The Financial Conduct Authority (FCA) has recently announced plans to release updated guidance for financial firms operating on social media. At the moment, there is no indication about what this might contain; however, recent US social media guidelines, released by the FFIEC, provide some good insight into regulatory and risk management best practice.
With this in mind, I have created a briefing document to inform UK institutions about the FFIEC guidelines and what they can learn from them.
Best practice advice for UK Financial Service Institutions from the FFIEC social media guidelines
Danielle Sheerin, Senior Consultant, NixonMcInnes
@DanielleSheerin
Page 1 | FFIEC social media guidance briefing | January 2014
What is this all about?
- The FCA plans to publish new social media guidance for UK financial service companies in 1Q14
- This follows the final version release of the Official FFIEC Guidelines for Social Media in Banking in the US just before Christmas 2013
- Current FCA guidance around social media extends the guidance for financial promotions to communications on social channels but provides little insight into specific social media risks for firms
- While we don't know as yet what the new FCA guidance will cover, the FFIEC release provides some useful insight into social media best practice for risk mitigation that can be applied by UK financial service institutions
The extent of the guidance
The FFIEC Guidance proposes a combination of expectations, considerations and advice for financial services organisations. Broadly this breaks down as:
- Financial institutions are expected to manage risks associated with all types of consumer and customer communications, no matter the medium
- The Guidance provides considerations that financial institutions may find useful in conducting risk assessments and crafting and evaluating policies and procedures regarding social media
- Financial institutions are expected to use the Guidance in their efforts to ensure that their policies and procedures provide oversight and controls commensurate with the risks posed by their involvement in social media
What does this mean in practice?
So, according to the FFIEC:
- Financial service institutions should have a risk framework
- This framework should reflect the institution's level of social media activity. If the institution is not active on social media, this will be relatively light compared to an institution operating an advanced social media strategy; however, some sort of risk management consideration should still exist
- There are no new requirements that apply directly to social media (above and beyond existing compliance requirements)
- BUT the guidance offers some best practice advice and some important considerations for financial service institutions crafting their risk frameworks
Why is this relevant for UK firms?
So, why does this matter to you?
- This is equally important for UK financial service institutions that want to manage risk effectively
- Regardless of the final content of the forthcoming FCA guidelines, all UK financial service institutions should be proactively managing the risks associated with social media, whether they are active on social media or not
- Social media is global. Over time we would expect to see a convergence of regulation and rules so that there is a global consistency in the way customer communications are managed
What you need to do
More than anything, what the FFIEC guidance encourages is some common sense due diligence for financial service firms with regard to social media. If you are a financial service firm, and you want to use social media properly, treat it as you would any other business project and get the following elements in place:
- Strategic plan
- Risk framework with controls and ongoing assessment
- Relevant supporting policies, processes and guidelines
- Employee training
- Measurement and reporting framework
But what sort of things should you take into consideration? Fortunately the FFIEC advice provides some insight here too.
Recommendations from the FFIEC guidance
The main recommendations from the FFIEC guidance (in plain English) are:
1. Make sure that all your communications are compliant
2. Have a social media strategy
3. Monitor social media activity around your brand
4. Have processes, guidelines and training that provide the appropriate controls
5. Have an audit trail
6. Measure and report your activity against your strategic goals
Let's have a look at these in more detail to see what they entail and what they might mean for you.
1. Make sure that all your communications are compliant
The FCA social media guidelines already cover compliance around financial promotions and state that the rules are generally media-neutral, and they focus on the content of the financial promotion, rather than the medium used to communicate it. Therefore, applying the rules to financial promotions made using new media is no different to financial promotions using any other medium.
Questions for you
- Are your employees aware of their responsibilities with regard to compliance on social media?
- Does your risk management include employee training on social media in a professional capacity?
2: Have a social media strategy
The FFIEC suggests you should have a governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution. Don't assume that because your organisation does not use social media that this recommendation does not apply to you. Even if you are not active on social media, this should be because you have made a decision not to be active for clear, well documented business reasons. It should not be an omission or oversight.
Questions for you
- Does your organisation have a formal social media strategy that supports your business strategy and outlines clear goals for activity?
- Does this strategy go right to the top of your organisation with clear governance and accountability for direction and implementation sitting with the senior exec of your organisation?
3: Monitor social media activity around your brand
The FFIEC suggests that monitoring should be appropriate to provide the level of oversight commensurate with the institution's social media activity.
Questions for you
- Do you monitor your own social spaces to spot customer posts that could expose you to potential reputational or privacy risk?
- Even if you do not manage any social media spaces as an organisation, others may still be talking about you online. This puts you at risk of fraud, brand hijacking or PR crises. Are you aware of the risks here? Do you monitor for this? And have you considered how you would respond if any of these things happened?
- If you have third parties managing your spaces, do you have oversight on the posts they are making on your behalf to ensure they are compliant?
4: Have processes, guidelines and training that provide the appropriate controls
If you are monitoring, you will need the appropriate controls in place so that you know how and when to act to mitigate the risks identified. According to the FFIEC this might include policies and procedures, employee training and other guidance relevant to your activities.
Questions for you
- If a customer posts a negative comment or complaint, what is your policy and process for handling this?
- How will you act if someone posts personal details online, creating a privacy risk?
- Do you have escalation processes in place?
- Do your staff training, policies and guidelines provide sufficient guidance that staff know what they can and can't say on social media in a professional or personal capacity?
5: Keep an audit trail
According to the FFIEC you should include audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations.
Questions for you
- Are you tracking your conversations on social media and keeping records of conversations?
- Do you have a robust approach to complaints identification and handling on social media?
- Are you able to manage and report on customer issues originating in social media in the same way as those in other media?
6: Measure and report your activity against your strategic goals
The FFIEC also states that you should provide appropriate reporting to the financial institution's board of directors or senior management that enables periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives. This does not mean you must show the ROI for your social media activity; it just means you should know why you are doing what you are doing and if it is working.
Questions for you
- Do you have a measurement framework in place that lets you track how your social media is delivering against your strategy?
- Do you report on this and have processes in place to ensure that insights from this are