On January 22 2013 the Federal Financial Institutions Examination Council (FFIEC)(1) issued a request for comment on proposed guidance entitled "Social Media: Consumer Compliance Risk Management Guidance". Comments on the proposed guidance must be received by the FFIEC by March 25 2013. On completion, the guidance will be issued as supervisory guidance by the federal financial regulatory agencies and the State Liaison Committee of the FFIEC will also encourage state regulators to adopt the final guidance.
On finalisation of the guidance by the FFIEC, the institutions supervised by the federal financial regulatory agencies will be expected to use the guidance in developing and implementing the risk management policies and practices to manage and control risks associated with social media. If adopted, the proposed guidance would:
- define 'social media';
- set the expectation that institutions will develop and implement a social media risk management plan and define the minimum contents of such a plan; and
- identify possible risks associated with social media use by financial institutions and suggest ways that financial institutions could manage such risks.
The FFIEC's request for comment states that the guidance imposes no new obligations on financial institutions, but rather is intended to help financial institutions understand how existing laws and regulations apply in the context of social media platforms. Specifically, the FFIEC suggests that the guidance is intended to help institutions to identify potential risk areas associated with their use of social media and to understand their obligations to manage such risks. However, institutions should pay particular attention to the section of the guidance on reputational risks, which raises a number of issues not previously explored by the agencies and has the potential to create significant new burdens. Further, the proposed guidance does not specifically address the extra-territorial scope (outside of the United States) of the proposed guidance. If interpreted expansively from a geographic perspective, the proposed guidance could pose significant challenges for covered institutions, including identifying and resolving and conflicting cross-jurisdictional regulatory conflicts and increased costs of cross-border monitoring, among others.
Financial institutions that will be subject to the guidance when it is adopted should review current and expected social media activities and the existing financial institution's risk management policies and procedures and other relevant policies in light of the proposed guidance. This review may be used to inform any comments in response to the guidance or to consider potential changes to the institution's risk management policies upon finalisation of the guidance.(2) Because the guidance, as drafted, provides little in the way of practical suggestions or actionable principles, affected institutions should consider commenting with real-world examples that could help the agencies to make the guidance more concrete and useful.
'Social media' definition
For purposes of the guidance, the FFIEC proposes to define 'social media' as "a form of interactive online communication in which users can generate and share content through text, images, audio and/or video". The guidance distinguishes social media from other online media by stating that social media "tends to be more interactive". The guidance specifically identifies several forms of media that would be considered social media under this definition: micro-blogging sites, forums, blogs, customer review websites, bulletin board, photo and video sites, professional network sites, virtual works and social games. The guidance also identifies, by name, specific examples that would be considered social media under this definition: Facebook, Google Plus, MySpace, Twitter, Yelp, Flickr, YouTube, LinkedIn, Second Life, FarmVille and CityVille.
Risk management programme expectations
The proposed guidance would set the expectation that a financial institution have a risk management programme in place to identify, measure, monitor and control risks related to social media that is commensurate in size and complexity to the level of the institution's involvement in social media. Under the proposed guidance, even a financial institution that does not actively utilise social media would be expected to have a risk management programme in place to address employee use of social media and the handling of comments or complaints that arise in social media platforms. Compliance, technology, information security, legal, human resources and marketing specialists would be expected to be involved in the development of a financial institution's social media risk management programme.
Under the proposed guidance, a financial institution's social media risk management programme would be expected to include at minimum:
- a governance structure that clearly identifies roles and responsibilities, with the board of directors or senior management directing how social media contributes to the institution's strategic goals and establishes controls and ongoing risk assessment;
- policies and procedures for the use and monitoring of social media and compliance with applicable laws and the guidance, including methodologies to address risks from online postings, edits, replies and retention;
- a due diligence process for selecting and managing third-party service provider relationships regarding social media;
- an employee training programme incorporating policies and procedures for official, work-related use of social media (and potentially other uses) and defining impermissible activities;
- a process for monitoring information posted to proprietary social media sites administered by or on behalf of the institution;
- audit and compliance functions to ensure compliance with the institution's policies, laws and the guidance; and
- parameters for reporting effectiveness of the social media programme to the institution's board or senior management.
Risk areas identified
To help financial institutions to understand potential risks, the proposed guidance identifies several potential risks for financial institutions to evaluate in connection with development and implementation of their social media risk management programmes and identifies possible ways of managing such risks. These potential risks are grouped into three general categories:
- compliance and legal risks;
- reputation risks; and
- operational risks.
The proposed guidance describes compliance and legal risks as the possibility of enforcement actions or civil lawsuits arising out of a financial institution's use of social media. The proposed guidance indicates that these risks can arise from the failure to address adequately the potential for violations of or non-conformance with laws, rules, regulations, prescribed practices, internal policies and procedures and ethical standards applicable to social media use or the failure to keep pace with the industry changes. In addition, the broad distribution of information exchanges through social media opens the door for the possibility of claims of defamation and libel. The FFIEC notes that consumer financial protection laws do not provide exemptions where social media is used, and accordingly such laws would apply regardless of whether the supervised activity is taken in the social media context. The proposed guidance then provides an extensive, but non-exclusive, list of existing laws and regulations that may apply to particular types of financial product and service in the social media context.
The proposed guidance cautions financial institutions to be aware of, and properly manage the potential for, reputational risk arising from negative public opinion in connection with social media use. In particular, the proposed guidance identifies the following reputational risks that may arise in connection with social media use and suggests possible methods of minimising such risks. As noted at the outset, the directive to manage these risks likely will create new obligations for financial institutions:
- Fraud and brand identity risks – the proposed guidance recommends that financial institutions consider using social media monitoring tools and methods to identify and respond to reputation risks that may arise in the context of social media, such as negative comments made by other social media users, spoofs and fraudsters. Further, an institution's policies and procedures should include monitoring and procedures for timely addressing fraudulent use of the institution's brand. However, the guidance provides little detail as to considerations for addressing these risks. For example, the steps that are appropriate for a community bank with only a local presence may be very different from the tools that may be needed to protect a national or even global brand.
- Third-party risks – the proposed guidance states that use and monitoring of an institution's social media site is a direct responsibility of a financial institution, even if the functions are delegated to a third party. A financial institution will not be absolved of responsibility with regard to social media compliance, even if a third party runs a social media site on behalf of an institution. Accordingly, the guidance cautions financial institutions to consider their ability to control content on a third-party site before using a third party to conduct social media activities.
- Privacy risks – the proposed guidance provides that a financial institution should have procedures in place to address risks from other social media users posting confidential or sensitive information on a financial institution's social media site or page.
- Consumer complaints and inquiry risks – the proposed guidance states that a financial institution should adopt monitoring procedures in place to address statements or complaints posted on social media sites. This would include procedures to address any errors or disputes that a customer attempts to raise via social media to which the financial institution must respond under applicable law, such as errors under Regulation E or Regulation Z or disputes under the Fair Credit Reporting Act. Since such monitoring may pose a real challenge, institutions may wish to comment regarding alternative approaches, such as clearly identifying for customers the specific channels through which regulated disputes may be initiated. A financial institution should also consider how and when to address disparaging comments made about the institution in the social media context.
- Employee use of social media risks – the proposed guidance states that a financial institution should establish policies to address employee participation in social media that implicates the institution, but cautions that such policies should be reviewed for employment considerations. For example, the guidance does not explore the circumstances under which employee statements may be attributed to an institution or even be subject to various substantive restrictions on advertisements.
The proposed guidance describes operational risk as risk of loss from inadequate or failed processes, people or systems, which can arise from a financial institution's use of information technology, including social media. The proposed guidance refers subject financial institutions to other FFIEC and federal financial institution agency information technology publications which address operational risk. Specifically, the proposed guidance refers to the FFIEC Information Technology Examination Handbook, highlighting the "Outsourcing Technology Services" and "Information Security" booklets in particular. The proposed guidance suggests that social media use makes financial institutions particularly vulnerable to malware and indicates that social media should be incorporated into a financial institution's security incident response procedures as appropriate.
For further information on this topic please contact David E Teitelbaum, James Huizinga, Joel D Feinberg or Gretchen Lamberg at Sidley Austin LLP by telephone (+1 202 736 8000), fax (+1 202 736 8711) or email (firstname.lastname@example.org, email@example.com, firstname.lastname@example.org or email@example.com).
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.
(1) The FFIEC is comprised of the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Consumer Financial Protection Bureau and the State Liaison Committee of the FFIEC.
(2) The text of the proposed guidance can be found online at www.ffiec.gov/press/Doc/FFIEC%20social%20media%20guidelines%20FR%20Notice.pdf.