Penny Crossman, over at National Mortgage News, sat down and interviewed Mercedes Kelley Tunstall of Ballard Spahr with respect to the Federal Financial Institutions Examination Council’s (FFIEC) Social Media Guidelines. The below is taken directly from her article shown in full here. I am posting it almost verbatim as many Companies have had a problem with how they handle their Social Media. This looks like it will be the norm going forward:
1. Reining in employees who have their own social media pages. “Mortgage brokers or salespeople sometimes want to maintain a personal relationship with a set of customers, through their own social media page,” says Tunstall, who is the practice leader of Ballard Spahr’s Privacy and Data Security Group. “That presents a lot of concerns, because they may talk about bank products in a way that isn’t officially sanctioned. They may have conversations in insecure media and that presents data security and privacy issues. It can sometimes be hard to police that or even to know it’s out there.”
Tunstall advises clients to not let employees have their own social media pages. “Then the question becomes, what do we do when find the stuff out there? Do we fire them outright, do we give them a warning letter?” she says. Some banks create templates, so employees can have their own Facebook page but only use pre-approved statements, and the comment section is closed. “This generally fails because it frustrates the purpose of social media interaction,” Tunstall notes.
Software programs that monitor employees’ use of social media, including products from Actiance, Gremln, Hearsay Social and Salesforce Marketing Cloud can help.
“The biggest challenge with any of that is that you need a thinking person sitting there looking at the results of all the monitoring,” Tunstall says. “That in and of itself means that you’re devoting lots of resources to this project.” That might not make sense if it’s only for a handful of employees.
2. You cannot selectively edit Tweets and Facebook posts. “You have to take the good with the bad,” Tunstall says. “That means you can’t just go ahead and delete comments you don’t like, you need to accept that you’re going to get criticism. It seems to be the natural course that social media often attracts negative attention.” Posts can only be pulled down if they are irrelevant, obscene or hateful, under standard defamation rules.
Once a bank starts editing comments made about it over social media, it could become liable for what’s stated.
“If you edit those regularly, you’re now responsible for every piece of content on there,” Tunstall says. A bank can black out swear words, competitors’ names and personally identifiable information, she says.
3. Board and executive oversight of social media. The proposed FFIEC rules require the board of directors and/or senior executives to direct social media efforts.
How much this involves scales to the institution’s involvement in social media, Tunstall says. Institutions that use social media primarily for marketing purposes should update every policy and procedure that affects marketing to reflect social media. When updates are made to the board of directors about marketing, social media should be included.”
If a bank is very active in social media, maintaining blogs and social media communities, paying close attention to what’s being said about the institution and proactively posting statements, for marketing or customer service purposes, it may be appropriate to have a governing council overseeing social media activity, Tunstall says, like a credit scoring or AML council.
“One of the things that’s hard about social media is that it’s a very personal medium, it’s a one to many conversation to individuals,” she says. “It’s not to a mass audience where you can control every piece of the message. To make sure you’re being consistent across the institution, a strong governance council is necessary. Otherwise you have people running off and doing weird things that are inconsistent.”
4. Due diligence on third parties’ social media activities. As a bank performs due diligence on a vendor it’s about to start working with, it needs to look at how that company uses social media, Tunstall says, to see if there’s anything inconsistent with the bank’s approach.
The bank needs to canvas all that company’s social media activity. “If you partner with somebody and for whatever reason you’re ok with them talking about their relationship with the bank, then they could use social media to say all sorts of things about the bank and that would not be good,” Tunstall says.
5. Suddenly, the Community Reinvestment Act. “There’s discussion [among regulators] about how statements made in social media should be considered part of the written record for CRA purposes, and that requires documentation from the bank,” Tunstall says. “That’s potentially hugely burdensome, because it means you are required to watch what people are saying that relates to CRA on social media. To me, that’s not practical. Even if someone is posting on your site, you don’t know if they live in a low-income neighborhood. It seems burdensome to comply with that.”
What’s not that hard about the FFIEC’s rules:
1. Determining the effectiveness of a social media program. Under the FFIEC’s proposed rules, banks must have their board or executive officers set social media strategy, review the effectiveness of the strategy at least once per month, and receive reports on social media results.