The final guidance from the FFIEC on social media risk management for financial institutions has been promulgated. It is effective immediately. As I mentioned earlier this year, regulatory guidance of this sort is not optional.
I did a study recently on the public comments for my doctor in law and policy program at Northeastern University. If you’d like some rather poor entertainment, I did a 7-minute YouTube video summary of the analysis of public comments. Through the analysis of public comments, perceptions of cost and complexity emerged as consistent themes. Cost was expressed by the commenters in terms of both time and expense that would be needed to comply with the regulations, as well as technology investments that could be required. Complexity was expressed as the breadth of proposed guidance, with concerns that it attempted to offer a broad-brushed overlay on existing regulations without actually modifying the regulations. Examples of complexity cited in the public comments included having to comply with the proposed guidance as well as existing social media guidance from other regulators, which could conflict; the question of the legality of monitoring employees’ personal use of social media; concerns with respect to ensuring consumer privacy; and the challenges with the means of presenting mandatory disclosures to consumers within the technical limits of social media.
While the most common public comments from the financial institutions look to have been addressed in some fashion, it is indubitable that the guidance will require more strict attention to social media compliance, which will require more investments in time, process and, in some larger firms, technology. One issue that remains particularly salient for Gartner clients is the issue of employee monitoring.
I am working through the final guidance with the goal of publishing a Gartner impact analysis. After you read through the guidance, if you identify a particular aspect you would like to make sure is addressed, then please comment here in this blog.