On December 17, 2013, the Federal Financial Institutions Examination Council (“FFIEC” or “Council”) published in the Federal Register its final guidance (the “guidance” or “final guidance”), which describes the risks social media activities may pose to financial institutions and provides guidance on how risk management programs should address such concerns.1 Although the guidance addresses how federal consumer protection laws apply to a financial institution’s social media activities, it expressly states that it does not impose any new requirements on, and is not intended to discourage, the use of social media by financial institutions. The guidance, which is effective immediately, is largely the same as the proposed guidance of January 2013 (78 Fed. Reg. 4848 (Jan. 23, 2013)) (the “proposed guidance”),2 with certain provisions clarified, as discussed in detail below.
Social Media Risk Management
Under the guidance, financial institutions are advised to ensure their risk management programs address the risks presented by social media activities. The guidance defines social media as interactive online communication where users generate and share content through text, images, audio and/or video. In response to concerns of commenters, the guidance clarifies that while this definition includes messages sent through social media platforms, it does not include traditional emails or text messages, but financial institutions are asked to consider how laws and regulations discussed in the guidance may apply to such communications. The guidance’s definition of social media is meant to be illustrative, rather than exhaustive, and financial institutions are encouraged to consider new forms of social media that may emerge as technology evolves.
Rather than requiring a unified approach to risk management among institutions, the guidance points to the “longstanding principle” that financial institutions should take into account size, complexity, activities and third-party relationships when implementing a risk management program that identifies, measures, monitors and controls social media risks. Consumer financial protection laws and regulations listed by the guidance that may be applicable to social media activities, such as the taking of applications via social media, include the Truth in Lending Act/Regulation Z, the Telephone Consumer Protection Act and the Controlling the Assault of Non-Solicited Pornography and Marketing Act.
Third-Party Risk Management
In response to commenters, the guidance clarifies the FFIEC’s expectations for third-party risk management, including those parties with which the financial institution “does not have a traditional vendor relationship,” presumably a reference to unaffiliated social media platforms such as Facebook or Twitter. The guidance advises financial institutions to conduct evaluations and perform due diligence prior to engaging with such third parties to understand the risks that third parties might pose. Such due diligence should include learning about the third party’s reputation in the marketplace and its policies, including those related to collection and handling of consumer information. Additionally, an institution should be aware of the process by which such policies may be modified and whether the institution may have any control over the third party’s policies or actions.
Complaints and Reputational Risk
The guidance addresses how financial institutions should monitor reputational risks related to consumer complaints and other communications on websites other than their own. In response to some commenters’ concerns that the proposed guidance suggested that financial institutions had a responsibility to monitor for and respond to complaints across the internet, the guidance clarifies that institutions are not expected to conduct such monitoring and should instead weigh the risks to determine the appropriate approach for monitoring and responding to internet comments.
One such approach, consistent with other applicable legal requirements, is for a financial institution to establish channels for consumers to submit communications directly to the institution. Depending on its size and risk profile, a financial institution might also consider monitoring negative comments on the internet, including by monitoring forums on social media sites, to ensure that communications are reviewed and, when appropriate, addressed in a timely manner. Regardless of the approach it takes, a financial institution should consider the impact on its reputation if it chooses not to respond to complaints that were not received through a specified channel or if it responds to customers selectively.
Relatedly, the guidance clarifies that depository institutions subject to the Community Reinvestment Act (the “CRA”)3 are expected to retain comments on the institution’s performance in helping meet a community’s credit needs (and the institution’s responses) only when they are received on sites run by or on behalf of the institution, including social media sites.
Employee Use of Social Media
The guidance also clarifies that an employee’s official use of social media may subject the financial institution to compliance, operational and reputational risks. To address this, the final guidance suggests that financial institutions implement policies and training to address employee participation in social media when representing the institution. For example, this may include requiring employees to provide appropriate disclosures when communicating with a customer about a loan product through social media. The guidance expressly states that it “is not intended to impose specific requirements” regarding employees’ personal use of social media.