Social Media Risk for Financial Services - A Protiviti Point-of-View
#socialmediarisk – Social Media and Consumer Marketing for Financial Services Organizations
Social media has created significant opportunities for organizations to connect with their customers and
the overall market. It has also created a whole new set of risks for heavily regulated organizations such
as financial services institutions. Along with the usual array of concerns faced by all businesses in the
social media realm, financial services organizations face an even higher level of scrutiny from regulators
and consumer watchdogs.
Social media, and leveraging social business processes to build relationships internally and externally, is
an emergent landscape where, quite literally, the rules are still being written. While social media has the
potential to improve market efficiency, risk management is critical, and federal regulators are taking steps
to place social media risk management top of mind for financial institutions.
As many organizations know or are quickly learning, social media can take many forms, including:
• Micro-blogging sites such as Facebook, Google Plus, MySpace and Twitter
• Forums, blogs, customer review websites and bulletin boards (e.g., Yelp)
• Photo and video sites (e.g., Flickr and YouTube)
• Social games (e.g., FarmVille and CityVille)
Messages sent via email or text message typically do not constitute social media, although such
communications may be subject to a number of laws and regulations. In addition to the examples of
social media mentioned, other forms may emerge in the future that financial institutions should also
Responding to a growing number of questions from organizations struggling to understand and navigate
the social media landscape under current laws, the Securities and Exchange Commission (SEC) and the
Federal Financial Institutions Examination Council (FFIEC) have taken steps to offer more direction.
Protiviti | 2
The SEC has offered social media guidance for several years. Most recently, the SEC’s Division of
Investment Management issued a “Guidance Update” for registered investment advisers. Essentially, it provides a
set of “do’s and don’ts” as it pertains to the use of social media in investment adviser advertising.
This guidance issued by the SEC does not establish any new rules, but aims to apply section 206(4) of
the Investment Advisers Act of 1940 and rule 206(4)-1(a)(1) – the so-called testimonial rule – to social
Together, these rules prohibit investment advisers from engaging in any act, practice or course of
business that is “fraudulent, deceptive or manipulative.” Similarly, the testimonial rule forbids the use of
endorsements because they “may give rise to a fraudulent or deceptive implication, or mistaken
inference, that the experience of the person giving the testimonial is typical of the experience of the
The SEC provided its guidance in the form of questions and answers designed to offer practical advice in
addressing specific situations. However, the recommendations share the following themes:
• Independence is a necessity – Information disseminated by investment advisers via social
media must be produced independently of the advisers and must not be influenced by them.
Furthermore, investment advisers may not publish public commentary that is an explicit or implicit
endorsement for them or their services because its use would violate the testimonial rule.
• Material connections are prohibited – A material connection would be deemed present if, for
example, advisers influenced social media commentary by selectively censoring, emphasizing or
editing the content before using it for their marketing initiatives. Likewise, advisers may not have
a supervised person submit testimonials on their behalf and then use such content in
advertisements. Advisers providing compensation, including discounts and offers of free services,
to social media users for producing reviews also would constitute a material connection.
• Completeness is paramount – Simply put, investment advisers seeking to incorporate
commentary found on an independent social media site into their own marketing platforms need
to publish such commentary in its entirety. Selectively choosing only favorable reviews or de-
emphasizing negative ones constitutes a violation.
Aside from addressing straightforward advertising initiatives, the SEC’s guidance also cautions
investment advisers regarding the seemingly innocuous use of “friends” or “contacts” lists and
“fan/community” pages. The use of both on social media sites is ubiquitous, but potentially can cause
issues for advisers. The SEC deems as benign the basic listing of current or past clients as friends. But if
the listing somehow creates an inference, for example, that the friends experienced favorable results from
the adviser, it could be judged as a violation of the testimonial rule.
Similarly, the SEC raised red flags not about fan pages in general, but about certain uses of them. For
example, the SEC found no issue with an independent third party creating a fan page that features
the adviser, but strongly cautions the adviser against steering traffic to it, for risk of raising fraudulent or
The FFIEC also has issued formal guidance on social media compliance risk. Entitled “Social Media:
Consumer Compliance Risk Management Guidance,” the supervisory guide, published in December
2013, provides a framework of social media policies and procedures to ensure proper oversight and
The guidance applies to banks, savings associations, credit unions and nonbank entities supervised by
the Consumer Financial Protection Bureau (CFPB). It is intended to help these institutions identify,
assess, monitor and control against harm to consumers, compliance and legal risks, operational risks,
and reputation risks.
Among the key points in the FFIEC’s guidance:
• The guidance does not impose any new requirements on financial institutions. Rather, it applies
existing requirements and supervisory expectations to social media.
• The guidance provides tips that financial institutions may find useful in conducting risk
assessments and crafting and evaluating social media policies and procedures.
• The FFIEC will use the guidance in examinations – and expects financial institutions to do the
same – to ensure that risk management and consumer protection practices address consumer
compliance and legal risks adequately, along with related risks (e.g., reputation and operational
• Rather than discourage the use of social media, the guidance is intended to help financial
institutions use new media safely and effectively by understanding and managing the associated
• Each institution is responsible for carrying out an appropriate risk assessment and maintaining a
risk management program tailored to the institution’s size, activities and risk profile.
• State agencies that adopt the guidance will expect the financial institutions they regulate to
adhere to this guidance.
Challenges and Opportunities
Financial institutions currently use social media in a variety of ways, including marketing, providing
incentives, facilitating applications for new accounts, inviting feedback from the public, and engaging with
existing and potential customers by receiving and responding to complaints or providing loan pricing. The
informal and dynamic nature of this interaction can present some unique challenges, including
compliance, reputation and operational risks (see accompanying table).
Compliance Risks
Deposit and lending products
• Truth in Savings Act/Regulation DD and Part
• Fair Lending Laws: Equal Credit Opportunity Act/Regulation B and Fair Housing Act
• Truth in Lending Act/Regulation Z
• Real Estate Settlement Procedures Act
• Fair Debt Collection Practices Act
• FTC Act, Section 5/Dodd-Frank Act, Sections 1031 and 1036
• Deposit insurance or share insurance
• Electronic Funds Transfer Act
• Article 4, Uniform Commercial Code/Expedited Funds Availability
Bank Secrecy Act/Anti-Money Laundering programs (BSA/AML)
Community Reinvestment Act (CRA)
• Gramm-Leach-Bliley Act Privacy Rules and Data Security Guidelines (GLBA)
• CAN-SPAM Act and Telephone Consumer Protection Act (TCPA)
• Children’s Online Privacy Protection Act
• Fair Credit Reporting Act (FCRA)
Reputation Risks
Fraud and brand identity
Consumer complaints and inquiries
Employee use of social media
• One of several platforms vulnerable to account takeover and the distribution of
Our Point of View
The SEC’s and FFIEC’s guidelines, though helpful, still leave many other questions unanswered
regarding the application of social media. That’s understandable, however, considering that the ever-
changing nature of social media makes it impossible to address or anticipate every conceivable scenario.
The best course of action lies in developing a comprehensive social media plan that monitors the medium
proactively and establishes protocols for its use.
Every financial institution should have a risk management program to identify, measure, monitor and
control social media risks. That program should be commensurate with the financial institution’s use of
social media. Even an institution with no active involvement in social media marketing needs to monitor
for comments or complaints originating outside the organization, and have a plan in place to evaluate and
respond as needed.
The risk management program should be designed with participation from specialists in compliance,
technology, information security, legal, human resources and marketing. Financial institutions should also
provide guidance and training for employees’ official use of social media (on behalf of the organization,
not for personal use).
Per the FFIEC’s guidance, a solid risk management program should include the following components:
• A governance structure with clear roles and responsibilities – The board of directors or
executive management should direct how using social media contributes to the strategic goals –
brand awareness, product advertising and new business development – and establish controls
and ongoing assessment of risk in social media activities.
• Policies and procedures – Institutions should clearly define appropriate and inappropriate social
media use, and specify how they will monitor that use, as well as compliance with consumer
protection laws. Policies should address methodologies for addressing risks resulting from online
postings, edits, replies and records retention.
• Third-party relationships – From search engine optimization (SEO) to social media marketing
firms and contract content providers, institutions need to have a risk management process for
selecting and managing vendors that post and comment on social media on the institution’s
• Employee training – Communication is key. Employees need a clear understanding of what
constitutes both permissible and impermissible social media use and communications, as well as
all online activities.
• Oversight – Institutions need to monitor online chatter regularly and be prepared to
react/respond to potentially damaging posts/comments.
• Audit and compliance – As with any corporate policy or procedure, it is important for financial
institutions to ensure that online activities are consistent and compliant with both internal policies
and all applicable laws and regulations.
• Reporting – A good risk management program should provide for periodic evaluation and
reporting to the board of directors and executive management as to the effectiveness of the
social media program and whether it is achieving its stated objectives.
How We Help Companies Succeed
Social technologies are creating opportunities to acquire and serve more customers, often at a lower cost.
Protiviti helps organizations create social business strategies to engage – not manage – their customers
in a controlled and compliant fashion. We also help build internal communities that improve business
Protiviti’s Community Maturity Model includes eight core social media risk management processes to help
organizations manage risk in their online communities. This model has been validated over several years
by dozens of expert online community specialists, managers and strategists who are members, along
with Protiviti, of The Community Roundtable. These eight processes are illustrated on the left side of the
Protiviti Community Maturity Risk Model, while their maturities are shown from left to right along the top.
As social media presents real opportunities and risks, it demands a disciplined approach. We help
companies benchmark their current state of social business to what others are offering, and work with
them to build a plan with established goals and metrics to advance their social business capabilities to the
next level in accordance with the expectations of community managers, regulators, executives and board
members. See www.protiviti.com/socialbusiness for more information on how we can help.
Protiviti teamed with The Community Roundtable and adapted the Protiviti Community Maturity Model presented
herein by defining processes and maturity levels relevant to establishing and sustaining community.