Bank Board Letter June 2014 : Page 2

if most of their branches were in the same markets as Target stores, then they might just decide to do a mass reissue. The key is to take action in a timely manner, since losses can easily mount. Procrastination is not a good strategy.

Banks must be proactive and conduct reviews of customers within their databases to determine who might have shopped at the affected retailer that announced a breach. And banks cannot wait to notify their customers that they also need to monitor their accounts. Banks can determine later whether to reissue cards, depending on the volume of those actually impacted.

Considering such massive data breaches are on the rise, banks should develop some type of response plan before any of their customers are affected. Hopefully every bank is prepared for this type of problem and already has procedures and policies in place. Banks should play out “what-if” scenarios, have a process to determine whether the impact is high or low, whether there have been any fraudulent transactions, and then react accordingly.

The $464-asset StonehamBank in Massachusetts put a data breach response plan in place after the bank’s customers were impacted by the TJMaxx breach in 2007. After the bank learned that roughly 900 of its customer cards were impacted by the Target breach, StonehamBank used FoxtrotOne’s software program to determine which cards were actually compromised, and which might have been or could subsequently be compromised. The bank immediately reissued the compromised cards, but sent letters and emails to customers in the latter group, alerting them to monitor their accounts for fraudulent transactions. Stoneham also disabled signature transactions for those cards to minimize fraud, but allowed customers to still use their PINs for their own transactions.

Although sophisticated software can be useful, not all community banks need to invest in such solutions.
They should be able to find ways to monitor their own databases using in-house technology. Smaller banks may also choose to have their staffs personally call some of their higher-value customers, instead of emailing or using automated messages, as in the case of the $40 million-asset BOND Community Federal Credit Union in Atlanta, Ga. BOND staffers called hundreds of customers to let them know their cards had been compromised and that their reissued cards would be arriving in the mail within several weeks.

A larger institution may not have that capability, but it can provide additional support to customers. Bank of America now has a webpage on its site, Understanding Data Compromise, that defines breaches, how the bank is notified of compromises by the credit card companies or law enforcement agencies, what customers can expect when a compromise occurs, what Bank of America will do to monitor their accounts, and what customers should do once their cards are reissued — including alerting companies that receive recurring online payments from them that their card numbers have changed.

Paul Schaus is president of CCG Catalyst, a consulting firm providing strategic direction and focused guidance for banks. For more information, visit ccg-catalyst.com.

TIME FOR BANKS TO GET SOCIALLY COMPLIANT

By Barrie VanBrackle


Offering an explanation of various federal regulations and laws applicable to social media communications, the Federal Financial Institutions Examination Council released final supervisory guidance in “Social Media: Consumer Compliance Risk Management Guidance.”

The final guidance largely tracked the original proposal released for public comment last year. Defining social media as “a form of interactive online communication in which users can generate and share content through text, images, audio and/or video,” the FFIEC offered examples ranging from micro-blogging sites like Twitter and Facebook to consumer review sites like Yelp to photo and video sites like Flickr and YouTube to virtual worlds like Second Life and social games like FarmVille.

One clarification from the proposal: Messages sent via email or text message do not constitute social media, although messages sent via a social media channel are considered social media.

With input from company-wide sources, a financial institution should establish a risk management program related to social media “commensurate with the breadth” of the level of its involvement in social media. The program should feature a governance structure with clear roles and responsibilities and policies and procedures regarding the use and monitoring of social media, as well as compliance with the relevant consumer protection laws and regulations, specifically addressing how to handle the risks of online postings, edits, replies and retention, according to the guidance.

Other considerations include employee training, audit and compliance functions, and a process for handling third-party relationships in the context of social media.

Interaction via social media is by nature more informal and dynamic, the FFIEC noted, which presents compliance, legal, operational and reputational risks for covered entities. For example, a financial institution that posts an advertisement on its Facebook page featuring a triggering term such as “bonus” must then satisfy the disclosure requirements found in the Truth in Savings Act, like the minimum balance required to obtain the advertised bonus.

Financial institutions should also use care not to run afoul of the Equal Credit Opportunity Act and the Fair Housing Act, the FFIEC cautioned, and avoid collecting information via social media regarding a borrower’s race, color, religion, national origin or sex.

Attention should also be paid to the impact of the Bank Secrecy Act and Anti-Money Laundering program, particularly in the context of virtual worlds and the increasing use of Internet games to launder money.

On a bright note for financial institutions, the guidance clarified the scope of comments received from the public that must be maintained under the Community Reinvestment Act’s two-year lookback requirement. “[C]omments about the institution made on the Internet through sites that are not run by or on behalf of the institution are not necessarily deemed to have been received by the depository institution and would not be required to be retained,” the FFIEC explained. “Rather, the institution should retain comments made on sites run by or on behalf of the institution that specifically relate to the institution’s performance in helping to meet community credit needs.”

Another major area of focus for financial institutions is privacy. Laws like the Gramm-Leach-Bliley Act, the Children’s Online Privacy Protection Act, the Telephone Consumer Protection Act, the CAN-SPAM Act, and the Fair Credit Reporting Act all present varying considerations regarding notification to consumers about the collection and use of information via social media as well as appropriate contact.

Separate from legal and compliance risks, the guidance also set forth reputational risks like brand identity and fraud, a serious issue for a bank subject to a phishing or spoofing attack. An inadequate response to consumer complaints or questions on social media can also turn into a PR nightmare for a financial institution (just look at JPMorgan Chase Bank’s recent Twitter foray).

The guidance noted the need for covered entities to conduct the appropriate due diligence prior to working with third parties in the social media context, referencing additional tips on third-party relationships from its member agencies, including the OCC’s recently released guidance.

The FFIEC emphasized that the guidance did not create new duties for covered entities, but is intended to help financial institutions make their way through the ever-expanding world of social media. The guidance also emphasized that because the scope of involvement on social media varies by financial institution, entities must conduct an individualized risk analysis.

“Each institution is responsible for carrying out an appropriate risk assessment and maintaining a risk management program that is appropriate and tailored to the particular institution’s size, activities and risk profile,” the FFIEC explained, specifically disclaiming a “one size fits all” approach. “The revised guidance clarifies and points to the longstanding principle that financial institutions are expected to assess and manage the risks particular to the individual institution, taking into account factors such as the size, complexity, activities and third-party relationships.” Financial institutions would be well served to familiarize themselves with the document and, if they haven’t already, establish relevant policies and procedures for the social media ecosystem.

Barrie VanBrackle is co-chair of the financial services practice at Los Angeles-based Manatt Phelps & Phillips, www.manatt.com.

Read the full article at http://omagdigital.com/article/TIME+FOR+BANKS+TO+GET+SOCIALLY+COMPLIANT/1734912/213495/article.html.
