The recent, and some say extremely onerous, social media compliance rules proposed by the Federal Financial Institutions Examination Council join a bevy of existing rules from regulators such as FINRA and the SEC. Unless a bank has a large pool of employees who can monitor social media activity, it will need to use some kind of social media compliance software to monitor not only what its employees are saying on social media, but what the public is saying about the bank - even if it's made a conscious decision not to engage on Twitter, Facebook and the like. The FFIEC calls for a thorough social media risk management program anyway.
The FFIEC's description of social media includes interactive online communication on Facebook, Google Plus, MySpace and, Twitter, forums, blogs, customer review web sites and bulletin boards (such as Yelp); photo and video sites (such as Flicker and YouTube); professional networking sites (LinkedIn); virtual worlds (Second Life); and social games (FarmVille and CityVille).
The proposed rules require seven main things:
1. Senior executives and/or the bank's board must direct the use of social media to contribute to the bank's strategic goals (such as brand awareness or product sales). Software can't make a CEO take an interest in social media. But by monitoring and tracking social media activity, software can help provide examples that illustrate for senior executives how social media can help the business.
Joanna Belbey, social media and compliance specialist with social media compliance software company Actiance, has seen banks' financial advisors sell products through social media conversations. "People are beginning to think of social media as a way to prospect and gain loyalty from clients," she says. One large wirehouse in New Jersey asked its senior advisors to use social media. An advisor noticed on LinkedIn that one of his clients had retired and wasn't working with a financial advisor. "They had a number of conversations and he won a $3 million piece of business," Belbey says. "If you can share those types of stories with management they're going to be really interested in social media."
On Facebook, financial institutions can find out a lot about customers' life events, such as getting engaged, having children, buying a car, retiring and hospitalization. "All those major life events are opportunities to sell financial products," Belbey points out.
It's hard to imagine customers wanting to link to their financial advisor or mortgage officer on one's Facebook or even LinkedIn page. But "the world is changing, and some people really like to be in touch with business context," Belbey comments.
2. Banks need to create a policy around use and monitoring of social media throughout the organization. This is an exercise in evaluating what employees are currently doing in social media and analyzing all relevant rules. It should probably be done by lawyers, rather than software.
3. Banks should have a due diligence process for managing third party vendor relationships related to social media, such as software contracts and marketing services. Most banks vet providers thoroughly already; they may need to document their efforts in this area.
4. Employees should be trained on the right and wrong use and monitoring of social media. "A lot of organizations just try to block access to social media as a way to manage risk, but we're getting to the point where the market is so saturated that your employees are going to be on LinkedIn and Facebook," says Megan Herfkins, product marketing manager at social media compliance software provider Hearsay Social. "Organizations that are ignoring that are putting themselves at risk." Software may not be used in such training per se, but it can be used to warn or guide employees as they use social media, and reinforce the training.
5. Banks need to monitor data posted to third party social media sites, and social media monitoring software is very helpful, if not necessary. The Big Kahuna here has been Salesforce Marketing Cloud, which used to be Radian6 before its acquisition by Salesforce and it's used by many banks. But there are dozens of products in this space, including compliance-oriented software from Actiance, Gremln and Hearsay Social. These products can look at social media posts before they go live and block anything that violates a rule.
One bank we work with used to have a one-to-two-week email-based approval process before a tweet could go live, according to Ryan Bell, CEO of Gremln. "If it was a customer service problem or timely news, it would take two weeks to get out and the news was stale," he says. That process was replaced by workflow built into Gremlin's product and it's been shortened to about two days.
6. An audit process is needed to ensure compliance with their own policies and procedures and relevant consumer law. The social media compliance products mentioned above can all help with this by monitoring all posts and blocking or quarantining those that violate a rule, for instance, by using the word "guarantee" or "recommend." They can find and block cases where a customer service rep mentions a piece of personally identifiable information about a customer, such as a Social Security number. They can also find less-obvious no-nos.
Robert W. Baird, a mid-size broker/dealer based in Milwaukee, has an advisor who's very active on Twitter and has actually closed business from tweeting. "But one day, after Steve Jobs died, she attempted to tweet: 'Might be a good idea to sell Apple stock,'" Belbey says. "That would be a black mark on her record and it would damage the firm's reputation." Software blocked the tweet and routed it to the compliance officers, who also rejected it.
7. The last broad requirement is that the banks report back to the board and/or senior management on how well social media activities are helping the bank meet its stated goals for them. Social media monitoring software can certainly help with this, especially if the software has the ability to track a social media exchange beyond the initial back-and-forth, into a product sale, for instance.
"Insurance companies and financial advisers use our data to track new business and referrals they get through social media," Herfkins says. "One advisor said the year he signed up for Facebook, 60% of his new business came through the site."
The FFIEC rules also mandate that banks' social media activity comply with existing consumer protection laws, of which there are many. For example, the Truth in Savings Act mandates certain disclosure requirements for advertisements using trigger words such as "bonus" or "APY." Software can automatically identify such words in tweets, blogs or Facebook posts and help provide the disclosures.
The Equal Credit Opportunity Act requires creditors to preserve prescreened solicitations. Social media monitoring software with archiving capabilities can help with this.
Questions are bound to persist around the gray areas of social media. For instance, LinkedIn has a relatively new feature that lets people recommend others for certain skills. "Is that appropriate or a recommendation that's against Finra guidelines?" Herfkins says. "Things like that are a challenge we face in this world of social media as it relates to compliance. As the social networks push out change, how will that affect existing rules?"
Mistakes are often small, innocent things such as mentioning a competitor, Bell notes. "Small banks especially don't have a dedicated person to do social media," he says. "Sometimes it's just one of the tellers, sometimes it's a compliance manager, sometimes it's somebody fresh out of college who's going to be managing that aspect of marketing; they may be new to the banking industry. They're going to make general stumbles, and say, post a tweet about a new free checking product."
One company CEO last year got excited about a board meeting and posted, "Board meeting; good numbers=happy board." "He lost his job within 24 hours with that innocent statement because he released board meeting results about a publicly traded company in a non-standard way," Bell says. "Less than 140 characters ruined his career."