WHITE PAPER

COMPLIANCE IMPLICATIONS OF SOCIAL MEDIA
A Guide for NCUA Credit Unions
WHITE PAPER – Compliance Implications of Social Media                                                                                                          2




Table of Contents
Overview ...................................................... 3
      Lack of specific guidelines ............................. 3
      Maintaining compliance .................................. 3

CUs in Social Media ........................................... 4
      Appropriate Use of Social Media ......................... 4
      Compliance Curtails Entry into Social Media ............. 5

CU Compliance Concerns ........................................ 6
      Data Leakage ............................................ 6
      Advertising ............................................. 6
      Retention of Records .................................... 6

Wider Regulatory Concerns ..................................... 7
      Gramm-Leach-Bliley Act (GLBA) ........................... 7
      Red Flag Rules .......................................... 7
      Privacy of Consumer Financial Information ............... 7
      Payment Card Industry Data Security Standard (PCI DSS) .. 7
      Federal Rules of Civil Procedure (FRCP) ................. 8

When Social Media Goes Bad .................................... 9
      Hackers Taking Control .................................. 9
      Blogging Gone Bad ....................................... 9
      Good Intentions, Bad Tweets ............................. 9
      Inappropriate Comments Equal Lost Business .............. 9
      Employee Tweets Create Negative Working Environment ..... 9
      Consequences of Violating Regulations ................... 9

Key Tenets of CU Social Media Policies ....................... 10

Mitigating the Risk of Social Media and Web 2.0 .............. 11
      Enforcement of Policy .................................. 11
      Monitor Content ........................................ 11
      Prevent Data Leakage ................................... 11
      Block Threats .......................................... 12
      Log All Content ........................................ 12
      Archive ................................................ 12

Summary ...................................................... 13

About Actiance, Inc. ......................................... 14


This white paper is for informational purposes only. Actiance makes no warranties, express or implied, in this document.


Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or
introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Actiance, Inc. © 2001 - 2011 Actiance, Inc. All rights reserved. Actiance and the Actiance logo are registered trademarks of Actiance, Inc. Actiance Vantage,
Unified Security Gateway and Insight are trademarks of Actiance, Inc. All other trademarks are the property of their respective owners.




Worldwide Headquarters                                EMEA Headquarters
1301 Shoreway, Suite 275                              400 Thames Valley Park
Belmont, CA 94002 USA                                 Reading, Berkshire, RG6 1PT UK
(650) 631-6300 phone                                  +44 (0) 118 963 7469 phone
info@actiance.com                                     emea@actiance.com

©2001-2011 Actiance, Inc.                                                                                                                      A-WP-008-SM-CREDIT-UNIONS-0111

Overview
It took the humble telephone eighty-nine years to reach the 150 million users that Facebook achieved in just five.
The impact of social media can be seen everywhere, in the workplace, at home, even on billboards, and TV. For
credit unions looking to connect with their members and grow their business, social media is a must. But what are
the dangers, who is at risk, and how can credit unions ensure that embracing Facebook, LinkedIn, and Twitter doesn’t
result in a social scandal?

Lack of specific guidelines
Although the National Credit Union Administration (NCUA) has not yet issued additional rules or guidelines on the
use of social media, a look at the regulations already in existence shows that they already cover this new form of
electronic communication. From advertising and the retention of records to the possibility of leaking Social Security
numbers, account numbers, credit card data and other PII (Personally Identifiable Information), the regulations may
not mention social media by name, but social media is clearly a medium through which every one of these negative,
and potentially dire, outcomes can occur.

Social media applications were developed with consumers in mind. Therefore, there are no enterprise controls
available natively. With the majority of credit unions not in a position to control the content of messages posted to
Facebook by employees, let alone archive the messages with any meaningful context, many have wisely decided to
postpone their social media strategy.

However, the compelling evidence of the benefits of embracing social media has meant that others have leapt in
with both feet, potentially placing them ahead of their competitors and making it harder for the rest to justify staying
away from social media. The danger for credit unions is that without the right security, management, and compliance
controls in place, any benefit of its use can evaporate faster than you can say “Federally Insured”.

Maintaining compliance
Following FINRA’s footsteps in the US, the FSA in the UK has recently taken steps to ensure that members recognize
that new media such as social networking, blogs, and forums are automatically included in current regulations. It is
highly likely that the NCUA, along with other financial regulatory bodies, will follow suit and clarify that, like every
other form of electronic communication, care must be taken to ensure that social media usage complies with
current regulations.

This white paper considers the threats that social media poses and the regulations those threats may infringe upon,
and suggests how credit unions can overcome them, remain compliant, and embrace the new Internet.





CUs in Social Media
When President Roosevelt first signed the Federal Credit Union Act in 1934, television was in its infancy. Who
could have predicted that nearly seventy-five years later Larissa Walkiw’s Young and Free Alberta video for the
Common Wealth Credit Union (now Servus) would be one of the most popular credit union videos on YouTube?

Social media is taking credit unions by storm. From marketing to member services, it offers several benefits over
traditional forms of communication, including cost. But perhaps the biggest reason for its success is one that fits
very comfortably with the credit union ethos: the personal touch and dedication to superior member service.
Social media experts have always advocated the use of “real people” and genuine photos of the employees behind
the credit union’s Facebook, LinkedIn, and Twitter presence, and the strategy pays off. One may not know all of one’s
followers or buddies, but interaction and conversation with a face you can put a name to has a major impact in
cultivating relationships.

Smaller credit unions have been quick to take advantage of social media and Web 2.0, with a great deal of success
in attracting new business and growing investment opportunities with existing ones. Their success has not gone
unnoticed by the larger credit unions, which until recently have shied away from social media. However, with more
than 500 million users on Facebook, 75 million on LinkedIn, and 70 million on Twitter, credit unions can’t afford to
not include social media in their business strategy.

A recent survey of 11,000 credit union members conducted by Callahan Internet Strategy Consortium, a group of
credit unions that cooperatively conduct research, discovered that:

•	 More than 82% of credit union members aged 18-60+ use Facebook.

•	 Members using Twitter expect their credit union to provide information, such as fraud alerts (71%), special offers
   (60%), financial tips (58%), and rate specials (57%).

•	 About half of all members surveyed said they would read a credit union’s Facebook page periodically.

(Source: thefinancialbrand.com)

Appropriate Use of Social Media
When credit unions include social media in their marketing plan, they need to understand from the outset that while
it is a social interaction, it’s also a very public and professional one. Every credit union wants to show the “human”
side of their operations, yet they must be careful to not become too casual in their replies to posts and Tweets, or
they face coming across as unprofessional and careless. Content on their social media sites is also important – all
photos and links must be professional as well. “Think before you post” must be kept top-of-mind at all times.
Credit unions must remind their employees to consider how it would look if their post hit the front page of a leading
publication. This advice applies whether that “leading publication” is a newspaper, website, or blog site.

Without a doubt, credit union employees can be great ambassadors. If given every reason to promote the credit union
brand and no motivation to complain, they can spread the word about the credit union advantage far and wide – and
at virtually no cost. Social media proponents argue that appropriate use of social media can help create a positive
corporate culture, which in turn leads to happier and more productive employees. Some social media advocates even
go so far as to contend that the optimal use of social media can actually increase productivity, e.g., by taking a few
minutes off to play a Facebook game or watch a couple of funny YouTube videos, the employee comes back relaxed,
refreshed, and ready to work!






Compliance Curtails Entry into Social Media
One of the reasons for the delay by many credit unions in taking the social media plunge has been well-founded
concerns over compliance issues. Whether this is due to a greater awareness of the potential pitfalls or to waiting for
guidance from regulators such as the NCUA is not clear, but it is worth noting that some of the biggest credit unions,
such as BECU and Golden 1, can now be found on Twitter.

Social media is just an extension of how credit unions converse with their members. Whether it’s assistance
in using a service, letting people know about the latest offers, or even introducing new business contacts,
Facebook, LinkedIn, and Twitter simply offer another point of contact, just as walking into a local branch or
talking on the telephone does.

However, as with every other form of communication, care must be taken that anything that could be considered an
advertisement or advice complies with current regulations. For the majority of communications, that means
securing, filtering, monitoring, and archiving each and every post. That is not an easy task when there are so many
different social media and Web 2.0 tools and applications.






CU Compliance Concerns
As social media use within credit unions grows, so does the risk of non-compliance. Whether a credit union is using
social media to communicate with members, announce new products, or promote community events, it’s not just
the outspoken views of rogue employees that it needs to control. Social media can suddenly allow a vast number
of credit-union-specific guidelines and regulations, as well as other associated regulations such as the Gramm-Leach-Bliley
Act (GLBA), to be broken, often unintentionally.

Data Leakage
Although not specifically covered in either NCUA or National Association of State Credit Union Supervisors
(NASCUS) regulations, the use of modern communication tools is still governed by current rules. For instance, the
NCUA guideline 792.67, Security of systems of records, states credit unions “…shall establish administrative and
physical controls to ensure the protection of a system of records from unauthorized access or disclosure and from
physical damage or destruction…Procedures shall also be adopted to prevent accidental access to or dissemination
of records.”

In Actiance’s Fifth Annual Collaborative Internet Survey, 14% of organizations questioned had experienced data
leakage through social networks and a further 18% took disciplinary action as a result of incidents. Whether it’s
an instant message to the wrong person, a tweet that should have been a direct message, or a misjudged post to
Facebook, the route for accidental leakage has never been easier, nor has it had such a potentially wide audience.

Advertising
Advertising regulation is also a potential compliance failing point. From Regulation Z – Truth in Lending to the
Fair Housing Act (FHA), the rules around advertising are being tightened all the time. Under the Fair Housing Act,
“Advertisements must not contain any words, symbols, models or other forms of communication that suggest a
discriminatory preference or policy of exclusion.”

NCUA rule 707.2 defines advertisement as “a commercial message, appearing in any medium that promotes directly
or indirectly…” terms, yields, and bonus.

Under rule 707, these “trigger” words mean that a notice must be given as to where investors can view additional
information on the offer, such as a web page. For credit unions using Twitter, this ruling can sometimes be
a challenge, but the use of shortened URLs can help to keep posts to 140 characters and still comply. Consideration
should also be given to chats over IM, as the rulings around advertising still apply and disclaimers should still be given.

Retention of Records
The Truth in Savings Act demands that “A credit union shall retain evidence of compliance with this regulation for a
minimum of two years after the date disclosures are required to be made or action is required to be taken.” However,
for credit unions using social media, this ruling may prove difficult to comply with. Facebook, for instance, currently
offers no archiving facility for members’ posts, making it impossible for credit unions to keep a reliable record of
messages posted.

Appendix A to part 749 of the NCUA regulations states that although there is no specific format in how records are
retained, they must be easily accessible and accurate. In addition, “The credit union should also ensure that the
reproduction is acceptable for submission as evidence in a legal proceeding.” Compliance with eDiscovery requires
a tamper-proof archive, and best practice demands that records include the context of the message, not just the
message posted.
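The tamper-proof archive with message context described above, shown as an added example that is not part of this white paper and is not an Actiance product: each archived post is hash-chained to the one before it, carries the platform, author, timestamp and the post it replied to, and a verifier reports the first record that was altered, removed or reordered. The record fields, the genesis value and the sample conversation are assumptions constructed here for illustration.

```python
"""Added example (not the white paper's or Actiance's code): a tamper-evident,
hash-chained archive of social media posts that keeps the context eDiscovery
needs. Record fields and the sample exchange are assumptions made here."""
import hashlib
import json

# Assumed chain anchor. In practice the latest hash is also copied to
# write-once storage so the head of the chain itself cannot be rewritten.
GENESIS = "0" * 64


class PostArchive:
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash, record):
        # Canonical JSON so an identical record always hashes the same way.
        payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

    def append(self, platform, author, timestamp, text, in_reply_to=None):
        """Append a post and return its sequence number. in_reply_to is the
        sequence number of the post this one answers, so threads can be rebuilt."""
        seq = len(self.entries)
        record = {"seq": seq, "platform": platform, "author": author,
                  "timestamp": timestamp, "text": text, "in_reply_to": in_reply_to}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"record": record, "prev_hash": prev,
                             "hash": self._digest(prev, record)})
        return seq

    def verify(self):
        """Recompute the whole chain. Returns (True, None) if intact, otherwise
        (False, seq) for the first record whose content or position no longer matches."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            rec = entry["record"]
            if rec["seq"] != i or entry["prev_hash"] != prev:
                return False, i
            if self._digest(prev, rec) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None

    def thread(self, seq):
        """Records from the root of the conversation down to `seq`: the context
        that should accompany a single produced message."""
        chain = []
        while seq is not None:
            rec = self.entries[seq]["record"]
            chain.append(rec)
            seq = rec["in_reply_to"]
        return list(reversed(chain))


def demo():
    """Constructed sample exchange; returns (verify before tampering,
    verify after a simulated edit, authors in the reply thread)."""
    arc = PostArchive()
    q = arc.append("twitter", "@member_jane", "2011-01-10T09:12:00Z",
                   "Do you still offer the 2.9% auto loan?")
    a = arc.append("twitter", "@examplecu", "2011-01-10T09:30:00Z",
                   "Yes, see http://cu.example/rates for terms.", in_reply_to=q)
    before = arc.verify()
    arc.entries[q]["record"]["text"] = "Do you offer a 1.9% auto loan?"  # simulated edit
    after = arc.verify()
    return before, after, [r["author"] for r in arc.thread(a)]


if __name__ == "__main__":
    print(demo())
```

The chain proves that nothing in the archive changed after it was written; it does not by itself prove that a post was captured in the first place, which is why capture has to happen at the gateway rather than be reconstructed from the social network later.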






Wider Regulatory Concerns

Gramm-Leach-Bliley Act (GLBA)
Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) outlines standards for safeguarding confidential member
information, including names, addresses, phone numbers, account numbers, and Social Security numbers. The
GLBA requires that the content of communications should be scanned for such information, that the data should not
be sent in clear text, and that it should never be sent via public communications channels.

In a survey by Actiance, over a third of the respondents that can access IM services at work admitted to sending an
instant message to the wrong person. Accidental data leakage is one of the biggest concerns for any organization.
Many financial institutions take care to move conversations that require sensitive information exchange to more
secure channels, but all it takes is a simple mistake for a regulation to be violated.

Red Flag Rules
The Red Flag rules require credit unions to protect information against identity theft and to implement a program that
would detect warning signs or raise a “red flag” to possible suspicious activity. The rapid growth in social media and
Web 2.0 usage has made them a magnet for hackers and malware writers looking to steal confidential information
that enables them to directly steal identities or to build up a profile that may lead to identity theft.

One of the problems with social media is that users place too much trust in their network of followers or friends,
which lets social engineering techniques that persuade users to give up passwords or click on malicious links
succeed at a surprising rate.

Privacy of Consumer Financial Information
The consumer privacy rule generally encompasses a privacy notice that details how non-public information may be
used by the credit union and an opt-out clause for the consumer. Similar to the GLBA, credit unions must ensure that
non-public information, including name and address, transaction history, consumer credit reports, and court records,
is protected against malicious and accidental data leakage.

In addition, guidance issued by the NCUA states, “The fact that an individual is a customer of a credit union equates
to personally identifiable financial information about that consumer,” which is something to keep in mind when
devising social media strategies to encourage new followers and fans.

Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS requires that organizations that process payment account information should ensure that they build and
maintain a secure network, encrypt cardholder data sent over public networks, and that unique IDs are assigned to
individuals that have access to cardholder information.

When using social media, credit unions need not only to guard against data leakage but also to be able to identify
those employees who have access to both cardholder information and applications such as instant messaging or sites
such as Facebook, which frequently involve the use of different user names.






Federal Rules of Civil Procedure (FRCP)
The FRCP defines the procedures for managing civil suits in district courts, including legal discovery. Rule 34 allows
the requesting party to designate the form in which the electronically stored information should be produced. If this
format is unavailable, the producer must deliver it in a form which is reasonably usable.

Social media sites such as Facebook, LinkedIn, or Twitter have neither archiving facilities nor a guarantee to keep
messages for the last week, let alone the six or seven years that some legislation requires. Being able to accurately
reproduce data for a court of law is challenging in the best of times; social media has just made it harder.






When Social Media Goes Bad
Here are some examples of how unchecked social media activities can cause damage to a credit union:

Hackers Taking Control
In February 2010, Omni Credit Union and Advanced Savings both lost control of their Twitter accounts by disclosing
their password in a social engineering attack. The hackers then used the accounts to send out spam porn, including
malicious links. Although no harm was done, besides a few surprised members being offered more than a great APR,
the incident potentially damaged the reputation of the credit unions.

Blogging Gone Bad
Last year, a receptionist from a credit union in Utah blogged about her pet peeves at work, including the name of her
credit union. Fortunately, someone quickly pointed out the error of her ways; the blog was promptly taken down
and an apology issued. Still, it is remarkable how often a simple lack of forethought is behind a social media faux pas.

Good Intentions, Bad Tweets
A loan officer at a credit union in Wisconsin was simply looking to get the word out about the credit union’s great loan
rates. After all, it is his job to build the credit union’s much-needed loan portfolio. Looking to generate new business,
he tweeted about their excellent new and used car rates – albeit without all of the required legal disclosures. Simply
not enough room in 140 characters!

Inappropriate Comments Equal Lost Business
A teller at a Kansas-based credit union had a negative experience with a member who was having a bad day. Before
social media, such an occurrence would be confined to the back office and perhaps a post-work conversation at
the employee’s dinner table. However, when the teller posted her thoughts on the member’s rude behavior on her
Facebook page, it did not take long for it to circulate back to the member. Later that week, the member closed his
account with the credit union, and it just happened to be a quite profitable account.

Employee Tweets Create Negative Working Environment
A group of employees were killing time on a slow day by tweeting back and forth at a small credit union in Texas –
fairly harmless chit chat at first. But, when the tweets migrated into sexually oriented matters, one employee was
offended. Fortunately, it did not lead to a sexual harassment lawsuit, but it did create tension and a negative working
environment at the credit union’s headquarters.

Consequences of Violating Regulations
Below are just some of the dire consequences associated with violating NCUA regulations:

 Regulation                                     Consequences of violation
 GLBA                                           Substantial fines, imprisonment for up to five years, and loss of reputation
 PCI                                            Substantial fines and loss of reputation
 Red Flag Rules                                 Penalties of up to $3,500 per violation
 PCI-DSS                                        Fines of up to $500,000, possible refusal of future transactions, and loss of reputation
 Regulation Z (Truth in Lending)                Fines of up to $5,000, imprisonment for up to one year
 Regulation E (Electronic Fund Transfers Act)   Substantial fines, imprisonment for up to one year






Key Tenets of CU Social Media Policies
Many observers believe that there is anarchy in the absence of social media policy and training. Perhaps the first step
is to emphasize the credit union’s core values: the mission statement and member service guidelines must carry over
online. In other words, the credit union’s General Code of Ethics should provide guidance on the positive behavior
expected from all employees, regardless of channel.

Credit unions should invest in adequate training programs to remind their staff of their responsibilities and outline
clearly what is acceptable and appropriate. They should send frequent messages to employees on the misuse of
social media and draw upon case studies to convey the consequences of bad behavior or reputational damage to
the credit union. Credit unions must establish clear rules of engagement – these rules need to spell out employee
expectations in terms of tone, language to be used, as well as situations that demand an employee response, e.g.,
correcting misguided information related to interest rates or loans.

Other items that credit unions should consider adding to their policies include:

•	 Don’t let personal use of Twitter or other social networking sites interfere with work.

•	 Employees must be approved to use Twitter or other social networking sites to conduct business.

•	 Any use of the credit union’s name, trademarks, logos, or other intellectual property must be approved.

•	 If employees make personal comments about any aspect of the credit union’s business, their profiles must carry a
   disclaimer that the views expressed are their own and not the organization’s views.

•	 Tweets and other posts may not disclose confidential, proprietary, rate, or loan information.






Mitigating the Risk of Social Media and Web 2.0
Traditional security measures are no match for today’s modern communication tools. Many legitimate applications
use evasive techniques, such as port hopping, protocol tunneling, and encryption. In addition, some use peer-to-peer
connections. Skype, for instance, uses a peer-to-peer connection and is encrypted end-to-end, often even tunneling
through HTTP on port 80 if that is the only port and protocol it finds open on the firewall, which defeats any attempt
to control it with a URL filtering solution.

Aside from the obvious hazard of malware using this unauthorized channel to enter the network surreptitiously,
enabling social media and Web 2.0 applications without the means to prevent other communication channels from
being used adds the danger that organizations are not monitoring everything that leaves their network.

Below are the key areas that credit unions must consider when enabling social media and Web 2.0 to be used in
the workplace. Control of social media is not as difficult as it first seems; credit unions just need to follow the best
practice guidelines of control, including logging and archiving all pertinent content. What they must recognize is that
their current security measures are no match for Web 2.0 applications.

Enforcement of Policy
Social media and Web 2.0 applications offer huge productivity benefits, but that doesn’t mean that employees
should be given free rein. Consideration should still be given to whether an employee really needs access to specific
applications or needs to be able to transfer certain file types.

In Actiance’s Fifth Annual Survey, The Collaborative Internet: Usage Trends, End User Attitudes and IT Impact
(originally published as “FaceTime’s Fifth Annual Survey”), file sharing tools (websites or P2P applications) were
found to be present in 74% of enterprises, with only 32% of IT professionals estimating that they were in use.  Web-
based chat was also found in 95% of enterprises, with only 31% of IT professionals estimating that it was in use.

Credit unions need to ensure that only authorized websites and applications are used by employees and that access
is limited to their job requirements. Whether that means being able to post to LinkedIn but not to give recommendations,
or to view Twitter but not to post, each decision must be weighed not just from a reputational standpoint but also
against the regulations that could be violated.

Monitor Content
Just as the majority of organizations have implemented technology to monitor email content, the same must be
done for social media. Whether a credit union decides only to block posts that contain trigger words such as “APR”
or “yield,” or to send all posts to a compliance officer for review, will depend on its individual circumstances.
Without some form of monitoring in place, however, it will be impossible for credit unions to demonstrate
compliance with many advertising regulations.

Prevent Data Leakage
As credit unions turn to social media to collaborate with colleagues and members, the risk of accidental data leakage
has increased significantly. A small lapse in judgment can have serious consequences. Controlling how social media
is used in the workplace is not just about stopping an inappropriate comment; it’s also about preventing users from
sharing business-critical information in what is essentially a public forum.

In Actiance’s Fifth Annual Collaborative Internet survey, 69% of IT respondents reported incidents of malware and/or
information leaks due to the use of Internet applications. Viruses were most common at 55%, followed by spyware
infiltrations at 45% – but in new statistics gathered for the first time this year, 14% have seen data leakage through
social networks.



Worldwide Headquarters              EMEA Headquarters
1301 Shoreway, Suite 275            400 Thames Valley Park
Belmont, CA 94002 USA               Reading, Berkshire, RG6 1PT UK
(650) 631-6300 phone                +44 (0) 118 963 7469 phone
info@actiance.com                   emea@actiance.com

©2001-2011 Actiance, Inc.
Prevention of data leakage features prominently in virtually every regulation that a credit union must comply with.
For example, a quick tweet of “@(member name) thanks for stopping by the branch today” could potentially break a
confidentiality clause if the member hasn’t publicly indicated the visit themselves.
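As an added illustration of the monitoring and data-leakage controls described above (this is example code written for this page, not Actiance’s product and not from the original paper), the following Python gate classifies an outbound post before it is published: a post that appears to carry a member account number is blocked outright; a post that uses an advertising trigger term such as “APR” or “yield”, or that names a member in connection with a branch visit, is held for a compliance officer; everything else is allowed. The account-number pattern, the extra “APY” term, the visit phrases and the sample posts are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Advertising trigger terms. The paper names "APR" and "yield"; "APY" is an
# added assumption covering the same class of rate-disclosure terms.
TRIGGER_TERMS = ("APR", "APY", "yield")

# Constructed DLP pattern: assumes member account numbers are 8 to 12 digits.
ACCOUNT_NUMBER_RE = re.compile(r"\b\d{8,12}\b")

# A social media handle such as @m_smith (the lookbehind excludes e-mail addresses).
HANDLE_RE = re.compile(r"(?<![\w.])@\w+")

# Phrases that, together with a handle, suggest the post discloses a member's
# dealings with the credit union (the "thanks for stopping by" case above).
VISIT_PHRASES = ("stopping by", "stopped by", "visiting", "came in", "at the branch")


@dataclass
class Decision:
    action: str                               # "allow", "hold" or "block"
    reasons: List[str] = field(default_factory=list)


def review_post(text: str) -> Decision:
    """Classify an outbound post before it reaches the social network."""
    reasons: List[str] = []

    # Hard stop: anything that looks like an account number never leaves.
    if ACCOUNT_NUMBER_RE.search(text):
        return Decision("block", ["possible member account number"])

    lowered = text.lower()
    if HANDLE_RE.search(text) and any(p in lowered for p in VISIT_PHRASES):
        reasons.append("names a member in connection with a branch visit")

    for term in TRIGGER_TERMS:
        if re.search(rf"\b{re.escape(term)}\b", text, re.IGNORECASE):
            reasons.append(f"advertising trigger term '{term}'")

    if reasons:
        return Decision("hold", reasons)      # route to a compliance officer
    return Decision("allow")


AUDIT_LOG: List[dict] = []   # in-memory stand-in for the archive every decision goes to


def gate(platform: str, author: str, text: str) -> str:
    """Apply review_post, record the outcome, and return the queue the post goes to."""
    decision = review_post(text)
    AUDIT_LOG.append({"platform": platform, "author": author, "text": text,
                      "action": decision.action, "reasons": decision.reasons})
    return {"allow": "publish", "hold": "compliance-review", "block": "rejected"}[decision.action]


if __name__ == "__main__":
    # Constructed sample posts.
    samples = [
        "We're open Saturday 9-1 at the Main St branch.",
        "Our new auto loan: just 4.9% APR through June!",
        "@m_smith thanks for stopping by the branch today",
        "Member account 123456789012 has been updated",
    ]
    for s in samples:
        print(f"{gate('twitter', '@examplecu', s):18} <- {s}")
```

The first sample publishes, the APR and branch-visit samples go to review, and the account-number sample is rejected. Every outcome, including the allowed ones, is written to the audit log, because the point of monitoring is being able to demonstrate afterwards what was checked, not only what was stopped.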

Block Threats
It is no secret that Web 2.0 applications, public IM, peer-to-peer file sharing and social media introduce risk to the
credit union. The productivity advantages of collaboration are quickly lost when malware infections send the IT staff
into the equivalent of search and rescue mode to clear malware from end points and protect the credit union from
sensitive data loss.

Unsurprisingly, social engineering tactics are used extensively by malware writers who hijack IM buddy lists to
trick users into thinking a link coming in on their IM screen is actually from a trusted friend on the system. Once
introduced to the network, multi-protocol malware can quickly jump from the public IM system to internal systems.
Credit unions need to ensure that all entry points for malware are blocked, not just email and basic Internet
gateway ports.

Log All Content
To comply with industry regulations and eDiscovery requirements, credit unions need to be able to log each
and every interaction posted to social media and other Web 2.0 applications. Although sites like Twitter and Facebook
have not yet been specifically mentioned in guidelines such as those issued by the NCUA, the current regulations make
it perfectly clear that records pertaining to transactions, advertising, and other credit union activities should be
archived. Beyond non-compliance, the consequence of not logging content is that it potentially leaves the credit
union at the mercy of the other party in a legal dispute.

Currently, the majority of social media sites do not offer any means to log and store content, nor do they give
any guarantee that the information there today will be available tomorrow. Going further, it’s not a given that
today’s social media darling will still be around in two years’ time for content and conversations to be retrieved. To
ensure compliance, credit unions need to consider how to log content posted to social media, including the context of
the whole “conversation”.

Archive
The process of archiving, storing, and making social media conversations easily retrievable for regulatory
compliance and legal discovery is made far more complex by the multidimensional nature of these conversations.
For example, a chat on a Facebook wall can include numerous participants joining at different times, so the archive
must capture the context in which each participant saw the conversation.

To simplify retrieval, credit unions need to ensure that content and context of posts and messages can be exported,
along with corporate identity credentials, to an email archive or WORM storage, for a single discovery location.
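An added example of the logging and archiving requirement described in the last two sections (written for this page, not code from the paper or from Actiance): a hash-chained, append-only archive in Python that keeps every post with its thread and parent reference, maps social handles to a single corporate identity, and can export a whole conversation or one employee’s posts across platforms for a discovery request. The handle-to-identity table and the sample Facebook thread are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple

# Constructed mapping from (platform, handle) to one corporate identity, so the
# same employee's posts on several networks are retrievable together.
CORPORATE_IDENTITY: Dict[Tuple[str, str], str] = {
    ("twitter", "@jjones_cu"): "emp-0042",
    ("linkedin", "john-jones-cu"): "emp-0042",
    ("facebook", "examplecu.page"): "corp-page",
}

GENESIS_HASH = "0" * 64


@dataclass
class ArchiveRecord:
    seq: int
    platform: str
    thread_id: str                 # the wall post or tweet that started the conversation
    parent_id: Optional[str]       # the post this one replies to; None for the root
    post_id: str
    author_handle: str
    corporate_id: Optional[str]    # None for members of the public
    timestamp: str                 # ISO 8601, as captured
    text: str
    prev_hash: str                 # record_hash of the preceding record
    record_hash: str


def _digest(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the record body."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class ConversationArchive:
    """Append-only, hash-chained log of social media posts kept in thread context.

    The chain makes after-the-fact edits detectable; retention itself still
    depends on the WORM store or e-mail archive the records are exported to.
    """

    def __init__(self) -> None:
        self.records: List[ArchiveRecord] = []

    def append(self, platform: str, thread_id: str, parent_id: Optional[str],
               post_id: str, author_handle: str, timestamp: str, text: str) -> ArchiveRecord:
        prev_hash = self.records[-1].record_hash if self.records else GENESIS_HASH
        body = {
            "seq": len(self.records), "platform": platform, "thread_id": thread_id,
            "parent_id": parent_id, "post_id": post_id, "author_handle": author_handle,
            "corporate_id": CORPORATE_IDENTITY.get((platform, author_handle)),
            "timestamp": timestamp, "text": text, "prev_hash": prev_hash,
        }
        record = ArchiveRecord(record_hash=_digest(body), **body)
        self.records.append(record)
        return record

    def verify(self) -> bool:
        """Recompute every hash and check that each record links to its predecessor."""
        expected_prev = GENESIS_HASH
        for rec in self.records:
            body = asdict(rec)
            stored = body.pop("record_hash")
            if rec.prev_hash != expected_prev or _digest(body) != stored:
                return False
            expected_prev = stored
        return True

    def export_thread(self, thread_id: str) -> List[dict]:
        """The whole conversation, in capture order, for a discovery request."""
        return [asdict(r) for r in self.records if r.thread_id == thread_id]

    def export_by_identity(self, corporate_id: str) -> List[dict]:
        """Everything one employee posted, across every platform they are mapped on."""
        return [asdict(r) for r in self.records if r.corporate_id == corporate_id]


def build_sample_archive() -> ConversationArchive:
    """Constructed sample: a three-post Facebook wall thread plus an unrelated tweet."""
    a = ConversationArchive()
    a.append("facebook", "fb-1001", None, "fb-1001", "examplecu.page",
             "2011-05-02T09:00:00Z", "Our Main St branch is open Saturday 9-1.")
    a.append("facebook", "fb-1001", "fb-1001", "fb-1002", "pat.member",
             "2011-05-02T09:12:00Z", "Is the drive-through open too?")
    a.append("facebook", "fb-1001", "fb-1002", "fb-1003", "examplecu.page",
             "2011-05-02T09:15:00Z", "Yes, the drive-through is open the same hours.")
    a.append("twitter", "tw-500", None, "tw-500", "@jjones_cu",
             "2011-05-02T10:00:00Z", "Great turnout at the community shred day!")
    return a


if __name__ == "__main__":
    archive = build_sample_archive()
    print("chain intact:", archive.verify())
    for rec in archive.export_thread("fb-1001"):
        print(rec["seq"], rec["author_handle"], "replying to", rec["parent_id"], "-", rec["text"])
```

Each record carries its parent post, so an exported thread preserves who replied to what and when, which is the context the Archive section asks for; `export_by_identity` answers the other common discovery question, everything one employee said regardless of network. Because every record hashes over its predecessor, changing or reordering any stored post makes `verify()` fail.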




Summary
Some analysts believe that usage of social media will follow a trajectory similar to email and instant messaging:
discouraged or even blocked by organizations at first, then approved for use by a few individuals, and eventually
opened up to the majority of employees. The trajectory often changes as the organization identifies ways the new tool
can make it more competitive or more efficient in conducting its business.

Credit unions looking to take advantage of social media now, and to be prepared for future compliance, must
consider the regulations already in place that govern other forms of electronic communication. Additionally,
as major financial regulatory bodies around the globe, such as FINRA and the FSA, begin to issue additional
guidelines that specifically include social media, it is clear that it is only a matter of time before the NCUA clarifies
its position.

For the majority of communications, that means securing, filtering, monitoring, and archiving each and every post,
which is not always an easy task given that there are so many different social media and Web 2.0 applications with no
native enterprise controls. However, so long as credit unions apply the same controls they already have over other
electronic communication, such as email, and partner with the right vendors to put such controls in place, it needn’t
be too onerous.




About Actiance, Inc.
Actiance enables the safe and productive use of unified communications, collaboration, and Web 2.0, including blogs
and social networking sites. Formerly FaceTime Communications, Actiance’s award-winning platforms are used by 9
of the top 10 US banks and more than 1,600 organizations globally for the security, management, and compliance of
unified communications, Web 2.0, and social media channels. Actiance supports all leading social networks, unified
communications providers, and IM platforms, including Facebook, LinkedIn, Twitter, AOL, Google, Yahoo!, Skype,
Microsoft, IBM, and Cisco.

Socialite
Socialite is Actiance’s security, management, and compliance solution for Social Networks, providing granular control
of Facebook, LinkedIn, and Twitter.

Socialite not only controls access to 150 different features across social networks, but can also moderate, manage,
and archive any social media traffic routed through the solution, which can either be on-premise or hosted.

Socialite includes a number of key features for securely enabling the use of social networks, including:

•	 Data leak prevention: preventing sensitive data from leaving the company, either maliciously or inadvertently

•	 Identity management: establishing a single corporate identity and tracking users across multiple social media
   platforms (e.g., @JohnJones on Twitter is the same as JohnHJones on LinkedIn)

•	 Activity control: managing access to features, such as who can read, like, comment upon, or access specific
   features

•	 Moderator control: pre-approving content for Facebook, LinkedIn, and Twitter, where content is required to be
   reviewed by a corporate communications officer or other third party

•	 Granular application control: enabling access to Facebook but not to Facebook Chat or downloading/installing any
   of the applications in the gaming category

•	 Conversation and content logging: capturing all posts, messages, and commentary in context, including export to
   an archiving platform of your choice for eDiscovery purposes




Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 

Recently uploaded (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 

NCUA Guide to Social Media Compliance

  • 1. WHITE PAPER COMPLIANCE IMPLICATIONS OF SOCIAL MEDIA A Guide for NCUA Credit Unions
  • 2. WHITE PAPER – Compliance Implications of Social Media 2

Table of Contents
Overview  3
  Lack of specific guidelines  3
  Maintaining compliance  3
CUs in Social Media  4
  Appropriate Use of Social Media  4
  Compliance Curtails Entry into Social Media  5
CU Compliance Concerns  6
  Data Leakage  6
  Advertising  6
  Retention of Records  6
Wider Regulatory Concerns  7
  Gramm-Leach-Bliley Act (GLBA)  7
  Red Flag Rules  7
  Privacy of Consumer Financial Information  7
  Payment Card Industry Data Security Standard (PCI DSS)  7
  Federal Rules of Civil Procedure (FRCP)  8
When Social Media Goes Bad  9
  Hackers Taking Control  9
  Blogging Gone Bad  9
  Good Intentions, Bad Tweets  9
  Inappropriate Comments Equal Lost Business  9
  Employee Tweets Create Negative Working Environment  9
  Consequences of Violating Regulations  9
Key Tenets of CU Social Media Policies  10
Mitigating the Risk of Social Media and Web 2.0  11
  Enforcement of Policy  11
  Monitor Content  11
  Prevent Data Leakage  11
  Block Threats  12
  Log All Content  12
  Archive  12
Summary  13
About Actiance, Inc.  14

This white paper is for informational purposes only. Actiance makes no warranties, express or implied, in this document. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Actiance, Inc. © 2001 - 2011 Actiance, Inc. All rights reserved. Actiance and the Actiance logo are registered trademarks of Actiance, Inc. Actiance Vantage, Unified Security Gateway and Insight are trademarks of Actiance, Inc. All other trademarks are the property of their respective owners.

Worldwide Headquarters: 1301 Shoreway, Suite 275, Belmont, CA 94002 USA, (650) 631-6300 phone, info@actiance.com
EMEA Headquarters: 400 Thames Valley Park, Reading, Berkshire, RG6 1PT UK, +44 (0) 118 963 7469 phone, emea@actiance.com
©2001-2011 Actiance, Inc. A-WP-008-SM-CREDIT-UNIONS-0111
  • 3. Overview

It took the humble telephone eighty-nine years to reach the 150 million users that Facebook achieved in just five. The impact of social media can be seen everywhere: in the workplace, at home, even on billboards and TV. For credit unions looking to connect with their members and grow their business, social media is a must. But what are the dangers, who is at risk, and how can credit unions ensure that embracing Facebook, LinkedIn, and Twitter doesn't result in a social scandal?

Lack of specific guidelines

Although the National Credit Union Administration (NCUA) has not yet issued additional rules or guidelines on the use of social media, a look at the regulations already in existence shows that they already cover this new form of electronic communication. From advertising and the retention of records to the possibility of leaking social security numbers, account numbers, credit card data, and other PII (Personally Identifiable Information), the regulations may not mention social media specifically, but it is clearly a medium through which every one of these potentially dire circumstances can occur.

Social media applications were developed with consumers in mind, so no enterprise controls are available natively. With the majority of credit unions not in a position to control the content of messages posted to Facebook by employees, let alone archive the messages with any meaningful context, many have wisely decided to postpone their social media strategy. However, the compelling evidence of the benefits of embracing social media has meant that others have leapt in with both feet, potentially placing them ahead of their competitors and making it harder for the rest to justify staying away from social media. The danger for credit unions is that without the right security, management, and compliance controls in place, any benefit of its use can evaporate more quickly than saying "Federally Insured".

Maintaining compliance

Following FINRA's footsteps in the US, the FSA in the UK has recently taken steps to ensure that members recognize that new media such as social networking, blogs, and forums are automatically included in current regulations. It is highly likely that the NCUA, along with other financial regulatory bodies, will follow suit and clarify that, like every other form of electronic communication, care must be taken to ensure that social media usage complies with current regulations. This white paper considers the threats that social media poses and the regulations they may infringe upon, and suggests how credit unions can overcome them, remain compliant, and embrace the new Internet.
  • 4. CUs in Social Media

When President Roosevelt first signed the Federal Credit Union Act in 1934, television was in its infancy. Who could have predicted that nearly seventy-five years later Larissa Walkiw's Young and Free Alberta video for the Common Wealth Credit Union (now Servus) would be one of the most popular credit union videos on YouTube?

Social media is taking credit unions by storm. From marketing to member services, it offers several benefits over traditional forms of communication, including cost. But perhaps the biggest reason for its success is one that fits very comfortably with the credit union ethos: the personal touch and dedication to superior member service. Social media experts have always advocated the use of "real people" and genuine photos of employees on Facebook, LinkedIn, and Twitter, and the strategy pays off. One may not know all of one's followers or buddies, but interaction and conversation with a face you can put a name to has a major impact in cultivating relationships.

Smaller credit unions have been quick to take advantage of social media and Web 2.0, with a great deal of success in attracting new business and growing investment opportunities with existing ones. Their success has not gone unnoticed by the larger credit unions, which until recently have shied away from social media. However, with more than 500 million users on Facebook, 75 million on LinkedIn, and 70 million on Twitter, credit unions can't afford not to include social media in their business strategy.

A recent survey of 11,000 credit union members conducted by the Callahan Internet Strategy Consortium, a group of credit unions that cooperatively conduct research, discovered that:
• More than 82% of credit union members aged 18-60+ use Facebook.
• Members using Twitter expect their credit union to provide information such as fraud alerts (71%), special offers (60%), financial tips (58%), and rate specials (57%).
• About half of all members surveyed said they would read a credit union's Facebook page periodically.
(Source: thefinancialbrand.com)

Appropriate Use of Social Media

When credit unions include social media in their marketing plan, they need to understand from the outset that while it is a social interaction, it is also a very public and professional one. Every credit union wants to show the "human" side of its operations, yet it must be careful not to become too casual in replies to posts and tweets, or it risks coming across as unprofessional and careless. Content on their social media sites is also important: all photos and links must be professional as well. "Think before you post" must be kept top-of-mind at all times. Credit unions must remind their employees to consider how it would look if their post hit the front page of a leading publication. This advice applies whether that "leading publication" is a newspaper, website, or blog site.

Without a doubt, credit union employees can be great ambassadors. If given every reason to promote the credit union brand and no motivation to complain, they can spread the word about the credit union advantage far and wide, and at virtually no cost. Social media proponents argue that appropriate use of social media can help create a positive corporate culture, which in turn leads to happier and more productive employees. Some social media advocates even go so far as to contend that the optimal use of social media can actually increase productivity, e.g., by taking a few minutes off to play a Facebook game or watch a couple of funny YouTube videos, the employee comes back relaxed, refreshed, and ready to work!
  • 5. Compliance Curtails Entry into Social Media

One of the reasons for the delay by many credit unions in taking the social media plunge has been well-founded concerns over compliance issues. Whether this is due to a greater awareness of the potential pitfalls or to waiting for guidance from regulators such as the NCUA is not clear, but it is worth noting that some of the biggest credit unions, such as BECU and Golden 1, can now be found on Twitter.

Social media is just an extension of how credit unions converse with their members. Whether it's assistance on using a service, letting people know about the latest offers, or even introducing new business contacts, Facebook, LinkedIn, and Twitter simply offer another point of contact alongside walking into a local branch or talking on the telephone. However, like every other form of communication, care must be taken that anything that could be considered an advertisement or advice complies with current regulations. For the majority of communications, that means securing, filtering content, monitoring, and archiving each and every post. Not an easy task when there are so many different social media and Web 2.0 tools and applications.
  • 6. CU Compliance Concerns

As social media use within credit unions grows, so does the risk of non-compliance. Whether a credit union is using social media to communicate with members, announce new products, or promote community events, it is not just the outspoken views of rogue employees that it needs to control. Social media can suddenly allow a vast number of credit union-specific guidelines and regulations, and associated regulations such as the Gramm-Leach-Bliley Act (GLBA), to be broken, often unintentionally.

Data Leakage

Although not specifically covered in either NCUA or National Association of State Credit Union Supervisors (NASCUS) regulations, the use of modern communication tools is still governed by current rules. For instance, the NCUA guideline 792.67, Security of systems of records, states credit unions "…shall establish administrative and physical controls to ensure the protection of a system of records from unauthorized access or disclosure and from physical damage or destruction…Procedures shall also be adopted to prevent accidental access to or dissemination of records."

In Actiance's Fifth Annual Collaborative Internet Survey, 14% of organizations questioned had experienced data leakage through social networks, and a further 18% took disciplinary action as a result of incidents. Whether it's an instant message to the wrong person, a tweet that should have been a direct message, or a misjudged post to Facebook, the route for accidental leakage has never been easier, nor has it had such a potentially wide audience.

Advertising

Advertising regulation is also a potential compliance failing point. From Regulation Z – Truth in Lending to the Fair Housing Act (FHA), the rules around advertising are being tightened all the time. Under the Fair Housing Act, "Advertisements must not contain any words, symbols, models or other forms of communication that suggest a discriminatory preference or policy of exclusion." NCUA rule 707.2 defines advertisement as "a commercial message, appearing in any medium that promotes directly or indirectly…" terms, yields, and bonus. In the case of rule 707, these "trigger" words demand that a notice be given as to where investors can view additional information on the offer, such as a web page. For credit unions using Twitter, this ruling can sometimes be a challenge, but the use of shortened URLs can help to keep posts to 140 characters and still comply. Consideration should also be given to chats over IM, as the rulings around advertising still apply and disclaimers should be given.

Retention of Records

The Truth in Savings Act demands that "A credit union shall retain evidence of compliance with this regulation for a minimum of two years after the date disclosures are required to be made or action is required to be taken." However, for credit unions using social media, this ruling may prove difficult to comply with. Facebook, for instance, currently offers no archiving facility for members' posts, making it impossible for credit unions to keep a reliable record of messages posted. Appendix A to part 749 of the NCUA regulations states that although there is no specific format in which records must be retained, they must be easily accessible and accurate. In addition, "The credit union should also ensure that the reproduction is acceptable for submission as evidence in a legal proceeding." Compliance with eDiscovery requires a tamper-proof archive, and best practice demands that records include the context of the message, not just the message posted.
  • 7. Wider Regulatory Concerns

Gramm-Leach-Bliley Act (GLBA)

Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) outlines standards for safeguarding confidential member information, including names, addresses, phone numbers, account numbers, and Social Security numbers. The GLBA requires that the content of communications should be scanned for such information, that the data should not be sent in clear text, and that it should never be sent via public communications channels. In a survey by Actiance, over a third of the respondents that can access IM services at work admitted to sending an instant message to the wrong person. Accidental data leakage is one of the biggest concerns for any organization. Many financial institutions take care to move conversations that require the exchange of sensitive information to more secure channels, but all it takes is a simple mistake for a regulation to be violated.

Red Flag Rules

The Red Flag rules require credit unions to protect information against identity theft and to implement a program that would detect warning signs or raise a "red flag" to possible suspicious activity. The rapid growth in social media and Web 2.0 usage has made them a magnet for hackers and malware writers looking to steal confidential information that enables them to steal identities directly or to build up a profile that may lead to identity theft. One of the problems with social media is that users place too much trust in their network of followers or friends, which lets social engineering techniques that persuade users to give up passwords or click on malicious links succeed at a surprising rate.

Privacy of Consumer Financial Information

The consumer privacy rule generally encompasses a privacy notice that details how non-public information may be used by the credit union and an opt-out clause for the consumer. Similar to the GLBA, credit unions must ensure that non-public information, including name and address, transaction history, consumer credit reports, and court records, is protected against malicious and accidental data leakage. In addition, guidance issued by the NCUA states, "The fact that an individual is a customer of a credit union equates to personally identifiable financial information about that consumer," which is something to keep in mind when devising social media strategies to encourage new followers and fans.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS requires that organizations that process payment account information build and maintain a secure network, encrypt cardholder data sent over public networks, and assign unique IDs to individuals that have access to cardholder information. When using social media, credit unions need not only to guard against data leakage, but also to be able to identify those employees that have access to both cardholder information and applications such as instant messaging or sites such as Facebook, which frequently involve the use of different user names.
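The GLBA paragraph above says the content of communications should be scanned for names, account numbers and Social Security numbers before it reaches a public channel, and the Advertising section notes that rule 707 "trigger" words require a pointer to further information. The Python block below is an added example of such a pre-publication screen for outbound posts; it is not code from the white paper or from any Actiance product. The trigger-term list, the PII patterns, the example.test URL and the sample posts are assumptions constructed for this example, and the Luhn check is the standard payment card checksum used to separate real card numbers from other long digit strings.

```python
"""Pre-publication screen for outbound social media posts (added example).

Two checks from the white paper's compliance concerns are implemented:
  * PII leakage: Social Security numbers and payment card numbers must never
    travel over a public channel in clear text (GLBA / PCI DSS).
  * Advertising trigger terms: a post that uses a rule 707 trigger word must
    carry a link to where the full offer details can be read.
The trigger-term list and the patterns are assumptions for this example.
"""
import re

# Assumed trigger terms, taken from the white paper's summary of rule 707.2
# (terms, yields, bonus); a real deployment would use the compliance team's list.
TRIGGER_TERMS = {"term", "terms", "yield", "yields", "apy", "bonus"}

# SSN in the usual 3-2-4 layout, excluding the area/group/serial values that
# are never issued (000, 666, 9xx area; 00 group; 0000 serial).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13 to 19 digits with optional spaces or dashes between them.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
URL_RE = re.compile(r"https?://\S+")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list:
    """List the kinds of PII found in the text: "ssn" and/or "card"."""
    findings = []
    if SSN_RE.search(text):
        findings.append("ssn")
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        # A long digit run that fails Luhn (e.g. a reference number) is not a card.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("card")
            break
    return findings


def needs_disclosure(text: str) -> bool:
    """True when the post uses an advertising trigger term."""
    words = re.findall(r"[a-z]+", text.lower())
    return any(w in TRIGGER_TERMS for w in words)


def screen_post(text: str) -> dict:
    """Decide whether a post may be published.

    Returns {"allowed": bool, "reasons": [...]} where reasons explain a block.
    """
    reasons = []
    pii = find_pii(text)
    if pii:
        reasons.append("pii:" + ",".join(pii))
    if needs_disclosure(text) and not URL_RE.search(text):
        reasons.append("trigger-term without disclosure link")
    return {"allowed": not reasons, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample posts, not real member data.
    for post in (
        "Ask about our 2.10% APY share certificates!",
        "Ask about our 2.10% APY share certificates! Details: https://example.test/rates",
        "Thanks for calling, your SSN 123-45-6789 is on file",
        "Join us Saturday for the community shred day!",
    ):
        print(screen_post(post), "<-", post)
```

A blocked post should go to a human reviewer rather than being silently dropped: common words such as "term" will produce false positives, and the reviewer is also the right place to confirm that a disclosure link actually points at the full offer terms the regulation expects.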
  • 8. Federal Rules of Civil Procedure (FRCP)

The FRCP defines the procedures for managing civil suits in district courts, including legal discovery. Rule 34 allows the requesting party to designate the form in which electronically stored information should be produced. If this format is unavailable, the producer must deliver it in a form that is reasonably usable. Social media sites such as Facebook, LinkedIn, or Twitter have neither archiving facilities nor a guarantee to keep messages for the last week, let alone the six or seven years that some legislation requires. Being able to accurately reproduce data for a court of law is challenging in the best of times; social media just made it harder.
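The Retention of Records and FRCP sections call for a tamper-proof archive that keeps the context of a message, not just the message posted, and can be reproduced reliably later. The Python block below is an added example of one way to build such an archive as a hash-chained, append-only log; it is not the white paper's or any product's archive format. The record fields, the @examplecu account and the sample posts are constructed for this example.

```python
"""Hash-chained, append-only archive of social media posts (added example).

Each record stores the post together with its context (channel, account,
author, the post it replied to) and the SHA-256 digest of the previous record.
Editing or deleting any archived post breaks the chain, which verify() reports,
and thread() reproduces the conversation a post belongs to.
The record layout and the sample data are assumptions for this example.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # digest the first record links back to


def _digest(record: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class PostArchive:
    def __init__(self):
        self.records = []

    def append(self, channel, account, author, text, in_reply_to=None, timestamp=None):
        """Archive one post with its context; returns the record digest."""
        prev = self.records[-1]["digest"] if self.records else GENESIS
        body = {
            "seq": len(self.records),
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "channel": channel,
            "account": account,
            "author": author,
            "text": text,
            "in_reply_to": in_reply_to,   # seq of the post this one answers, if any
            "prev": prev,
        }
        record = dict(body, digest=_digest(body))
        self.records.append(record)
        return record["digest"]

    def verify(self):
        """Recompute every digest and chain link; returns (ok, first_bad_seq)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "digest"}
            if rec["seq"] != i or body["prev"] != prev or _digest(body) != rec["digest"]:
                return False, i
            prev = rec["digest"]
        return True, None

    def thread(self, seq):
        """Return the conversation leading to record seq, oldest first."""
        chain = []
        cur = seq
        while cur is not None:
            rec = self.records[cur]
            chain.append(rec)
            cur = rec["in_reply_to"]
        return list(reversed(chain))


def build_sample_archive():
    """Constructed sample: a member question and the staff reply, as one thread."""
    archive = PostArchive()
    archive.append("twitter", "@examplecu", "member:alice",
                   "What is your current auto loan rate?",
                   timestamp="2011-01-10T15:00:00+00:00")
    archive.append("twitter", "@examplecu", "staff:bob",
                   "Rates start at 4.99% APR. Full terms: https://example.test/auto",
                   in_reply_to=0, timestamp="2011-01-10T15:05:00+00:00")
    return archive


if __name__ == "__main__":
    archive = build_sample_archive()
    print("intact:", archive.verify())
    for rec in archive.thread(1):
        print(rec["timestamp"], rec["author"], rec["text"])
    archive.records[1]["text"] = "Rates start at 0.99% APR"   # simulated tampering
    print("after edit:", archive.verify())
```

The chain only proves that nothing changed since a record was written; to make the archive tamper-proof against whoever controls the storage, the latest digest still has to be anchored somewhere the archive operator cannot rewrite, such as a write-once medium or a third party that records it.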
When Social Media Goes Bad

Here are some examples of how unchecked social media activities can cause damage to a credit union:

Hackers Taking Control

In February 2010, Omni Credit Union and Advanced Savings both lost control of their Twitter accounts after disclosing their passwords in a social engineering attack. The hackers then used the accounts to send out pornographic spam, including malicious links. Although no harm was done beyond a few surprised members being offered more than a great APR, the incident potentially damaged the reputation of the credit unions.

Blogging Gone Bad

Last year, a receptionist at a credit union in Utah blogged about her pet peeves at work, including the name of her credit union. Fortunately, someone quickly pointed out the error of her ways, the blog was promptly taken down, and an apology was issued, but it is remarkable how often a simple lack of forethought lies behind social media faux pas.

Good Intentions, Bad Tweets

A loan officer at a credit union in Wisconsin was simply looking to get the word out about the credit union’s great loan rates. After all, it is his job to build the credit union’s much-needed loan portfolio. Looking to generate new business, he tweeted about their excellent new and used car rates, albeit without all of the required legal disclosures: there is simply not enough room in 140 characters.

Inappropriate Comments Equal Lost Business

A teller at a Kansas-based credit union had a negative experience with a member who was having a bad day. Before social media, such an occurrence would have been confined to the back office and perhaps a post-work conversation at the employee’s dinner table. However, when the teller posted her thoughts on the member’s rude behavior on her Facebook page, it did not take long for it to circulate back to the member. Later that week, the member closed his account with the credit union, and it happened to be a quite profitable account.
Employee Tweets Create a Negative Working Environment

A group of employees at a small credit union in Texas were killing time on a slow day by tweeting back and forth, fairly harmless chit-chat at first. But when the tweets drifted into sexually oriented matters, one employee was offended. Fortunately, it did not lead to a sexual harassment lawsuit, but it did create tension and a negative working environment at the credit union’s headquarters.

Consequences of Violating Regulations

Below are just some of the consequences associated with violating regulations that apply to credit unions:

Regulation                                   Consequences
GLBA                                         Substantial fines, imprisonment for up to five years, and loss of reputation
PCI                                          Substantial fines and loss of reputation
Red Flag Rules                               Penalties of up to $3,500 per violation
PCI-DSS                                      Fines of up to $500,000, possible refusal of future transactions, and loss of reputation
Regulation Z (Truth in Lending)              Fines of up to $5,000, imprisonment for up to one year
Regulation E (Electronic Fund Transfer Act)  Substantial fines, imprisonment for up to one year
Key Tenets of CU Social Media Policies

Many observers believe that there is anarchy in the absence of social media policy and training. Perhaps the first step is to emphasize the credit union’s core values: the mission statement and member service guidelines must carry over online. In other words, the credit union’s General Code of Ethics should provide guidance on the positive behavior expected from all employees, regardless of channel.

Credit unions should invest in adequate training programs to remind their staff of their responsibilities and to outline clearly what is acceptable and appropriate. They should send frequent messages to employees on the misuse of social media and draw upon case studies to convey the consequences of bad behavior and reputational damage to the credit union.

Credit unions must establish clear rules of engagement. These rules need to spell out employee expectations in terms of tone and the language to be used, as well as the situations that demand an employee response, e.g., correcting misguided information about interest rates or loans. Other items that credit unions should consider adding to their policies include:

• Don’t let personal use of Twitter or other social networking sites interfere with work.
• Employees must be approved to use Twitter or other social networking sites to conduct business.
• Any use of the credit union’s name, trademarks, logos, or other intellectual property must be approved.
• If employees make personal comments about any aspect of the credit union’s business, their profiles must carry a disclaimer that the views expressed are their own and not the organization’s.
• Tweets and other posts may not disclose confidential, proprietary, rate, or loan information.
Mitigating the Risk of Social Media and Web 2.0

Traditional security measures are no match for today’s communication tools. Many legitimate applications use evasive techniques such as port hopping, protocol tunneling, and encryption, and some use peer-to-peer connections. Skype, for instance, uses a peer-to-peer connection and is encrypted end-to-end, and it will tunnel through HTTP/port 80 if that is the only port/protocol it finds open on the firewall, which negates a URL filtering solution as a means of controlling it. Aside from the obvious hazard of malware using such an unauthorized channel to enter the network surreptitiously, enabling social media and Web 2.0 applications without the means to prevent other channels from being used leaves the organization unable to say that it monitors everything that leaves its network.

Below are the key areas that credit unions must consider when enabling social media and Web 2.0 in the workplace. Control of social media is not as difficult as it first seems; credit unions need to follow best practice guidelines for control, including logging and archiving all pertinent content, while recognizing that the security measures they have today were not built for Web 2.0 applications.

Enforcement of Policy

Social media and Web 2.0 applications offer huge productivity benefits, but that does not mean employees should be given free rein. Consideration should still be given to whether an employee really needs access to a specific application or needs to be able to transfer certain file types.
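The port 80 fallback described above is the reason a URL filter alone is not a control: a filter only sees traffic that parses as HTTP. A cheap complementary check, shown here as an added example that is not Actiance code, is to confirm that every client-to-server stream on TCP/80 actually begins with an HTTP request line, and to report separately the CONNECT method, which is well-formed HTTP but opens a raw tunnel. The flows are constructed samples, and the verdict names are this example's own.

```python
"""Flag connections to TCP/80 whose first bytes are not an HTTP request.

Added example, not Actiance code. Applications that port-hop or tunnel
through port 80 still have to put something in the first client packet.
Classifying that first payload catches TLS-on-80 and opaque binary
protocols, and surfaces CONNECT tunnels for review. Flows are constructed.
"""
import re

# Request-line methods (RFC 7231 plus PATCH and CONNECT). CONNECT is valid
# HTTP but turns the connection into a raw pipe, so it is reported separately.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|PATCH|CONNECT) \S+ HTTP/1\.[01]\r\n"
)
TLS_CLIENT_HELLO = b"\x16\x03"  # TLS record type 0x16 (handshake), major version 3


def classify_port80_payload(payload: bytes) -> str:
    """Return 'http', 'connect-tunnel', 'tls-on-80' or 'non-http' for a first payload."""
    m = HTTP_REQUEST_LINE.match(payload)
    if m:
        return "connect-tunnel" if m.group(1) == b"CONNECT" else "http"
    if payload.startswith(TLS_CLIENT_HELLO):
        return "tls-on-80"
    return "non-http"


def suspicious_flows(flows):
    """flows: (src, dst, dport, first_client_payload) tuples.

    Returns (src, dst, verdict) for every port-80 flow that is not plain HTTP.
    Other ports are out of scope for this check and are skipped.
    """
    findings = []
    for src, dst, dport, payload in flows:
        if dport != 80:
            continue
        verdict = classify_port80_payload(payload)
        if verdict != "http":
            findings.append((src, dst, verdict))
    return findings


# Constructed sample flows (not captured traffic); addresses are documentation ranges.
SAMPLE_FLOWS = [
    ("10.1.2.10", "203.0.113.5", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.1.2.11", "203.0.113.6", 80, b"CONNECT relay.example.test:443 HTTP/1.1\r\nHost: relay.example.test\r\n\r\n"),
    ("10.1.2.12", "203.0.113.7", 80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello on 80
    ("10.1.2.13", "203.0.113.8", 80, b"\x17\x03\x01\x00\x20\x8e\x11\x5a\x9c\x3d"),      # opaque binary
    ("10.1.2.14", "203.0.113.9", 443, b"\x16\x03\x01\x00\xa5"),                          # 443: not checked here
]

if __name__ == "__main__":
    for src, dst, verdict in suspicious_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {verdict}")
```

Two caveats a practitioner should keep in mind: the check only looks at the first bytes, so an application that sends a well-formed POST and carries its own protocol inside the body will pass it, and HTTP/0.9 requests without a version string are reported as non-HTTP. It complements an application-aware proxy rather than replacing one.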
In Actiance’s Fifth Annual Survey, The Collaborative Internet: Usage Trends, End User Attitudes and IT Impact (originally published as “FaceTime’s Fifth Annual Survey”), file sharing tools (websites or P2P applications) were found to be present in 74% of enterprises, while only 32% of IT professionals estimated that they were in use. Web-based chat was found in 95% of enterprises, while only 31% of IT professionals estimated that it was in use. Credit unions need to ensure that only authorized websites and applications are used by employees and that access is limited to their job requirements. Whether it is being able to post to LinkedIn but not to give recommendations, or to view Twitter but not to post, consideration must be given not just from a reputational standpoint, but also in terms of the regulations that could be violated.

Monitor Content

In just the same way that the majority of organizations have implemented technology to monitor email content, the same must be done for social media. Whether a credit union decides only to block posts that contain trigger words such as “APR” or “yield,” or to send all posts to a compliance officer for review, will depend on individual circumstances. However, without some form of monitoring in place, it will be impossible for credit unions to demonstrate compliance with many advertising regulations.

Prevent Data Leakage

As credit unions turn to social media to collaborate with colleagues and members, the risk of accidental data leakage has increased significantly. A small lapse in judgment can have serious consequences. Controlling how social media is used in the workplace is not just about stopping an inappropriate comment; it is also about preventing users from sharing business-critical information in what is essentially a public forum. In Actiance’s Fifth Annual Collaborative Internet survey, 69% of IT respondents reported incidents of malware and/or information leaks due to the use of Internet applications. Viruses were most common at 55%, followed by spyware infiltrations at 45%, but in new statistics gathered for the first time this year, 14% had seen data leakage through social networks.
Prevention of data leakage features prominently in virtually every regulation that a credit union must comply with. For example, a quick tweet of “@(member name) thanks for stopping by the branch today” could break a confidentiality obligation if the recipient has not publicly indicated that they are a member themselves: it discloses the relationship, which the NCUA guidance quoted earlier treats as personally identifiable financial information.

Block Threats

It is no secret that Web 2.0 applications, public IM, peer-to-peer file sharing, and social media introduce risk to the credit union. The productivity advantages of collaboration are quickly lost when malware infections send the IT staff into the equivalent of search and rescue mode to clear malware from endpoints and protect the credit union from sensitive data loss. Unsurprisingly, social engineering tactics are used extensively by malware writers, who hijack IM buddy lists to trick users into thinking a link arriving on their IM screen is actually from a trusted friend. Once introduced to the network, multi-protocol malware can quickly jump from the public IM system to internal systems. Credit unions need to ensure that all entry points for malware are blocked, not just email and the basic Internet gateway ports.

Log All Content

In order to comply with industry regulations and eDiscovery requirements, credit unions need to be able to log each and every interaction posted to social media and other Web 2.0 applications. Although sites like Twitter and Facebook have not yet been specifically mentioned in guidelines such as those issued by the NCUA, the current regulations make it perfectly clear that records pertaining to transactions, advertising, and other credit union activities must be archived. Aside from non-compliance, the consequence of not logging content is that it potentially leaves the credit union at the mercy of the other party in a legal dispute, who may hold the only copy of the exchange.
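The Monitor Content and Prevent Data Leakage sections above describe two pre-post checks: trigger words such as “APR” or “yield” that should route a post to a compliance officer, and wording like “@(member name) thanks for stopping by the branch” that reveals someone is a member. The following is an added example, not Actiance code or Socialite logic, that implements both as a single review function. The trigger list, the regular expressions, the account-number shape and the allow/review/block ordering are assumptions for illustration; the real policy comes from the credit union's compliance team. The sample posts are constructed.

```python
"""Pre-post review for outbound social media content.

Added example, not Actiance code. Two rule families from the text:
  - advertising trigger terms send the post for compliance review
    (rate or yield claims need their disclosures);
  - member-information leakage blocks the post outright (an @mentioned
    person identified as a member, or an account/card-number-like string).
Trigger list, regexes and severity order are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

# Whole-word advertising terms; "interesting" must not match "interest".
ADVERTISING_TRIGGERS = re.compile(r"\b(apr|apy|yield|rates?|interest)\b", re.IGNORECASE)

# An @mention followed, anywhere in the post, by wording that marks the
# person as a member of the credit union (assumed phrase list).
MEMBER_CONTEXT = re.compile(
    r"@\w+.*\b(thanks for (stopping by|visiting|banking with)"
    r"|your (account|loan|balance)|welcome to the credit union)\b",
    re.IGNORECASE | re.DOTALL,
)

# Eight to nineteen digits, optionally grouped by spaces or dashes. Rough by
# design: it also catches phone numbers, which a reviewer can release.
ACCOUNT_NUMBER = re.compile(r"\b(?:\d[ -]?){8,19}\b")

ACTIONS = ("allow", "review", "block")  # index == severity


@dataclass
class Verdict:
    action: str
    reasons: list = field(default_factory=list)


def review_post(text: str) -> Verdict:
    """Return the most severe action any rule demands, with every reason that fired."""
    severity, reasons = 0, []
    if ACCOUNT_NUMBER.search(text):
        reasons.append("possible account or card number")
        severity = 2
    if MEMBER_CONTEXT.search(text):
        reasons.append("identifies an @mentioned person as a member")
        severity = 2
    hits = sorted({m.lower() for m in ADVERTISING_TRIGGERS.findall(text)})
    if hits:
        reasons.append("advertising trigger terms: " + ", ".join(hits))
        severity = max(severity, 1)
    return Verdict(ACTIONS[severity], reasons)


# Constructed sample posts (not real credit union content).
SAMPLE_POSTS = [
    "Thanks to everyone who came to the Saturday car show!",
    "New and used auto loan rates as low as 2.99% APR this month",
    "@jsmith thanks for stopping by the branch today!",
    "Questions about account 1234 5678 9012? DM us",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        v = review_post(post)
        print(f"{v.action:6} {post!r} {v.reasons}")
```

Leakage rules are evaluated before advertising rules and win on severity, so a post that both names a member and quotes a rate is blocked rather than merely queued for review; both reasons are still recorded so the compliance officer sees the full picture.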
Currently, the majority of social media sites do not offer any means to log and store content, nor do they give any guarantee that the information there today will be available tomorrow. Going further, it is not a given that today’s social media darling will still be around in two years’ time to retrieve content and conversations from. To ensure compliance, credit unions need to consider how to log content posted to social media, including the context of the whole “conversation”.

Archive

The process of archiving, storing, and making social media conversations easily retrievable for regulatory compliance and legal discovery is made far more complex by the multidimensional nature of these conversations. For example, a chat on a Facebook wall can include numerous participants joining at different times, which creates a requirement to understand what each participant could see at the point they contributed. To simplify retrieval, credit unions need to ensure that the content and context of posts and messages can be exported, along with the corporate identity behind each account, to an email archive or WORM (write once, read many) storage, giving a single discovery location.
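The Log All Content and Archive sections above ask for three things from a captured thread: the corporate identity behind each platform handle, the context each participant had when they posted, and a record that can be trusted once it sits in WORM storage. The following is an added example, not Actiance code or the Socialite export format, that builds such records. The handle-to-identity table is assumed data (in practice it would come from HR or the identity provider), the record fields are this example's own, and the thread is constructed; the hash chain is a plain SHA-256 link from each record to its predecessor so that a later edit or reordering is detectable.

```python
"""Context-preserving, tamper-evident archive records for a social media thread.

Added example, not Actiance code. Each captured post is tied to the corporate
identity behind the platform handle (mapping assumed), ordered by timestamp,
and stored with the ids of the posts already visible when it was written, so
a reviewer can later reconstruct what each participant had in front of them.
Records are chained with SHA-256: altering, reordering or removing a record
from the middle of an exported chain fails verification.
"""
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # prev_hash of the first record in a thread

CORPORATE_IDENTITY = {  # (platform, handle) -> corporate identity; assumed data
    ("twitter", "@JohnJones"): "jjones@cu.example",
    ("linkedin", "JohnHJones"): "jjones@cu.example",
    ("twitter", "@CU_official"): "marketing@cu.example",
}


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so a hash recomputed years later still matches."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_archive(platform: str, thread_id: str, posts: list) -> list:
    """posts: dicts with id, handle, ts (ISO 8601 with UTC offset), text, optional reply_to."""
    ordered = sorted(posts, key=lambda p: datetime.fromisoformat(p["ts"]))
    records, visible, prev_hash = [], [], GENESIS
    for seq, p in enumerate(ordered):
        record = {
            "platform": platform,
            "thread_id": thread_id,
            "seq": seq,
            "post_id": p["id"],
            "handle": p["handle"],
            "corporate_id": CORPORATE_IDENTITY.get((platform, p["handle"]), "external"),
            "ts": p["ts"],
            "reply_to": p.get("reply_to"),
            "text": p["text"],
            "context": list(visible),  # ids already on the wall when this was posted
            "prev_hash": prev_hash,
        }
        record["hash"] = hashlib.sha256(canonical(record)).hexdigest()
        records.append(record)
        visible.append(p["id"])
        prev_hash = record["hash"]
    return records


def verify_archive(records: list) -> bool:
    """Recompute the chain; False if any record was altered or the order broken."""
    prev = GENESIS
    for r in records:
        body = {k: v for k, v in r.items() if k != "hash"}
        if body.get("prev_hash") != prev or hashlib.sha256(canonical(body)).hexdigest() != r["hash"]:
            return False
        prev = r["hash"]
    return True


# Constructed thread, deliberately captured out of order.
SAMPLE_THREAD = [
    {"id": "p3", "handle": "@memberA", "ts": "2011-03-01T09:10:00+00:00",
     "text": "Is that rate good for used cars too?", "reply_to": "p1"},
    {"id": "p1", "handle": "@JohnJones", "ts": "2011-03-01T09:00:00+00:00",
     "text": "Auto loans from 2.99% APR this week. Terms at cu.example/rates"},
    {"id": "p2", "handle": "@CU_official", "ts": "2011-03-01T09:05:00+00:00",
     "text": "Rates apply to new and used vehicles; full disclosures at the link."},
]

if __name__ == "__main__":
    archive = build_archive("twitter", "thread-42", SAMPLE_THREAD)
    print(json.dumps(archive, indent=1))
    print("chain valid:", verify_archive(archive))
```

The chain detects edits and reordering inside the export but not truncation at the end, so the final hash of each thread should itself be recorded separately (for example in the archive's index) when the export is committed to WORM storage.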
Summary

Some analysts believe that usage of social media will follow a trajectory similar to that of email and instant messaging: discouraged or even blocked by organizations at first, then approved for use by a few individuals, and eventually opened up to the majority of employees. The trajectory often changes as the organization identifies ways the new tool can make it more competitive or more efficient in conducting its business.

Credit unions looking to take advantage of social media now, and to be prepared for future compliance, must consider the regulations already in place that govern other forms of electronic communication. Additionally, as major financial regulatory bodies around the globe, such as FINRA and the FSA, begin to issue additional guidelines that specifically include social media, it is clear that it is only a matter of time before the NCUA clarifies its position.

For the majority of communications, that means securing, filtering, monitoring, and archiving each and every post, not always an easy task given that there are so many different social media and Web 2.0 applications with no native controls in the enterprise. However, so long as credit unions apply the same controls they have over other electronic communication, such as email, and partner with the right vendors to put such controls in place, it need not be too onerous.
About Actiance, Inc.

Actiance enables the safe and productive use of unified communications, collaboration, and Web 2.0, including blogs and social networking sites. Formerly FaceTime Communications, Actiance’s award-winning platforms are used by 9 of the top 10 US banks and more than 1,600 organizations globally for the security, management, and compliance of unified communications, Web 2.0, and social media channels. Actiance supports all leading social networks, unified communications providers, and IM platforms, including Facebook, LinkedIn, Twitter, AOL, Google, Yahoo!, Skype, Microsoft, IBM, and Cisco.

Socialite

Socialite is Actiance’s security, management, and compliance solution for social networks, providing granular control of Facebook, LinkedIn, and Twitter. Socialite not only controls access to 150 different features across social networks, but can also moderate, manage, and archive any social media traffic routed through the solution, which can be either on-premise or hosted.
Socialite includes a number of key features for securely enabling the use of social networks, including:

• Data leak prevention: preventing sensitive data from leaving the company, either maliciously or inadvertently
• Identity management: establishing a single corporate identity and tracking users across multiple social media platforms (e.g., @JohnJones on Twitter is the same person as JohnHJones on LinkedIn)
• Activity control: managing access to features, such as who can read, like, comment upon, or access specific features
• Moderator control: pre-approving content for Facebook, LinkedIn, and Twitter where content is required to be reviewed by a corporate communications officer or other third party
• Granular application control: enabling access to Facebook but not to Facebook Chat, or not to downloading/installing any of the applications in the gaming category
• Conversation and content logging: capturing all posts, messages, and commentary in context, including export to an archiving platform of your choice for eDiscovery purposes