is that the person must, in completing a review related to the free item, include the fact that compensation (i.e., the free item) was given to the reviewer.
To help ensure enforcement, the FTC is focusing on the organizations that provide the free goods and services. It is their interpretation that the organization providing the complimentary items is responsible for advising bloggers and reviewers that a disclosure must be made.
In 2010, the FTC took a public approach to enforcement. During a blogger event held by Ann Taylor stores, anyone in attendance who posted about Ann Taylor would be entered in a drawing for gift cards. The FTC conducted an investigation of the company’s potential violation of the regulations. Based on information gathered during the investigation, the FTC determined that no enforcement action would be taken. But this sent out a warning to all organizations that the FTC was serious in its approach. How serious? If action had been taken, the result could have been anything from a written warning to a US $11,000 fine per incident. (That is $11,000 per blogger, not per event.)
COMMUNICATION NOW MEANS ALL KINDS OF COMMUNICATION?
The other important factor to be aware of in relation to regulatory agencies is that many existing regulations are being reinterpreted for social media. Any regulation that might be considered to cover “communication” is being extended to include communication through social media.
For example, the U.S. Financial Industry Regulatory Authority (FINRA) requires registered representatives to maintain copies of all written correspondence with clients. FINRA has extended enforcement of this requirement to any social media communication. Much like the FTC has done, FINRA has made it the responsibility of the broker-dealer to ensure registered representatives comply. Many of the extensive fines and penalties will be borne by the organization.
WATCHING ALL REGULATORS
These are just three examples that speak to the regulatory risks financial services organizations may face. Considering only the financial services risks in the regulatory environment may result in significant issues being missed. Therefore, financial services organizations must take a broader look at regulations, watching in particular for those that focus on communication issues.
This also means that internal auditors cannot sit back and complacently accept that the organization’s current work and procedures will be sufficient. With this changing landscape, it is necessary for internal audit to work closely with the business to ensure that all regulations are appropriately monitored and that their full impact is recognized. Internal audit also should be vigilant to ensure the organization has developed appropriate surveillance to mitigate the risk.
It is important to remember that regulators are in the same position as everyone else — still trying to get a handle on what social media means and how best to protect the public. That is why an organization’s No. 1 protection related to regulatory risk in social media is constant vigilance.
Mike Jacka, CIA, CPCU, CLU, CPA, who recently retired from Farmers Insurance Group after 30 years, is cofounder and chief creative pilot with Flying Pig Auditing, Consulting, and Training Solutions (FPACTS). He is the co-author of Auditing Social Media: A Governance and Risk Guide and the author of Internal Auditor (Ia) magazine’s popular “The Mind of Jacka” column.