Ever since the FFIEC released its social media guidance for banks in January, bankers have been concerned about several requirements, such as the difficulty of monitoring employees' social media activities and the challenge of calculating an ROI for social media. Elizabeth Khalil, senior policy analyst supervisory policy at the FDIC and one of the authors of the FFIEC's social media compliance rules, spoke with us and cleared up some common misconceptions.
Myth #1: It's a regulation.
"It doesn't create any new obligations or burdens," Khalil says. "To create any new obligations we would have to issue a regulation. We can't impose new obligations through the guidance. That's important to emphasize, because a lot of people have been referring to this document as a regulation or as rules, and that is not correct."
A bank's examiners could not cite violations of the guidance, she says. "You can't technically violate guidance. You can violate the laws and regulation referred to in the guidance, but not the guidance itself."
And bankers actually asked for this, according to Khalil. "The agencies had been hearing from regulated institutions that were interested in using social media that guidance from the regulators would be helpful in putting together risk management approaches to social media," she says. "Because there's an absence of guidance from the agencies, some institutions were concerned they didn't fully understand the risks social media could raise and all of the regulations that could apply."
Myth #2: It's meant to discourage banks from using social media.
Not so, Khalil says. "The guidance was not put together in response to any problem or issue we were seeing. It was not motivated by a desire to discourage banks from using social media. But we hope that it raises issues FIs will find helpful to consider when putting together social media programs."
Myth #3: The guidance requires all banks to have the same risk management program for social media.
Among the 80 comments the FFIEC received about its proposed guidance, "some commenters raised concerns that we were advocating a one-size-fits-all risk management approach," she says. "We are not advocating a one-size-fits all risk management approach. Financial institutions should develop a risk management approach that works for their risk profile."
Myth #4: The guidance prohibits bank employees from having their own social media pages.
In drafting the guidance, the agencies wanted to avoid wading into the waters of employment law, Khalil says. "We're not being prescriptive regarding the policies financial institutions should have around their employees' use of social media," she says. "We did raise the issue that employee use of social media can raise certain risks for financial institutions that it may be useful to consider." But the FFIEC does not say precisely what banks should do about it.
Myth #5: Banks are now required to monitor everything said about them on social media networks.
"A financial institution should regularly monitor the information it places on social media sites," Khalil says. Banks should also consider whether and how to respond to communication about them on social media sites. "But we did not propose requiring the financial institution to monitor everything said about it on social media," she says.
Myth #6: The guidance requires the board of directors and/or senior executives to directly oversee social media initiatives.
"We're not creating any new or special reporting requirements or board oversight requirements that are specific to social media," Khalil says. "As with any risk, any activity, board and senior management have oversight responsibilities generally." The board and senior management should be informed and aware of a bank's social media activities and risk management generally, she says.
Myth #7: Banks need to constantly monitor the social media activity of any third parties they work with, to make sure they're not discussing the bank in an inappropriate way.
The FFIEC guidance on third party contractors is directed at due diligence on companies used for social media, contractual provisioning, and ongoing monitoring of the third party during the course of the relationship, Khalil says. "With social media, financial institutions may be working with a number of third parties that are not traditional service providers or vendors, e.g. a provider of a social media platform. Why not conduct the same type of due diligence and engage that they would do for any third party?"
Myth #8: Banks have to be able to calculate a return on investment on their social media efforts.
The FFIEC says banks need to have their board or executive officers set social media strategy, review the effectiveness of the strategy at least once a month, and receive reports on social media results.
Some bankers worry about this requirement, believing that return on investment is too hard to measure on fledgling social media programs.
"The proposed guidance does not offer any metrics or calculations," Khalil says. "There's no specific metric calculation that we're imposing."