FFIEC Clarifies Social Media Risks

Final Guidance Addresses Payments, Third-Party Management

The final version of guidance on social media policies and practices that the Federal Financial Institutions Examination Council issued this week contains several clarifications about how to assess risks.

The final guidance, which reflects revisions made since a proposed version was issued by the regulators in January, highlights a number of key issues. For example, the new guidance addresses:

Specific laws and regulations, such as the Community Reinvestment Act, that should be applied to social media activities.
Third-party and vendor management risks that banking institutions need to incorporate into their overall risk management activities.
The need for banking institutions to develop individualized strategies for monitoring and responding to communications posted by customers via social media.
Clarifications about how social media is defined.

Helpful Reminder

George Tubin, a financial fraud expert and security adviser at online security vendor Trusteer, says the FFIEC's new guidance offers a helpful reminder to banking institutions of the social media risk assessment steps they should already be taking.

"This guidance does not impose any new requirements," Tubin says. "It simply reminds institutions of the existing requirements and provides examples of how existing requirements apply to social media usage."

But the guidance falls short in addressing emerging social-engineering risks to employees, he contends.

"Since the initial proposed [guidance] was distributed, we have been seeing increasing use of social engineering through social media to obtain login credentials," Tubin says. "These attacks are targeted at both bank customers and bank employees."

The guidance focuses on risks to consumers, not on risks to bank employees, which Tubin sees as a major shortcoming.

"Typically, the goal of the attack is to lead the [internal] target to a malicious site where they are unknowingly infected with malware," he says. "But this real and growing concern was not addressed."

Avivah Litan, a financial fraud expert who's an analyst at Gartner, says the guidance's failure to address the internal risks posed by social media is concerning because most attacks waged against employees who have privileged access to systems start through social media.

"They usually look for the IT people and then spear-phish them to get the malware on their desktop," she says. "From there they compromise privileged access management. Most advanced threats today take advantage of privileged accounts; so banks need to do a better job of monitoring those privileged accounts."

Most banking organizations lack good policies on addressing social networking risks and protecting privileged accounts, Litan adds.

Virtual Payments

The final version of the guidance includes insights on how social media could affect emerging payment options, such as Bitcoin and peer-to-peer payments, and outlines pertinent regulations.

Among the regulations that could apply if banks and credit unions rely on social networks for the collection and receipt of payments, or merely for consumers' submission of payment account information, are: the Bank Secrecy Act, the Community Reinvestment Act, the Expedited Funds Availability Act, Article 4A of the Uniform Commercial Code, and the Electronic Fund Transfer Act.

The guidance points out that privacy is a concern anytime banking institutions use social media for correspondence about or with consumers. Institutions should ensure they are not violating privacy laws such as the Gramm-Leach-Bliley Act, the CAN-SPAM Act, the Telephone Consumer Protection Act, the Children's Online Privacy Protection Act, and the Fair Credit Reporting Act.