#socialmediarisk – Social Media and Consumer Marketing for Financial Services Organizations Social media has created significant opportunities for organizations to connect with their customers and the overall market. It has also created a whole new set of risks for heavily regulated organizations such as financial services institutions. Along with the usual array of concerns faced by all businesses in the social media realm, financial services organizations face an even higher level of scrutiny from regulators and consumer watchdogs.

Social media, and leveraging social business processes to build relationships internally and externally, is an emergent landscape where, quite literally, the rules are still being written. While social media has the potential to improve market efficiency, risk management is critical, and federal regulators are taking steps to place social media risk management top of mind for financial institutions.

Issue As many organizations know or are quickly learning, social media can take many forms, including:

• Micro-blogging sites such as Facebook, Google Plus, MySpace and Twitter

• Forums, blogs, customer review websites and bulletin boards (e.g., Yelp)

• Photo and video sites (e.g., Flickr and YouTube)

• Social games (e.g., FarmVille and CityVille)

Messages sent via email or text message typically do not constitute social media, although such communications may be subject to a number of laws and regulations. In addition to the examples of social media mentioned, other forms may emerge in the future that financial institutions should also consider.

Responding to a growing number of questions from organizations struggling to understand and navigate the social media landscape under current laws, the Securities and Exchange Commission (SEC) and the Federal Financial Institutions Examination Council (FFIEC) have taken steps to offer more direction.

Protiviti | 2

The SEC has offered social media guidance for several years. Most recently, the SEC’s Division of Investment Management issued a “Guidance Update” for registered investment advisers. Essentially, it provides a set of “do’s and don’ts” as it pertains to the use of social media in investment adviser advertising.

This guidance issued by the SEC does not establish any new rules, but aims to apply section 206(4) of the Investment Advisers Act of 1940 and rule 206(4)-1(a)(1) – the so-called testimonial rule – to social media.

Together, these rules prohibit investment advisers from engaging in any act, practice or course of business that is “fraudulent, deceptive or manipulative.” Similarly, the testimonial rule forbids the use of endorsements because they “may give rise to a fraudulent or deceptive implication, or mistaken inference, that the experience of the person giving the testimonial is typical of the experience of the adviser’s clients.”

The SEC provided its guidance in the form of questions and answers designed to offer practical advice in addressing specific situations. However, the recommendations share the following themes:

• Independence is a necessity – Information disseminated by investment advisers via social media must be produced independently of the advisers and must not be influenced by them. Furthermore, investment advisers may not publish public commentary that is an explicit or implicit endorsement for them or their services because its use would violate the testimonial rule.

• Material connections are prohibited – A material connection would be deemed present if, for example, advisers influenced social media commentary by selectively censoring, emphasizing or editing the content before using it for their marketing initiatives. Likewise, advisers may not have a supervised person submit testimonials on their behalf and then use such content in advertisements. Advisers providing compensation, including discounts and offers of free services, to social media users for producing reviews also would constitute a material connection.

• Completeness is paramount – Simply put, investment advisers seeking to incorporate commentary found on an independent social media site into their own marketing platforms need to publish such commentary in its entirety. Selectively choosing only favorable reviews or de-emphasizing negative ones constitutes a violation.

Aside from addressing straightforward advertising initiatives, the SEC’s guidance also cautions investment advisers regarding the seemingly innocuous use of “friends” or “contacts” lists and “fan/community” pages. The use of both on social media sites is ubiquitous, but potentially can cause issues for advisers. The SEC deems as benign the basic listing of current or past clients as friends. But if the listing somehow creates an inference, for example, that the friends experienced favorable results from the adviser, it could be judged as a violation of the testimonial rule.

Similarly, the SEC raised red flags not about fan pages in general, but regarding their certain use. For example, the SEC found no issues with an independent third party’s creation of a fan page that features the adviser, but strongly cautions that adviser from steering traffic to it for risk of raising fraudulent or mistaken inferences.

Protiviti | 3

The FFIEC also has issued formal guidance on social media compliance risk. Entitled “Social Media: Consumer Compliance Risk Management Guidance,” the supervisory guide, published in December 2013, provides a framework of social media policies and procedures to ensure proper oversight and controls.

The guidance applies to banks, savings associations, credit unions and nonbank entities supervised by the Consumer Financial Protection Bureau (CFPB). It is intended to help these institutions identify, assess, monitor and control against harm to consumers, compliance and legal risks, operational risks, and reputation risks.

Among the key points in the FFIEC’s guidance:

• The guidance does not impose any new requirements on financial institutions. Rather, it applies existing requirements and supervisory expectations to social media.

• The guidance provides tips that financial institutions may find useful in conducting risk assessments and crafting and evaluating social media policies and procedures.

• The FFIEC will use the guidance in examinations – and expects financial institutions to do the same – to ensure that risk management and consumer protection practices address consumer compliance and legal risks adequately, along with related risks (e.g., reputation and operational risks).

• Rather than discourage the use of social media, the guidance is intended to help financial institutions use new media safely and effectively by understanding and managing the associated risks successfully.

• Each institution is responsible for carrying out an appropriate risk assessment and maintaining a risk management program tailored to the institution’s size, activities and risk profile.

• State agencies that adopt the guidance will expect the financial institutions they regulate to adhere to this guidance.

Challenges and Opportunities Financial institutions currently use social media in a variety of ways, including marketing, providing incentives, facilitating applications for new accounts, inviting feedback from the public, and engaging with existing and potential customers by receiving and responding to complaints or providing loan pricing. The informal and dynamic nature of this interaction can present some unique challenges, including compliance, reputation and operational risks (see accompanying table).

Protiviti | 4

Compliance Risks Reputation Risks Deposit and lending products • Truth in Savings Act/Regulation DD and Part

707

• Fair Lending Laws: Equal Credit Opportunity Act/Regulation B and Fair Housing Act

• Truth in Lending Act/Regulation Z

• Real Estate Settlement Procedures Act (RESPA)

• Fair Debt Collection Practices Act

• FTC Act, Section 5/Dodd-Frank Act, Sections 1031 and 1036

• Deposit insurance or share insurance Payment systems

• Electronic Funds Transfer Act (EFTA)/Regulation E

• Article 4, Uniform Commercial Code/Expedited Funds Availability Act/Regulation CC

Bank Secrecy Act/Anti-Money Laundering programs (BSA/AML) Community Reinvestment Act (CRA)

Privacy • Gramm-Leach-Bliley Act Privacy Rules and

Data Security Guidelines (GLBA)

• CAN-SPAM Act and Telephone Consumer Protection Act (TCPA)

• Children’s Online Privacy Protection Act (COPPA)

• Fair Credit Reporting Act (FCRA)

Fraud and brand identity Third-party concerns Privacy concerns Consumer complaints and inquiries

Employee use of social media

Operational Risks Social media

• One of several platforms vulnerable to account takeover and the distribution of malware

Protiviti | 5

Our Point of View The SEC’s and FFIEC’s guidelines, though helpful, still leave many other questions unanswered regarding the application of social media. That’s understandable, however, considering that the ever-changing nature of social media makes it impossible to address or anticipate every conceivable scenario. The best course of action lies in developing a comprehensive social media plan that monitors the medium proactively and establishes protocols for its use.

Every financial institution should have a risk management program to identify, measure, monitor and control social media risks. That program should be commensurate with the financial institution’s use of social media. Even an institution with no active involvement in social media marketing needs to monitor for comments or complaints originating outside the organization, and have a plan in place to evaluate and respond as needed.

The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources and marketing. Financial institutions should also provide guidance and training for employees’ official use of social media (on behalf of the organization, not for personal use).

Per the FFIEC’s guidance, a solid risk management program should include the following components:

• A governance structure with clear roles and responsibilities – The board of directors or executive management should direct how using social media contributes to the strategic goals – brand awareness, product advertising and new business development – and establish controls and ongoing assessment of risk in social media activities.

• Policies and procedures – Institutions should clearly define appropriate and inappropriate social media use, and specify how they will monitor that use, as well as compliance with consumer protection laws. Policies should address methodologies for addressing risks resulting from online postings, edits, replies and records retention.

• Third-party relationships – From search engine optimization (SEO) to social media marketing firms and contract content providers, institutions need to have a risk management process for selecting and managing vendors that post and comment on social media on the institution’s behalf.

• Employee training – Communication is key. Employees need a clear understanding of what constitutes both permissible and impermissible social media use and communications, as well as all online activities.

• Oversight – Institutions need to monitor online chatter regularly and be prepared to react/respond to potentially damaging posts/comments.

• Audit and compliance – As with any corporate policy or procedure, it is important for financial institutions to ensure that online activities are consistent and compliant with both internal policies and all applicable laws and regulations.

• Reporting – A good risk management program should provide for periodic evaluation and reporting to the board of directors and executive management as to the effectiveness of the social media program and whether it is achieving its stated objectives.

Protiviti | 6

How We Help Companies Succeed Social technologies are creating opportunities to acquire and serve more customers, often at a lower cost. Protiviti helps organizations create social business strategies to engage – not manage – their customers in a controlled and compliant fashion. We also help build internal communities that improve business processes.

Protiviti’s Community Maturity Model includes eight core social media risk management processes to help organizations manage risk in their online communities. This model has been validated over several years by dozens of expert online community specialists, managers and strategists who are members, along with Protiviti, of The Community Roundtable. These eight processes are illustrated on the left side of the Protiviti Community Maturity Risk Model, while their maturities are shown from left to right along the top.1

As social media presents real opportunities and risks, it demands a disciplined approach. We help companies benchmark their current state of social business to what others are offering, and work with them to build a plan with established goals and metrics to advance their social business capabilities to the next level in accordance with the expectations of community managers, regulators, executives and board members. See www.protiviti.com/socialbusiness for more information on how we can help.

1 Protiviti teamed with The Community Roundtable and adapted the Protiviti Community Maturity Model presented herein by defining processes and maturity levels relevant to establishing and sustaining community.

© 2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Example Protiviti was retained by a major financial services provider to benchmark social media initiatives and usage against best practices and corporate strategy. Working with both front-line and back-office personnel, we used Protiviti’s Community Maturity Model and FFIEC guidelines to assess current practices and help the client develop a strategy for achieving the desired future state/maturity.

Specifically, we helped our client to:

• Understand the scope of its existing social media footprint, including the frequency and nature of officially sanctioned outbound communications; market chatter; and unofficial – and potentially fraudulent – “rogue” pages created by others, using the corporate identity.

• Assess its social media infrastructure, including roles and responsibilities, executive sponsorship, policies and procedures, training protocols, etc.

• Chart a course toward its goal of using social media as a brand builder and outreach mechanism to reach a younger demographic.

• Leverage Protiviti’s global knowledge to compare the client’s social media maturity to its competitors and those considered best-in-class across industries.

Through our efforts, our client achieved a clearer understanding of the full scope of its current social media efforts, how those efforts compare with the competition, risks associated with current practices, and a plan for aligning future social media efforts with both business and risk management objectives.

About Protiviti Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 40 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.

Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Contacts Greg Hedges +1.312.476.6380 gregory.hedges@protiviti.com

Gregg Barrow +1.212.708.6332 gregg.barrow@protiviti.com