Abstract
Nowadays social media is being used by financial institutions for advertising and marketing, product research, facilitating applications for new accounts, providing incentives, inviting feedback from the public and engaging with existing and potential customers, for example by resolving customer complaints or providing loan pricing.
As the number of social media platforms grows, so does the presence of social media in consumers’ daily lives.
Since this form of customer interaction tends to be informal and occurs in a less secure environment, it presents some unique challenges to financial institutions, such as harm to consumers, compliance and legal risks, operational risks and reputation risks. Because of the probable impact of social media on financial institutions, the Federal Financial Institutions Examination Council (FFIEC) proposed guidance for financial institutions, “Social Media: Consumer Compliance Risk Management Guidance”, vide docket no. FFIEC-2013-0001 on 17th January 2013, with the objective of ensuring that all financial institutions effectively manage the risk associated with social media usage and access.
In this white paper, we will look at the probable risk/impact of social media activities on financial institutions and how technology could play an effective role in managing such risk.
1. Introduction
Organizations have started using social media platforms to integrate social activities within the employee lifecycle to encourage ongoing learning, to increase market share and revenue through improved customer relationships, and to enable interaction and iteration that foster collaboration and innovation.
Social media technology is becoming, at breathtaking speed, a force that businesses must reckon with, given its far-reaching effects across the entire range of business activity, from product development to marketing and sales to customer support.
The change social media has created is happening so fast and at such a large scale that it poses unique challenges and risks to financial institutions, including: the potential for employees involved in social media to inadvertently leak sensitive company information; criminal hackers’ ability to “re-engineer” confidential information (log-ins and passwords, for example) based on information obtained from employee posts; employee misuse of social applications while at work; damage to a brand or company reputation from negative employee or customer posts, or even from well-intentioned posts with unintended consequences; and loss of customers, revenue or market share from any of the above.
In order to ensure effective management of risks associated with usage of social media by financial institutions, the Federal Financial Institutions Examination Council (FFIEC) has proposed a guideline for financial institutions vide docket no. FFIEC-2013-0001 dated 17th January 2013, requiring financial institutions to have an adequate risk management program in place for identification, measurement, monitoring and control of the risks associated with social media activities.
In this white paper, we will look at the probable risk/impact of social media activities on financial institutions and how technology can be helpful in managing such risk.
2. Social Media platforms and their usage by financial institutions
Social media continues to evolve, and so does its definition. Some recent definitions and the various social media platforms in use are as follows:
Top 20 Performers in social media such as Facebook, Twitter and YouTube

| Power 100 Rank | Financial Institution | Country | Facebook ‘Likes’ | Twitter Followers | YouTube Views | Power 100 Score |
|---|---|---|---|---|---|---|
| 1 | Chase | USA | 3,843,994 | 22,395 | 112,020 | 2,621 |
| 2 | Capital One | USA | 2,926,147 | 68,263 | 3,386,539 | 2,364 |
| 3 | ICICI Bank | India | 1,874,808 | 7,326 | 766,769 | 1,763 |
| 4 | E*TRADE Bank | USA | 51,614 | 11,845 | 14,898,145 | 1,578 |
| 5 | BofA | USA | 843,498 | 121,865 | 1,194,317 | 940 |
| 6 | Axis | India | 983,576 | 1,241 | 1,066,934 | 843 |
| 7 | GT Bank | Nigeria | 1,045,292 | 41,171 | 226,005 | 841 |
| 8 | Wells Fargo | USA | 495,175 | 36,718 | 4,741,294 | 759 |
| 9 | Citi | USA | 675,841 | 29,406 | 1,797,126 | 677 |
| 10 | Commonwealth | Australia | 359,812 | 18,438 | 1,529,065 | 476 |
| 11 | FNB | South Africa | 336,669 | 22,202 | 626,026 | 441 |
| 12 | Navy FCU | USA | 520,621 | 6,795 | 347,779 | 434 |
| 13 | Bank of Nova Scotia | Canada | 168,625 | 13,592 | 3,926,160 | 421 |
| 14 | NAB | Australia | 94,611 | 15,219 | 3,843,812 | 385 |
| 15 | TD Canada | Canada | 197,609 | 19,134 | 468,896 | 244 |
| 16 | Barclays | UK | 101,282 | 10,435 | 1,825,145 | 237 |
| 17 | Ally Bank | USA | 79,295 | 11,837 | 1,087,401 | 191 |
| 18 | RBC | Canada | 124,368 | 3,308 | 189,176 | 186 |
| 19 | PNC | USA | 112,390 | 7,374 | 1,189,666 | 178 |
| 20 | Goldman Sachs | USA | 24,844 | 38,164 | 435,369 | 167 |
Source: Introducing the Social Media Power 100 Rankings for Banks and Credit Unions dated 8th April 2013 in The Financial Brand. Link: http://thefinancialbrand.com/28643/social-media-power-100-banking-launch/
3. Risks emanating from usage of Social media
The influence of social media cannot be denied, as it provides a huge opportunity to financial institutions, from product development to marketing and sales to customer support.
However, poor due diligence, poor oversight or a lack of control leads to risk, because using social media to attract and interact with customers can affect a financial institution’s risk profile in a number of ways, such as:

Social media risks
Risk categories: Compliance & Legal risk; Reputation risk; Operational risk

| Impact area | Examples |
|---|---|
| Data | Unauthorized disclosures, leakage of intellectual property |
| Technology | Viruses, worms, Trojans, impact on network availability |
| Employee | HR policy violations, social engineering/impersonation, loss of productivity |
| Financial institution | Copyright issues, lack of situational awareness, privacy risk, loss of control over content, trademark infringement |
| Public | Unsatisfied constituents, negative publicity, false impression/misguidance |
3.1 Compliance and Legal Risks
Failure to address the possibility of infringement of, or non-compliance with, the laws, rules, regulations, policies, procedures and ethical values applicable to social media use gives rise to the following types of compliance and legal risk:
Defamation or libel risk
Infringement of copyright laws
Unauthorized disclosure of confidential information
Intellectual property rights leakage
Enforcement actions and/or civil lawsuits for non-compliance with industry regulations, etc.
3.2 Reputational risk
Negative public opinion, privacy or transparency issues and consumer protection concerns may inflate reputation risks such as:
3.2.1 Fraud and brand identity risks
Protecting the brand identity in a social media context can be challenging. Risk may arise in many ways, such as through:
Negative comments made by other social media users,
Spoofs and fraudsters,
Posting of unfavorable or confidential information on a public site.
A financial institution needs to consider the use of social media monitoring tools and techniques to identify and respond to the heightened risk appropriately. Further, an institution’s policies and procedures should include monitoring and procedures for addressing, in a timely manner, fraudulent use of the institution’s brand, such as through phishing or spoofing attacks.
3.2.2 Third-party risks
The proposed guidance states that use and monitoring of an institution’s social media site is a direct responsibility of a financial institution, even if the functions are delegated to a third party. Even if a social media site is maintained by a third party on behalf of a financial institution, a financial institution will not be free of responsibility with regard to social media compliance. As a result, the proposed guidance cautions financial institutions to consider their ability to control content on a third-party site before using a third party to conduct social media activities.
3.2.3 Privacy risks
The public may react to any use of consumer information via social media. The proposed guidance requires that a financial institution have procedures in place to address risks from other social media users posting unfavorable, confidential or sensitive information (for example, an account number) on a financial institution’s social media site or page.
3.2.4 Consumer complaints and inquiry risks
Financial institutions have started using social media to address customer complaints and questions, but reputation risk exists when the financial institution does not address consumer questions or complaints in a timely or appropriate manner. Reputation risk also arises when users post critical or inaccurate statements on a financial institution’s social media site or page. The proposed guidance requires that a financial institution have monitoring procedures in place to address statements or complaints, and any errors or disputes posted on social media sites to which the financial institution must respond under applicable law, such as errors under Regulation E or Regulation Z or disputes under the Fair Credit Reporting Act. Monitoring may pose a real challenge, as financial institutions need to ensure that such inquiries, complaints or comments are addressed in a timely and appropriate manner. A financial institution also needs to consider how and when to address disparaging comments made about it in social media.
3.2.5 Employee use of social media risks
Employees’ communications can also subject the financial institution to compliance risk as well as reputation risk. For example, an employee’s own personal social media accounts may be viewed by the public as reflecting the financial institution’s official policies, or may otherwise reflect poorly on the financial institution, depending on the form and content of the communications. The proposed guidance requires that a financial institution establish policies to address employee participation in social media that implicates the financial institution.
3.3 Operational risk
The proposed guidance describes operational risk as the risk of loss from inadequate or failed processes, people or systems, which can arise from a financial institution’s use of information technology, including social media. Financial institutions are exposed to operational risks when they are on social media. The social media site could be hacked. The hacker could then use the social media site to distribute malware (malicious software) to customers of the financial institution. To minimize such risk, financial institutions need to have appropriate security safeguards in place to protect systems from hackers and malware. Moreover, the financial institution could develop an incident-response protocol for use in the event of a security or data breach.
4. Risk management expectations
The guidance provides that a financial institution must have a risk management program to identify, measure, monitor and control the risks related to social media activities, and that the program must be appropriate in size and complexity to the level of the institution’s involvement in social media.
A good risk-management program should include a number of components such as:
5. Usage of Information Technology (IT) for complying with proposed social media rules
Monitoring software: Software that monitors and tracks social media activity can also provide examples that illustrate for senior executives how social media can help the business. For example, on Facebook, with the help of an IT-enabled tool for monitoring and tracking social media activity, financial institutions can find out a lot about customers’ life events, such as a marriage anniversary, getting engaged, having children, buying a house or car, retiring and hospitalization. All of these major life events are opportunities to sell financial products.
Financial institutions need to monitor the data and information posted to third-party social media sites, and a social media monitoring tool will be very helpful for this.
Due diligence tools: An automated due diligence process can be developed for managing third-party vendor relationships related to social media, such as software contracts and marketing services.
Audit tool: By developing an automated auditing tool, financial institutions can monitor all posts and block those that violate a rule, for instance by using the word “guarantee” or “recommend”.
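A minimal sketch of the audit tool described above, combined with the account-number concern from section 3.2.3. This is an added example, not code from the paper or from any FFIEC material. The function name `screen_post`, the two-word rule list, the 8 to 17 digit range and the decision labels are assumptions made for illustration.

```python
import re
import unicodedata

# Assumption: the rule list holds only the two words the paper names.
PROHIBITED_STEMS = ("guarantee", "recommend")
TERM_RE = re.compile(r"\b(?:" + "|".join(PROHIBITED_STEMS) + r")\w*", re.IGNORECASE)

# Assumption: 8-17 digits, optionally split by spaces or hyphens, look like an
# account number. Coarse heuristic: phone numbers also match, so hits are held
# for human review rather than deleted.
ACCOUNT_RE = re.compile(r"(?<!\d)(?:\d[ -]?){7,16}\d(?!\d)")


def screen_post(text):
    """Screen one post; return (decision, findings, redacted_text)."""
    # Fold full-width and other compatibility characters so that look-alike
    # spellings cannot slip past the word rules.
    text = unicodedata.normalize("NFKC", text)
    findings = [("prohibited_term", m.group(0).lower())
                for m in TERM_RE.finditer(text)]

    def mask(match):
        digits = re.sub(r"\D", "", match.group(0))
        # Keep only the last four digits in the audit record.
        findings.append(("account_like_number",
                         "*" * (len(digits) - 4) + digits[-4:]))
        return "[REDACTED]"

    redacted = ACCOUNT_RE.sub(mask, text)
    if any(kind == "prohibited_term" for kind, _ in findings):
        decision = "block"
    elif findings:
        decision = "hold"
    else:
        decision = "allow"
    return decision, findings, redacted


if __name__ == "__main__":
    # Constructed sample posts, not taken from any real page.
    for post in ["We guarantee the lowest rate in town!",
                 "My account 1234 5678 9012 was charged twice",
                 "Branch hours are 9 to 5"]:
        print(screen_post(post))
```

Inflected forms such as “guaranteed” or “recommendation” are caught because the rule matches on the word stem; the findings list doubles as the audit record for each decision.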
6. Conclusion
Financial institutions are using social media as a tool to generate new business and provide a dynamic environment in which to interact with consumers. As with any product channel, financial institutions must manage potential risks to the institution and to consumers by ensuring that their risk management programs provide appropriate oversight and control to address the risk areas discussed within this guidance.
About Author(s)
Dinesh Darak, a Chartered Accountant with certification in IFRS, has over 10 years of work experience spanning across financial and regulatory reporting, corporate banking operation & functional consultancy. Currently he is working as a functional consultant in Banking and Finance Industry Domain at M/s Tata Consultancy Services Limited. He can be reached at dinesh.darak@tcs.com.