We previously took a dive into the Federal Financial Institutions Examination Council (FFIEC) social media guidelines for financial institutions, which transformed seemingly grey social media questions into clearly defined answers for this regulated sector. If you read through the guidelines, you found a great deal of information on compliance and on the best ways to manage and assess risk, all of which can dramatically affect the way a bank conducts social customer service and social conversations.
A risk management program should be designed to identify, measure, monitor and control the risks related to social media. The guidelines suggest consulting specialists from the following areas: compliance, technology, information security, legal, human resources and marketing. We also recommend consulting customer service and operations, since they are the teams that carry the program out day to day. This blog post outlines seven key areas to cover in a successful risk management program for regulated industries operating in social media.
1. Governance Structure: Strategic goals and ongoing risk assessment measures should be set by senior management and the board of directors, and should align with existing business initiatives. It should be clear who is responsible for approving content or replies, and what the chain of command is in case of a crisis.
2. Policies and Procedures: There should be clear policies and procedures to address risks from online postings, and those policies must comply with consumer protection laws and regulations. For example, financial institutions cannot ask for personally identifiable information over non-secure channels, even private ones (e.g. a Twitter DM). There must be a process for requesting this information over a secure channel instead. Additionally, a file containing all written comments received from the public relating to performance, for the current year and each of the prior two calendar years, must be retained for full audit compliance.
3. Third Party Relationships: Any relationship with a third-party vendor remains the responsibility of the financial institution, even when the third party is managing content and responses. Information the third party places on social media sites needs to be monitored regularly, with due diligence conducted where appropriate. Financial institutions should be aware of the third party's reputation in the marketplace, its policies on the collection and handling of consumer information, the process and frequency by which those policies may change, and what protections the institution has in its relationship with the third party.
4. Employee Training Program: Guidance on official, work-related use of social media is essential to any effective social media program. Permissions and approval workflows should be put in place to support proper training and to mitigate operational, compliance and reputation risk. For example, if an employee is approved to communicate with a customer regarding a loan product, the training program needs to include steps that ensure the customer receives all the required disclosures.
5. Oversight Process: Everything posted to your social media sites needs to be monitored by the financial institution or its third party. It is essential that team members are set up with the relevant permissions, roles and approval functions in place. This allows senior management to review what is happening at the front line.
6. Audit and Compliance Functions: To ensure ongoing compliance with all internal policies and applicable regulations, audit and compliance functions need to be up and running before a social media plan is deployed. It is essential that relevant analytics and a full data export/archive (with a complete audit trail of all staff actions) are in place from day one.
7. Reporting Parameters: In order to achieve the desired objectives, a periodic evaluation of the social media program's effectiveness needs to be established. The board of directors and senior management should regularly review the success of the program and make appropriate changes to see results. Figures such as average handling time, first response time, and service level agreements are very important for managing a scalable social customer service operation.
Did you have to make any changes to your risk management program with the release of the FFIEC guidelines? What steps has your organization taken to remain compliant? With a successful risk management program in place, the room for error is drastically reduced and you can be confident you are remaining compliant.
Social media presents a world of opportunity but also the potential of brand damage due to social media crises. Are you prepared?