Monday, September 15, 2014

Panel Discussion on Data Security, Breach Response, and Emergency Management

I was honored to be asked to participate in a panel discussion on business security issues with some top thought leaders in North Carolina. Topics included data security, risk management, breach response, and emergency management. I enjoyed hearing the insights of these three smart, accomplished people. Please feel free to view the video on YouTube and share it with others who might be interested.

Tuesday, September 9, 2014

Social Media for Financial Institutions: Maximizing the Rewards while Minimizing the Risks

(This article was published in the Carolina Banker magazine by the North Carolina Bankers Association in the Fall 2014 issue.)

By now almost everyone knows that social media has tremendous potential for businesses of all kinds to connect with important constituent groups. The average American spends 37 minutes per day on social media. Facebook alone has more than 1.2 billion users, and a quarter of them log in more than five times per day. Twitter has twice as many users as the United States has citizens. In addition to marketing products and services to customers and prospects, banks now use social media to obtain feedback and market intelligence, recruit and engage employees, and enhance shareholder relationships. These attractive opportunities do not come without risk; fortunately, those risks can be mitigated by an effective social media compliance and risk management program.

Regulatory Attention

A few months ago, the Federal Financial Institutions Examination Council ("FFIEC"), which includes representatives from federal and state regulators, issued guidance for banks regarding the legal, operational and reputational risks associated with social media. Soon, examiners will likely expect banks to have written risk assessments and social media policies and procedures.

The FFIEC guidance addressed many — but not all — of the outstanding banking law questions about social media. Most of the regulations the guidance discusses involve the nature and placement of consumer disclosures, recordkeeping, and other straightforward issues. The guidance also raised more complex issues, however, such as the risk of disparate impact, an anti-discrimination legal theory favored by the Consumer Financial Protection Bureau. Because some questions remain unanswered, good, practical judgment will be needed to apply existing regulations in a new environment. For example, customer privacy issues can arise in social media that require banks to respond to customer communications differently than other businesses might, since a public reply that confirms or reveals details of a customer relationship may itself be a disclosure.

Importantly, the guidance states that even banks that do not have any official social media accounts should still consider the risks posed by social media, document the risk assessment, and adopt any policy needed to address identified risks. Risks faced by banks that do not have an official social media account include reputational risks of negative comments and complaints by customers, as well as risks posed by employees' use of social media. The regulators have made clear that a bank may be held responsible for an employee's social media use if it appears the employee is acting on behalf of the bank and the bank has not taken adequate steps to address the risk. (How certain are you that none of your bank's employees are talking about the bank's products and services on their own social media accounts?)

Reputation Management

A widespread concern among bankers about social media is the potentially damaging effect of publicly aired customer complaints. This is a real risk, but it is important to note that it is present whether or not a bank has a social media presence. Disgruntled customers can — and do — air grievances on social media and customer review websites whether or not you have a Facebook page or Twitter profile. If your bank has a presence on social media, however, you have a better opportunity to identify those grievances early and address them.

Both legal and practical considerations bear on determining whether, and how, to respond to a public complaint. Well-crafted social media policies and procedures, coupled with a well-trained and savvy team, can effectively handle most public complaints, and may achieve net-positive outcomes. When the commenter can be identified, the recommended approach is usually to simply ask the customer to remove the offending post. If a commenter refuses to remove a false, misleading, or abusive comment voluntarily, you may resort to dealing with the platform provider (e.g., Facebook, Twitter, Google, Yelp, etc.). Each platform has terms and conditions that establish its own criteria for removing posts. Understanding these criteria can help you draft a request to the platform that is more likely to result in the removal of an offending comment. A letter sent by a knowledgeable lawyer on behalf of the bank is often helpful.


Social media presents opportunities for others to impersonate or "spoof" the bank. This can happen whether or not a bank is active on social media, and in fact, by being active in social media, a bank can reduce the likelihood and effectiveness of these nefarious efforts: an official, clearly identified account gives customers a reference point against which an impostor can be recognized, and gives the bank standing to report the impostor to the platform. Fortunately, most social media platforms are quick to shut down fraudulent accounts once they are reported.


Social media and promotional contests seem to go together like peanut butter and jelly. They can be useful tools to encourage social sharing of your bank's content. As with any promotional contest, various state and federal laws must be observed, and liability and reputational risks must be mitigated. Also, some social media platforms restrict certain types of promotions. It may be worthwhile to consult a knowledgeable lawyer before beginning any contest or drawing.

Developing a Policy, Procedures, and Implementation Team

The size and complexity of a social media program should be commensurate with the degree of the bank's involvement in social media. For example, a bank that uses only one platform (e.g., Facebook) can have a narrower, more focused program. A bank using several media (e.g., Facebook, LinkedIn, Twitter, Yelp, Google+, and YouTube) should have more comprehensive procedures.

The FFIEC advises that a social media program should be designed with participation from specialists in compliance, technology, information security, legal issues, human resources, and marketing. Ideally, a team will be small, with individuals whose expertise spans more than one of these categories. After a program is crafted, it can be implemented by a smaller team or an individual, with support from specialists as necessary.

A recent survey revealed that banks in the southeastern United States have the lowest rates of social media participation in the nation. In some other regions of the country, banks are more than three times as likely to have a social media presence. Given the size of the potential audiences and the high level of user engagement, it seems likely that more banks in our region will implement or expand social media strategies soon. Though not all risks can be eliminated, a well-crafted plan can manage the risks while maximizing the rewards.