On December 11, 2013, the Federal Financial Institutions Examination Council (“FFIEC”) issued final guidance entitled “Social Media: Consumer Compliance Risk Management Guidance” (the “Guidance”). Institutions supervised by the federal financial regulatory agencies are expected to use the Guidance in developing and implementing the risk management policies and practices to manage and control risks associated with social media. The Guidance does three primary things: (1) it defines “social media;” (2) it sets the expectation that institutions will develop and implement a social media risk management plan and defines the minimum contents of such a plan; and (3) it identifies possible risks associated with social media use by financial institutions and suggests ways that financial institutions could manage such risks.
The Guidance states that it does not impose any new obligations on financial institutions, but rather is intended to help financial institutions understand how existing laws and regulations apply in the context of social media platforms. Specifically, the FFIEC suggests that the Guidance is intended to help institutions identify potential risk areas associated with their use of social media and understand their obligations to manage such risks, and to clarify that existing consumer protection and compliance laws apply to activities conducted through social media as they would to activities conducted through other channels. However, institutions should pay particular attention to the section of the Guidance on “Reputation Risks,” which raises a number of issues not previously explored by the agencies and has the potential to create significant new burdens.
Although the FFIEC received 81 comments on proposed guidance that was issued on the same topic in January 2013, the FFIEC describes the final Guidance as being “substantially as proposed.” Nonetheless, the final Guidance includes several clarifications, including that it does not require a “one-size-fits-all” approach to compliance and risk management responsibilities, but rather that each financial institution should evaluate and manage its particular risks, considering the institution’s size, complexity, activities and third party relationships. The final Guidance also makes clarifications regarding the definition of social media, the risks associated with third party relationships, the monitoring of communications on the Internet about an institution, and employees’ personal use of social media, each of which is discussed in the applicable section below.
Financial institutions that are subject to the Guidance should review current and expected social media activities and their existing risk management policies and procedures and other relevant policies in light of the Guidance. The text of the Guidance can be found online.
Social Media Definition
The Guidance defines social media as “a form of interactive online communication in which users can generate and share content through text, images, audio and/or video.” The Guidance distinguishes social media from other online media by stating that social media “tends to be more interactive.” The Guidance specifically identifies several forms of media that would be considered social media under this definition: micro-blogging sites, forums, blogs, customer review websites, bulletin boards, photo and video sites, professional networking sites, virtual worlds and social games. The Guidance also identifies, by name, specific examples that are considered social media under this definition: Facebook, Google Plus, MySpace, Twitter, Yelp, Flickr, YouTube, LinkedIn, Second Life, FarmVille and CityVille.
The final Guidance states specifically that messages sent by traditional email or text messages do not, standing alone, constitute social media. However, messages sent through social media channels are subject to the Guidance. The Guidance also notes that, given the dynamic and evolving technology of social media, the examples of social media included in the Guidance are illustrative and not exhaustive, and that other forms of social media may emerge in the future that institutions should also consider. (Indeed, the examples are notable for their omission of some of the most popular social media services at the time of publication, such as Pinterest, Tumblr and Instagram.)
Risk Management Program Expectations
The Guidance sets the expectation that a financial institution should have a risk management program in place to identify, measure, monitor and control risks related to social media, commensurate in size and complexity with the level of the institution’s involvement in social media. Under the Guidance, even a financial institution that does not actively utilize social media is expected to have a risk management program in place to address employee use of social media and is expected to consider what, “if any,” actions it will take to monitor and/or address comments or complaints that arise on social media platforms. Compliance, technology, information security, legal, human resources and marketing specialists would be expected to be involved in the development of a financial institution’s social media risk management program.
Under the Guidance, a financial institution’s social media risk management program is expected to include, at a minimum, the following:
- A governance structure that clearly identifies roles and responsibilities, with the board of directors or senior management directing how social media contributes to the institution’s strategic goals, and establishing controls and ongoing risk assessment;
- Policies and procedures for the use and monitoring of social media and compliance with applicable laws and incorporating the Guidance, including methodologies to address risks from online postings, edits, replies and retention;
- A risk management process for selecting and managing third party service provider relationships regarding social media;
- An employee training program incorporating policies and procedures for official, work-related use of social media (and potentially other uses) and defining impermissible activities;
- An oversight process for monitoring information posted to proprietary social media sites administered by or on behalf of the institution;
- Audit and compliance functions to ensure compliance with the institution’s policies, laws and the Guidance; and
- Parameters for reporting effectiveness of the social media program to the institution’s board or senior management.
Risk Areas Identified
The Guidance identifies several potential risks for financial institutions to evaluate in connection with development and implementation of their social media risk management programs and identifies possible ways of managing such risks. These potential risks are grouped into three general categories: compliance and legal risks, reputation risks and operational risks.
Compliance and Legal Risks
The Guidance describes compliance and legal risks as the possibility of enforcement actions and/or civil lawsuits arising out of a financial institution’s use of social media. The Guidance indicates that these risks can arise from the failure to adequately address the potential for violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies and procedures and ethical standards applicable to social media use or the failure to keep pace with industry changes. In addition, the broad distribution of information through social media opens the door for the possibility of claims of defamation and libel. The FFIEC notes that consumer financial protection laws do not provide exemptions where social media is used, and accordingly, such laws would apply regardless of whether the supervised activity is taken in a social media context. The Guidance then provides an extensive, but non-exclusive, list of existing laws and regulations that may apply to particular types of financial products and services in the social media context, in the categories of Deposit and Lending Products, Payment Systems, Community Reinvestment Act, and Privacy. Of particular note in this regard are references, unchanged from the proposal, in the discussions of Truth in Savings and Truth in Lending to the ability of a financial institution to provide required disclosures through suitably clear and conspicuous links to other pages or documents. Moreover, in a change from the proposal, the Guidance specifically clarifies that “under the [Community Reinvestment Act], comments about the institution made on the Internet through sites that are not run by or on behalf of the institution are not necessarily deemed to have been received by the depository institution and would not be retained.”
Reputation Risks
The Guidance cautions financial institutions to be aware of, and properly manage the potential for, reputation risk arising from negative public opinion in connection with the use of social media. In particular, the Guidance identifies the following reputation risks that may arise in connection with social media use and suggests possible methods of minimizing such risks. As noted at the outset, the directive to manage these risks may create new obligations for financial institutions, as a topic that has historically been considered a “business” risk becomes transformed into a “compliance” issue.
- Fraud and Brand Identity Risks—The Guidance recommends that financial institutions consider using social media monitoring tools and methods to identify and respond to reputation risks that may arise in the context of social media, such as negative comments made by other social media users, spoofs and fraudsters. Further, an institution’s policies and procedures should include monitoring and procedures for timely addressing fraudulent use of the institution’s brand. Although the Guidance clearly contemplates a “risk-based” approach to this type of issue, it provides little detail as to considerations for addressing these risks. For example, the steps that are appropriate for a community bank with only a local presence may be very different from the tools that may be needed to protect a national or even global brand, but the Guidance does not offer suggestions as to the appropriate balance in such circumstances.
- Third Party Risks—The Guidance states that use and monitoring of an institution’s social media site is a direct responsibility of a financial institution, even if the functions are delegated to a third party. Even when the social media site is owned and maintained by a third party, the Guidance cautions financial institutions to consider their ability to control content on the third party site before using a third party to conduct social media activities. Further, the final Guidance requires that a financial institution conduct an evaluation and perform due diligence appropriate to the risks posed by a prospective service provider before engaging the service provider, considering such factors as the third party’s reputation in the marketplace, the third party’s policies (including policies on collection and handling of consumer information), the process and frequency by which the third party’s policies change and what control, if any, the institution would have over the third party’s policies or actions.
- Privacy Risks—The Guidance provides that a financial institution should have procedures in place to address risks from other social media users posting confidential or sensitive information on a financial institution’s social media site or page.
- Consumer Complaints and Inquiry Risks—The Guidance states that a financial institution should have monitoring procedures in place to address statements or complaints posted on social media sites. This would include procedures to address any errors or disputes that a customer attempts to raise via social media to which the financial institution must respond under applicable law, such as errors under Regulation E or Regulation Z or disputes under the Fair Credit Reporting Act. A financial institution should also consider how and when to address disparaging comments made about the institution in the social media context. The final Guidance clarifies that financial institutions are not required to monitor and respond to all Internet communications, but are expected to consider the results of their own risk assessments in determining an appropriate approach to take regarding the monitoring of, and response to, such communications. The final Guidance suggests that one appropriate step would be to establish one or more specific channels that consumers must use when submitting complaints or disputes to the institution, to the extent consistent with the institution’s other legal requirements. The Guidance further states, however, that an institution should consider the risks, especially the reputation risk, of not responding to complaints and disputes received through other channels, and tailor its policies and procedures accordingly. One approach to managing these risks, the Guidance suggests, would be to monitor question and complaint forums on social media sites to ensure that complaints and comments are reviewed and, when appropriate, addressed in a timely manner.
- Employee Use of Social Media Risks—The Guidance states that a financial institution should take steps to address employee use of social media, such as establishing policies and training to address employee participation in social media representing the institution. The Guidance does not, however, explore the circumstances under which employee statements may be attributed to an institution or even be subject to various substantive restrictions on “advertisements.” The Guidance cautions that an institution’s policies should be reviewed for employment law considerations. Finally, whereas the proposed guidance had expressly referred to employees’ own personal social media accounts, the final Guidance states that it is not intended to impose any specific requirements for policies or procedures regarding such personal use.
Operational Risks
The Guidance describes operational risk as the risk of loss from inadequate or failed processes, people or systems, which can arise from a financial institution’s use of information technology, including social media. The Guidance refers subject financial institutions to other FFIEC and federal financial institution agency information technology publications that address operational risk. Specifically, the Guidance refers to the FFIEC Information Technology Examination Handbook, highlighting the “Outsourcing Technology Services” and “Information Security” booklets in particular. The Guidance suggests that social media use makes financial institutions particularly vulnerable to malware and account takeover and indicates that social media should be incorporated into a financial institution’s security incident response procedures as appropriate.