According to the Pew Research Center’s Social Media Use in 2018, 73 percent of adults in the United States use at least one type of social media, and the typical American uses three. For 18- to 29-year-olds, 80 percent use some form of social media. Given its prevalence, social media affords financial services institutions a unique opportunity to engage with consumers directly to provide information on products and services that consumers find interesting and to resolve consumer issues in real time. Forward-thinking institutions are able to effectively utilize social media as a driving force for business generation and customer retention. But social media also comes with a great deal of compliance risk for financial institutions. In 2013, the Federal Financial Institutions Examination Council (FFIEC) issued guidance highlighting some of the legal and compliance risks from social media use and requiring financial services companies to establish a “risk management program that allows [them] to identify, measure, monitor, and control the risks related to social media.” Set forth below are some items to consider when developing or updating your company’s social media risk management program.
1. Understand how your company is using or intends to use social media
Social media, like letters, emails, telephone calls, text messages, or advertisements, is merely a vehicle for interacting with consumers. While the use of social media can raise some unique issues, social media use is governed by the same laws and regulations that generally govern how financial services companies interact with consumers (e.g., ECOA, FCRA, RESPA, TILA, etc.). As a result, compliance and legal professionals should begin any risk assessment by understanding how the company uses or intends to use social media, as the company’s use of social media will drive the analysis. For example, if your company plans to use Facebook ads to introduce a new loan product, you should consider whether you have satisfied the various advertising requirements scattered across federal law and whether you have taken appropriate steps to address any fair lending concerns.
2. Remember that each social media platform is unique
Social media is often discussed as a broad topic, but compliance and legal professionals should not lose sight of the fact that each platform has its own unique features. For example, some social media platforms require users to attest that they are at least 13 years of age. The presence or absence of this type of assertion can impact how a company approaches compliance with the Children’s Online Privacy Protection Act (COPPA), which imposes specific obligations regarding the collection, use, and disclosure of a child’s personal information.
3. Consider compliance risks posed by social media’s unique features
Social media is a powerful tool because it allows companies to (1) engage in rich back-and-forth interactions with consumers; (2) quickly and directly communicate with significant numbers of consumers; and (3) utilize powerful data. However, the very features that make social media a powerful tool create compliance risks. For example, Facebook has recently faced allegations of discriminatory advertising based on the way it uses consumer data to target advertisements. While these allegations are directed at Facebook rather than the individual advertisers, they highlight the need to understand how social media companies use their data when advertising for your company.
4. Be mindful that you are not interacting with consumers on your platform
By using social media, your company is, by definition, choosing to interact with customers outside of its normal platform and IT environment. Therefore, many of the features that your company may take for granted (e.g., security measures that are built into your customer portal, storage protocols for company emails and letters, etc.) may not be available. As an example, the Community Reinvestment Act (CRA) requires certain depository institutions to store consumer comments related to the institution’s performance in helping to meet community needs. If your company is subject to the CRA and runs a social media site, it must consider how it will identify and store these comments.
5. Maintain a plan for addressing consumer comments and complaints
As the host of a social media site, your company often has limited control over (1) the materials posted to the site and (2) the accessibility of the site. Financial services companies must keep these facts in mind when developing risk management procedures. For example, companies must consider how they will address situations where a borrower posts personally identifiable information (e.g., an account number) to the company’s social media page. Companies must also consider how they will handle the reputational risks associated with responding, or not responding, to consumer complaints or negative comments posted to the company’s social media page.