FFIEC Clarifies Social Media Risks
Final Guidance Addresses Payments, Third-Party Management
The final version of guidance on social media policies and practices that the Federal Financial Institutions Examination Council issued this week contains several clarifications about how to assess risks.
The final guidance, which reflects revisions made since a proposed version was issued by the regulators in January, highlights a number of key issues. For example, the new guidance addresses:
- Specific laws and regulations, such as the Community Reinvestment Act, that should be applied to social media activities;
- Third-party and vendor management risks that banking institutions need to incorporate into their overall risk management activities;
- The need for banking institutions to develop individualized strategies for monitoring and responding to communications posted by customers via social media;
- Clarifications about how social media is defined.
George Tubin, a financial fraud expert and security adviser at online security vendor Trusteer, says the FFIEC's new guidance offers a helpful reminder to banking institutions of the social media risk assessment steps they should already be taking.
"This guidance does not impose any new requirements," Tubin says. "It simply reminds institutions of the existing requirements and provides examples of how existing requirements apply to social media usage."
But the guidance falls short in addressing emerging social-engineering risks to employees, he contends.
"Since the initial proposed [guidance] was distributed, we have been seeing increasing use of social engineering through social media to obtain login credentials," Tubin says. "These attacks are targeted at both bank customers and bank employees."
The guidance is focused on consumer risks, and not risks to bank employees, which Tubin sees as a major shortcoming.
"Typically, the goal of the attack is to lead the [internal] target to a malicious site where they are unknowingly infected with malware," he says. "But this real and growing concern was not addressed."
Avivah Litan, a financial fraud expert who's an analyst at Gartner, says the guidance's failure to address the internal risks posed by social media is concerning because most attacks waged against employees who have privileged access to systems start through social media.
"They usually look for the IT people and then spear-phish them to get the malware on their desktop," she says. "From there they compromise privileged access management. Most advanced threats today take advantage of privileged accounts; so banks need to do a better job of monitoring those privileged accounts."
Most banking organizations lack good policies on addressing social networking risks and protecting privileged accounts, Litan adds.
The final version of the guidance includes insights on how social media could affect emerging payment options, such as Bitcoin and peer-to-peer payments, and outlines pertinent regulations.
Among the regulations that could apply if banks and credit unions rely on social networks for the collection and receipt of payments, or merely consumers' submission of payment account information, are: the Bank Secrecy Act, the Community Reinvestment Act, the Expedited Funds Availability Act, Article 4A of the Uniform Commercial Code, and the Electronic Fund Transfer Act.
The guidance points out that privacy is a concern anytime banking institutions use social media for correspondence about or with consumers. Institutions should ensure they are not violating applicable privacy laws, such as the Gramm-Leach-Bliley Act, the CAN-SPAM Act, the Telephone Consumer Protection Act, the Children's Online Privacy Protection Act and the Fair Credit Reporting Act.
Banking institutions also should be mindful of existing FFIEC guidance, namely the FFIEC Information Technology Examination Handbook, which notes specific steps institutions should take to authenticate users and protect online banking accounts, the guidance says.
"Social media is one of several platforms vulnerable to account takeover and the distribution of malware," the FFIEC guidance states. "A financial institution should ensure that the controls it implements to protect its systems and safeguard customer information from malicious software adequately address social media usage. Financial institutions' incident response protocol regarding a security event, such as a data breach or account takeover, should include social media, as appropriate."
The guidance reiterates that banking institutions should have risk management programs in place that identify, measure, monitor and control risks associated with social media.
"The size and complexity of the risk management program should be commensurate with the breadth of the financial institution's involvement in this medium," regulators say. "For instance, a financial institution that relies heavily on social media to attract and acquire new customers should have a more detailed program than one using social media only to a very limited extent."
But even institutions that are not using social media should develop policies and procedures within their risk management strategies for responding to negative consumer comments and complaints posted via social media platforms, the FFIEC adds. "Financial institutions should also provide guidance and training for employee official use of social media."
The guidance spells out that risk management should include:
- A governance structure with clear roles and responsibilities about how using social media contributes to the strategic goals of the institution;
- Policies and procedures for monitoring of social media;
- A risk management process for selecting and managing third-party relationships;
- An employee training program;
- An oversight process for monitoring information posted to social media sites administered by the financial institution or a contracted third party;
- Audit and compliance functions to ensure ongoing compliance; and
- Parameters for providing appropriate reporting to management regarding the effectiveness of the institution's social media program.
The final version of the guidance also says banking institutions are expected to conduct an evaluation of risks posed by a prospective third party before doing business with it.