Risk
09/01/2011

New Media Compliance Issues: Is Social Media Right for Your Institution?


At the heart of social media – blogs, social networks and other multimedia endeavors – is a real-time, open and public dialogue accessible by anyone with Internet access. By the time your legal and compliance department has vetted a 140-character tweet, the conversation has changed. The reality of instantaneous engaged marketing with your customers can excite production staff and perplex compliance personnel. It doesn’t help that many of the rules that apply to the use of social media were created long before blogs and social networking consumed our lives. Perhaps this is one reason why the banking industry has lagged behind in the social media movement. But in the new reality, to ignore the movement is to be left behind. That is why financial institutions, regulators and attorneys are starting to get on board. The landscape may be unsettled, but it’s not entirely unmanageable.

Businesses, including financial institutions, are starting to see the vast potential for social media use.  Companies are connecting with their customers almost instantaneously and are receiving the kind of immediate feedback that once would have been obtainable only via costly and time-consuming surveys. Many companies are using social media as a customer service platform to create an online community of connected customers. The bottom line is maximization of advertising dollars. Businesses can reach any number of plugged-in consumers through the click of a button. Unlike television or radio ads, an online advertisement can be accessed any time, day or night, and gives the business the ability to change the course of the marketing communication mid-stream to create a fluid message in tune with current trends.  With all of these benefits, why has the financial industry been so slow to adopt social media?  Blame it on the disconnect between static regulations and innovative technology.

Compliance Issues In Social Media

The rules of compliance haven’t directly changed due to the advent of social media. However, the facts have changed, impacting the application of the rules. The underlying risk to your institution stems from the nature of how social media impacts the delivery and retention of information in addition to the ever-present privacy concerns.

Information Delivery

Deceptive Advertisements: The Federal Trade Commission (FTC) has long been the guardian of the consumer in the advertising arena. The rules are seemingly simple – advertisements have to be truthful and not deceptive. Easy enough, right? What if I told you that an employee blog that you may or may not know about could be considered an endorsement under the FTC Act if the employee is touting one of your institution’s products or services? In this instance, the blog post in question would have to be entirely truthful and the employee would be required to disclose his or her relationship with your institution, regardless of whether your institution is aware of or has authorized the message. (See the FTC’s Revised Guidelines concerning the use of endorsements and testimonials in advertising.) This is just one among countless examples of these types of rules, present at the state and federal level.

Advertising Disclosures: What about microblogging (i.e., the 140-character tweet)? If an interest rate for a consumer loan product is quoted, how can all of the accompanying disclosures required under state and federal law possibly fit? Crafting the message in light of the limitations of the medium is a critical factor in an institution’s ability to comply with the rules.

Federal Securities Laws and Blue-Sky Laws: For publicly-traded companies, regulators have begun to address social media in the context of securities laws. Forward-looking statements regarding company performance are a delicate issue, even after thorough vetting by legal counsel. Employers will be liable for the statements of their employees, authorized or not.

Information Retention

Your institution already employs some level of technology to assist you in the collection and retention of certain types of information. This may be in the context of advertising retention rules per state law or e-discovery rules under the Federal Rules of Civil Procedure. Additional retention and reporting requirements come into play under the Sarbanes-Oxley Act, USA PATRIOT Act and other related laws. By its nature, social media is harder to capture and catalogue for later recall. However, technology providers have emerged that focus specifically on this type of media. 

Privacy and Security

Some companies use social media sites for customer support. This use requires special attention, especially in an industry as heavily regulated as banking. Institutions must ensure that any use of social media avoids conflict with existing privacy laws and internal security policies. In addition, regulators are growing increasingly concerned about information technology risks and have adopted compliance guidance.

Suggestions for Conquering Your Institution’s Social Media Fears

Demonstrating that you are cognizant of the risks associated with social media and addressing those risks with thoughtful and effective policies and procedures is just as important as the end-result. Here are a few suggestions:

Dedicate significant time and resources to developing current policies and procedures regarding social media. A number of stakeholders will be critical to this process and they should start by analyzing known risks. The results are highly dependent on your institution’s risk profile and the process should be thoroughly documented. Show your work. Regulators will want to know that you take these policies seriously and have acted with a sufficient amount of diligence and caution. Make sure your social media policies and procedures are effectively communicated to your employees. Address violations of social media policy swiftly and decisively.

Monitor for compliance and protect your institution’s brand. The social aspect of social media creates the possibility that some users will have less than stellar things to say about your institution. Treat those situations as a customer service teaching moment and a way to gain feedback about your institution. In addition, to the extent that you have protected trademarks or servicemarks, develop guidelines for employees with communication privileges so that they can adequately protect those marks in the public arena.

Consider using third parties to assist you. There are a number of technology companies available to assist you in message search and monitoring, access management and archival solutions. Reach out to those companies. At the very least, you may get some ideas on areas of focus for your policies and procedures. At best, you’ll find a competent vendor partner to automate what would otherwise be a laborious process.

Go slow. Total institutional immersion into social media doesn’t have to happen overnight. Take the time to create a culture that embraces the effective use of social media and the related compliance components. Consider slowly adding mediums and employees into the fold after adequate training and guidance.

Vendor Management

In a recent interview with www.bankinfosecurity.com, Donald Saxinger, senior examination specialist at the FDIC, suggested that social media providers would have to be treated as vendors for purposes of the FDIC’s Guidance for Managing Third-Party Risk (FIL 44-2008). In addition, he suggested that social networking sites could be considered to be the type of vendors that banks must report to the FDIC under the Bank Service Company Act (BSCA) within 30 days after the relationship begins (12 U.S.C. § 1867(c)).

The basic premise of third-party risk management is that the board of directors and senior management are ultimately responsible for the activities conducted by third parties on behalf of the bank to the same extent that they would be if the activity were handled within the institution. The majority of the guidance from the FDIC pertains to “significant third-party relationships”; however, institutions should consider following this guidance for all social media vendors. Until there is more guidance available pertaining specifically to social media vendors, those companies should be treated as any other vendor would. This means completing a risk assessment on the outsourced activity, due diligence in selecting a third party, contract structuring and review, and continuing relationship oversight.

The BSCA requires institutions to use the FDIC form titled Notification of Performance of Bank Services to report all vendors performing “Bank Services” as defined in 12 U.S.C. § 1863. Institutions should consult with their legal counsel as to what social media vendors fall under this category for reporting purposes. This question could be difficult until further formal guidance is issued.

Two things are certain with social media – it’s inevitable and ever-changing. Some of these same discussions took place with the adoption of email usage. Just read the disclaimers at the bottom of your last email exchange. Caution and innovation don’t often mix, but your institution can make the best of both worlds with a little time and effort.

Chris Dye