Mortgage Lenders’ Use of Social Media
Mortgage Lenders’ Use of Social Media―Balancing the Benefits and the Risks
A CohnReznick White Paper
JUNE 2014

When the Federal Financial Institutions Examination Council (“FFIEC” or the “Council”)―composed of several major financial and governmental agencies[1]―released its proposed social media guidelines for financial institutions in January 2013, lenders were concerned about the potential implications. Many of the recommendations within the guide have since been clarified and now lay out a comprehensive “handbook” on how financial institutions should execute social media and networking strategies. To assist the lending community in navigating the social media waters, CohnReznick presents the following insight on what all types of lenders can do to mitigate the risks associated with the use of social media while embracing its benefits.

What Is Social Media … and What Is It Not?

In its notice titled, “Social Media: Consumer Compliance Risk Management Guidance,”[2] the FFIEC describes social media as a hyper-interactive, dynamic and constantly evolving form of communication. Examples of social media platforms provided within FFIEC’s guidance include platforms that enable:
• Micro-blogging (Facebook, Google+, MySpace, Twitter)
• Organization of forums, blogs, customer reviews/testimonials, and online bulletin boards (Blogger, WordPress, Yelp)
• Sharing of photos and videos (Flickr, YouTube, Instagram, Pinterest)
• Social gamification and virtualization (Badgeville, FarmVille, CityVille, Second Life)

However, the FFIEC’s guidance only hints at how broad the overall scope of social media is.
The rapid growth of all things “social” has proven to be overwhelmingly difficult to keep up with and has rendered even the most recent and relevant publications slightly inaccurate with regard to the exact number of current platforms and their diverse capabilities. Although we may never be able to pin these numbers down precisely, Figure 1 on page 2 does an admirable job at demonstrating the far-reaching breadth of social media platforms as well as their competencies.

For the purposes of this whitepaper, we will not be touching upon email and text messaging as they are not to be included under the social media “umbrella” per the Council’s guidance. A financial institution’s or lender’s website would not be considered a part of its social media mix either, unless the site includes capabilities similar to those noted above.

[1] The agencies composing the FFIEC include, but are not limited to, the Consumer Financial Protection Bureau (CFPB), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA).
[2] FFIEC. (2013) Social Media: Consumer Compliance Risk Management Guidance. Retrieved from http://www.ffiec.gov/press/pr012213.htm

cohnreznick.com | 1

Figure 1: The Conversation Prism[3]

If You Snooze, You Lose

As the world embraces social media as a way to connect with one another, non-participation in the medium is no longer an option. Customers seeking a service provider will do so online, and a stale Facebook page or stagnant Twitter feed gives a negative impression of the business. Customers naturally gravitate to companies who show an eagerness and seriousness in wanting to do business with them.
In addition to reinforcing brand recognition, participation in social media has a host of other benefits, including repeat exposure to who you are and what you do, the opportunity to influence and engage your community by sharing information and establishing yourself as a credible knowledge leader, and the ability to gain a competitive advantage over competitors who may fall short in their own social media programs. Organizations are also using social media to keep tabs on the market, their industry, customers, etc., and make adjustments to their strategies as required.

[3] Brian Solis and JESS3. (2013) The Conversation Prism. Retrieved from http://conversationprism.com/

2 | Mortgage Lenders Use of Social Media

According to a 2013 report[4] conducted by the Center for Marketing Research at the University of Massachusetts Dartmouth of the 500 fastest-growing private companies in the U.S. as compiled annually by Inc. Magazine, 77% of companies maintain active Twitter accounts, 70% have Facebook pages, 69% have YouTube accounts, and 34 percent are actively blogging. The use of LinkedIn grew to 88% in 2013, making it the platform of choice for the Inc. 500.

In addition, there is a correlation between a company’s social media engagement and its financial performance. According to a survey[5] conducted in November 2013 by LinkedIn and TNS of 998 North American small- and medium-sized businesses (SMBs) with revenue between $1 million and less than $50 million, 81% said they use social media, and of this group, nearly all of them (94%) use it to market their businesses. Seventy-three percent of hyper growth SMBs (those experiencing significant increases in revenue) reported an increased spend on social media. Additionally, they are finding social media to be a highly effective way to maintain brand presence and identity (90%) and a meaningful source of lead generation (82%).
Whether a company was an early adopter of social media or is just now dipping its toes in the water, the risks associated with an enterprise’s presence on social platforms have to be carefully weighed against the benefits. It is quite common for a company’s social media efforts to be spearheaded by marketing or other business teams, such as sales, with little or no input from the information technology (“IT”) and compliance departments. This makes their jobs that much more difficult, as they are forced to play catch up with regard to their strategies to mitigate the risks associated with the new social media exposure points. Oftentimes, we find that existent legal and human resources functions within organizations were not properly consulted and brought into the social media governance fold. This is not only a waste of valuable resources, but is also a surefire way to leave one’s organization susceptible to episodic non-compliance.

While the majority of businesses acknowledge the benefits of social media, few have developed a comprehensive strategy to harness and control it. Impediments include fear of its misuse, security vulnerabilities, or compliance issues. Most social media strategies focus more on the tools and tactics than on its ability to have a positive impact on the bottom line.
In Auditing Social Media – A Governance and Risk Guide,[6] the authors state, “to build the business case for social media, only a comprehensive strategy aligned to business objectives combined with policies and procedures that mitigate risk will be able to properly demonstrate value while calming fears.” A real strategic plan, add the authors, “recognizes that the purpose of social media is to develop relationships and use the appropriate social technologies to leverage connections and conversations between real people, and it involves a new level of commitment to learning and collaboration. A true social media strategy has the greatest ability to support the achievement of business objectives.”

[4] Nora Ganim Barnes, Ph.D., Ava M. Lescault, MBA. (2013) LinkedIn Rules But Sales Potential May Lie with Twitter. Retrieved from http://www.umassd.edu/cmr/socialmediaresearch/2013inc500/
[5] LinkedIn, TNS. (2013) Priming the Economic Engine: How Social Media is Driving Growth for Small and Medium Business (SMBs). Retrieved from http://marketing.linkedin.com/blog/social-media-a-hotbed-for-smb-growth-and-fertile-ground-for-financialservices-prospects/
[6] Peter R. Scott, J. Mike Jacka. (2011) Auditing Social Media – A Governance and Risk Guide

For mortgage lenders, a social media strategy will seek to engage future customers in a meaningful manner while at the same time aligning business goals with compliance implications. Companies can learn from the mistakes of those entities that got burned after blindly jumping into social media use without first and foremost having considered the variety of risks posed by these platforms. Only once a comprehensive assessment of the nature of these risks has been performed can the development of mitigation plans begin.

Social Media’s Inherent Risks

According to the FFIEC, there are three types of risk associated with a financial institution’s use of social media:
• Compliance and legal risk
• Operational risk
• Reputational risk

The mismanagement of these risks can place a lender’s vital assets within the near grasp of danger―including their stored data (including confidential customer data), the integrity of their operational infrastructure, their brand’s reputation, favorable compliance standings and, in some cases, even their bottom lines.

Social Media and Legal Compliance

There has been some confusion as to whether the FFIEC’s guidance should be regarded as a set of regulations or simply used as a “guiding hand” through which financial institutions and lenders develop their own risk management plans. Elizabeth Khalil, senior policy analyst with the FDIC and one of the authors of the FFIEC’s guidance, stated that the document does not create any new obligations in and of itself by which financial institutions must abide. However, financial institutions can, in fact, violate laws and regulations denoted within the guidance. Several of the laws mentioned apply directly to mortgage lending and, without proper social media risk monitoring and management, can serve as grounds for regulatory non-compliance.

For example, to be in compliance with Fair Lending Laws and the Equal Credit Opportunity Act (ECOA), all communication must not solicit, collect, or discriminate based on information related to a consumer’s race, color, religion, national origin, or sex. However, since many social media platforms already collect and present this information, lenders should insulate themselves from Fair Lending Law and ECOA non-compliance accordingly.
This can be accomplished by establishing and documenting compliance training programs for their loan officers through which they are made aware of the potential consequences of inappropriate and unsanctioned practices including, but not limited to, the misuse of consumer information.

Another example that illustrates the relation between social media and compliance is the Real Estate Settlement Procedures Act (RESPA). Section 8(a) of RESPA prohibits the acceptance of fees, kickbacks, or “things of value” for the referral of settlement business. Section 8(b) prohibits the acceptance of portions, splits, or percentages of charges for real estate settlement services. These prohibitions apply to all applications taken electronically, including those taken via social media. An example of a RESPA violation would be a referral-based “contest” or “raffle” hosted online or on a social network where a loan officer’s clients send him/her referrals in exchange for an opportunity to win “things of value” or “kickbacks.” Employees of lending institutions may be tempted to engage in these activities to boost leads, not realizing the potential legal risk at which they are placing themselves and their employers. These are just a few of many possible examples illustrating how improper use of social media by a lender can reflect on its legal compliance status.

Social Media and Operational Risk

Because social media use is relatively new ground for lenders, some may decide to freely introduce these technologies as enterprise-wide business development and marketing tools without first having well-developed IT risk assessments and incident response plans in place―ultimately leaving themselves susceptible to operational risk. Operational risk is defined by the Council as a risk of loss resulting from inadequate or failed processes, people, or systems.
Operational risk strongly ties into social media from an IT perspective and requires proper oversight and management of an institution’s IT infrastructure. Social media is one of many channels susceptible to account hijackings and malware intrusions and, as such, lenders should ensure that the controls they implement to protect their infrastructure and consumer data from malicious breaches appropriately address social media channels as well. Companies should also ensure that their revised incident response plans and protocols regarding cyber security breaches account for social media.

Social Media and Reputational Risk

The Council defines reputational risk as risk arising from negative public opinion. Activities that ultimately result in discontented consumers and/or negative publicity can severely harm any company, even one with contemporaneously robust operational infrastructure and compliant legal standing. Reputational risk is the most diverse of the risks associated with the organizational use of social media and comes in several forms:
• Fraud and Brand Identity ― Outsiders can create a social media profile fraudulently representing your business and broadly distribute false company-related information as well as collect misled customers’ credentials.
• Privacy Concerns ― Lenders should consider the potentially adverse reactions of the public to any use of protected or unprotected personal information through social media.
• Third-Party Concerns ― Working with third-party social media service providers can expose mortgage lenders to substantial reputational risk – especially because end users of third-party sites are more than likely to blame the lender for any problems or complications that may occur on the site, such as the misuse of personal information or vague policy modifications.
• Mismanagement of Consumer Complaints and Inquiries ― Another opportunity for reputational risk arises when lenders and financial institutions do not monitor and address consumer complaints and inquiries in a timely, appropriate manner as these are capable of going viral at any time.
• Independent Employee Use of Social Media Platforms ― Mortgage lenders should be aware that employees’ independent communications on social media platforms can be viewed by the public as reflecting their official policies and views.
  ― The risk can be further elevated by “rogue” loan officers if these employees decide to distribute or collect information in a manner that is unsanctioned by their employer’s practices and policies. However, thorough documentation and employee sign-off processes proving an employer’s provision of training related to company-sanctioned social media practices can prove helpful towards the mitigation of these risks. In addition, lenders should monitor the quality, integrity, and accuracy of all data and claims distributed by their officers through these channels to ensure proper mitigation of reputational risk.

The Fourth Risk―Opportunity

In addition to the risks identified by the FFIEC, CohnReznick offers opportunity risk as a fourth category. The perils generally associated with enterprise usage of social media can easily overshadow the incredible value that social networks can have to mortgage lenders and loan officers. Social media has provided us with a humanizing channel through which we can establish relationships with new clients while keeping tabs on ongoing client relations. Social networks may also hold the Rosetta Stone to future communication with millennials―the generation emerging from the Digital Age―who have recently been seeing ever-increasing purchasing power and are soon to be fully immersed in the housing market. This generation was born at the dawn of widespread technology usage and has come of age speaking in bits and bytes.
The adoption of social media by mortgage lenders and other financial institutions can help decipher this language and facilitate communication and engagement with this vital market segment as we have learned from the recent successes of the entertainment and retail industries.

These four risks combine to create a “perfect storm” of sorts―affording lenders and financial institutions an opportunity to develop a comprehensive, customized risk management program with integrated efforts from functions across the entire organization. This program, when designed and executed effectively, can help lenders implement the policies, controls, and processes necessary to properly monitor, mitigate, and control the severity of these risks’ effect on their assets.

Social Media Risk Management in the Context of Mortgage Lending

One of the most significant driving points behind the FFIEC’s guidelines is that all types of consumer lenders should have a risk management program that enables them to identify, measure, monitor, and control the risks related to social media. These best practices should be developed as a conjunctive effort with inputs from the company’s operational staff including, but not limited to, specialists in compliance and legal, information technology and security, human resources, and marketing.

In conducting social media audits for organizations across several industries, CohnReznick has found a common thread of unaddressed control and process gaps―demonstrating that many enterprises jumped onto the social media bandwagon without first having developed a comprehensive, all-encompassing risk management program with the proper controls and processes in place prior to the introduction of organizational social media use. We also discovered a strong correlation between the components of the FFIEC’s proposed risk management program and the recommended controls that eventually remediated the gaps found amongst our social media internal audit clients. With that said, in the table on pages 8-9 we have listed the components of the Council’s social media risk management program along with our interpretations and the risks associated with their neglect.

FFIEC's Recommended Controls | CohnReznick's Interpretation | Risks Associated with Not Establishing These Controls

Governance structure by which senior-level management directs how social media usage can contribute to strategic goals and initiatives and establishes controls and ongoing assessments of risk related to social media activities.
Before delving into its use, the board of directors and/or senior-level management should discuss how social media fits into the company's current strategy as well as which controls will be instituted and how they will be managed and monitored.
• Lack of top-down awareness and knowledge of social media use

Developed policies and procedures regarding the usage and monitoring of social media and compliance with applicable customer protection laws and regulations.
Social media may generally be considered a realm where a company can "let go" of its corporate inhibitions. However, financial institutions should establish content approval processes to assist in shielding themselves from non-compliance with customer protection laws and regulations.
• Legal risks including, but not limited to, costly lawsuits, regulatory penalties, and other ramifications of non-compliance with applicable laws and regulations such as Fair Lending Laws, RESPA, and Section 5 of the Federal Trade Commission's Act, which prohibits unfair, deceptive, or abusive acts and practices

Due diligence processes for third-party relationships in connection with social media.
Financial institutions should conduct thorough due diligence on potential third-party social media service providers as they will be providing consumers with a company's primary online touch points.
• Misrepresentation of company through third-party's practices
Contractual language should be included in formal agreements with third parties addressing their social media responsibilities.

Documented employee training program incorporating policies and procedures for use of social media.

Oversight process for monitoring information posted by financial institution or contracted third parties.

• Misalignment with corporate strategies
• Lack of accountability for risk oversight
• Operational risks including, but not limited to, account hijackings or theft of consumer information stemming from a third party's potentially weak operational and information technology infrastructure

Social media training should be conducted to ensure that employees understand the purpose of the organizational use of these platforms and their respective roles within these initiatives.
• Introduction of legal, compliance, and operational risks stemming from employee misuse of social platforms

All proprietary social media channels should be closely monitored to ensure that all content posted by the company, its consumers, and/or third-party vendors is in compliance with both internal policies and applicable laws and regulations.
• Reputational risk associated with fraud and misrepresentation of brand
• Lack of organizational insulator in the case of a "rogue" employee's unethical actions
• Independent employee use of social media platforms reflecting on company's official policies and beliefs
• Inappropriate, untimely management of consumer complaints and inquiries
• Compliance and legal risks including, but not limited to, non-compliance with Truth in Lending Act and Section 5 of the Federal Trade Commission's Act

Audit and compliance functions to ensure ongoing compliance with internal policies as well as applicable laws and regulations.
The majority of financial institutions already have some form of audit and compliance functions in place. That being said, these departments can be leveraged for the purposes of company-wide social media initiatives by being brought into the mix and further assisting the company in lessening vulnerabilities related to non-compliance with applicable laws and regulations.
• Legal and compliance risks including, but not limited to, non-compliance with Fair Lending Laws, the Equal Credit Opportunity Act, and RESPA
• Stale controls rendered inadequate by the constantly evolving regulatory environment
Assurance processes should be conducted periodically to ensure that the company's social media usage continues to comply with applicable laws and regulations.

Parameters for providing reporting enabling evaluation of social media program's effectiveness and whether it is achieving its stated objectives.
While it is difficult to measure or quantify social media ROI, there are tools to help gauge these metrics including, but not limited to, levels of engagement with customers, overall social media sentiments, and how the company is performing on social media as compared to competitors.
• Failure to set parameters for the evaluation of a company’s social media program makes it difficult to gauge its effectiveness and calls into question its purpose
• If there is no accountability for sustaining the platforms and adding new content on a regular basis, the company is exposed to reputational risk as sites languish
• If social media is not integrated into the organization’s overall goals and objectives, resources invested in its planning, implementation, and oversight have gone to waste

The Council explains that the size and complexity of the risk management program should be proportionate to the breadth of the company’s involvement on these platforms. However, regardless of the size of a mortgage lender’s operation, a set risk management program should be in place in order to monitor and mitigate the risk associated with the use of these communication platforms.

From a technology perspective, there are several widely available social media monitoring tools and platforms for even the smallest of mortgage lenders such as HootSuite and TweetDeck which, for a relatively small monthly fee, empower their users with the ability to monitor their social platforms. More powerful data discovery applications such as QlikView offer an integrated view across various social media channels that enable users to attribute online conversations to specific parts of their business, allowing accelerated responses to sentiment regarding brand, campaigns, and their associated effectiveness.
Dashboard functionality enables users to quickly compare their social media activity against their competitors’, monitor sentiment (both positive and negative), and make informed adjustments to their business strategy based on measurable trends, not hunches.

Figure 2: Portion of QlikView's Social Media Risk Monitoring Dashboard[7]
[Chart: Number of High Risk Incidents, the number of tweets and Facebook posts over time, for Company A, Company B, Company C, Company D, Company E, and My Company]

[7] Qlikview Social Media Risk Monitoring Dashboard. Example from Qlik (www.qlik.com).

Figure 3: Social Media Sentiment Analysis Illustrated Using QlikView[8]
[Chart: Combined Sentiment Scores for Twitter and Facebook, by company]

What Is Sentiment Analysis?

Sentiment Analysis is the processing of words to identify subjective information. Humans do this all the time: we scan a sentence to understand the attitude of the speaker/writer. We look to understand if the author has a positive, neutral, or negative tone.

Computer sentiment analysis tools look to do the same thing. A program will scan text to decipher the sentiment of the author. The longer the text sample, the better chance the computer has to understand the sentiment. Text can then be scored with a value, based on the perceived tone.

There are many sentiment analysis tools in the market today, but this application uses Repustate, Twitter Sentiment, and Random.
[Chart: Twitter and Facebook Average Sentiment Over Time, for Company A, Company B, Company C, Company D, Company E, and My Company]

Once these controls have been fully implemented, lenders should take part in assurance reviews―the periodic and ongoing monitoring of risk programs and the updating of controls that have lost their relevancy. In its 2010 white paper Social Media: Business Benefits and Security, Governance and Assurance Perspectives[9], ISACA (formerly Information Systems Audit and Control Association) says “it is the role of the assurance professionals within the enterprise to validate and monitor these controls to ensure that they are, and remain, effective and that compliance with these controls is established and measurable.”

[8] Social Media Sentiment Analysis Illustrated Using QlikView. Example from Qlik (www.qlik.com).
[9] ISACA. (2010) Social Media: Business Benefits and Security, Governance and Assurance Perspectives. Retrieved from http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/

The elements identified in ISACA’s Business Model for Information Security can be used by assurance professionals to ensure that risks are being appropriately managed:

Strategy and Governance
• Has a risk assessment been conducted to map the risks to the enterprise presented by the use of social media?
• Is there an established policy (and supporting standards) that addresses social media use?
• Do the policies address all aspects of social media use in the workplace―both business and personal?

People, Processes, Technology
• Has effective training been conducted for all users, and do users (and customers) receive regular awareness communications regarding policies and risks?
• Have business processes that utilize social media been reviewed to ensure that they are aligned with policies and standards of the enterprise?
• Does IT have a strategy and the supporting capabilities to manage technical risks presented by social media?
• Do technical controls and processes adequately support social media policies and standards?
• Does the enterprise have an established process to address the risk of unauthorized / fraudulent use of its brand on social media sites or other disparaging posting that could have a negative impact on the enterprise?

The Bottom Line

Social media plays a significant role in communication and marketing across many industries and that role is likely to become more significant in the future. The migration from “old world” ways of conducting business to today’s real-time, transparent methods may appear understandably daunting to lenders – especially when their own policies as well as relevant laws and regulations have not been able to fully keep pace with the dynamic changes of the social media marketplace.

Mortgage lenders should not discourage their loan officers from using social media as a means of client acquisition and communication as their participation within this arena may result in larger volumes of leads, faster conversion rates, and ultimately, more business for the organization. Lenders should, however, be sure to establish company-wide social media best practices and risk management programs, including training and monitoring platforms, in order to remain in compliance with internal policies as well as all applicable laws and regulations.

Key Takeaways

• For the purposes of this white paper, social media is defined as a hyper-interactive, dynamic, and constantly evolving form of communication.
• As per the FFIEC’s guidance, financial and lending institutions should have all-encompassing, fully-integrated and scalable risk management programs enabling them to identify, measure, monitor, and mitigate the risks associated with organizational usage of social media―including operational, legal, and reputational risks.
• Though the FFIEC’s guidance is not considered a regulatory document in and of itself, adherence to its prescribed risk management program components can assist financial and lending institutions in remaining compliant with laws and regulations.
• Social media-based communication will play a significant role in financial dealings going forward and a failure to adapt and integrate it throughout an organization’s initiatives can result in another significant risk―opportunity risk.
• By establishing proper social media-related controls, policies, procedures, training programs, and audit functions, financial and lending institutions can make strides toward insulating themselves from non-compliance while enjoying the many advantages of organizational social media usage.

For more information, please contact George Gallinger, Principal and National Director of CohnReznick Advisory Group’s Governance, Risk, and Compliance Practice at 973-871-4060 or [email protected], or Roberta Janel, CMB, Director at CohnReznick Advisory Group at 973-871-4027 or [email protected].

Circular 230 Notice: In compliance with U.S.
Treasury Regulations, the information included herein (or in any attachment) is not intended or written to be used, and it cannot be used by any taxpayer for the purpose of i) avoiding penalties the IRS and others may impose on the taxpayer or ii) promoting, marketing or recommending to another party any tax related matters.

CohnReznick LLP © 2014

This has been prepared for information purposes and general guidance only and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you and anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

cohnreznick.com
CohnReznick is an independent member of Nexia International