Federal Financial Institutions Examination Council (FFIEC) Releases Proposed Guidelines for Use of Social Media by Financial Institutions

January 2013

On Tuesday, January 22, 2013, the Federal Financial Institutions Examination Council (FFIEC), an interagency body formed to develop uniform supervisory principles and standards on behalf of six federal agencies that regulate financial institutions, released proposed guidance entitled “Social Media:  Consumer Compliance Risk Management,” regarding the use of social media by federally regulated financial institutions.  Once the proposed guidance is finalized after considering comments received from the public, the FFIEC anticipates that its member federal agencies – the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Consumer Financial Protection Bureau – will issue the guidance as supervisory guidance to their regulated institutions.

Risks Associated with the Use of Social Media

Acknowledging that many financial institutions are using social media to attract new business and engage with existing customers, the FFIEC is seeking to increase awareness of the potential consumer compliance and legal risks, as well as reputation and operational risks, involved in the use of social media, and to establish a framework for managing those risks.  For purposes of the proposed guidance, the FFIEC considers “social media” to be a form of interactive online communication in which users can generate and share content through text, images, audio and/or video.

Financial institutions may use social media for a variety of marketing purposes, such as providing incentives and advertising loan pricing, as well as operational functions such as facilitating new account applications or interacting with current and potential customers.  Use of social media by financial institutions is particularly challenging from a risk management perspective because social media interactions are often informal and occur in a relatively unsecure environment.  Poor oversight, due diligence, or control of social media channels by a financial institution can exacerbate the risk.

The proposed guidance provides a non-exhaustive list of laws and regulations that may be implicated by the use of social media by financial institutions, including, among others:  fair lending laws such as the Equal Credit Opportunity Act/Regulation B and the Fair Housing Act; the Truth in Lending Act/Regulation Z; the Real Estate Settlement Procedures Act; the Fair Debt Collection Procedures Act; the Electronic Fund Transfer Act/Regulation E; anti-money laundering laws such as the Bank Secrecy Act; privacy laws such as the Gramm-Leach-Bliley Act; laws regarding unfair, deceptive or abusive acts or practices; the Telephone Consumer Protection Act; the Children’s Online Privacy Protection Act; and the Fair Credit Reporting Act.

Risk Management Programs

In the proposed guidance, the FFIEC suggests steps that financial institutions could take to mitigate the risks presented by the use of social media, including implementing a risk management program designed by a team including specialists in compliance, technology, information security, legal, human resources, and marketing for measuring, monitoring, and controlling the risks related to the use of social media.  The FFIEC recommends that an effective social media risk management program include: 

  • A governance structure with clear roles and responsibilities pursuant to which the board of directors or senior management will identify how use of social media interacts with the institution’s strategic goals;
  • Policies and procedures regarding use and monitoring of social media platforms;
  • A due diligence process for selecting third-party service providers for social media use and/or monitoring;
  • An employee training program regarding the institution’s policies for work-related social media use, and possibly for other use of social media;
  • An oversight process for monitoring information related to the institution posted to social media sites;
  • Audit and compliance functions for monitoring compliance with internal policies, laws, regulations, and guidance; and
  • Periodic reporting to the board of directors and/or senior management to enable evaluation of the effectiveness of social media use in achieving its objectives.

For those financial institutions that do not use social media, the FFIEC encourages them to develop and implement a risk management program to address, among other things, potential negative comments about the financial institution that may arise in social media platforms, and to provide guidance for employee use of social media.

Comments on Proposed Guidance Welcome

The FFIEC is inviting comments on any aspect of this proposed guidance, and is specifically seeking comments in response to the following questions:

  1. Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included? 
  2. Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?
  3. Are there any technological or other impediments to financial institutions’ compliance with applicable laws, regulations, and policies when using social media of which the Agencies should be aware?

Comments must be submitted to the FFIEC by March 25, 2013.

We are available to assist you with submitting comments on the proposed guidance, and to analyze your institution’s internal social media risk and develop a comprehensive, effective social media risk management program.

The full text of the FFIEC guidance is available at