Abstract
Nowadays social media is being used by financial institutions for advertising and marketing, product research, facilitating applications for new accounts, providing incentives, inviting feedback from the public and engaging with existing and potential customers, for example by resolving customer complaints or providing loan pricing.
As the number of social media platforms grows, so does the presence of social media in consumers’ daily lives.
Since this form of customer interaction tends to be informal and occurs in a less secure environment, it presents some unique challenges to financial institutions like harm to consumers, compliance and legal risks, operational risks, reputation risks etc. Due to the probable impact of social media on financial institutions, Federal Financial Institutions Examination Council (FFIEC) has proposed guidance to financial institutions called “Social Media: Consumer Compliance Risk Management Guidance” vide docket no. FFIEC-2013-0001 on 17th January 2013, with the objective to ensure that all financial institutions effectively manage risk associated with social media usage and access.
In this white paper, we will look at the probable risk/impact of social media activities on financial institutions and how technology could play an effective role in managing such risk.
1. Introduction
Organizations have started using social media platform for integrating social activities within the employee lifecycle to encourage ongoing learning, increasing market share and revenue through improved customer relationships, enabling interaction and iteration to foster collaboration and innovation.
Social media technology is turning out to be a force for businesses to reckon with a breathtaking speed considering its far reaching effects across the entire range of business activity, from product development to marketing and sales to customer support.
The change social media has created, is happening so fast and at such large scale that it is posing unique challenges and risks to financial institutions including the potential for employees involved in social media to inadvertently leak sensitive company information, criminal hackers’ ability to “re-engineer” confidential information — log-ins and passwords, for example — based on information obtained from employee posts, employee misuse of social applications while at work, damage to a brand or company reputation from negative employee or customer posts — or even from well-intentioned posts with unintended consequences, loss of customers, revenue or market share from any of the above
In order to ensure effective management of risks associated with usage of social media by financial institutions, the Federal Financial Institutions Examination Council (FFIEC) has proposed a guideline for financial institutions vide docket no. FFIEC-2013-0001 dated 17th January 2013, requiring financial institutions to have an adequate risk management program in place for identification, measurement, monitoring and control of the risks associated with social media activities.
In this white paper, we will look at the probable risk/impact of social media activities on financial institutions and how technology can be helpful in managing such risk.
2. Social Media platforms and their usage by financial institutions
Source: Introducing the Social Media Power 100 Rankings for Banks and Credit Unions dated 8th April 2013 in The Financial Brand. Link: http://thefinancialbrand.com/28643/social-media-power-100-banking-launch/
3. Risks emanating from usage of Social media
The influence of social media cannot be denied as they provide a huge opportunity to financial institutions from product development to marketing and sales to customer support.
However poor due diligence, oversight or lack of control leads to risks as usage of social media to attract and interact with customers can impact a financial institution’s risk profile in number of ways such as:
3.1 Compliance and Legal Risks
Failure to address possibility of infringement or non-compliance with laws, rules, regulations, polices, procedures, ethical values applicable to social media use, emanates following types of compliance and legal risks
a. Defamation or libel risk
b. Infringement of copyright laws
c. Unauthorized disclosure of confidential information
d. Intellectual property rights leakage
e. Enforcement actions and/or civil lawsuits for non-compliance with industry regulations etc
3.2 Reputational risk
Negative public opinion, privacy or transparency issues and consumer protection concerns may inflate reputation risks such as
3.2.1 Fraud and brand identity risks
Protecting the brand identity in a social media context can be challenging. Risk may arise in many ways, such as through
a. negative comments made by other social media users,
b. Spoofs and fraudsters,
c. Posting unfavorable or confidential information on a public site.
A financial institution needs to consider the use of social media monitoring tools and techniques to identify and respond to the heightened risk appropriately. Further, an institution's policies and procedures should include monitoring and procedures for timely addressing fraudulent use of the institution's brand, such as through phishing or spoofing attacks.
3.2.2 Third-party risks
The proposed guidance states that use and monitoring of an institution's social media site is a direct responsibility of a financial institution, even if the functions are delegated to a third party. Even if a social media site is maintained by a third party on behalf of a financial institution, a financial institution will not be free of responsibility with regard to social media compliance. As a result, the proposed guidance cautions financial institutions to consider their ability to control content on a third-party site before using a third party to conduct social media activities.
3.2.3 Privacy risks
There can be potential reaction by the public to any use of consumer information via social media. The proposed guidance requires that financial institution should have procedures in place to address risks from other social media users posting unfavorable or confidential or sensitive information (for example, account number) on a financial institution's social media site or page.
3.2.4 Consumer complaints and inquiry risks
Financial institutions have started using social media to address customer complaints and questions but a reputation risks exist when the financial institution does not address consumer questions or complaints in a timely or appropriate manner. Reputation risk also arises when users post critical or inaccurate statements on a financial institution's social media site or page. The proposed guidance requires that a financial institution should have monitoring procedures in place to address statements or complaints, any errors or dispute posted on social media sites to which the financial institution must respond under applicable law, such as errors under Regulation E or Regulation Z or disputes under the Fair Credit Reporting Act. Monitoring may pose a real challenge as financial institutions need to ensure that such inquiries, complaints, or comments are addressed in a timely and appropriate manner. Also financial institution needs to consider how and when to address disparaging comments made about the financial institution in the social media.
3.2.5 Employee use of social media risks
Employee’s communications can also subject the financial institution to compliance risk as well as reputation risk, for example; employee’s own personal social media accounts may be viewed by the public as reflecting the financial institution’s official policies or may otherwise reflect poorly on the financial institution, depending on the form and content of the communications. The proposed guidance requires that a financial institution should establish policies to address employee participation in social media that implicates the financial institution.
3.3 Operational risk
The proposed guidance describes operational risk as risk of loss from inadequate or failed processes, people or systems, which can arise from a financial institution's use of information technology, including social media. Financial institutions are exposed to operational risks when they are on social media. The social media site could be hacked. The hacker could then use the social media site to distribute malware/ malicious software to customers of the financial institution. To minimize such risk, financial institutions needs to have appropriate security safeguards in place to protect systems from hackers and malware. More so, the financial institution could develop an incident-response protocol in the event of a security or data breach.
4. Risk management expectations
The guidance provides that a financial institution must have a risk management program to identify measure, monitor and control the risks related to social media activities that is adequate in size and complexity to the level of the institution's involvement in social media.
A good risk-management program should include a number of components such as:
5. Usage of Information Technology (IT) for complying with proposed social media rules
Monitoring Software: Helps in monitoring and tracking social media activity, software can help provide examples that illustrate for senior executives how social media can help the business. For example, on Face book, with the help of IT enabled tool for monitoring and tracking social media activity, financial institutions can find out a lot about customer’s' life events, such as marriage anniversary, getting engaged, having children, buying a house/car, retiring and hospitalization etc. All of these major life events are opportunities to sell financial products.
Financial institutions needs to monitor the data/information posted to third party social media sites, and social media monitoring software/tool will be very helpful.
Due diligence tools: Automated due diligence process can be developed for managing third party vendor relationships related to social media, such as software contracts and marketing services.
Audit tool: By developing an automated auditing tool, financial institutions can monitoring all posts and block those violate a rule, for instance, by using the word "guarantee" or "recommend
6. Conclusion
Financial institutions are using social media as a tool to generate new business and provide a dynamic environment to interact with consumers. As with any product channel, financial institutions must manage potential risks and consumers by ensuring that their risk management programs provide appropriate oversight and control to address the risk areas discussed within this guidance
About Author(s)
Dinesh Darak, a Chartered Accountant with certification in IFRS, has over 10 years of work experience spanning across financial and regulatory reporting, corporate banking operation & functional consultancy. Currently he is working as a functional consultant in Banking and Finance Industry Domain at M/s Tata Consultancy Services Limited. He can be reached at dinesh.darak@tcs.com
CAclubindia
