loan officers or other E2C avenues (e.g., employee to consumer outreach) or C2E (e.g., consumer discussions, feedback, complaints to an employee)—and this engagement can be with existing or potential customers. This form of instantaneous, interactive consumer dialogue tends to be both informal and dynamic, and because it occurs in real time—in a less secure environment—it presents some unique challenges to financial institutions.
Social media and other websites also frequently enable the use of “native advertising,” where advertising content matches the form and function of the platform on which it appears. This may make it difficult for a consumer to discern that this is actually advertising, so it could be misleading or deceptive without the FI realizing the potential for inadvertently creating a UDAAP (unfair, deceptive or abusive act or practice) issue.
Institutions often engage third parties to assist in spreading their social media footprint, and those vendors may generate posts or replies to consumers. Social media presence might also be generated by social media sites without the FI’s knowledge. For example, LinkedIn might associate the institution’s brand and logo in communications that an employee otherwise perceives as personal or private. Facebook could generate a page by web-crawling for information purposes (compliments of Facebook) and tag it as an “unofficial” page. However, once “someone” at the FI validates the page, Facebook will replace the “unofficial” tag with a checkmark, meaning it is now an official page.
Step Two: Define Your Social Media Risk
While this blend of technology and personal interaction can create value for an institution, social media can also significantly impact an FI’s risk profile. The speed and spread of information can be extraordinary—in a matter of minutes, an FI’s brand and reputation, consumer confidence, and stock value could all plummet. Does your institution have a “what if” scenario in place to respond?
The FFIEC guidance is intended to help FIs identify social media
risk across every regulation, and encourages oversight and risk
management by specialists from Compliance, Legal, Technology,
Information Security, and Human Resources—all in addition to
Marketing. This goes beyond simple training to avoid obvious
risks such as RESPA kickback violations. This requires a top-down
approach, with a governance structure set by the Board of Directors
and senior management to direct clear roles and responsibilities
for how social media should be used to align with strategic goals.
Therefore, it is not surprising that some institutions go beyond
wrapping social media risks within a generic “marketing” risk,
or carrying just a single line item for “social media” on their Risk
Assessment. A focused Social Media Risk Assessment will be
specific in identifying who is posting, where, and what is being
posted. This includes:
■ Identification of all potential risks impacted by social media, including but not limited to risks related to Complaint Management systems, Deposit and Lending products, Payment systems, BSA/AML programs, CRA programs, privacy issues, fraud, brand and identity concerns, third-party management systems, operational risks, and related fraud, identity, brand, and reputation concerns.
■ A situational analysis of social channels currently in use that may impact risks, documentation of activity, and methods for monitoring to identify where communication pops up across social media.
■ The identification of controls to mitigate risks, including detailed PnPs and training that set forth the institution’s “rules of engagement”—clearly helping employees understand what is, and is not, permitted; a review and approval process; and how to escalate issues and observations.
■ A Risk Management Plan tailored to the FI’s size, activities and risk profile. It should also provide for a defined record retention component, which can get complicated with an ever-changing
■ The institution’s Complaint Management and Third-Party Vendor Management programs should integrate issue identification and response controls to follow social media communications throughout the institution’s processes and social footprint.
(Guidance can be found at www.ffiec.gov/press/pdf/2013_
Step Three: The Feedback Loop—Monitoring, Fraud and IT Security
FFIEC specifically requests that FIs consider the use of monitoring tools and software that monitor not only for consumer complaints, but also for other mentions, including the fraudulent use of the institution’s brand. It is critical to set up your “listening channels”—and there are a wide variety of automated tools to help you, such as:
■ A dedicated email address to help sort through updates, and then identify a variety of automated solutions to cast a wide net tailored to your institution’s footprint;
■ Google Alerts to track where and when your institution’s name
■ LinkedIn Connections, Facebook and Twitter profile settings and services to notify you about mentions; and
■ Paid services such as Cision can be used to monitor when your FI is mentioned in the press. It can also be used to monitor key words or phrases that are important to your institution.
Additionally, FIs may be exposed to or have access to a con-