oRecordkeeping and retention of business-related communications.

oRecommendations posted to buy or sell securities that are suitable and appropriate to the investors reading the posts.

oSupervisory review of communications posted that are compliant.

oManagement of third-party postings on the firm's social media sites.

Even though the FINRA regulatory notice is targeted at Securities and Exchange Commission-regulated firms, the guidance communicates a framework that has applications to the credit union industry.

There are fundamental security risks common to social media sites. Understanding the risks and applying controls to address the impact of these risks is imperative to a successful social media presence. Social media site security is facilitated by the service provider, which means that the security controls or lack thereof, are limited to the predefined options. These options should be used to their fullest extent. Foremost on the list is to use strong password controls. Ensure the password is unique to the social media site and is long and complex. Change the password regularly. Because the website is hosted on the provider's servers, everyone subscribing to the service is subject to outages and hacker attacks waged against the provider's server infrastructure such as denial of service and malware attacks.

Social media sites pose significant compliance risks, due in part to the heightened focus on consumer protection regulations. The credit union department charged with developing and managing the social media site content must either be highly proficient with compliance requirements or else work closely with the compliance department before adding any information to the social media sites. The compliance requirements applicable to the social media sites include advertising and records retention requirements.

The primary advertising regulations affecting social media sites are Regulation Z and NCUA Rules and Regulations Part 707 (Truth in Savings). We regularly see violations of both of these requirements on social media sites. If your social media site contains a trigger term for loan products or share accounts, you are required to include further disclosures. For Regulation Z, one of the most common trigger terms we see on social networking sites is the APR for home equity lines of credit.

The first step in starting a social media site is to have a plan. As obvious as that sounds, it is an often overlooked prerequisite to an effective implementation. As with any other business venture, starting with a strategy will ensure that the following are in place: measurable value derived from implementing social media; executive management participation; a mission statement and goals; recognition of what the site will promote or advertise; awareness of the services that will be offered; an understanding of the business, member, security and compliance risks; assigned responsibilities; mMonitoring and the review of controls; and oversight.

Having a strategy in place before implementing a social media presence on the Internet will improve success dramatically. A social media strategy will align the goals of the site with expectations of the credit union and it will provide needed controls over operations, security and compliance.

Will Andrews is a manager at RSM McGladrey. He can be reached at 415-848-5360 or

[email protected]