The growth of social networking, micro-blogging and collaborative media, such as Facebook, LinkedIn, Twitter and wikis, presents financial institutions, like other businesses, with both challenges and opportunities. Like blogging a few years ago, social media offers businesses a new channel for advertising and customer communications, while employee usage creates various reputational, liability and information security risks (in addition to lost productivity). Enterprises need to adopt a comprehensive social media strategy with policies tailored to the requirements and culture of their business in order to tap the potential and manage the risks of new media.
Financial institutions, however, are not like other businesses, as they have special compliance requirements for communicating with customers, advertising their products and services, protecting customers and the institution itself from fraud, and managing reputation risk. Let's look at the special social media risk management issues financial institutions encounter, and some options for their Internet use policy and marketing, communications and brand management strategies.
Have a corporate Internet use policy
Financial institutions should seriously consider whether to even permit employees to make personal use of social media at work. If they do, such use should be consistent with a written Internet use policy that every employee is required to sign and which should explicitly state that violations may result in disciplinary action. Many elements in such a corporate policy will be the same for non-financial businesses -- e.g., no defamatory or harassing content, no posting of third-party copyrighted materials or trademarks, no posting of confidential or proprietary information.
However, regulators' concern with management of reputational, operational and liability risks as an integral factor in safety and soundness heightens the importance of these elements for financials. For this reason, a financial institution's compliance and information security officers should be prepared to present copies of the corporate Internet use policy and to discuss it in connection with regulatory examinations. Confidential information must specifically include any and all non-public personal information and any associated financial or product eligibility data. As in other corporate policies, unless a social media post is an approved communication or advertisement, the employee should be required to include in or in close proximity to any post that references the financial institution, a conspicuous disclaimer that the post reflects the employee's personal views and not those of the institution.
Because financial regulations require specific disclosures in product advertising, which is also subject to broader scrutiny under the rubric of unfair and deceptive advertising practices, financial institutions -- in addition to requiring a disclaimer -- should prohibit employees from using blogs or social media to provide any description of or statement about the terms, features or availability of products and services, including pricing, rates, rewards, eligibility or decision criteria. Such communications should only be made through authorized channels.
A financial institution should also consider whether to go further and prohibit even generalized comments about its business, since certain comments may reflect adversely on the institution's safety and soundness or reputation (e.g., "I work in the credit card division at XYZ, and I've been seeing a lot of defaults lately") or may be taken as misleading or deceptive. If some commentary is permitted, the employee should be required to clearly state his or her affiliation with the financial institution and include a disclaimer that the post reflects his or her personal views.
Marketing and customer communication strategy
In addition to evaluating whether and to what extent to permit employee personal usage of social media, financial institutions should integrate social media into their marketing and customer communication strategy, as its rapid and widespread adoption makes it a powerful channel. The danger here is that the very informality of social media -- especially Twitter -- creates an incentive to use it in a spontaneous manner free of the systematic procedures and controls, such as prior legal and compliance review, that apply to direct mail, email and other marketing and communications channels.
Yet precisely because social media is another communications channel, a regulator focused on protecting consumers is likely to apply the same compliance standards. Therefore, all social media posts that represent official statements of the financial institution about its business (e.g., a Facebook page) should undergo the same prior review process as press releases, including legal review for securities compliance if the company is publicly traded. Posts that include a description of or statement about the terms, features or availability of the institution's products or services, including pricing, rates, rewards, eligibility or decision criteria, should undergo a prior regulatory compliance review. (This may limit the ability to advertise specific products on Twitter, since any disclaimers would likely cause the post to exceed the service's 140-character maximum.)
Where social media is used to communicate with individuals, there are additional compliance, information security and brand management issues. Accordingly, scripts, guidelines and procedures should be developed for handling such customer communication that are integrated with those the institution uses for telephone and email communications and address the following issues.
Regulated financial institutions are generally required to retain copies of customer communications, which would presumably include Twitter tweets and Facebook comments, so a system for capturing this information and, if feasible, linking it to the customer's account record should be implemented. With that said, social media should never be used to receive or process personal information or transactions; financial institutions should clearly and repeatedly remind their customers by inserting prominent messages in their profiles and posts and through customer alerts that the institution will never ask for such information or accept such transactions through social media. Customers should be educated to take their individual issues offline. This is vital to protect them from identity theft and the financial institution from fraud losses due to phishing and spoofing schemes.
Brand management and trademark protection
To combat phishing and spoofing schemes perpetrated through social media where a fraudster impersonates the institution by means of a username or profile incorporating the financial institution's name or trademarks, the institution should adopt an aggressive brand management strategy. This strategy should be coordinated with the institution's information security policy, domain name and trademark protection strategy, and should include the use of in-house resources or a trademark monitoring service to detect potentially harmful or infringing uses of the organization's marks on social media sites and elsewhere on the Internet.
Concerns about "name squatting" have increased due to Facebook's recent addition of a feature allowing users to register usernames consisting of vanity URL's (e.g., www.facebook.com/yourname). In the week leading up to the opening of registration, Facebook allowed owners of federally registered trademarks to submit an online form to block the registration of their marks as usernames, but the submission period is now closed. Without an ability to block, there is, quite simply, no legal substitute for a financial institution's "getting there first," (i.e., registering its marks as usernames on social media sites before anyone else does). Financial institutions should do so immediately, even if they need additional time to figure out how to build their profile or develop a social media strategy.
Unlike with domain name cyber squatting, remedies for which exist under both the federal trademark statute and ICANN's uniform domain name dispute resolution policy, which was incorporated in domain name registration agreements, the law of name squatting on social media is still in its infancy. If working with social media sites fails to provide the desired relief and the name squatter can be identified, a civil suit for trademark infringement and/or false designation of origin, among other things, may be possible, provided the name squatter is making some commercial use of the financial institution's name or trademark (such as to obtain money or information or to direct users to a profile or webpage offering competing services), and that consumers are likely to be confused or deceived. If a trademark is extremely well known and the name squatter's commercial use could weaken or tarnish it, a suit for trademark dilution may also be brought.
As highly regulated businesses with special obligations to the public, financial institutions must learn to manage the risks of social media before they attract the attention of fraudsters, regulators and plaintiffs' lawyers. With a properly balanced and coordinated social media strategy, financial institutions can reap the benefits of a dynamic new communications channel while avoiding threats to their safety, soundness and the bottom line.
About the author:
Andrew M. Baer is an attorney with extensive experience in technology, e-commerce and information security matters relating to the financial industry. He is the founder of Baer Business Law, LLC (www.baerbizlaw.com), a Philadelphia firm focused on providing clients with cost-efficient business counseling and transactional assistance, particularly in the areas of technology and intellectual property law. He can be contacted at firstname.lastname@example.org.