
The Community Banker, page 18

Social Media Risk Management Program

By Russ Horn, CISA, CISSP, CRISC

In December 2013, the FFIEC issued final guidance on Social Media entitled “Social Media: Consumer Compliance Risk Management Guidance.” The purpose of the guidance was to help financial institutions better understand the risks of social media and provide some expectations for managing those risks. The FFIEC points out that “the guidance does not impose any new requirements on financial institutions;” however, the guidance does provide considerations financial institutions may use in crafting a risk management program.

Section III of the final guidance, titled “Compliance Risk Management Expectations for Social Media,” states: “A financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media.” Section III goes on to define seven components that should be included in a bank’s social media risk management program. Let’s take a look at these components.

Governance

“A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution (for example, through increasing brand awareness, product advertising, or researching new customer bases) and establish controls and ongoing assessment of risk in social media activities.”

As with any new product, service or technology, financial institutions must be diligent in the risk management process and intentional with its use. A comprehensive governance structure with clear goals, roles and responsibilities is the foundation for a strong risk management program.

Policies and Procedures

“Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations, and incorporation of guidance as appropriate. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention.”

It is clear that financial institutions must have policies and procedures in place related to social media. Throughout the guidance, the FFIEC has provided considerations institutions may find useful in crafting and evaluating these policies and procedures.

Third-Party Management

“A risk management process for selecting and managing third-party relationships in connection with social media.”

In an interagency teleconference call on December 19, 2013, regarding the new Social Media: Consumer Compliance Risk Management Guidance, representatives on the call confirmed social media sites (like Facebook) used by financial institutions require a risk management process for selecting and managing them.

BANK BYTES