The FFIEC released today (January 22, 2013) the “Social Media: Consumer Compliance Risk Management Guidance”, which is available online here. The release is open for comment and is a great opportunity to see where the enforcement agencies are leaning: what concerns they are seeing on a macro scale, and their intended path to mitigating these unique risk areas.
“The 31-page proposal addresses how social media impacts compliance and legal risk, operational risk, reputational risk, and an increased risk of harm to consumers. While the agencies note that no additional regulations apply to social media, the relatively casual communication channels are not exempt from the rules, either.
According to the proposal, social media risk management programs should include a governance structure that includes how social media contributes to strategic goals, policies and procedures, third party due diligence, employee training, oversight, audit and compliance functions, and a reporting process.” – reference
Considering the velocity of the risks in this area and the lag in legislation, it is fair to say that even those OUTSIDE the purview of the FFIEC should strongly consider these as inputs to their compliance and security programs.
“The FFIEC invites comments on any aspect of the proposed guidance. It is specifically seeking comments on the following questions:
- Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?
- Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?
- Are there any technological or other impediments to financial institutions’ compliance with applicable laws, regulations, and policies when using social media of which the Agencies should be aware?”
Participate in the comment process and the adoption of this guidance here.
The guidance itself is also available here (PDF).
*See me speak at the RSA 2013 Conference – Passwords are Dead (I’ll also be posting research elements on this site for the community’s input).