The Federal Financial Institutions Examination Council's proposed compliance rules for banks' use of social media are sweeping and broad. We asked Mercedes Kelley Tunstall, of counsel at Ballard Spahr, Washington, to help us parse out which of the new requirements will be burdensome for banks to comply with, and which will be relatively simple. Ballard Spahr is a 500-attorney firm that specializes in litigation, business and finance, real estate, intellectual property, and public finance.
First, the rules that will require extra work and attention:
1. Reining in employees who have their own social media pages. "Mortgage brokers or salespeople sometimes want to maintain a personal relationship with a set of customers, through their own social media page," says Tunstall, who is the practice leader of Ballard Spahr's Privacy and Data Security Group. "That presents a lot of concerns, because they may talk about bank products in a way that isn't officially sanctioned. They may have conversations in insecure media and that presents data security and privacy issues. It can sometimes be hard to police that or even to know it's out there."
Tunstall advises clients to not let employees have their own social media pages. "Then the question becomes, what do we do when find the stuff out there? Do we fire them outright, do we give them a warning letter?" she says. Some banks create templates, so employees can have their own Facebook page but only use pre-approved statements, and the comment section is closed. "This generally fails because it frustrates the purpose of social media interaction," Tunstall notes.
Software programs that monitor employees' use of social media, including products from Actiance, Gremln, Hearsay Social and Salesforce Marketing Cloud can help.
"The biggest challenge with any of that is that you need a thinking person sitting there looking at the results of all the monitoring," Tunstall says. "That in and of itself means that you're devoting lots of resources to this project." That might not make sense if it's only for a handful of employees.
2. You cannot selectively edit Tweets and Facebook posts. "You have to take the good with the bad," Tunstall says. "That means you can't just go ahead and delete comments you don't like, you need to accept that you're going to get criticism. It seems to be the natural course that social media often attracts negative attention." Posts can only be pulled down if they are irrelevant, obscene or hateful, under standard defamation rules.
Once a bank starts editing comments made about it over social media, it could become liable for what's stated.
"If you edit those regularly, you're now responsible for every piece of content on there," Tunstall says. A bank can black out swear words, competitors' names and personally identifiable information, she says.
3. Board and executive oversight of social media. The proposed FFIEC rules require the board of directors and/or senior executives to direct social media efforts.
How much this involves scales to the institution's involvement in social media, Tunstall says. Institutions that use social media primarily for marketing purposes should update every policy and procedure that affects marketing to reflect social media. When updates are made to the board of directors about marketing, social media should be included."
If a bank is very active in social media, maintaining blogs and social media communities, paying close attention to what's being said about the institution and proactively posting statements, for marketing or customer service purposes, it may be appropriate to have a governing council overseeing social media activity, Tunstall says, like a credit scoring or AML council.
"One of the things that's hard about social media is that it's a very personal medium, it's a one to many conversation to individuals," she says. “It's not to a mass audience where you can control every piece of the message. To make sure you're being consistent across the institution, a strong governance council is necessary. Otherwise you have people running off and doing weird things that are inconsistent."
4. Due diligence on third parties' social media activities. As a bank performs due diligence on a vendor it's about to start working with, it needs to look at how that company uses social media, Tunstall says, to see if there's anything inconsistent with the bank's approach.
The bank needs to canvas all that company's social media activity. "If you partner with somebody and for whatever reason you're ok with them talking about their relationship with the bank, then they could use social media to say all sorts of things about the bank and that would not be good," Tunstall says.
5. Suddenly, the Community Reinvestment Act. "There's discussion [among regulators] about how statements made in social media should be considered part of the written record for CRA purposes, and that requires documentation from the bank," Tunstall says. "That's potentially hugely burdensome, because it means you are required to watch what people are saying that relates to CRA on social media. To me, that's not practical. Even if someone is posting on your site, you don't know if they live in a low-income neighborhood. It seems burdensome to comply with that."
What's not that hard about the FFIEC's rules:
1. Determining the effectiveness of a social media program. Under the FFIEC's proposed rules, banks must have their board or executive officers set social media strategy, review the effectiveness of the strategy at least once per month, and receive reports on social media results.
Some bankers worry about this requirement, believing that return on investment is too hard to measure on fledgling social media programs. According to Tunstall, the FFIEC is looking at this from a practical, safety-and-soundness point of view. Social media programs should be watched just like any other marketing campaign.
"ROI for social media is notoriously difficult," Tunstall says. "I think the FFIEC recognizes that. What they're really saying is before you decide to shut down your customer service lines or reduce the number of butts in seats in your call center, because you're pushing everything to social media channels, make sure [your social media strategy] actually works, that the investment in time and money and reallocation of resources makes sense."
2. Establishing social media policies and procedures called for under the FFIEC rules. This generally just means updating existing compliance policies, Tunstall says. For instance, a bank's policy for complying with Truth in Savings rules under Reg DD should include a blurb about social media.
"You might also have a higher level general social media policy you put in place that says it's our policy to comply with the FFIEC's guidance on this," Tunstall says.
3. Employee training on social media compliance. This could be as simple as including in whatever annual training the bank already conducts a small segment about how the bank manages social media, and how employees generally speaking should not post on behalf of the bank.
If a bank encourages the use of social media internally, then it needs to provide more specific training. "You can't make snarky comments about people, that would violate employment concerns," for instance, Tunstall says.
One bank had an internal bulletin board discussion group for bank tellers. A bank teller posted she was being required to work extra hours and being told to sell specific products. "You can't have that kind of stuff," Tunstall says. "They need to go through training in what they can and cannot say."
There are other, appropriate channels for a teller to report this kind of thing, she says.
There's also specific training needed for employees who police and moderate the bank's social media activities.
4. Monitoring of social media activity. Software that watches social media posts for red flags can handle much of this.
At a small bank, designating someone to look at comments once or twice a day may be sufficient.
5. Social media compliance audits. This sounds daunting, but it really just means the audit and compliance teams need to include social media with other digital channels they review.
6. Reporting to the board and senior management about the bank's role in social media. The FFIEC here is concerned about reputational risks to the bank, Tunstall says. "It suggests you should make sure your board and other executive management understand what the bank's involvement is in social media and help them understand any reputational risks that might come up." In some months there would not be much to say.
