Anyway, one of the questions this consultant posed had to do with the regulatory risk associated with social media. My response was that I felt that regulators would likely give a social media implementation little more than lip service, and so long as an appropriate risk assessment and policy were in place, the examiners would look no further. I told this consultant that given the current focus of the regulatory agencies, I would be surprised if they considered social media at all. But better safe than sorry.
I followed that up by stating to the consultant that the regulatory risk was the least of a bank's worries. While there may be some regulatory implications related to the use of social media, they are insignificant compared to the larger reputational risk posed by social media.
Earlier today I picked up the November/December issue of Western Banking Magazine. In the Consider This section of the magazine was an article that I wish I had read prior to speaking with this consultant because I think it would have laid it out very neatly for him. I've quoted this section of the magazine below.
"One out of eight respondents to the Travelers Global Technology business unit survey indicated that they post work-related information on social media websites. In fact, 30 percent feel it is acceptable to post information online about their employers as long as they believe it is true. Survey results also showed that more than 75 percent of those who post anything personal online said they were 'not at all' or 'not very concerned' about information posted online causing professional damage.
The growth of social media and the lack of awareness among employees and employers on how social media are changing the corporate landscape could increase a company's risk exposure. The Travelers survey results also indicate that two-thirds of respondents say their companies do not have a policy in place for social media usage, or they are not aware that one exists."
If you have followed this blog you know that I am a stickler for risk assessments and policies. My recommendation is to get the bank's internal auditor or product manager to prepare and present a social media risk assessment to executive management and the board of directors. This should be treated just like any other new product/service implementation.
My next recommendation is to enhance the bank's Acceptable Use Policy to include the social media policy - rather than create an entirely new policy. The bank's information security policy can also be used in lieu of the AUP.
If you have no idea where to begin with a social media policy, begin with my earlier post (Pain Free Social Media Policy). You will be able to get a customized policy up and running in no time.
As I stated above, regulatory risk is the least of your worries. What you want to do is make sure your employees know the rules of engagement - because, whether or not your bank has a social media strategy of its own, chances are your employees are out there potentially putting your good name at risk.