Marketing and customer communication strategy
In addition to evaluating whether and to what extent to permit employee personal usage of social media, financial institutions should integrate social media into their marketing and customer communication strategy, as its rapid and widespread adoption makes it a powerful channel. The danger here is that the very informality of social media -- especially Twitter -- creates an incentive to use it in a spontaneous manner free of the systematic procedures and controls, such as prior legal and compliance review, that apply to direct mail, email and other marketing and communications channels.
Yet precisely because social media is another communications channel, a regulator focused on protecting consumers is likely to apply the same compliance standards. Therefore, all social media posts that represent official statements of the financial institution about its business (e.g., a Facebook page) should undergo the same prior review process as press releases, including legal review for securities compliance if the company is publicly traded. Posts that include a description of or statement about the terms, features or availability of the institution's products or services, including pricing, rates, rewards, eligibility or decision criteria, should undergo a prior regulatory compliance review. (This may limit the ability to advertise specific products on Twitter, since any disclaimers would likely cause the post to exceed the service's 140-character maximum.)
Where social media is used to communicate with individuals, there are additional compliance, information security and brand management issues. Accordingly, scripts, guidelines and procedures should be developed for handling such customer communication that are integrated with those the institution uses for telephone and email communications and address the following issues.
Regulated financial institutions are generally required to retain copies of customer communications, which would presumably include Twitter tweets and Facebook comments, so a system for capturing this information and, if feasible, linking it to the customer's account record should be implemented. With that said, social media should never be used to receive or process personal information or transactions; financial institutions should clearly and repeatedly remind their customers by inserting prominent messages in their profiles and posts and through customer alerts that the institution will never ask for such information or accept such transactions through social media. Customers should be educated to take their individual issues offline. This is vital to protect them from identity theft and the financial institution from fraud losses due to phishing and spoofing schemes.
Brand management and trademark protection
To combat phishing and spoofing schemes perpetrated through social media where a fraudster impersonates the institution by means of a username or profile incorporating the financial institution's name or trademarks, the institution should adopt an aggressive brand management strategy. This strategy should be coordinated with the institution's information security policy, domain name and trademark protection strategy, and should include the use of in-house resources or a trademark monitoring service to detect potentially harmful or infringing uses of the organization's marks on social media sites and elsewhere on the Internet.
Concerns about "name squatting" have increased due to Facebook's recent addition of a feature allowing users to register usernames consisting of vanity URL's (e.g., www.facebook.com/yourname). In the week leading up to the opening of registration, Facebook allowed owners of federally registered trademarks to submit an online form to block the registration of their marks as usernames, but the submission period is now closed. Without an ability to block, there is, quite simply, no legal substitute for a financial institution's "getting there first," (i.e., registering its marks as usernames on social media sites before anyone else does). Financial institutions should do so immediately, even if they need additional time to figure out how to build their profile or develop a social media strategy.
A business confronted with a name squatter has certain trademark protection options. The terms of use for Facebook and Twitter, for example, contain various provisions clearly prohibiting the infringement of third-party trademarks and the impersonation of other users, and both sites reserve the right to reclaim usernames (in Twitter's case, specifically if a username infringes a mark in which another party has legal rights). Facebook also provides an online form which trademark owners can use to submit grievances. When the name squatter's use of a trademark is clearly fraudulent or harmful to the public, such as in a phishing scheme, the social media sites are likely to be responsive and cooperative. However, that may not be the case when a dispute over a username gets into the nuances of trademark law and fair use.
Unlike with domain name cyber squatting, remedies for which exist under both the federal trademark statute and ICANN's uniform domain name dispute resolution policy, which was incorporated in domain name registration agreements, the law of name squatting on social media is still in its infancy. If working with social media sites fails to provide the desired relief and the name squatter can be identified, a civil suit for trademark infringement and/or false designation of origin, among other things, may be possible, provided the name squatter is making some commercial use of the financial institution's name or trademark (such as to obtain money or information or to direct users to a profile or webpage offering competing services), and that consumers are likely to be confused or deceived. If a trademark is extremely well known and the name squatter's commercial use could weaken or tarnish it, a suit for trademark dilution may also be brought.
Twitter prudently
As highly regulated businesses with special obligations to the public, financial institutions must learn to manage the risks of social media before they attract the attention of fraudsters, regulators and plaintiffs' lawyers. With a properly balanced and coordinated social media strategy, financial institutions can reap the benefits of a dynamic new communications channel while avoiding threats to their safety, soundness and the bottom line.
About the author:
Andrew M. Baer is an attorney with extensive experience in technology, e-commerce and information security matters relating to the financial industry. He is the founder of Baer Business Law, LLC (www.baerbizlaw.com), a Philadelphia firm focused on providing clients with cost-efficient business counseling and transactional assistance, particularly in the areas of technology and intellectual property law. He can be contacted at andrew@baerbizlaw.com.
