Social Media Part 3: Complaints, Compliance and Risk Mitigation
By Sharon Blanchette, CPA, CIA and MBA
Assistant Director, New England
Pamela C. Buckley, CRCM
Regional Director, New England
The following is the third installment of a three-part series that examines the benefits of social media along with the risk and compliance issues inherent in this exploding networking opportunity.
In the first installment of our series on social media, we discussed the benefits of this new delivery channel. In part two we reviewed the risks — some obvious and some not so obvious — that banks take on when engaging in social media. In this third installment, we review issues related to handling complaints, compliance and risk mitigation.
Complaints, Compliments and Document Retention
Customer Complaints: Will your institution consider complaints received via social media to be "in writing"? Even the smallest complaint could present a Fair Lending issue or a Regulation E issue, and you will want to have trained personnel monitoring the site for such complaints and documenting them. Determine whether you wish to create a separate complaint policy for complaints received through social media sites versus through your traditional complaint handling process. Be especially vigilant regarding any complaints that allege discrimination and have processes in place to address them immediately.
Whistleblower Complaints: How will your institution respond to complaints of institutional wrongdoing that materialize online?
Compliments: If your social media efforts are successful, you'll no doubt receive many compliments. Be sure to record in some manner (screen shots, perhaps) any compliments that specifically relate to the bank's performance in helping to meet community credit needs, along with any response to the comments by the bank.
Document Retention and eDiscovery: All of that information being tweeted and posted could represent official communications of the institution, which means it would be subject to the institution's document retention policies and procedures. How will your institution capture and archive this information?
Human Resource Issues
Recognize that members of the community at large are already blogging and posting messages about your institution — and some of those folks may be your own employees. Just as you can indicate what is acceptable use by an employee of your bank's Internet, e-mail and other computing devices, so too can you indicate what is acceptable posting or tweeting about your institution in social media venues. Start with an overall social media policy as opposed to simply incorporating social media into existing policies. By implementing a social media policy, an institution can define and describe "social media," and this serves to educate employees who might not be as Internet savvy as others. Many institutions have blocked employee access to these kinds of Web sites during business hours.
Your social media policy should be clear that tweets and postings on company-sponsored social media are examples of business correspondence and "official communications" of the company and require official accounts, which are the property of the company. The policy should address which employees are authorized to post and tweet, and whether specific communications require approval, and from whom. This is similar to how an institution defines who can speak to media on behalf of the institution. The policy should also indicate what topics can be discussed; however, institutions should not overly limit topics because this could dampen users' interest in returning to the venue. The policy should also be clear about copyright issues, intellectual property issues (trade secrets, etc.) and privacy/security issues.
Social media tweets and postings by institution employees on non-company-sponsored social media venues — both during work hours and on personal time — should be addressed in the social media policy as well. Employees must understand that their activities on social media venues can easily be associated with the institution if they include their employer, job title, contact information, etc., in their demographic/account information.
The institution has to make decisions about many other issues before writing a social media policy. For example:
- Can employees include institution information, including a logo or trademark, on personal social media accounts, and if so, is any disclaimer required?
- For those employees who are allowed to post and tweet official institution communications, will user names, account names or passwords have to be provided to institution management? Will employees be informed that anything they write for the institutionally sponsored blog or site belongs to the institution? Will employees have to sign agreements?
- Will the institution allow employees to use non-company-sponsored social media applications using institution systems on institution time?
- Will the institution allow endorsements and recommendations of other companies or other people on institution-sponsored social media venues? How about for non-institution-sponsored venues? How will all of this activity be monitored, if at all?
- Will the institution make mandatory reporting a policy if any employee discovers another employee posting or tweeting inappropriate or prohibited content about the institution using any social media? How will the institution discipline employees who post defamatory, pornographic, proprietary, harassing or libelous material, or generally violate the privacy rights of other employees/customers/vendors?
- How will the institution dovetail these employee policies into its code of ethics/conduct, employee handbook and other written social media guidance?
As with any risk issue, institutions can ignore the risk, mitigate the risk or avoid the risk altogether. Below are some suggestions for mitigating the risk.
For starters, here are some strategies for measuring and solidifying the institution's ethical culture:
- Before embarking on the social media journey, ensure that your financial institution is perceived by its own employees as an ethical organization. The general public will care about what other members of the general public say, but they will care much more about what the institution's own employees (and former employees) say. Perhaps consider administering a third-party confidential survey about the institution's ethical climate. The results of such surveys can be helpful in the institution's risk assessment.
- Ensure that ethical behavior is an important part of leadership at the institution.
- Implement or formalize an existing whistleblower procedure for employees and the public to raise issues. Most institutions would prefer to have the opportunity to research and investigate complaints, allegations or misinformation long before they become public.
- Develop written policies, procedures, processes and other guidance regarding social media use.
- Develop a quality control program for content. The institution has to make sure that content uploaded or posted to social media, especially institution-sponsored venues, is accurate, verifiable, compliant and not misleading in any manner, as well as timely and current.
- Have a definite plan for how to respond to an untoward event, and test the execution of the plan.
- Provide overview training to all staff and specific training to staff who:
  - Are permitted to participate in institution-sponsored social media
  - Will monitor social media for compliance issues
  - Will audit social media
Some additional strategies you should employ include:
- Implementing or enhancing network controls
- Performing ongoing risk assessment updates, perhaps every six months for the first two years
- Implementing a robust and continuous self-monitoring program, and engaging a third party to perform independent, periodic spot-checks of what is being posted or tweeted on institution-sponsored social media
- Performing compliance reviews at least annually
- Adding social media to the audit universe
Every risk has an opportunity, and every opportunity has risks. There was a day when an article similar to this was written about the concept of institutions having a Web site or institutions allowing remote IT access to employees. Initially the risks will seem overwhelming. Some institutions will avoid the risk, while others will assess and manage the risks. Those institutions that have a strong community presence and which enjoy a positive reputation in their community will probably be the biggest beneficiaries of social media communication. If your institution does not yet have a social media presence, consider forming a social media committee and let the project planning begin!
Part 1: Getting Started with Social Media
Part 2: Rolling Out Social Media = Rolling the Dice