About

Comment Policy

Disclaimer

Share or Subscribe

Add me to your TypePad People list

Search BLB


  • Google

Stats

Blog powered by TypePad
Member since 03/2004

Social Media

April 22, 2013

FDIC's Take On FFIEC's Social Media Guidance

GuidanceI ran across an interview recently that the FDIC's Elizabeth Khalil gave to InfoSecurity's Tracy Kitten about the FFIEC's proposed guidance on social media. Among my take-aways are the following:

  • The push for the guidance came from smaller banks that wanted the regulators to give them some free advice. We all understand the fact that because small banks have less money available to pay for expensive lawyers, they look to leverage off of every free resource they can glom onto. Trade associations aren't free, but if you're paying your dues, you look to them to give you your money's worth. Since banks pay the federal bank regulators assessments, they want some bang for those bucks, as well. I get it.
  • While Ms. Khalil mentioned "reputational risk" as the second major risk of the three she discussed ("compliance issues" was number one and "third party risk" was the third), I think reputational risk layers through much of the regulators' concerns. For example, misuse of consumers' personal information may be a compliance risk issue, and a Facebook vulnerability to hackers is a third-party risk. However, they both can impact the bank's reputation. Bad things that happen in a bank's social media endeavors often pose a reputational risk as an additional risk, and that's a safety and soundness concern which, in turn, is a regulatory compliance concern.
  • None of what's in the guidance is new, and banks that are already engaged in social media activities should already be familiar with the elements of the guidance. If they're not, they better become familiar in a hurry and hope that no one notices.
  • Due diligence on third party service providers that you intend to use is critical. The due diligence needs to be ongoing. A third party's faux pas can bite the bank in the backside as well as the third party. Monitoring is essential.
  • As is the case with online banking security, the regulators encourage banks to educate consumers on social media risks. For example, the regulators will look favorably on a bank educating its social media users on the risk of fraudulent bank sites, how to recognize the real deal from the fraudster, and that they should never give up personal information over social media. 
  • Whether or not a bank is actively using social media to interface with current or potential customers, it needs to have a social media use policy. The bank's employees are using social media, and other people may be saying bad things about you in cyberspace. The bank should have a policy that deals with these issues.

The final guidance is expected to be out in the near future (the comment period closed March 25th), depending on the nature of the comments received.Interested bankers should keep their eyes peeled (although, don't hold your breath).

I'll be giving a breakout session on social media compliance on July 3, 2013 at CUNA’s America’s Credit Union Conference in New York City. If you're a reader and are attending that conference, say hello.

10:01 PM in CFPB, Compliance, Consumer Law-General, Credit Unions, FDIC, FFIEC, FRB, Marketing, OCC, Risk Management, Social Media, Web/Tech | | TrackBack (0)

April 01, 2013

Eductaing Customers About Online Fraud: A Case Study

Educate MeTwo years ago, we discussed the fact that, pursuant to supplemental guidance issued by the FFIEC, financial institutions were going to have take seriously the need to educate their online banking customers about ways to prevent online banking fraud. BankInfoSecurity's Tracy Kitten recently interviewed the heads of social media and information security for Bank of the West about their efforts in this area. In addition to posting educational videos for customers on the bank's web site, the bank is uploading to the bank's Youtube channel in an attempt to make those videos "go viral." In other words, the bank is blending its internal information security technology and social media expertise to do what the bank regulators want them to do: help combat online banking fraud by educating their customers.

While the entire, relatively short, interview is worth a listen, I took away the following points:

  • If you want social media content to "go viral" (for the social media challenged: "circulate widely via social media"), you have to make the content "relevant and compelling." You also must update it frequently. Easier said than done. It's why I believe that banks need to blend their internal talents, the way that Bank of the West is doing. Social media is not the sole province of either marketing or "technologists." It takes folks with a variety of skills to make it rock.
  • To banks like this one, that have been in the social media game for a while, the recently proposed FFIEC social media guidelines are no big deal. They should be well positioned to meet those guidelines with little, if any, modification to their existing procedures. As one of the gentlemen interviewed observed, they've been expecting these guidelines for years.
  • Social media (videos) is only one arrow in the educational quiver. The bank is also using seminars targeted to specific groups of customers (small businesses, primarily, since that's the customer group that is most at risk for online banking fraud losses).
  • Of most concern to information security officers is the movement of organized criminal organizations into this arena. They bring with them the money and skill set (not to mention the ruthlessness) to pull off the most successful heists, targeting not the banks but their customers.
  • Quality is more important than quantity in online education efforts. Throwing everything against the wall and seeing what sticks will likely not be a successful approach.
  • You need cooperation from different areas of the bank to do this successfully. Therefore, you need "buyoff" internally before you launch, not after.
  • Most of these efforts are too new to be able to measure their effectiveness, but using the tools that are available to do so on an ongoing basis is important. If your efforts aren't paying off, then you need to consider tweaking them.

09:34 PM in Banking Law-General, Compliance, Crime, FFIEC, Marketing, Risk Management, Social Media, Web/Tech | | TrackBack (0)

February 11, 2013

Social Media Compliance Guidance Finally (Almost) Arrives

FinallyA couple of years ago, I opined that the time was coming when the federal bank regulators would get around to "suggesting" that every bank have a policy in place that governed the use of social media by its employees.

At some point (which may have already arrived), banks aren’t going to have the option of doing nothing. Social media use by employees is proceeding at a rapid pace, and social media governance policies are a wise idea, whether or not the bank is going to jump into the use of social media itself. Not having any policy to govern the use of social media by employees in ways that could adversely affect the bank, or, having a policy in place but not adopting effective tools to monitor and enforce it, might be considered to be unsafe. As a recent client alert from Norris McLaughlin & Norris P.A. points out, the SEC and FINRA are already focused on social media sites and the risks they pose to the businesses they regulate. While the federal banking agencies are currently otherwise occupied, banks should take the trend seriously and be seriously thinking about social media governance.

The federal banking regulators have finally gotten around to specifically addressing social media risks, and the time for seriously thinking about social media governance has arrived for even the most dilatory of banks. On January 22, 2013, the FFIEC issued proposed consumer compliance risk guidance with respect to social media. Included in the proposed guidance is the following admonition:

Financial institutions should be aware that employees’ communications via social media — even through employees’ own personal social media accounts — may be viewed by the public as reflecting the financial institution’s official policies or may otherwise reflect poorly on the financial institution, depending on the form and content of the communications. Employee communications can also subject the financial institution to compliance risk as well as reputation risk. Therefore, financial institutions should establish appropriate policies to address employee participation in social media that implicates the financial institution.

Yes, it's "proposed guidance." The FFIEC is asking for comments, and if you have any, get them in within the 60-day window. Nevertheless, I do not expect that the FFIEC will abandon its position that financial institutions should adopt "appropriate policies" regarding employee use of social media that could impact the institution.

Don't be one of those laggards like the slugs we saw who dragged their heels on multi-factor authentication in online banking. If you haven't already done so, get a sound policy in place. By "sound," I mean well thought out and cognizant of the practical and legal nuances. You'll be glad you did, and so will your regulator.

****************************************************************************************************************************

Chris Dye of Harland Financial Solutions and I are doing a webinar next month for BankersHub on the topic of "de-risking" the legal risk of social media use by financial institutions and their employees. Although special attention will be given to the proposed FFIEC guidance, we'll be ranging beyond that subject.

09:59 PM in Banking Law-General, Compliance, Consumer Law-General, FFIEC, Risk Management, Social Media, Web/Tech | | TrackBack (0)

October 16, 2012

Taking Social Media Access "Personally"

Stop_stupid_lawsProfessor Eric Goldman is an astute observer of the legal risks of both using social media and of trying to regulate its use. One of his most recent commentaries in Forbes concerns a new California law that restricts an employer's right to access an employee's "personal social media accounts." Professor Goldman thinks that, while the impetus for the legislation may be admirable, the execution is a pile of bat guano.

Superficially, both laws sound like a good idea.  It’s ridiculous to force people to disclose social media content if they don’t want to do so; not only can that violate the accountholder’s privacy, but it can violate the privacy rights of innocent third parties.  Demanding access to a social media account can be just as invasive as demanding access to an email account, something we all already knows is off-limits.

Still, new legislation is a blunt tool, and it’s not the right solution to every problem.  In this situation, California’s new laws create two problems, one big and the other bigger.

The "big problem" is that the law too broadly defines "social media." Here's the definition:

“social media” means an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations.

To say that definition is "overly broad" is a gross understatement. As Goldman observes, that breadth is sure to have "unintended consequences."

In other words, the law governs effectively all digital content and activity, both on the Internet and stored in local storage devices, not just social media.  After all, what digital resource isn’t “an electronic service or account, or electronic content”? 

Here's the "bigger problem": the law restricts an employer's access to "personal" social media, but doesn't define "personal."

Thus, the law assumes that social media accounts have only two states: personal or not-personal. Sadly, that’s completely contrary to the cases I’m seeing in court right now. Instead, social media accounts fit along a continuum where the endpoints are (1) completely personal, and (2) completely business-related–but many employees’ social media accounts (narrowly construed, ignoring the statutory overbreadth problem) fit somewhere in between those two endpoints. Indeed, employers and employees routinely disagree about whether or not a social media account was personal or business-related.

So, while it's advisable, even imperative, that an employee "cough up" his access information for business-related social media accounts, the employer may be unintentionally violating state law if it asks for those credentials and the employee can make a case that the account is "personal." Goldman cites several cases where employer and employee are slugging it out in court right now over the business/personal dichotomy. While trial lawyers might regard this ambiguity as a good thing, the rest of us consider it a pain in the "personal" nether regions.

Goldman asserts that this confused state of affairs is par for the course.

Speaking for myself, I always assume that a state legislature trying to “fix an Internet problem” will botch the job. After all, state legislatures have a virtually unbroken history of poorly designed Internet regulations.

Change "state" to "federal" and "Internet" to "financial institution" and you have Dodd-Frank.

Those of us who do not live in California might chalk this up to the typical dysfunctionality of life in the land of fruits and nuts. Unfortunately, other states are adopting similar laws. Legislators can't help themselves. Screwing up the lives of their citizens, and especially those ctizens who attempt to conduct business, is what they do. It's embedded in their DNA. As in many areas, The Golden State sheds a light on America's future.

Thank God for Shiner Bock...

09:45 PM in Compliance, Consumer Law-General, Contracts, Employment, Life (In General), Litigation, Risk Management, Social Media, State Law | | TrackBack (0)

Recent Posts

Archives

More...

Categories