The release of the 2013 Federal Financial Institutions Examination Council Guidance on Social Media Risk Management brought two things to the forefront of bank marketing, (1) a broad understanding that social media is advertising, and (2) social media risk exists, and must be identified and managed.
Prior to 2013, there was a common misperception in financial services that social media was not advertising. Rather it was promotional, and thus, not subject to the usual rules and regulations controlling bank advertising and communication. In the defense of industry, the pre-2013 advertising rules were written for TV, radio, and print—they did not contemplate the rise of Facebook and Twitter’s 140 character limit. As many a bank marketer lamented, “How do I include all the required disclosures and legal language in 140 characters?” The workaround was embedded web links, but this was temporary fix not explicitly condoned by the rules. Bank marketers wanting to embrace new technology had to find a reasonable not explicitly compliant solution that would pass supervisory scrutiny.
Not an easy task.
Social is Advertising
The 2013 Guidance brought some clarity while attempting to be flexible. Any rule touching the social channels must acknowledge that the medium is dynamic, and in response, commercial and consumer use is evolving. The understanding of bank use of social media has changed significantly in the last few years. Initially, social advertising and content development was the Shiny-New-Thing oft discussed among bank board members and executives. Now, it’s just another advertising tool.
Banks, as well as the bank regulatory agencies, have been forced to become comfortable with the limitations imposed by social channels. The use of embedded web links to required product disclosures, and link backs to websites has become ubiquitous. At the same time, the agencies themselves are active on social channels, using it as a link to communicate with a public unlikely to visit a bank regulator’s webpage.
Social marketing has joined print, TV, and radio as one of several advertising options. Banks are more sophisticated in its use and possibilities, including the eventual reliance on social channels for account openings, deposits, and other financial transactions. However, the advent of these new possibilities for social marketing comes the necessity of understanding the risk of engagement over dynamic channels outside the bank’s operational controls.
Social Risk and Management
An aspect of the 2013 Guidance often overlooked, is the requirement for all banks to monitor social media regardless of whether the bank has a formal active presence. Self-monitoring for mentions of the bank name, employees, and products on social channels is important to assure compliance and manage reputation risk, but also to mitigate cybersecurity and fraud.
A bank’s policies and procedures should address the use of social media, and how bank employees may interact with a bank’s social postings. Are employees permitted to comment, share, or repost official bank communications? If yes, how should employees manage required disclosures and restrictions on advertising language? The answers to these questions are easier when a bank is merely promoting bank-sponsored events, or financial education. The bank response and employee training needs to be more rigorous if advertising bank products and services, including depository accounts, wealth management, or payments.
- Reputation Risk
Managing a bank’s reputation is more art than science. In social spaces, the consideration is often whether a post is business appropriate. The line between casual personal communication and formal business-speak is softened and overlapping. Unfortunately, for banks, this scenario may also introduce legal or regulatory liability when a bank can be held responsible for statements made by third parties. Risk management policies should extend to review and education of employees, as well as independent contractors, bank affiliates and subsidiaries, among others.
- Cybersecurity & Fraud
There is a growing threat of exposure to security risk and fraud through social channels. For a bank, the risk frequently appears as phishing scams and social engineering. An important component to mitigating this risk is employee training that instructs staff to refrain from posting the details of their work routine (e.g., employee schedules, armored truck deliveries) as well as restrictions on photos from the back office. A back office selfie with work friends may reveal—upon close inspection–office layout, vault location, or private passwords on background post-it-notes. Employees, once aware of the risk, are more cognizant of their role in protecting the bank and themselves.
In the almost three years since the release of the FFIEC Guidance on Social Media Risk Management, banks have developed a more sophisticated understanding of social marketing for brand promotion and product advertising while adhering to governing rules and regulations. The next leap in bank use of social media is mitigating the ever evolving risks inherent in an increasingly digital and interconnected marketplace.
Denyette DePierro is Vice President & Senior Counsel of Cybersecurity and Payments Policy at the American Bankers Association.