Complimentary Webinar
Life After IAT
September 18, 2009 is finally behind us. How has the implementation of the new International
ACH Transaction really shaken out? How many items are flowing through the system?
How is it impacting everyday operations? Now that all the planning and preparations
are over, what are some of the concerns being heard in the industry today?
Speaker: Gina D. Carter, AAP
Director of Education, EastPay
4/21/2010 3:00PM to 4:00PM ET
Twitter and Facebook and LinkedIn, oh my! All Dorothy had to worry about on
her journey to Oz were lions and tigers and bears. What do financial institutions
have to worry about on their quest to explore social networking, the biggest marketing
trend of the twenty-first century? That’s the question of the day as more
institutions begin to twitter, friend and connect to communicate with customers.
Turns out, there is a lot to worry about. From the very real and tangible
risk of exposure to phishing, malware and viruses to the more intangible, ethical
risks posed as more employees use these sites on the job and at home. What is a
financial institution to do? Get left behind by ignoring social networking,
or identify its risks and tread with caution. Since the first option
appears both shortsighted and unrealistic, as many financial institutions and their
employees have already entered the fray, we’ve put together a roadmap to help
you find your optimal social networking Oz.
Why Do Financial Institutions Yearn for Oz?
Financial institutions of all sizes are engaging in social networking. Particularly
popular are personal networking sites like Twitter and Facebook, as well as the
professional network, LinkedIn. Today, some of the largest financial institutions
are twittering but they aren’t alone. According to Lon S. Cohen of Mashable.com,
a blog dedicated to Web 2.0 and social media news, community banks are at the forefront
of this trend. They are leveraging their biggest asset, their community feel,
and expanding it into the virtual realm to the benefit of their customers and themselves.
Financial institutions are looking at social networking for many reasons.
Even those not particularly interested feel pressured to join in because of the
advantages it appears to offer:
• It’s the marketing marvel of the day:
Most marketing experts consider it the new way of doing business not because organizations
are exploring it but because consumers are demanding it. It empowers them
with much more say in the marketplace and consumers like that.
• Repairing an image: Consumer opinions
of financial institutions declined during the recession. Financial institutions
know that consumers are flocking en masse to social networking and so it presents
an optimal venue to repair tarnished images with a personal touch.
• Consumers are in the driver’s seat:
Consumers can now publish comments online about anybody, including financial institutions.
It might be a positive comment, it might not. Joining the conversation at
least gives financial institutions a voice and some control.
• A new method for R&D: With all the
free dialogue out there, financial institutions are listening to the chatter to
uncover the products and services that consumers want most.
• The audience is unprecedented: Advertising
during the Super Bowl reaches millions of people, but at a cost of millions of dollars.
Social networking sites, most of which are free, add new accounts every day.
Facebook has more than 400 million users and Twitter at least 75 million.
Are There Pitfalls Along the Yellow Brick Road?
The financial institutions that have jumped in are using social networking
mostly to deepen their customer relationships and influence the dialogue out there.
However some have gone a step further by using it to deal with customer service
issues, and there is even a very small minority using it to provide basic account
information. Should they be concerned and should you? Yes, because
the same things that make social networking so enticing are also the things that
should give financial institutions significant pause.
Twitter’s business page calls itself “a communication platform that helps
businesses stay connected with their customers.” Obviously that has
the potential to benefit both sides of the equation. However, it goes on to
remind users that “the messages are public.”
So while it and other sites are flexible and useful communication vehicles, whatever
is posted on them is also public. There are certainly conversations that financial
institutions could have with customers that would be acceptable in the public arena,
but there are many more that would not be, for legal, ethical and regulatory reasons.
What if you post a message on your Facebook page or send a tweet? Is it considered
an advertisement and, if so, do all corresponding regulations apply?
The Financial Industry Regulatory Authority (FINRA), the only regulatory agency
to publish guidelines on social media, believes it does. FINRA’s Regulatory
Notice 10-06 (Jan. 2010) states “The goal… is to ensure that - as the
use of social media sites increases over time – investors are protected from
false or misleading claims and representations, and firms are able to effectively
and appropriately supervise their associated persons’ participation in these
sites.” Even if you aren’t regulated by FINRA, there are existing
advertising rules and regulations that encompass social networking. For example,
the FDIC’s advertising rules consider “a commercial message, in any
medium, that is designed to attract public attention, or patronage to a product
or business,” an advertisement. This would certainly include messages
posted by insured depository institutions on social networking sites. When
such messages are posted, the official advertising statement, “Member of FDIC”
or “Member FDIC,” or the FDIC symbol in its place, is required.
Disclosure requirements under Regulation Z (Truth in Lending Act)
and Regulation DD (Truth in Savings Act) will also apply if certain “trigger
terms” are included in messages posted on behalf of a covered financial institution.
An “advertisement” is defined by Regulation Z as “a commercial
message in any medium that promotes, directly or indirectly, a credit transaction.”
If the message directly or indirectly promotes deposit accounts, the advertising
rules set forth by Regulation DD could also apply. Much like the controls
you have put in place for your institution’s website, controls
designed to provide reasonable assurance of compliance with applicable regulations
should also be established for social networking sites. Remember though, it
is much easier to control information posted on your website.
Then there are your customers to consider. While they may
enjoy the ease and comfort of communicating with you via Twitter or other sites,
financial institutions have a fiduciary and legal duty to maintain the privacy of
customers’ personal and confidential information. If they do not, they
face serious regulatory repercussions. Social networking is no exception.
Employees are the other human piece to this puzzle. Who is
allowed to post messages on behalf of your financial institution and when and how
can employees engage in social networking of a personal nature? The lines
between work and home blur very quickly with social networking. Employees
posting what they consider harmless tidbits about themselves and their jobs could
unwittingly supply the raw material for targeted social engineering against the
institution. The Denver Business Journal recently reported that “even when
secrets aren’t revealed outright, identity thieves and corporate spies have
been able to piece together enough information about companies through their employees’
social network entries to hack into company computers or to trick confidential information
out of the business in person.”
What about the Wicked Witch of the West?
Dorothy only had to manage one wicked witch but financial institutions have to deal
with a multitude of wicked witches, black hats, hackers or whatever else you want
to call cyber criminals. And these black hats are waiting in the wings to
expose your institution to phishing, malware and viruses in order to hack into your
systems and steal confidential information for their own gain, fraud or identity
theft. Social networking is particularly susceptible to this type of malicious
activity.
• It is difficult to verify the authenticity of end users. How does
your customer know they are on your official Facebook page and not a malicious look-alike?
And vice versa, how do you know if the person on the other end of the tweet is actually
your customer?
• Both Twitter and Facebook were created for personal use. Now as
businesses are jumping on the bandwagon, social networking sites want to accommodate
them but IT experts express serious concerns about whether they are ready for this
influx with the proper security protocols.
• As search engines and business websites have made significant progress
in information security, black hats know that the next great breeding ground for
infiltration is the social network scene.
Perhaps the biggest threat is the very foundation on which social networking is based,
trust. People who’ve learned not to click on suspicious looking links
in email are letting their guard down on social networking sites for that very reason;
if you can’t trust a friend, who can you trust? Cybercriminals know
this and use it to their advantage. In their recent white paper, “2010
Threat Predictions,” McAfee Labs put it this way, “wherever, whenever
a trusted mainstream website distributes or promotes third party content, attackers
seek to abuse the trust relationship established between the sites and their users.”
This couldn’t be truer for social networking sites and their users.
What is a Financial Institution to Do?
The lion, the tin man and the scarecrow helped Dorothy but in the end she had to
take care of herself and so does your financial institution. Are the options
simply to engage in social networking or not? No, it’s more complicated
than that. There are obvious benefits to this trend but jumping in blindly
or unwittingly is unwise. As with everything, planning and preparation serve
your institution best.
1. Conduct appropriate due diligence on the sites you use.
Think of them as you do other third party service providers. Do they provide
you and your customers with adequate security?
2. Demand tighter security controls. Social networking
sites realize the boon provided from growing their business accounts. Use
that leverage to push for stronger security protocols.
3. Develop a social media policy. Thoroughly address
how your institution intends to use social networking, including the responsible
parties; the appropriate content; privacy and confidentiality issues; employee usage
at home and the office; customer relations; communication; and training.
4. Educate your customers. Frequently remind customers
not to share personal or account information over public domains such as Twitter,
Facebook or LinkedIn. Post this message on your account’s public page
and make it an ongoing theme in your customer communications.
5. Train your employees. All employees must be trained
on social media and not just those responsible for your Facebook or Twitter page.
Incorporate social media into your information security training and vice versa.
Explain the potential impacts of personal networking and identify prohibited behaviors.
6. Consider your relevant Risk Assessments. Finally,
and most importantly, whether your institution actively engages in social networking
or you are just concerned about employees’ personal posts, the risks of this
new medium are great. As such, it must be assessed and accounted for in relevant
risk assessments performed by your institution. At a minimum, this should
include your Compliance, Information Security, and BSA/AML Risk Assessments.
There’s No Place Like Home
Dorothy learned this lesson the hard way because Oz turned out to be an illusion.
Social networking may be here to stay or it may fade in the coming years.
No one really knows. In the here and now, if you want to use it to increase
customer loyalty or repair broken trust in the aftermath of the recession, make
sure your institution takes all the necessary precautions. Identify the risks
and make sure relevant policies and procedures are updated. The last thing you want
is to face regulatory criticism, or possible enforcement action, for compliance
violations, or to create a whole new set of legal and trust issues due to a security
breach caused by social networking.
Lori Moore is a Certified Regulatory Compliance Manager. She is
currently the director of compliance for ATTUS Technologies Inc., and has more than
25 years of experience in the financial services industry. During her career, she
has gained in-depth knowledge and practical experience within all areas of community
banking and has served in key positions, including vice president of operations,
BSA officer, compliance officer, internal auditor and vice president of risk management.
Moore was also designated as the Outstanding Graduate of the Texas Bankers Association
Operations School.