Playing Defense: How To Side-Step Common Social Media Mistakes To Maintain Compliance
By Michael Steer
The power of social media to increase reach and drive new business is considered to be a given by most independent mortgage lenders and financial institutions. However, it is that very same power that has drawn regulators’ eyes to this marketing channel.
Lenders have to be extremely careful to ensure they remain in compliance with the many federal and state regulations regarding financial advertising/marketing, especially when promoting products, rates or services, as well as their overall brand.
When it comes to social media, there are several offenses that lenders frequently commit. By recognizing where compliance violations may arise and implementing the appropriate resources or best practices company-wide, lenders can be reasonably assured that their entire organization is protected against these offenses.
One of the biggest social media offenses a financial institution can make is not having a social media risk management program. This is something that the Federal Financial Institutions Examination Council (FFIEC) has stated is necessary. To comply with the FFIEC’s guidance on this, lenders must include the following elements in their social media risk management program:
- A clear governance structure that enables the board of directors or senior management to direct social media strategy in relation to the organization’s overall goals, including the establishment of internal controls and performance of on-going social media risk assessments;
- Specific policies and procedures that cover the use and monitoring of social media to ensure compliance with all applicable consumer protection laws and regulations, as well as guidance on how to address risks from posts, edits, replies and content retention;
- A risk management process for vendor selection and relationship management as it relates to social media;
- An employee training program based on established social media policies and procedures that covers official, work-related use of social media, outlines other possible uses of social media and defines impermissible activities;
- An official process for auditing information posted to proprietary social media sites, either administered by the lender or using a third-party provider; and
- Protocols for reporting to the board of directors or senior management to periodically measure the effectiveness of the social media program against its stated objectives.
Another common misstep lenders commit is not having established crisis communication procedures for addressing offensive, inaccurate or non-compliant social media posts. Not only is this a serious offense from a regulatory standpoint in some states, but it also exposes organizations to a tremendous amount of risk that may be outside of their control.
These days, the line between an individual’s personal and professional presence on social media is often blurry, and the ease with which an individual can be linked to their employer based purely on their digital footprint means employers are often taken to task for their employees’ inappropriate behavior on social media, even when it occurs on the employee’s personal account. Like it or not, lenders need to have a plan in place for addressing these kinds of situations.
The natural instinct for lenders to head off these kinds of issues is to institute rules related to employees’ social media behavior and/or accounts. However, many states have issued their own rules regarding what an organization can or cannot ask employees to do in regard to social media. Examples of these include:
- Requiring employees to connect with a supervisor, administrator or other official employer contact on their personal social media account;
- Stipulating account privacy settings for an employee’s personal social media account;
- Obligating employees to access their personal social media accounts in the presence of their employer;
- Waiving their legal rights and protections as they might relate to social media usage as a condition of applying for or accepting employment; or
- Divulging their personal social media account information (except in connection with the investigation of misconduct allegations).
In addition to directives from their supervisory regulators, lenders must also take into consideration compliance with federal labor regulations when developing social media policies and procedures, including the National Labor Relations Act (NLRA). To avoid possible conflicts with employees’ protected rights, social media policies should be as specific as possible regarding prohibited social media activities.
The National Labor Relations Board also recommends that organizations include examples of both prohibited and permitted behavior in their corporate social media policy to prevent any misinterpretations of corporate policies and/or infringement on employees’ labor rights.
Along with addressing internal threats (i.e. employees), lenders’ social media plans must also cover threats from outside the organization.
As with any online activity, fraud represents a significant risk for corporate social media users in terms of both reputational damage and potential harm to consumers. Because fraud has become so prevalent online, most large lending organizations have already included some form of information regarding social media fraud/scams on their websites.
However, fraudsters are equal opportunity perpetrators, and as such, lenders of any size can fall victim to social media fraud and must take the appropriate steps to maintain the authenticity of their digital presence as much as possible, including addressing the security of their social media accounts. The FFIEC identified operational/IT risk as one of the major categories of risk financial institutions face in regard to social media use, with compliance/legal risk and reputational risk rounding out the top three. As such, it recommends that lenders reference its “Information Technology Examination Handbook” and “Outsourcing Technology Services” booklet to ensure that they are applying the appropriate levels of IT security to their social media accounts.
One seemingly small offense that can quickly get out of hand is not monitoring social media accounts for complaints. Lenders would be wise to incorporate this practice into their overall social media risk mitigation strategy since complaint management is at the heart of an effective compliance management system.
Consumer reviews play a critical role in forming an organization’s online reputation, and social media platforms are one mechanism by which organizations can solicit this feedback. However, social media is not a one-way communication tool, and when consumers feel they have been unfairly dealt with by a company, it is not uncommon for them to post those concerns to that company’s social media accounts to spur a timely response.
Ultimately, lenders should take into account their own risk profile to determine the best approach for monitoring and/or responding to complaints or other communications received via social media and incorporate those decisions into their corporate policies and procedures.
In a similar vein, lenders need to tread lightly when leveraging social media to conduct targeted marketing campaigns. For less regulated industries, this represents a savvy business strategy, as it allows companies to focus their efforts on specific consumer demographics for maximum impact. In the mortgage industry, targeting any segmented group of consumers represents a violation of Fair Lending regulations and/or the Unfair, Deceptive, or Abusive Acts or Practices Act (UDAAP). To avoid running afoul of regulators in this regard, lenders would be wise to eschew this strategy altogether.
In addition to avoiding these common missteps, there are also a host of best practices lenders can implement to ensure all employees are aware of the social media plan, understand how it affects them and what steps they need to take to abide by it when leveraging social media in a professional capacity:
- Appoint a qualified individual or group of individuals to review and manage social media content for the company.
- Include social media in the training program for all new hires, and at least annually (if not quarterly) review social media policies and procedures with all employees, including an attestation that the employee has read them, understands them and agrees to comply with them. Obtain a list of each loan originator’s business-related social media presence at the time of hire, and perform an initial target review, as well as periodic follow-up audits.
- Create a watch list of “repeat offenders,” and target those accounts for audit more frequently.
- Create a list of trigger words to monitor (e.g. free, best, approve/approval, rate, low/lowest, expert, etc.).
- Conduct periodic random searches for potential violations and consolidate findings into a centralized location for review by the compliance department.
- Create a deboarding process for loan originators to ensure they update their social media presence to remove any reference to the company in a timely manner. Document and retain all evidence of these activities in internal compliance and HR folders.
- Use an automated software tool, if budgets allow, to expand organizational reach and more easily identify and manage non-compliant social media posts.
While the power of social media as a marketing tool is undeniable, the level of risk this medium poses to lenders is equally definitive. Awareness is the greatest defense lenders possess to avoid many of the pitfalls that come with social media use, and with the appropriate policies and procedures in place, lenders can mitigate the risk social media use poses to their organizations and ensure safe, compliant social media activity for marketing purposes.
Michael Steer is president of Mortgage Quality Management & Research, LLC (MQMR).