Having a compliance management system (CMS) is a well-known regulatory imperative, but did you know that mortgage lenders and financial institutions are also required to have a social media risk management program? As the Federal Financial Institutions Examination Council (FFIEC) makes clear in its Social Media: Consumer Compliance Risk Management Guidance, “Financial institutions are expected to manage risks associated with all types of consumer and customer communications, no matter the medium.” Thus, a robust, comprehensive CMS must include social media as part of its scope of oversight.
The first step in managing social media risk is identifying potential risk sources. The FFIEC’s social media guide breaks these down into three (3) main categories. First is Compliance and Legal Risk. There are numerous rules and regulations that govern financial institution’s social media activities, including but not limited to:
Next is Reputational Risk. This is the risk arising from the potential negative public commentary and sentiment for a financial institution. This risk may stem from activities that result in dissatisfied consumers or negative publicity which could harm the reputation and public standing of the institution. Reputational Risk is particularly noteworthy, as losses are not easily quantifiable and may occur even if no law has been broken. The FFIEC outlines several areas of concern within this category, such as:
Finally, we come to Operational Risk, which is centered primarily around IT/Cybersecurity concerns. The FFIEC directs lenders and financial institutions to leverage the FFIEC Information Technology Examination Handbook and the Outsourcing Technology Services and Information Security to ensure social media accounts, access and usage adhere to industry IT/cybersecurity standards.
In addition to categorizing the areas of risk mortgage lenders and financial institutions face regarding social media, the FFIEC’s guide also outlines the specific components these organizations should have as part of their CMS to adequately manage these risks. These are as follows:
The FFIEC acknowledges that organizations will have different goals for their social media strategy, and as such, “The size and complexity of the risk management program should be commensurate with the breadth of the financial institution’s involvement in this medium.” However, lack of social media use does not exempt lenders or financial institutions from establishing procedures to address social media risks from outside parties, such as negative comments or complaints.
Furthermore, lenders and financial institutions should involve specialists from multiple areas within the organization to develop a comprehensive social media risk mitigation strategy. These functional areas include compliance, technology, information security, legal, human resources and marketing.
Managing the risks posed by social media isn’t just good business sense – it’s also a regulatory requirement. By incorporating social media with the scope of an overall compliance management system, lenders and financial institutions can ensure they are adequately managing these risks while also meeting regulatory expectations for oversight and compliance. To learn more, check out our FFIEC Social Media Guidance page.