Financial institutions can begin 2014 with live tweeting, Facebook posts, or maybe some blogging, directed by the recently released guidance on social media from the Federal Financial Institutions Examination Council.
On behalf of its members – the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Consumer Financial Protection Bureau – the FFIEC released final supervisory guidance in “Social Media: Consumer Compliance Risk Management Guidance.”
The final guidance, which took effect immediately, largely tracked the original proposal released for public comment last year, offering covered entities – banks, savings associations, credit unions, and nonbank entities supervised by the CFPB – an explanation of the various federal regulations and laws applicable to social media communications.
Defining social media as “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video,” the FFIEC offered examples ranging from micro-blogging sites like Twitter and Facebook to consumer review sites like Yelp to photo and video sites like Flickr and YouTube to virtual worlds like Second Life and social games like FarmVille.
One clarification from the proposal: Messages sent via e-mail or text message, standing alone, do not constitute social media, the FFIEC said, although messages sent via a social media channel are considered social media.
With input from company-wide sources (like information security, legal, human resources, and marketing), a financial institution should establish a risk management program related to social media “commensurate with the breadth” of its involvement in social media. According to the guidance, the program should feature a governance structure with clear roles and responsibilities, along with policies and procedures regarding the use and monitoring of social media and compliance with the relevant consumer protection laws and regulations, specifically addressing how to handle the risks of online postings, edits, replies, and retention.
Other considerations include employee training (including defining the scope of permissible and impermissible social media activities), audit and compliance functions, and a process for handling third-party relationships in the context of social media.
Interaction via social media is by nature more informal and dynamic, the FFIEC noted, which presents compliance, legal, operational, and reputational risks for covered entities. For example, a financial institution that posts an advertisement on its Facebook page featuring a triggering term such as “bonus” must then satisfy the disclosure requirements found in the Truth in Savings Act, like the minimum balance required to obtain the advertised bonus.
Financial institutions should also use care not to run afoul of the Equal Credit Opportunity Act and the Fair Housing Act, the FFIEC cautioned, and avoid collecting information via social media regarding a borrower’s race, color, religion, national origin, or sex.
Attention should also be paid to the impact of the Bank Secrecy Act and Anti-Money Laundering program, particularly in the context of virtual worlds and the increasing use of Internet games to launder money.
On a bright note for financial institutions, the guidance clarified the scope of comments received from the public that must be maintained under the Community Reinvestment Act’s two-year lookback requirement. “[C]omments about the institution made on the Internet through sites that are not run by or on behalf of the institution are not necessarily deemed to have been received by the depository institution and would not be required to be retained,” the FFIEC explained. “Rather, the institution should retain comments made on sites run by or on behalf of the institution that specifically relate to the institution’s performance in helping to meet community credit needs.”
Another major area of focus for financial institutions is privacy. Laws like the Gramm-Leach-Bliley Act, the Children’s Online Privacy Protection Act, the Telephone Consumer Protection Act, the CAN-SPAM Act, and the Fair Credit Reporting Act all present varying considerations regarding notification to consumers about the collection and use of information via social media as well as appropriate contact.
Separate from legal and compliance risks, the guidance also set forth reputational risks like brand identity and fraud, a serious issue for a bank subject to a phishing or spoofing attack. An inadequate response to consumer complaints or questions on social media can also turn into a PR nightmare for a financial institution (just look at JPMorgan’s recent Twitter foray).
The guidance noted the need for covered entities to conduct the appropriate due diligence prior to working with third parties in the social media context, referencing additional tips on third-party relationships from its member agencies, including the OCC’s recently released guidance.
Why it matters: The FFIEC emphasized that the guidance did not create new duties for covered entities, but is intended to help financial institutions make their way through the ever-expanding world of social media. The guidance also emphasized that because the scope of involvement on social media varies by financial institution, entities must conduct an individualized risk analysis. “Each institution is responsible for carrying out an appropriate risk assessment and maintaining a risk management program that is appropriate and tailored to the particular institution’s size, activities, and risk profile,” the FFIEC explained, specifically disclaiming a “one size fits all” approach. “The revised guidance clarifies and points to the longstanding principle that financial institutions are expected to assess and manage the risks particular to the individual institution, taking into account factors such as the institution’s size, complexity, activities, and third party relationships.” Financial institutions would be well served to familiarize themselves with the document and, if they haven’t already, establish relevant policies and procedures for the social media ecosystem.