Blergh…my compliance people forwarded this to me this morning. Thank you for reporting on it in a language I can actually understand.
Dear FFIEC — Very nice..
The idea of having this type of compliance lets us into the minds of the people that almost sent us to our ruin, economically..
This might as well have been written by our friends, “The Borg”..
Stay out of it, so we can resist our mock and scorn for your incompetence and lack of understanding about social media..
Wow… where to begin? This is a reactive and obviously out of touch group of people enacting “law” without fully thinking it through. However there are some positive aspects as well that I think may be for the best for everyone. My take below:
Social Media Strategy Now Required – Totally down with this. It will help eliminate the majority of the crappy posts/updates many credit unions are making about rates, weather and closings. But a strategy takes time and I thought social media was free. Wrong: social media is not free
Regular Reporting of ROI – Makes sense. If you take the time to do an actual strategy beyond “we’re going to post 2 times a day, once in the morning and once in the afternoon” you may actually be able to show some kind of return. But I thought social media was free and we don’t have the time/resources to implement the strategy AND report on if it’s working. Wrong: social media is not free
Monitoring of Social Channels Mandated – I can dig this if it means that a credit union must do more than just one way communication about rates, weather and closings. Taking the time to actually listen (monitor), learn and engage could be a good thing. But I thought social media was free and we don’t have the time/resources to monitor our social channels. Wrong: social media is not free
Put Formal Social Media Policies & Procedures in Place – I am all about creating policies and guidelines which is very much needed in this realm as it will help to clean up a lot of the social BS and for sure kill the idea that “social media is free”.
Tightly Manage Third-Party Vendors to Ensure Customers Are Protected – I see this is where it can get very tricky very quickly. Does this mean Hootsuite will have to be managed by every single credit union using them? What about Facebook, Twitter, YouTube or any other social integration app? How about Hubspot? MailChimp? What about Currency Marketing and their relationships with credit unions running the Young Free program?
You Have to Tell Employees What’s Okay and What’s Not – Having guidelines is good but at the same time it cannot be pre-written robotic scripts. Keep in mind the first word of social media is “social”. Someone may have to go off script from time to time to be human.
Compliance Protocols – And this is where it just gets downright stupid. The compliance you noted makes any social media effort at this point useless due to the amount of time needed to “audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance.”
Many good points I agree with from a strategic side however I think a reactive stance on this from a government regulatory body might take things too far without thinking things all the way through.
Before you know it, we could be back to sending letters through the mail. Oh wait… now there is a real conspiracy theory behind all this. Let’s make it almost impossible for FIs to use or want to use social media so that we force them to send mail once again and resurrect the US Postal Service.
Thanks for the great recap Jeffry. I’ll have to dig in and read the full proposal document. I agree with James Robert’s points. As a starting point, all FIs should get their social media policy in place. There’s a great free tool, http://policytool.net that can help you get started. The end product should be vetted by HR and compliance.
I also like the idea of posting your policies directly on your public website as well. Vancity in Canada does a nice job of this. Here https://www.vancity.com/AboutUs/OurNews/SocialMedia/ and here https://www.vancity.com/AboutUs/OurNews/SocialMedia/Guidelines/ Straightforward language that everyone can understand.
James, good questions about managing social media vendors.
The primary issues are privacy and data security. The final, formal wording of the policy will probably say something along the lines that a “financial institution will take the steps necessary and perform proper due diligence to ensure consumer data remains private and secure.” Regulators will probably extend a lot of leeway to major sites like Twitter and Hootsuite. But what about Facebook…? Well, that could be an entirely different story. As we all know, Facebook could care less about people’s privacy.
The spirit of the regulation is that financial institutions should be asking questions and investigating the security of their social media vendors. How can you be sure the vendor isn’t accessing the data as well, perhaps using it for some other purpose (maybe not even intentionally)? Do you know their servers are reasonably secure?
The easiest workaround would be to exchange no sensitive customer data. This would seem to be the case with Young & Free, which is primarily a marketing program. The biggest concern the Young & Free folks will probably have is making sure no one can get a hold of members’ contact info like email addresses (which Y&F is probably already doing sufficiently).
Really, the regulations are effectively calling for more stringent due diligence when customer service is provided in social channels (okay, really we’re just talking about Twitter, and maybe Facebook). Essentially no customer data is exchanged in YouTube, Hootsuite, Hubspot, and other sites. If you just publish a blog, some YouTube videos, a few tweets and some Facebook posts (like most FIs), you probably won’t have to worry. You can even exchange information publicly with people — like answering common questions — without raising red flags.
The sad truth is: Very few banks and credit unions get ANY customers saying ANYTHING to them, so most won’t have to worry about this at all — whether they use social media vendors or not.
Bottom line? What regulators seem to be saying is, “If you’re doing anything that triggers any compliance laws, rules or regulations, then you need to hold your social media vendors accountable at the same standards as you would yourself.”
Protect customer data, obey the laws and make sure your vendors do the same, and everything should be alright.
As an example, think about some of the banks that are toying with “virtual branches” on Facebook. The bank has to partner with a developer to build the Facebook app. It’s the bank’s responsibility to ensure the app developer can’t access sensitive customer data, and that the app is built in a secure manner — something that can’t be easily hacked. The bank needs to understand how the vendor intends to “route” data through the web — how many nodes, how many servers will data be stored on, where are these servers and who has access to them? What kind of encryption is involved?
Helpful article. These types of conversations have been happening for several years within the securities industry, so there are key learnings that may be applied to the retail banking world. There are four areas of risk that need to be mitigated before deploying social media:
1) Data leakage – need to prevent firm and client information from being leaked out either inadvertently or maliciously from the enterprise.
2) Incoming threats – social media users are susceptible to malware as they view themselves as part of a tribe and tend to click on any link sent by a “friend.”
3) Compliance – there are thousands of rules and regulations that govern the communications of publicly held corporations, banks and firms in general. For example, Securities regulators didn’t issue new rules and regulations around social media — as it’s viewed as just another form of written communications. In short, business communications need to be captured, archived and made available for ediscovery. Firms also need to demonstrate to the regulators that they are supervising these communications to make sure they are appropriate.
4) User Behavior – now that every employee can be the face of the business, you either have a powerful marketing tool or your worst nightmare.
All these risks can be mitigated by strong corporate policies, backed up with technology and training.
You may find my blog about FFIEC Guidance helpful for more details.
“Upcoming Guidance for the Use of Social Media for Retail Banking from FFIEC”
Great insights. Thanks for sharing Joanna.
I appreciate all the comments here, as well as the recap article that is provided. James Robert, I agree with all of your points and think that a lot of this is fine and a good idea to implement. At Verity, we do a lot of social media, but we do have written guidelines in place and every employee is required to sign a social media policy. Considering the goals of social media are important, but what if you don’t think it is about ROI through the channel and your board is ok with that? Do we need to show that “I spent x amount of time and that generated x new accounts” or something like that? It is so difficult to track that sort of thing and determining ROI in this channel is incredibly difficult and up for interpretation. As long as it stays in the broad scope and just requires everyone to think and plan what they want to do and hope to accomplish through the channel, I think it is ok. Editor, I really liked the comments you provided as well. The one thing that really concerns me is the potential impact of all those regulatory acts and things that may need to be taken into account on every post…
What’s really important here is “who” is actually behind this draconian legislation, “who” stands to gain if it becomes law, and “what” do they stand to gain. I see it as a “follow the money” exercise.
Thanks for breaking down the 31 pages. And, thanks to those who’ve commented thus far. The insight is most helpful.
Right on, James Robert! Social media is NOT free. (Or rather, it CAN be. And we all know “you get what you pay for”, right?)
If the acronyms TOS, RT, HT, MT, PRT, DM, ROI and SEO can’t be explained by your social media manager, you might want to consider another employee for the position. And, if NO ONE on staff has any experience with social media besides their own personal FB accounts, you just might want to look to a social media marketing firm to manage your accounts for you.
Many FIs have flocked to social media as they perceive it as a “free medium” to advertise. (Yawn.) While the tools are free, you need to know how to use them. And sadly…a lot of marketers don’t understand that this medium operates unlike any platform we have seen before.
While there has most likely been a lot of “eye rolling” going on in the last week, let’s face it…we NEED these regulations as desperately as we need qualified social media managers/marketers.
You are absolutely right: “following the money” would almost always lead you to the real motives and characters behind any political decision. But that doesn’t seem to be the case here. It’s hard to see where there’s any money involved. While some folks will find the proposed regulations annoying, even perhaps “draconian,” it seems this is just another instance of run-of-the-mill bureaucracy. You’ve got a committee — the FFIEC — comprised of other committees, all tasked with regulating the financial industry. So that’s what they’re trying to do… “regulate.”
The creation of the FFIEC traces back to March 1979. The FFIEC has six voting members:
• one Governor from the board of the Federal Reserve System
• the Chairman of the FDIC
• the Chairman of the NCUA
• the Comptroller of the Currency
• the Director of the CFPB
• the Chairman of the State Liaison Committee
Certainly a broad and overwhelming guideline given the number of regulations it touches and broad mix of technologies that could potentially be classified as “social media.”
Regardless, the spirit of the guideline is in the right place given the potential risks financial institutions face from regulatory, liability and brand perspectives if they don’t set a cross-organization governance program to control and manage their social media efforts. Clearly a flexible framework that addresses the various forms and touch points of social media is required to bring transparency and accountability to this area regardless of whatever emerges as the final set of guidelines and invariably resultant additional regulations. Working with clients we have found the following as some of the key points to address.
- Not taking a wait and see approach – social media is already being used within your organization and outbound to the market, whether you know about it or like it or not
- Understanding the different roles in defining and executing a social media strategy – board members, executives, risk, marketing, IT, third-party vendors/suppliers and rank and file staff
- Balancing rules based and principles based social media policies and procedures that remain enforceable as social media continues a rapid evolution
- Clearly articulating rules, policies and procedures and training the workforce on social media compliance; note this is an ongoing and recurring process
- Developing contingency, remediation and enforcement plans for when policy and procedure lapses invariably occur, from small scale infractions to major breaches
We have produced a series of articles collectively entitled The Social Banker that address these and other key points in managing and exploiting (in a good way!) social media’s usage in financial institutions, including some good real world case studies and examples. Follow this link to access these articles. http://www.kpmg.com/Global/en/IssuesAndInsights/ArticlesPublications/social-banker/Pages/remaining-compliant.aspx
Credit unions using social media should already have a written policy that contains guidelines and rules. That part of any new legislation shouldn’t be difficult to handle.
As for ROI – it looks as if the credit union itself will define the “investment.” As long as the rules are being followed and the credit union’s management can show the board that members are being better engaged, this shouldn’t cause an issue either.
The section above “Don’t Show This List To Your Compliance Department” states that there could be thousands of pages involved in regulations like this. TRANSLATION: credit unions have plenty of time to prepare for all of this.
And as James Robert seems to suggest – if the burdens become too heavy, credit unions will simply not use social media anymore – THEN the FFIEC will probably hear from the members – 93 million or so at last count – many of which subscribe to their credit union’s social media feeds.
Does anyone have any general idea when the final approved guidance will be released?
This article covers all the touch points for prudent risk management within a financial institution. I wholeheartedly agree with the proposed regulations, which address some of the risk factors and internal controls necessary to mitigate social media activities. As a former banker who has integrated emerging technologies into organizations, rolled out new products, and established infrastructures for efficiency purposes, all functional areas impacted by the change require attention.
What I find interesting in this proposal is that whether the entity participates in social media or not, a program still needs to be created to address the negative comments for brand management purposes.
Good job FFIEC in covering most of the bases.
One point of clarification, Cathy. The proposed regs say you have to have a plan, but it doesn’t say you have to respond to negative comments. A plan might include monitoring the social web for negative comments, capturing any and circulating among management to see if a response is warranted, then respond within 24 hours if necessary/appropriate. It’s possible that a plan could be to not respond to any comments — positive or negative.
Do you have any helpful information in reference to a person identifying themselves as a customer of your bank on social media? Are there rules against this? We are being told we should delete this post because the customer said they had several CDs with us.
Compliance people and lawyers are going to tell you to do anything and everything to protect customers, even if it isn’t required by regulators. Is it a little risky for a customer to announce on the internet where they have their banking relationships? Yes, because they are setting themselves up to get phished. But it’s also their own fault/decision. Personally, I don’t think it’s very smart and I wouldn’t do it, but I don’t think there are any regulations against it. I think that posting personal information like account numbers and SS# is something you’d be expected to delete, and quickly. But if you look around the web, you’ll see tens of thousands of people declaring they have [financial product X] at [bank Y].
If what your compliance people are saying is true, then all the Twitter accounts like @BofA_Help @Ask_Citi and others couldn’t even exist. They have people flooding in daily announcing they have some sort of relationship with those institutions, and those tweets aren’t deleted.
Jeffry Pilcher, The Financial Brand
Thank you so much for your response! I have done a good bit of research and I haven’t found any regulations against it either, but I understand that protecting our customers’ privacy should be number one. I am from a Marketing background though, and I think from the perspective of as far as social media is concerned, deleting comments (negative or positive) is frowned upon.