Bank Lawyer's Blog

Compliance Costs: No Ceiling In Sight

2015-04-01T21:49:00-05:00

These days, Chief Compliance Officers should be awarded combat pay. In a recent think piece reprinted in the American Banker (paid subscription required), author Jennifer Openshaw claims that CCOs will need a knew tool: a crystal ball.

"The key is that they have to be more risk identifiers than ever," says Barbara Stettner, managing partner at the international law firm of Allen & Overy. "The expectation is that CCOs will have to look around the corner for the organization—where is tech taking us, and what are the global risks the firm will be facing given the business line they're engaged in? They can't just be putting fires out anymore; now, it's about thinking ahead. I have this new tech, or a new generation that can't get off iPads, so how does that impact compliance and my role?"

Openshaw thinks that three key future risk areas for CCOs will be technology, cybersecurity, and new investment products and markets. Layered onto this smorgasbord of cutting edge risks is the impact of social media.

Social media platforms are evolving along with technology, and that can complicate the life of a CCO. The old marketing and advertising rules won't change much, but the forums—Twitter, LinkedIn, and so on—will continue to develop and pose significant challenges to the industry.

[...]

Social media platforms are evolving along with technology, and that can complicate the life of a CCO. The old marketing and advertising rules won't change much, but the forums—Twitter, LinkedIn, and so on—will continue to develop and pose significant challenges to the industry.

...David Rozenson, counsel and senior consultant at Boston Compliance, sees an inherent compliance conflict looming.

"As the social media platforms become more complex, the best approach for CCOs may be to keep it simple—to establish basic principles and prohibitions regarding employees' use of social media and stressing that they apply to all communications outside of the work environment," he says.

Unfortunately, the easy approach may mean that your more social media-savvy competitors, who take more risk, but spend the time and money to manage it, leave you eating their dust.

As Opensahw also observes, these evolving areas of risk mean that spending on compliance will not be decreasing.

Expect more pressure to find return on investment on the higher mechanisms required for compliance, and more struggles between CCOs and CEOs on the subject.

As I've noted in the past, because the commercial banking and credit union businesses are highly regulated, they're poor venues for wild and wooly types at one end of the spectrum and anal-retentive bean counters at the other end of the spectrum. The financial institution regulators want you dancing a waltz, and if you insist on jitterbugging, sooner or later you'll be bounced from the dance hall. On the other hand, in an era where risks are increasingly sophisticated, you can't skimp on compliance. You may not need to sit behind the wheel of a compliance Ferrari, but driving a horse and buggy won't cut it.

Yes, it's tough to make a buck in the current environment, and not merely due to the Federal Reserve's damn-the-savers management of interest rates. Elevated compliance costs are one reason for the consolidation of the banking industry (to achieve economies of scale), as well as for the dearth of de novos (although other factors drive both trends). But, there you have it. It costs more to comply now than it used to cost, and it is likely to cost even more in the future.

And the beat(ing) goes on.

Bank of America Does It Right

2013-11-26T21:45:00-06:00

Having blistered America's Bank for a social media faux pas, it's fair to give it a hat tip when it uses social media well. What the bank has done well is a video that it produced with Kahn Academy. For those not familiar with Kahn Academy, here's some background from 60 Minutes. Personally, I'm a fan of what Kahn and his cohorts have been doing to teach young people (and adults, for that matter) what many take to be tough subjects, like "Math" (gag, choke).

The latest effort with B of A is a video to teach consumers the difference between a debit card and a credit card, and the advantages and downside of each. While professionals in the banking industry might think it's simplisitic, I think it's effective in teaching the basics. It's not necessary that the average consumer be a banking geek; he or she just needs to know enough to make informed decisions. Kahn Academy (with B of A's help) is, in my opinion, making that happen. When I viewed the video again this evening, it had over 1,200,000 views. That's a lot viewing for a subject that is devoid of twerking or a character named "Katniss."

You can judge for yourselves. The video can be viewed here.

The Sunshine State Shines A Light On Short Skirts

2013-10-07T21:46:00-05:00

You'd think the home of Crockett and Tubbs would have plenty of problems to deal with other than LinkedIn endorsements of attorneys' skills and the hem length of the skirts of a lawyer's office staff. You'd think that. Of course, you'd be dead wrong, as dead as Tony Montana after a gunfight with a cadre of Columbians.

Orlando lawyer Luis Gonzalez has no plans to block endorsements on LinkedIn, no matter what the new Florida ethics rules require.

"I'm not changing a damn thing," he tells the Daily Business Review. “I want the bar to come after me. I'm 61 years old, and I'm not going to tolerate garbage like that."

Gonzalez is one of several lawyers criticizing the state bar’s new social media rules, enacted as part of new rules on lawyer advertising approved in May by the Florida Supreme Court. Many law firms consider the rules regarding Facebook, Twitter and LinkedIn to be the toughest in the country, the story says.

According to this summary (PDF), the guidelines require advertising lawyers to list their names and office addresses, bar misrepresentative testimonials and restrict the use of the words “specialist” and “expert,” as well as their variations.

Lawyers on Twitter are concerned about the need to state an office location on each tweet, the story says. Lawyers on LinkedIn also are concerned about the need to ban third-party endorsements and to refrain from using the word “expertise.” For lawyers on Facebook there is another potential problem—the need to refrain from posting inappropriate or unprofessional photos and videos.

A Twitter post is only 140 characters long. Even if stating an office location and disclaimer on every tweet made a lick of sense, which I question, what's the rest of the tweet supposed to contain? "OMG! U R MY BFF!"

Anyone who's been around LinkedIn for more than fifteen minutes understands that LinkedIn endorsements are as questionable as Anthony Weiner's grasp of the concept of "impulse control." LinkedIn, not the member, automatically generates endorsement suggestions to that member's contacts, and picks the practice area to recommend. That's the only reason that casual acquaintances have endorsed my expertise in Swiss admiralty law. I certainly never requested such an endorsement.

What's especially amusing about the linked article is the brief mention (pun intended) of the nefarious photo posted on a lawyer's Facebook page of his female office staff clad in what the Florida Bar poobahs thought were inappropriately short skirts. While the lawyer removed the photo (a spokesperson for the Bar said that "[h]e kindly removed them when we asked"), I find that the late, great Johnny Cochran could have saved that photo for a leering public with the line, "If the legs are fit, the photo must sit."

Seriously, this is what the Florida Bar is focused upon these days?

Two of my favorite comments in the comments section of the linked article are (1) "He kindly removed the short skirts when asked? How does that improve the image of the bar", and (2) "My Facebook account is very clearly personal and not professional. I’ll put pictures of cats in short skirts if I want to...In the meantime the Bar has signed off on PI firms running ads with pictures of clients and their settlement amounts as if they’re Lotto winners. That’s certainly helping the image of lawyers."

Nothing New

2013-10-03T21:47:00-05:00

Not long ago, Ballard Spahr partner Mercedes Kelley Tunstall, gave some sage advice at a regulatory symposium. She was discussing social media legal and regulatory compliance for financial institutions, and she said that "there is nothing new under the sun." A bold proclamation in a world where "twerking" wasn't on anyone's radar screen (outside of a Cat House) a mere five years ago. Nevertheless, it's true.

"Just like you have to disclose online, you have to disclose on social media. You can't look at this as completely different."

What's different in social media is that people talk back to the bank. In traditional online (and offline) marketing, the bank does all the talking. Having "outside the box" conversationalists in the mix adds a new level of risk. However, the types of risk remain, for the most part, the same.

Another speaker at the same symposium was the FDIC's Elizabeth Khalil, who I gently chastised for her earlier comments about the proposed FFIEC guidance on social media being guidance, not regulation, and, therefore, not forming the basis for regulatory enforcement actions if it's not followed. Ms. Khalil indicated that the final version of the guidance should be issued this month or next. She indicated that while details will be "tweeked" (but, presumably, not "twerked"), their will be no "wholesale changes" to the proposed guidance.

Since bankers, like most business people, prefer ceratinty to uncertainty, the issuance of the "guidance" will be welcome. At the very least, they'll provide financial insitutions with a starting point for regulatory and legal compliance in their social media efforts.

The Help Was Not Helpful

2013-07-16T12:18:40-05:00

I gave a presentation a couple of weeks ago in New York City to credit union officers about the legal risks of engaging in social media activities. One of the entities that I told my audience I thought was doing a decent job in social media was Bank of America's "Help" Twitter feed. From my personal observations, their "youngsters" seem to do a good job of handling customers who may be frustrated dealing with other segments of the giant bank's customer service octopus.

I guess I should monitor BofA Help more frequently. Digiday's Saya Weissman recounts a series of tone deaf tweets by a BofA Help "tweeter" that lead a casual observer to wonder whether someone was on Quaaludes and, if so, who. Responding to an allegation by Occupy LA that the bank should stop stealing people's homes by offering to review Occupy LA's account make you wonder about a number of things, including the following speculation by Ms. Weissman: "The immediate and understandable assumption was that the bank’s Twitter feed is run by a bot – a program that automatically replies to tweets that mention it. Bafflingly, this turns out not to be the case. A bank spokesperson explained to Digiday that real people are, in fact, behind all of the brand’s tweets."

A spokesperson for the bank insisted that real, live, human "bots" are tweeting those gems. Weissman claims that the bank's "utter lack of online competence...merely reinforced these angry tweeters’ view of the company as a faceless, heartless conglomerate." She concludes that if this is the best "help" that BofA can offer, "who needs enemies?"

I guess I wouldn't have been that harsh on the tweeter, who was likely proceeding in compliance with a carefully scripted line that he or she was required to follow. On the other hand, you have to wonder about the bank's guidelines for initiating "conversations" on Twitter. If it's whenever the bank's name is mentioned, then there ought to be some requirement that before the BofA employee "tweet"s, they be required to actually comprehend the content of the tweet to which they are "responding."

The proposed FFIEC Guidelines on social media compliance that we've previously discussed are shot through, from stem to stern, with concern about "reputational risk." Such risk is posed not only by technical violation of laws or regulations. It's also posed by ineptness.

You don't have to be perfect all of the time. However, if you're going to be incompetent any of the time, expect to pay a reputational price. Even (or, perhaps, especially) in cyberspace, it's hard to hide.

Misguided Guidance?

2013-06-17T21:44:00-05:00

While engaged in a "myth busting" exercise via the myth busters preferred venue, Source Media, FDIC senior policy analyst Elizabeth Khalil responded to one "myth" with an answer that, while it may be technically correct, may also fly in the face of recent "boots on the ground" experience.

Ms. Khalil, one of the authors of the FFIEC's proposed guidance on social media use by financial institutions, was responding to various negative comments and alleged concerns expressed by critics of the proposed guidance. One of the "myths" allegedly floated by critics is that the proposed guidance is a "regulation." Obviously, it's not a "regulation," it's "guidance." Ms. Kahlil, however, seems to negate the impact of the guidance as an embodiment of "safe and sound banking practices" that most of us in the private sector and, we assumed, most of those in the regulatory agencies, thought such guidance was intended to be.

"It doesn't create any new obligations or burdens," Khalil says. "To create any new obligations we would have to issue a regulation. We can't impose new obligations through the guidance. That's important to emphasize, because a lot of people have been referring to this document as a regulation or as rules, and that is not correct."

A bank's examiners could not cite violations of the guidance, she says. "You can't technically violate guidance. You can violate the laws and regulation referred to in the guidance, but not the guidance itself."

She then goes on to state that the guidance was intended to be some sort of public service announcement, designed, at the request of ignorant bankers, to clue them in on the risks of social media that they could not get from other sources, such as consultants and lawyers in the private sector who are paid to tell bankers what the risks might be and how to mitigate those risks. In other words, FFIEC guidance is some sort of an educational tool but not the basis for the assertion of regulatory enforcement action if a financial institution doesn't follow it.

Don't believe it. While it is true that guidance is not regulation, and a "violation" of "guidance" should not have the same effect as the violation of a formally adopted "regulation," a number of bank lawyers who have reviewed a client's report of examination in the years 2007 through 2012 and saw a Matter Requiring Attention, or reviewed a "15-day Letter" from a regulatory agency threatening a potential enforcement action against a bank's current or former officers and directors, saw among the laundry list of alleged "violations" an item that alleged that the bank violated the Statement of Policy on Concentrations in Commercial Real Estate Lending, Sound Risk Management Practice. That "Statement of Policy" specifically states that it is "guidance," yet alleged violations of it are cited as forming the basis for regulatory sanctions, including enforcement action. If violations of guidance can't be cited by an examiner in a report of examination, then what are citations of such violations that I and others have seen with our own eyes in examination reports doing there? I'm speaking of examinations done by the FDIC, by the way.

I have always understood such guidance as providing "rules of the road" that financial institutions should follow if they want to be in conformance with safety and soundness principles. Violating "safety and soundness" standards is a basis for regulatory action against the institution. Thus, I think that, notwithstanding Ms. Khalil's dismissal of the guidance as not rising to level of a "regulation," any financial institution would be foolish not to treat it seriously.

FDIC's Take On FFIEC's Social Media Guidance

2013-04-22T22:01:00-05:00

I ran across an interview recently that the FDIC's Elizabeth Khalil gave to InfoSecurity's Tracy Kitten about the FFIEC's proposed guidance on social media. Among my take-aways are the following:

The push for the guidance came from smaller banks that wanted the regulators to give them some free advice. We all understand the fact that because small banks have less money available to pay for expensive lawyers, they look to leverage off of every free resource they can glom onto. Trade associations aren't free, but if you're paying your dues, you look to them to give you your money's worth. Since banks pay the federal bank regulators assessments, they want some bang for those bucks, as well. I get it.
While Ms. Khalil mentioned "reputational risk" as the second major risk of the three she discussed ("compliance issues" was number one and "third party risk" was the third), I think reputational risk layers through much of the regulators' concerns. For example, misuse of consumers' personal information may be a compliance risk issue, and a Facebook vulnerability to hackers is a third-party risk. However, they both can impact the bank's reputation. Bad things that happen in a bank's social media endeavors often pose a reputational risk as an additional risk, and that's a safety and soundness concern which, in turn, is a regulatory compliance concern.
None of what's in the guidance is new, and banks that are already engaged in social media activities should already be familiar with the elements of the guidance. If they're not, they better become familiar in a hurry and hope that no one notices.
Due diligence on third party service providers that you intend to use is critical. The due diligence needs to be ongoing. A third party's faux pas can bite the bank in the backside as well as the third party. Monitoring is essential.
As is the case with online banking security, the regulators encourage banks to educate consumers on social media risks. For example, the regulators will look favorably on a bank educating its social media users on the risk of fraudulent bank sites, how to recognize the real deal from the fraudster, and that they should never give up personal information over social media.
Whether or not a bank is actively using social media to interface with current or potential customers, it needs to have a social media use policy. The bank's employees are using social media, and other people may be saying bad things about you in cyberspace. The bank should have a policy that deals with these issues.

The final guidance is expected to be out in the near future (the comment period closed March 25th), depending on the nature of the comments received.Interested bankers should keep their eyes peeled (although, don't hold your breath).

I'll be giving a breakout session on social media compliance on July 3, 2013 at CUNA’s America’s Credit Union Conference in New York City. If you're a reader and are attending that conference, say hello.

Eductaing Customers About Online Fraud: A Case Study

2013-04-01T21:34:00-05:00

Two years ago, we discussed the fact that, pursuant to supplemental guidance issued by the FFIEC, financial institutions were going to have take seriously the need to educate their online banking customers about ways to prevent online banking fraud. BankInfoSecurity's Tracy Kitten recently interviewed the heads of social media and information security for Bank of the West about their efforts in this area. In addition to posting educational videos for customers on the bank's web site, the bank is uploading to the bank's Youtube channel in an attempt to make those videos "go viral." In other words, the bank is blending its internal information security technology and social media expertise to do what the bank regulators want them to do: help combat online banking fraud by educating their customers.

While the entire, relatively short, interview is worth a listen, I took away the following points:

If you want social media content to "go viral" (for the social media challenged: "circulate widely via social media"), you have to make the content "relevant and compelling." You also must update it frequently. Easier said than done. It's why I believe that banks need to blend their internal talents, the way that Bank of the West is doing. Social media is not the sole province of either marketing or "technologists." It takes folks with a variety of skills to make it rock.
To banks like this one, that have been in the social media game for a while, the recently proposed FFIEC social media guidelines are no big deal. They should be well positioned to meet those guidelines with little, if any, modification to their existing procedures. As one of the gentlemen interviewed observed, they've been expecting these guidelines for years.
Social media (videos) is only one arrow in the educational quiver. The bank is also using seminars targeted to specific groups of customers (small businesses, primarily, since that's the customer group that is most at risk for online banking fraud losses).
Of most concern to information security officers is the movement of organized criminal organizations into this arena. They bring with them the money and skill set (not to mention the ruthlessness) to pull off the most successful heists, targeting not the banks but their customers.
Quality is more important than quantity in online education efforts. Throwing everything against the wall and seeing what sticks will likely not be a successful approach.
You need cooperation from different areas of the bank to do this successfully. Therefore, you need "buyoff" internally before you launch, not after.
Most of these efforts are too new to be able to measure their effectiveness, but using the tools that are available to do so on an ongoing basis is important. If your efforts aren't paying off, then you need to consider tweaking them.

Social Media Compliance Guidance Finally (Almost) Arrives

2013-02-11T21:59:00-06:00

A couple of years ago, I opined that the time was coming when the federal bank regulators would get around to "suggesting" that every bank have a policy in place that governed the use of social media by its employees.

At some point (which may have already arrived), banks aren’t going to have the option of doing nothing. Social media use by employees is proceeding at a rapid pace, and social media governance policies are a wise idea, whether or not the bank is going to jump into the use of social media itself. Not having any policy to govern the use of social media by employees in ways that could adversely affect the bank, or, having a policy in place but not adopting effective tools to monitor and enforce it, might be considered to be unsafe. As a recent client alert from Norris McLaughlin & Norris P.A. points out, the SEC and FINRA are already focused on social media sites and the risks they pose to the businesses they regulate. While the federal banking agencies are currently otherwise occupied, banks should take the trend seriously and be seriously thinking about social media governance.

The federal banking regulators have finally gotten around to specifically addressing social media risks, and the time for seriously thinking about social media governance has arrived for even the most dilatory of banks. On January 22, 2013, the FFIEC issued proposed consumer compliance risk guidance with respect to social media. Included in the proposed guidance is the following admonition:

Financial institutions should be aware that employees’ communications via social media — even through employees’ own personal social media accounts — may be viewed by the public as reflecting the financial institution’s official policies or may otherwise reflect poorly on the financial institution, depending on the form and content of the communications. Employee communications can also subject the financial institution to compliance risk as well as reputation risk. Therefore, financial institutions should establish appropriate policies to address employee participation in social media that implicates the financial institution.

Yes, it's "proposed guidance." The FFIEC is asking for comments, and if you have any, get them in within the 60-day window. Nevertheless, I do not expect that the FFIEC will abandon its position that financial institutions should adopt "appropriate policies" regarding employee use of social media that could impact the institution.

Don't be one of those laggards like the slugs we saw who dragged their heels on multi-factor authentication in online banking. If you haven't already done so, get a sound policy in place. By "sound," I mean well thought out and cognizant of the practical and legal nuances. You'll be glad you did, and so will your regulator.

****************************************************************************************************************************

Chris Dye of Harland Financial Solutions and I are doing a webinar next month for BankersHub on the topic of "de-risking" the legal risk of social media use by financial institutions and their employees. Although special attention will be given to the proposed FFIEC guidance, we'll be ranging beyond that subject.

Taking Social Media Access "Personally"

2012-10-16T21:45:00-05:00

Professor Eric Goldman is an astute observer of the legal risks of both using social media and of trying to regulate its use. One of his most recent commentaries in Forbes concerns a new California law that restricts an employer's right to access an employee's "personal social media accounts." Professor Goldman thinks that, while the impetus for the legislation may be admirable, the execution is a pile of bat guano.

Superficially, both laws sound like a good idea. It’s ridiculous to force people to disclose social media content if they don’t want to do so; not only can that violate the accountholder’s privacy, but it can violate the privacy rights of innocent third parties. Demanding access to a social media account can be just as invasive as demanding access to an email account, something we all already knows is off-limits.

Still, new legislation is a blunt tool, and it’s not the right solution to every problem. In this situation, California’s new laws create two problems, one big and the other bigger.

The "big problem" is that the law too broadly defines "social media." Here's the definition:

“social media” means an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations.

To say that definition is "overly broad" is a gross understatement. As Goldman observes, that breadth is sure to have "unintended consequences."

In other words, the law governs effectively all digital content and activity, both on the Internet and stored in local storage devices, not just social media. After all, what digital resource isn’t “an electronic service or account, or electronic content”?

Here's the "bigger problem": the law restricts an employer's access to "personal" social media, but doesn't define "personal."

Thus, the law assumes that social media accounts have only two states: personal or not-personal. Sadly, that’s completely contrary to the cases I’m seeing in court right now. Instead, social media accounts fit along a continuum where the endpoints are (1) completely personal, and (2) completely business-related–but many employees’ social media accounts (narrowly construed, ignoring the statutory overbreadth problem) fit somewhere in between those two endpoints. Indeed, employers and employees routinely disagree about whether or not a social media account was personal or business-related.

So, while it's advisable, even imperative, that an employee "cough up" his access information for business-related social media accounts, the employer may be unintentionally violating state law if it asks for those credentials and the employee can make a case that the account is "personal." Goldman cites several cases where employer and employee are slugging it out in court right now over the business/personal dichotomy. While trial lawyers might regard this ambiguity as a good thing, the rest of us consider it a pain in the "personal" nether regions.

Goldman asserts that this confused state of affairs is par for the course.

Speaking for myself, I always assume that a state legislature trying to “fix an Internet problem” will botch the job. After all, state legislatures have a virtually unbroken history of poorly designed Internet regulations.

Change "state" to "federal" and "Internet" to "financial institution" and you have Dodd-Frank.

Those of us who do not live in California might chalk this up to the typical dysfunctionality of life in the land of fruits and nuts. Unfortunately, other states are adopting similar laws. Legislators can't help themselves. Screwing up the lives of their citizens, and especially those ctizens who attempt to conduct business, is what they do. It's embedded in their DNA. As in many areas, The Golden State sheds a light on America's future.

Thank God for Shiner Bock...