In January, the Federal Financial Institutions Examination Council (FFIEC) proposed guidelines for the use of social media by financial institutions (including banks, savings associations, credit unions, mortgage lenders, and other nonbank entities supervised by the Consumer Financial Protection Bureau and state regulators). Once finalized, the FFIEC guidance is expected to be adopted by the agency members of the FFIEC including the CFPB.
The proposed guidance is far more encompassing than existing federal rules and other regulations that address the use of social media for regulated financial entities. It says the use of social media requires compliance with all federal, state, and local regulations and guidance, instead of just rules around advertising and communication. With the FFIEC's guidelines adding to the long list of existing governance rules for financial institutions, where should the financial institutions start? Certainly, abandoning the use of social media is not a viable solution, as social media is becoming a standard medium for public communication.
Here are steps that financial institutions can take to prepare for social media compliance with the impending regulation.
1. Set social media objectives. As with any corporate initiative, it is important to establish the company's overall objective for its social media program. Too many companies are so focused on just getting a presence on LinkedIn, Twitter, and Facebook that they skip this critical step of asking "why?" Social media provides great opportunities to reach more people and outwardly share the company's values. As an organization decides to embark on social media, it's important that it set objectives for what it wants the social media program to achieve and that these goals align with company values and the strategic vision for the organization.
In defining the goals, it is also important to identify the target audience, the target engagement from this audience, and who or which cross-functional teams at the company will be responsible for the initiative. For example, an organization may launch a social media program only to demonstrate its community involvement or commitment to community services.
One of the unique suggested guidelines from the FFIEC includes a measuring and reporting on the ROI of a program. In addition to providing direction for your social media initiative, setting goals gives an organization a way to measure and report on success.
2. Draft a social media policy. Once the objectives are set, a clear and concise policy that defines how the organization should be using social media should be drafted. An organization's social media policy should be tailored to the organization's use case for social media, incorporating the entity's goals and objectives (as already identified in the first step). There is no one-size-fits-all to social media! It's appropriate for the policy to address the institution or brand presence on social media, as well as how employees use social media for business purposes. Employees' use of social communications for business purposes must be aligned with company values and this policy.
Specifically, most policies should define who can use social media on behalf of the business, the process and technology appropriate for using social media and specific activities and content that are inappropriate on social media, including those that would be misaligned with company values. Keep in mind that recent NLRB rules state that employees have a protected right to communicate about their compensation and working conditions, even when those communications may be disparaging to the employer and cast a negative on its brand.
The policy should describe the types of content that cannot be published, such as private customer information (same policy as other channels); profanity and derogatory language (as per the bank's human resources policy); the institution's trade secrets and financial information; and copyrighted material. It should identify clear roles and responsibilities for supervision and process workflow for approval, monitoring and enforcement.
Putting this policy into place not only guides employees, it also an important tool to demonstrate regulatory compliance. The top reason that financial services companies failed FINRA social media audits in 2012 was a lack of social media policy.
3. Create a content plan and approval process. The continuous need for new content and posts is what makes social media different than other marketing and communication channels. Most successful social media programs include multiple posts a week, if not per day. But all of this content must be monitored and reviewed by compliance teams. With the review step often being a roadblock, it is valuable for a regulated organization to plan ahead with a content plan and defined review/approval process. In conjunction with the goals and policy mentioned above, an identified team for content curation and review will help keep the social media site fresh and the institution prepared for audits. In addition to identifying individual roles, this process typically defines what type of content will be published (aligned with goals), the frequency at which it will be published, and the required review steps for each type of content. As with any public communication, financial institutions will want to have social media posts and activities reviewed by internal and sometimes external teams, depending on the nature of the content. The approval process might define how content, including profiles and static content, will be approved, and by whom (including, regulatory compliance teams, marketing, branding compliance etc.). Technology can help manage the process.
4. Consider technology to enable goals and enforce policies. As an institution gets started on social media, it may need to implement technology to monitor activity and ensure compliance with the established company policy. Such technology could potentially secure privacy settings, establish a recordkeeping system to archive activities, distribute approved content, enable a monitoring and approval workflow, provide analytics to measure the effectiveness of social media initiatives, and help retrieve content for audits. The FFIEC guidance requires due diligence of any third party vendors a bank considers for help in its social media efforts.
5. Train and enforce. The guidelines also call for employee training on social policy and processes. The best practice is to conduct training on regular basis with refreshers when policy or technology changes. More than just the social-media task force needs to be trained. All employees could represent an institution on social media, so some level of policy training might reach everyone from administrative staff to the board of directors.
And no policy is effective if not enforced. Employees must know that the company takes its policy seriously, and that it will follows through with the stated consequences for violations. In audit situations, companies may not only be asked to produce policy documentation, but also proof of training and enforcement.
Social media is too big an opportunity to pass up. The best practices to protect from legal, regulatory, operational or brand risks on social are to build a plan and policy that represents the company mission while protecting consumers.
Yasmin Zarabi is senior director, legal and compliance, at Hearsay Social.