Guest Contributor: Terry Ray,Vice-President, Software Development, Temenos
In January of 2013, the FFIEC released proposed guidance for financial institutions regarding social media. As the year draws to a close, if your institution has not already written, revised and gotten board approval for your social media policy, you would be wise to do so now. Great! Now that your policy is in place, and you’ve begun employee awareness and training, how do you go about addressing some of the more technology-dependent requirements you’ve created for your institution? You don’t actually have some poor clerk copying and pasting Twitter posts into a spreadsheet do you? This post will suggest some key functional areas to consider as you roll out your social media technology arsenal.
Ah, archiving much? What could be more fun? The requirements for institutions to maintain data for extended time periods are no less excessive for social media than any other form of data. That’s the good news. The bad news is that the social networks themselves do not necessarily store this data on your behalf. So unfortunately, it’s up to the institution to implement long-term archiving of all social media data. And, what about a situation where a post is deleted after the fact? Perhaps the damage, whatever it may be, has been done but the offender has decided to remove the evidence? Want to give Zuckerburg a quick call for help? Or maybe you know some folks over at the NSA. Regardless, wouldn’t it be much easier to leverage a system that captures social media content as close to its creation point as possible? Even better, make sure you have a good search tool for digging up any older posts. It is particularly useful when you can employ some ad-hoc query functionality to specify a range of dates, type of network, or a specific user. Bonus points if you can slay a few trees and print your reports in a nice, clean stack for your friendly examiner.
To monitor, or not to monitor: that is the…. Well, actually, there is no question. You have no choice. The reputational risk associated with social media requires that, regardless of any active engagement by your institution, you are responsible for managing the use of your brand in the socialverse. Obviously, this becomes quite the manual task if one were to take that route. Unfortunately, the practice of search engines and Internet content aggregators is such that they generally do not index social media posts individually (imagine that big data) but rather the profiles of individuals and other entities. So, a Google search is not going to get it done for you. You need a way to track posts as they enter that awesome archiving system (see above) and a strategy for weeding out those deemed problematic. I suggest you implement a system that can generate alerts when appropriate and deliver those alerts to the folks who need to know. So, intelligent monitoring is the key here because the alternative is tragically time-consuming.
Controls and Security
Always a favorite icebreaker at parties, the topic of controls and security must also be addressed as part of a social media policy. Your social media identities are more valuable than you may assume. Consider what might happen if your institutions Twitter account credentials were compromised by a vengeful former employee or a malicious third-party. In a very short timespan, great damage could be done. This falls in the operational risk zone in case you were wondering. Guard these social media credentials appropriately. If possible, have them managed by your IT staff in a way that fits with existing policies and implement a good social media tool that allows marketing and other creative types to share their gifts without accessing those identities directly. Ideally, you would want to have someone on the compliance staff review posts made on behalf of the institution just like a printed ad or radio spot.
In summary, putting social media policy in to practice for a financial institution involves careful selection of one or more technology solutions. Try to think beyond the risk and compliance aspects and plan for your functional needs as well. The three areas I’ve mentioned above aren’t meant to be comprehensive functional requirements but rather some practical items to get your institution thinking. May you have great success with your social media efforts!