For many banks, the biggest obstacle to initiating social media |_marketing is resolving the compliance issues.

Here's an overview of the major problem areas.

26

MAti'H ^iin

ABA BANK MARKEnNG

Are Nice But Are They Compliant?

UyKattilynLFarrell

he regulatory compliance issues surrounding scK'ial networking activities of financial institutions fall into five categories: Advertising regulations. Fair Iending/CR.\ compliance. Records ct^mpHance. information security. Bank Secrecy Act IBSA) anti-money laundering regulations and Reg. E. This anicle pro\ides a perspective on the types of issues that .should lie reviewed when managing the risks of using stxiil networking as a customer service tool. As with any new compliance challenge, compliance officers will need lo detemiiiie their institutions' specific risk, establish review and mrinitoring procedures, and determine how to

use the castomer irtbrmation to bolster their banks' ctjmpliance efforts.

Advertising Compliance
Typical social netw^orking sites aimed at consumers, such as Faceb(X)k anti MySpace. are perfect for communicating to consumer's aKiut bank pnxJucLs. A random sample of b:ink pages viewed during a 30-day period found that institutioas in their pcjsts mention all types of tlnancial producLs, stream \ ideo commercials and post product brochures. Also noted: loLs of compliance errors. For regulatory purpcses, banks' messages on social media sites generally fail into the categor>' of advertisements. Whether messages from con.sumers are considered "advertisement.s"

ABA BANK MARKETING MARCH 2010 ?7

Tile following Tweet was noted:

In a social networking environment, making sure that all information is strictly in compliance with the advertising rules could be a challenge.
is a complex question. Fiecause the bank ultimately controls the site and should remove information thai is incorrect, a reasonable view would be that any communication that clears the bank's review and remains visible to the public does qualify as an advertisement for regulator}- purposes. What regulations should the compliance officer consider-' rules related C credit cards (revio .sins to these rules are effective in 2010) so mentioning ratesespecially introduct(;ry or promtnional rateswould require additional disclosures. In a social netwt >rking environent^^where the bank s po.sts strive f(.)r infomialiti' and where consumers can make their own post.smaking sure that all infonnation is strictly in compliance with the ad\eitising Riles could Ixr a cliallenge. Here :ire a ctmple of actual posts (with identifying information I'enioved): A Twitter post: Mortgage rate upcUite^.30-year fi.xed 5.375% APR. 15-year fixed 4.875%, FHA 5.50%. Apply today at [web address/ A brochure posted on Facebook: A Home Ei}uiiy Line of Credit urith NO CLOSING COSTS (6 mo. utmductoiy rate) 350 APR*. then as low as 4. ?<9'>. APR' Tiie Facelxjok posting seems to be a reprini of an ad tliat appeared in a printed format. 'Hie asterisks pr(.)bably referred the reader to the additional disclosures, but unfcrtunately tho.se disclosures did not appear on the Facel"xx)k page. In cases where brochures are reprixluced on a site. tJie entire document sh<;uld appear.

While you 're there, open a CD (up to 3% interest) or savings account. A Facelxiok entr>' from the beginning of July 2(X)9 offered the following: Become a Facehnok fan to get a 4% CD during the month offuty.

FDIC membership advertising requirements

In nearly all cases the bank should inclucie the "Member FDIC" or similar logotyf")e on its page or with its logo. In our review of Faceliook pages and Twitter messages, this logo w-as absent in the majority of cases, even when deposit accounts were specifically mentioned.

Fair Housing Act

If the bank mentions a loan to be secured by the borrower's home, the equal housing lender logo should be included, and no advertising communication can indicate illegal discrimination. This was a widespread error we noted when reviewing Facebook pages with mentions of home-related lending. In the home equity line-of-credit ad cited above, there was no equal housing lender logo even though the posting was a brochure.

Regulation Z requirements for loan advertising

Reg. Z has a plethora of requirements that apply to advertisements of loan products. Generally, if an advertisement states specific terms, only those actually offered by the bank should be included. There are many other loan-related advertising rules in Reg. Z, including the following: If triggering terms are used for open-end or closed-end loans, the other recjuisite disclosures must also lie included (in electronic ads, the other terms can be referenced by a link). Ne\\' requirements fcjr hMiie loan prixlucts require more extensi\'e disclosures ii" rates or payments are mentioned in the ad: HFLOC advertising requirements have also Ixren extensively rew ritten. There are new rules regarding the use of the term "fixed" in connection with loans where the rate or payment may increase under certain circumstances, as well as neiA" rules for advertising ARM loans. The 2008 changes to Reg. Z include rules regarding misrepresentations (e.g., misleading comparisons, misrepresenting government endorsements and so forth), Reg. Z has a host of advertising

Nondeposit retail investment/RNRA advertising restrictions

Under the nondeposit retail investment guidelines any mentions of n<}ndeposit investments require disclosures, and such advertisements must be separate fnjm insured deposit information. FINRA CFinancial Industry Regulatory Authority) has determined tliat communications on social networking sites that are open to the public are considered for regulatory purposes to be advertisements, and institutions mast comply with FINRAs applicable regulations, hi addition, FINRA has stated that if an institution allows its employees to set up profiles on a social networking site that provide work-related information, those profile.^ will also be considered advertising if they are open to the public. If. however, an employee's page is open only to tlie enipi)yee's own contacts, it will be con.sidered "sales literature" and subjea lo applicable regulations. In any

Regulation DD deposit advertising

Reg. DDs deposit advertising rules apply to information posted b\ the bank. For example, if tiie APY is stated, the irther requisite disclosures mtist lie stated. Tlie mention of Ixjnuses also requires additional disclosures.

28 MARCH 2010 ABA BANK MARKHING

Many of the Fears about Bank Use of Social Media are Overblown
A Facebook presence has existed for -TVMidWe.stOne Bank (assets: SI,5 billion), l(nva City. Iowa, since September 2009. The Ixmk uses the site primarily to promote conimtmity activities and the ixtnk s role in ihese activities. 'It help-us to build relationships w ith our nonprofits and loecome a portal for what s lioing on locally." explain Nick Pfeiffer, marketing officer. The original plan was to have one employee primarily in charge of the bank's Fact-book page, with m o otliers to assist and to cover when neetled. However, compliance in.sisted that there be three additional employees available lo respond to any posts. .Additionally, compliance was worried about the types of comments that customers would postthat is, complaints, personal information (account numbers, for example) or obscenities. Pfeiffer says that experience has shown that these fears are not justified, The bank weekly prinLs out and files hard copies of every page on the Facebr>nk site. It also follows a policy on not posting photos that contain people tliat can he identified. "Compliance felt tliis would IK- a privacy issue," says Pfeilfer. The only way ari)und it would have been to have any identifiable person in the photo to sign an agreement allowing the trank to post their phi)to. i would prefer to be able ro go out and lake photos at tliese community events, but we have ni>t found a good way to get around this obstacle," notes Pfeiffer. When de^'L-loping a social media site. Pfeiffer recommends that bank marketers communicate their plans and goals flilly with liieir compliance officers and work together with them tci find a way to accomplish them. Knowthat your bank and compliance officer are unique. obser\'es Pfeiffer. Don't get too excited or upset if your officer won't let you do something tliat another bank is doing. Just because some other bank is doing it. doesn't make it right, he observes, His key suggestion: Be patient and adaptable." WaltAlhro

MdWiIOBi tanli, M... ixjd marml To Takt Cir* of Off C

i n Spy* ftcmovtt
- aqrway ID t n * (P

Chonn

Chvin Cirv MMHOrtj VDur dnmtaiH I K H i

n bv icful iDCf 'or

aatfi a your cnmm

lilumor* l-Da

i. or ipi asupon [

The facebook page of MidWestOne Bank, Iowa City, Iowa.

event, the institution will be responsible for compliance if it allows such practices to continue. To avoid this outcome, the in.stitution shtiuld establish a policy regarding the posting of work-related information on employees" personal social networking pages and will need to blcK'k such activity on woik computers. The ciirporalion's own site shtuld al.so Ix* carefully monitored for compliance. If the institution w ants to put product information on its social networking site^or mention products at all

then FI.NRAs preapproval procedures should be followed and the normal compliance requirements, .such as the following, apply: No exaggerations can be included. All material facts must be disclosed. No tbrward-looking statements can be included, c;iearl\' identify the sound trasis for evaluation. Mutual funds disclosures must be filed with FINRA in advance.

ABA BANK MARKEnNG

MARCH 2010 29

Initiating Sociai Media: Tiiorough Research Pays Off

irst Federa! Bank of Florida launched its Facebtxik account in the spring of 2009 and added T-Aitter die following summer (Twitier primarily reposts the bank's Facel^ook content). First Federal, wiiich has assets of $617 million, is located in Lake Cit>-, Fla. Wlien the lUin to initiate social media rst came up, compliance attempted to find material about compliant SiK'ial media use. At tlie tinie, there was tittle infonnation available. "nilially tliere was a learning curve for both departments liecause social media was so new, and tliere had not been much in the way of guidance or even l">est practices," says

Nina Heringer, public relations ctxirdinator/m:irketing manager. Eventually. tlirough diligent research, both depanments were able to gather information of practical use. Marketing and cx>mpliance made an early decision tt) treat .social media like any other media: If you're selling a product, include the appropriate disclosures. Post "'Member FDIC" and "Equal Housing Lender" tm your Facelxjok page in a permanent place. The bank usually isn't selling a product on its Facebook page {'We don't want to bombard our customers with more selling," Heringer says). However, if tlie

bank does end up promoting its Mobile Hanking or F.a.sy Savings solutions, the bank links the reference to the banks Web site so that customers can obtain more coniprehensive information. Ileringer thinks that the l>est way to avoid compliance-related obstacles in social media is to ihorougWy re.search the issues prior to launch. "Look for other banks that have implemented social media, find articles on online media compliance, and attend Webinars about social media. Tlie more you and your compliance officer know, the easier it will be to adopt social media."

One of the most important risk management issues involved with social networking sites is information security.
Sales of insurance by depository institutions (GLBA)
The insurance disclosures (not FDICinsured, not guaranteed by the bank, not guaranteed by any government agency, may io.se value and so forth) should appear if the bank mentions insurance products in its posts or on its pages.

receives in its CRA public file. Comments received through social networking sites or tlirough a ratings and reviews page would appear to i|ualify. Fiven comments that do not meet the filtering or mt)deration standards or are rem(3ved from a posting page should be maintained in the public file if tliey qualify under the regulations. While tliis may seem like an unfavi)rable development, a bank is actually much more likely to get a favorable comment via one of tliese channels than a negative one. Research shows that consumers who are likely to comment or provide a rating on a pnxJuct or company are much more likely to rate it favorably than not. So encouraging these social networking activities could actually increase the numlier of favc^rable CRA comments the bank receives. Because these sites are a new, convenient channel for the voice of the consumer, there is a good chance that there will be a complaint issued every now and then. Compliiuice professionals should welcome this devektpment. Why? One of the most difficult things to achie\e in a multibrajich environment is to I>e aware of wliat is actually happening in tlie branches. In inany cases, tlie banks employees might not want cu.stomer complaints to reach the corporate'" level because stich complaints may Ix; perceived as reflecting txidly on them or their operations. When information flows freely through social net^v'orking venues, the barriers of communication are broken and the compliance ofTicer can actually hear the voice of coRsumersand learn mt>re alxjut how the bank s policies and practices are peR"eived by the pubiic.

UDAP rules
It's worth taking a look at tlie regulatory agency UDAP Issuances fOCC M 20023; n>IC FIL S7-2CX12, and FIL 26-2004) as well as your stitte's UDAP rules to make sure that everything said on the site is true and not deceptive in any manner. Having a .system in place to monitor customer comments is impeniLi\e to easure tJiat a misinformed statement that is po.sted does not remain and thereby obtain tlie bank s imprimamr.

Fair Lending/CRA compliance

According to Reg. BB and the other CR\related regulations, the bank is required to keep all CRA-reiated ciimments it

30 MARCH 2010 ABA BANK MARKEnNG

Safeguarding Your Social Media Campaign

Technology Can Lower the Compliance Burden of Social Media

ne of the top reasons why community l:)anks avoid S(XMal media is die Lssue of compliance and the concerns it brings. For example, a number ot community banks advertise marketing promotions, new prcxjuas, speci;il interest rates. Internship programs and job openings \'ia their Fucebook and Twitter pages. Under current regulatitjn, each page of a banks' Web site must include the proper disclosures (e.g. Equal HOLISing Opportunity Act, FDIC. KEOC, etc) tiiat are relevant to the page content. In the absence of specific guitlance for this practice through scx:ial networking channels, the .s;ime regulatiiin should be applied to any mentions of products, mortgage rates, or job postings on a sodal media page. Regrettabl)^ compliance regulations have noi kept pace with the atloption ol stKia! media, but banks owe ii to tlieir employees and sliarehoiders to give

them a policy that cleariy provides guidance and controls ftir social netwcjrking in the name of the institution. Community banks that use social media musl establish controls for use and content and identify a way to monitor and recortt these elTorts. Ihe policy should cover tlic purpose of the bank using social networking, how it ciin and cannot l>e used, the appliaitions that are autJiorized. the u.sers and the appnjved content. Moreover, security measures must also \y in place to avoid the phishing of ciistomers and prevent the bank's scx'ial media accounLs (e.g. Facebook account) fnim being hacked or misrepre.sented. The bank should also consi,stently remind social media users tliat perstjnal information cannot Ix? shared. The cunent approach to compliance Ls to assign responsibilities to various empkiyees and use manual processes to monitor tasks. At a time when tiie regiilalory burden and associated costs will tjnjy increase. ieclinok.)gy atn le u.sed to manage the new risks that come with

social networking. The right compliance solution c-an ensure that docunientiition is implicit in the activity' itself and automatically generate an audit tniil. The exUii work that comes with the manual methods is eliminated, thus reducing tfie work associated with compliance by up to 70 percent. As a result the teclinology will ncit only alleviate social media compliance concerns, but also decrease the financial ant.! internal rest^urces that are devoted lo compliance. Moving forward, social media will expand the responsibilities of the compliance department and strengthen its relationship witJi the bank's marketing team b\' giving employees anotlier reason to work t(jgether. Ct)nimunity banks must also address the use of social medi;i by employees in their personal time. N3tTiile they are noi fonnally representing the bank, customers may ntit feel comfortable doing business with individuals who they have seen publicize controversial (Opinions or post pictures in which they are engaging in questionable behavior. Jim Kvicb is Chief Strategy Officer al Continuity Engine even if it were removed from the site. Tliis also applies to ratings and reviews forums. F.ven if the review was filtered during the moderation prcx:ess, the actual conunent needs to be retained. Both Reg. Z and Reg. DD require that evidence of compliance be retained for two years. If deposit or loan infbmiiition on a bank's social networking site qualifies as advertising, that electronic communication should Ix" retained so that it can be retrie\'ed for purposes of d(X"umenting compliance with these regulations. FINRA has determined tliat communiciition tm social media sites related to activities that it governs fall into its record retention rules and must tx; maintained for three years. E-dlscovtT>' requirements will apply to all records maintained by the bank thrcugh its social media forums, so if the comments and material on the bank's social media sites are retained, they liave to be availalile for discovery. A txfst practice is for the bank to formulate pt>cy to determine what infonnation will be retained and for wliat length of time. It is helpful it the comments and information are sonable by topicthat way, if sensitive com-

Records management can be a challenge in the environment of social media.

For example, in many cases, when a fair lending-relaled situation ari.ses. tlie bank's upper management and compliance Stan' often had no idea that a customer was unhappy or that there was a problem with a bank employee until a complaint was made to a regulatory agency. Hearing ihe consumers voice early in the process can only make a compliance officer's job easier in tlie long mn. If there's a problem with a process or the bank is perceived to be acting in a way that is not consumer friendly, learning about it early allows the liank to respond in a thoughtful way and fix die problem.

Records Management Compliance

Records management can be a challenge in the environment of social media. Several laws and regulations require that records be retained for specific time periods. For example. Reg. B requires that all records related to a loan application be maintained for 25 months. Thus, if a customer whose application was denied posts a complaint related to the denial thai comment would need to be retained.

32

MARCH 2010

ABA BANK MARKETING

ments need to be retained for a longer time period tliey can be identified and .stt)red appropri;iiely.

Because these sites are a new, convenient channel for the voice of the consumer, there is a good

Information Security
One of the most impijrtant risk management issues involved with stKial networking sites is inf(jniiation security. Direct mnages and posts from consumers that contain sensitive information such as account information or personally identifiable infomiation are subject to liacking and pliLsliing attacks, which bear a risk of fraud or identity theft. Facebook was hit by multiple plilshing attempts early in 2009- It is important for tlnancial in.stitutions to have the capatiitity to secure messages with sensitive information or have instant mfjderation o mess:iges in iirder to prevent their ex[X)Siire to the public.

chance that there will be a complaint issued every now and then.
computers, the issue of when employees can u.se social networking .sites and how much they can say about their jobs and companies should Ix' a subject of bank polic\'. Both the human resources policy and the Ixink's code of conduct are possible venues for this policy, but no matter where the policy resides, it should clearly address the fcjllowing questions: As social media sites evolve, risk management professionals will need to be especially nimble to kee]") up with the issues tliat arise in the realms of regulatory compliance, information sec-urit>\ technology, and general risk management areas such as reputation risk. Remaining in the information loop wthin tlie institution is the kt*y to analyzing these risks and responding to them in a May employees access their personal timely and appropriate manner. sites during uK>rk hours? For example, can an employee update his or her Facebook, MySpace or Linkedin site during a break or lunch or at any other timer' I Kathlyn I. Farrell Certified How much work-related informalion will the hank allow employees Regulatory Compliance Manager lo post on [iersonal social networking sites? Ciin tlie empkjyee reveal (CRCM), is the managing director the name of the bank or his or of risk management services for her title, job de.scription or similar informatk)n? Such information Sheshunoff Consulting + Technology, often appears on business-related networking sites, such as Linkedln. an A u s t i n , Texas-based bank Should the inlbrmation shared be limited to just the bare facts of the consulting company. She is a Licensed employees joliand no additional attorney with more than 30 years c(.)mpany inft )rmati(jn shared? With whom can the employee con- experience in banking. She has been nect on his or her site (that , "link with." "friend" and so forth)? The in-house counsel and compliance bank should consider whether its policy will address the practice of officer for small- and medium-sized employees connecting with bank customers-unless there is a pre- banks and is the author of the ABA's existing relationshipbecause this is the equi\alent of allowing the "Reference Guide to Regulatory employee to take home (and .store) Compliance." E-mail: tfarrell@smslp. the bank's proprietary customer information. There have been com Telephone: (800) All-1112. instances of employees leaving one institution and soliciting customef5 of the previous institution with whom they were connected via How useful was Uils article? social networking pages. Please use the postage-free Re:Kler Opinion Qird provided Who has the authority to jxist inforin tJiis issue or leave a message mation on hehalfofthe hank on tlye at (202) 663-5075. You can also fmnks own social netu^frking sites? send comments by e-mail to If the hank has a rating's and waibro@afaa.com. reviews site, may employees post their own ratings or reviews of bank pnxlucts?

Bank Secrecy Act/Anti-Money Laundering and Other PaymentRelated Compiiance Considerations

area comes under tlie categor)' of future consideration. There is serious speculation that the most p<:)pular social networking sites will eventually facilitate person-tc^person (1^2P) payement orders, either with real currency through banking channels and nonbanking channels such as PayPal, or tlirough the use of tlifir <>\N n virtual currency'. To tlif extent tliat banks are involved in this activity there are certainly BSA/AML considerations surrounding these payment channels. For instance, an institution would need to inc(5rp(jr.ite this t>'pe of payment activity into its normal BSA/AML monitoring processes to determine whether tlie acti\'iiy Is liigh risk. Appropriate review thresholds and trending analysis would \y necessary. Also, if the trank is directly involved in facilitating payments tliRiugh a social netv^'ijrking site, then Reg. E disclosures would be required for payments made eiectionically.

Ottier Risk-Related Issues

With the use of social netwodcing sites, other risk management concerns ari.se tliat are not directly related to regulatory compliance. Specifically, the sharing of bank-related irbrmation on an employee's personal site poses some reputation risk to the instiaition. ju.st as most institutions liave now grappled with the risks surrounding their employees' use of e-mail and the Internet on work

ABA BANK MARKEHNG MARCH 2010 33

Copyright of ABA Bank Marketing is the property of Bank Marketing Association and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.