Pub. 4 2013 Issue 3

West Virginia Banker, fall 2013

be aware of the reputation risk areas including:

○ Fraud and Brand Identity – Protecting brand identity can be a challenging task. With the use of social media, issues can result from comments made by social media users, from spoofing of a bank's communications, and from activities where a fraudster masquerades as the bank. One of the main controls a bank can put in place is monitoring tools to identify heightened risks.

○ Third Party Concerns – Some banks utilize third parties to provide social media services. While the bank may use a third party, the bank retains the responsibility for monitoring the information placed on a social media site. Issues that occur on a social media site used by the bank may result in a damaged reputation, as the consumers using the site may fault the bank for the issues that occur.

○ Privacy Concerns – Customers could have nonpublic information compromised if social media is used to communicate the information. The bank must continuously educate its customers not to disclose nonpublic customer information using social media.

○ Consumer Complaints and Inquiries – Social media can be used by dissatisfied customers to communicate their complaints regarding the bank. The bank should consider implementing monitoring controls for discussions of the bank on the internet.

○ Employee Use of Social Media – Employees can adversely affect a bank's reputation by their posts on social media. If an employee discloses nonpublic customer information, the bank is in violation of the GLBA and has also suffered a loss to its reputation. Other information that could adversely affect the bank includes the disclosure of software solutions used, hardware infrastructure, antivirus software used, etc. All of this information could be used by an intruder to compromise the bank's network and obtain nonpublic customer information.

• Operational risk – The FFIEC defines operational risk as "the risk of loss resulting from inadequate or failed processes, people or systems." The operational risks include the risk posed by the bank's information technology. Social media is part of the bank's information technology system. The FFIEC notes that social media is one of the platforms that is vulnerable to account takeover and the distribution of malware. The FFIEC Information Technology Examination Handbook addresses the various risks and controls a bank should consider.

Risk Management Program.

In order to address the overall risks associated with the use of social media, a bank should ensure that its risk management program provides the appropriate oversight and controls to address the risks presented by the types of social media used by the bank. One item to note is that the size and complexity of the risk management program should be appropriate for the bank's involvement in social media. For example, if the bank uses social media for attracting and acquiring new customers, the plan would be more detailed than if social media were used for general communication purposes. When developing the program, various departments should be involved (where appropriate), including compliance, technology, information security, legal, human resources and marketing.

The risk management program should include various components, including:

• Governance structure with clear roles and responsibilities
• Policies and procedures regarding the use and monitoring of social media
• Due diligence process for selecting and managing third party service provider relationships
• An employee training program
• An oversight process for monitoring information posted
• Audit and compliance functions to ensure ongoing compliance with internal policies, laws, regulations and guidance
• Parameters for providing appropriate reporting to the bank's board of directors and/or senior management

What if a bank elects not to use social media?

Even if a bank does not use social media, the bank should be prepared to address negative comments that may be posted on social media, complaints, and employee guidance for using social media. In any event, it is important to have staff aware of the positive and negative impacts of social media and to assign responsibility for making sure the bank knows how it is being viewed on social media.

Conclusion.

The use of social media is popular and is trending upward. As banks consider the use of social media, a bank should consider the development of an effective social media program to address the risks introduced with the use of social media. As part of the social media program, the bank should ensure that employees sign an acknowledgement of the bank's policies regarding the dissemination of information through social media, and that failure to follow these policies may result in disciplinary action, including possible termination.

Chris Joseph is a Member of Arnett Foster Toothman PLLC, Certified Public Accountants, in the Charleston, West Virginia office. A Certified Public Accountant, Certified Information System Auditor, Certified in Risk and Information Systems Control and Certified Information Technology Professional, Mr. Joseph has twenty-eight years of experience in information technology audit and security services in the financial institutions industry. Mr. Joseph can be contacted at 800-642-3601 or through email: chris.joseph@aftcpas.com.
