There is an event in New York City each year during the holidays that at first glance sounds cheery and fun and colorful. It's called SantaCon, and it began in 1997 when a few hundred friends dressed up as Santa, elves, reindeer etc. and got together for an all-day bar crawl. Today it has gotten a bit out of control as in 2012 some 30,000 Santa's showed up. This year in preparation, signs are up in neighborhoods proclaiming "Alcohol Soaked Father Christmas-themed flash mobs not welcome here!" We think these bar crawlers should also be more careful because after all, Father Christmas has his list of who is naughty and who is nice and he's checking it twice. We think Santa would be particularly tweaked at someone doing drunken things while impersonating him.
As Santa knows, image and reputation are important and bank regulators want us to remember that in reference to social media. In fact, FFIEC has just issued guidance for banks using social media. Basically, they want banks to remember that consumer compliance rules and legal guidelines are the same, whether using social media or any other vehicle for communication with the public. There are no new requirements for financial institutions associated with the use of social media per se, but regulators do highlight some considerations that bankers should be addressing in policies and procedures.
To begin, regulators view social media to be any form of online communication that is by nature more interactive than a stand-alone web site, texts, emails or other electronic communication avenues. The interactive and informal nature of this kind of communication automatically results in a less secure environment. Like every other risk management process, a bank's social media risk management processes should identify, measure, monitor and control this risk. Like every risk management procedure, its sophistication should be relative to the complexity of the usage. For example, a bank that relies heavily upon this kind of interaction for business development purposes should have a more robust process than a bank using it only occasionally.
This is made all the more difficult because social media is rapidly changing, so risk management policies should provide a framework for appropriate use, rather than specifics based on certain programs. This is because specific sources are sure to change, so you have to be prepared and flexible. To do this right, bankers should make sure different groups participate in policy development including compliance, technology, legal, human resources and marketing personnel.
The rule focuses on reputation risk, which is that risk that arises from negative public opinion. It is a slippery one to be sure, but is at the top of the list of concerns for social media because it can come from many different directions. The reputation of a bank can be harmed even if it does not violate any law, so be sure to think through multiple scenarios as you pull together your policies. Constant monitoring of the bank's site goes a long way in addressing this, but more must be done. In addition to unhappy customers, there can be fraud or brand identity theft, or even third party concerns if the bank is using one to assist with its social media presence. Even if a bank uses a third party, internal monitoring is advised as ultimately the bank is held responsible for any misdeeds.
We think social media is a great way to communicate a bank's image and brand. What you do in the community and what is special about your institution is critical for the world to know. For us, we consider this regulatory guidance a view into the primary concerns of regulators and the focus seems to be to make sure these channels are consistent with other communications approaches you already use. It is good to know there is nothing new here, so this is just a reminder that as with any communication, banks need to manage the associated risks.