I’ve read through new draft guidance from U.S. financial services regulators on the use of social media. What struck me most is that instead of taking a compliance and control point of view, it talks about risks, and the need to ensure that social media risks are included in your risk management program. That’s not to say that FSIs should take the guidance as merely advisory – as I learned in the Navy, a suggestion from a senior officer is an order.
So here are a few of the orders from the draft guidance:
- Although this guidance does not impose additional obligations on financial institutions, as with any new process or product channel, financial institutions must manage potential risks associated with social media usage and access
- The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing
- Financial institutions’ incident response protocol regarding a security event, such as a data breach or account takeover, should include social media, as appropriate
- Components of a risk management program should include the following:
  - A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution
  - Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws, regulations, and guidance
  - A due diligence process for selecting and managing third-party service provider relationships
  - An employee training program
  - An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party
  - Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance
  - Appropriate reporting to the financial institution’s board of directors or senior management
And the last sentence of the draft is a comprehensive mandate: “As with any product channel, financial institutions must manage potential risks to the financial institution and consumers by ensuring that their risk management programs provide appropriate oversight and control to address the risk areas discussed within this guidance.”
What this all means for FSIs is that in the next couple of years, you will have regulators examining your social media risk management programs. Sure, right now they’ve got plenty to keep them busy – Dodd-Frank is only about a third done. But let’s not forget, there’s a new kid in town, the Consumer Financial Protection Bureau; in the social media risk area they don’t face a lot of competition from other regulators – what a great place to quickly carve out some new turf.
CIOs, start working now with your legal counsel and government affairs to draft your comments. And for Gartner clients, I’d recommend that before you submit the comments, you run them by us. My colleagues Stessa Cohen, Carol Rozwell, and Andrew Walls and I, who are tracking social compliance and risk management, would be pleased to talk with you and provide our feedback.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.