Earlier this year, the Federal Financial Institutions Examination Council (FFIEC) issued a notice for comment on proposed social media guidelines to financial institutions. While it remains unclear when the final supervisory guidance will issue, financial institutions would be shrewd to take certain steps.
First, financial institutions should build the issues raised in the draft guidance into their risk assessment processes and enterprise-wide compliance management programs when using social media to communicate with customers. Second, the boards of directors of financial institutions also must ensure that qualified management is in place to monitor changes in both an institution’s social media delivery channels and content thereon.
In January 2013, the FFIEC issued the “Social Media: Consumer Compliance Risk Management Guidance” (“the Guidance”) specifically to banks, savings associations, and credit unions, as well as to nonbank entities supervised by the Consumer Financial Protection Bureau. The Guidance does not impose additional obligations, but rather is intended to better inform financial institutions of potential consumer compliance, legal, reputation, and operational risks, as well as the expectations for managing those risks.
It is unknown when the final supervisory guidance will be issued. Comments were due by March 25, 2013, and many dozens of comments were submitted, including some after that deadline. Some requested clarification regarding employee use of social media and advertising regulations. For example, a few commenters suggested the “One Click Rule,” wherein required disclosures would be “one click” away, and a “practicality” exception to the requirements of including the official advertising statement of FDIC or NCUA membership. Several critiqued the Guidance as overly broad and burdensome, particularly with its expectations for financial institutions, including those not active in social media, to monitor communications on other parties’ social media sites.
Below we will discuss some of the key issues raised by the draft Guidance.
Compliance Risk Management Expectations for Social Media
The Guidance advises financial institutions to maintain risk management programs to identify, measure, monitor, and control risks related to social media. Such a program should include:
- A governance structure with clear roles and responsibilities for the board of directors or senior management to direct how social media will contribute to the strategic goals of the institution (for example, through increasing brand awareness, product advertising, or researching new customer bases) and establish controls and ongoing assessment of risk in social media activities;
- Policies and procedures on the use and monitoring of social media and compliance with all applicable consumer protection laws, regulations, and guidance, which should incorporate methodologies to address risks from online postings, edits, replies, and retention;
- A due diligence process for selecting and managing third-party service provider relationships in connection with social media;
- An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities;
- An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;
- Audit and compliance functions to ensure compliance with internal policies and all applicable laws, regulations, and guidance; and
- Parameters for reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the social media program’s effectiveness, including in achieving its stated objectives.
The Guidance addresses three risk areas: compliance and legal, reputation, and operational.
Compliance and Legal Risks
Each financial institution must ensure compliance on social media with all federal, state, and local laws, regulations, and guidance. The Guidance lists illustrative relevant laws and regulations, including those bearing on deposit and lending products (think: the Fair Housing Act and Section 5 of the Federal Trade Commission Act), payment systems (such as the Electronic Fund Transfer Act), and privacy (the CAN-SPAM Act, the Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA), and so on).
Reputation Risks
The use of social media is almost sure to raise complications regarding involvement by employees and third parties. Together with the potential for consumer complaints and inquiries, privacy concerns, brand misuse, or even fraud, the reputation risks for financial institutions are a serious concern.
To address the fraudulent use of the financial institution’s brand, such as through phishing or spoofing, the Guidance recommends using social media monitoring tools and implementing policies that allow for timely monitoring and response.
Importantly, the Guidance places the responsibility of “regularly” monitoring the information placed on social media sites upon the financial institutions, even when such functions are contracted out to third parties.
The Guidance also, unsurprisingly, advises financial institutions to maintain procedures that address the risk of confidential or sensitive information (e.g., account numbers) being posted on the financial institution’s social media page or site.
Financial institutions, moreover, should have policies that address employee participation in social media.
The Guidance advises financial institutions to have monitoring procedures in place, such as using monitoring software, to ensure that inquiries, complaints, or comments are timely and appropriately addressed. Most other industries that have developed social media guidelines have not highlighted the importance of this practice. Yet, with respect to financial institutions, in addition to the reputation risks, serious compliance issues are implicated when a customer uses social media to initiate a dispute, whether “an error dispute under Regulation E, a billing error under Regulation Z, or a direct dispute about information furnished to a consumer reporting agency” under the Fair Credit Reporting Act and its implementing regulations.
Operational Risks
The Guidance defines operational risk as “the risk of loss resulting from inadequate or failed processes, people, or systems,” including the risks posed by the use of information technology. Particularly, the Guidance advises financial institutions to ensure that their controls and procedures to thwart and respond to IT security risks—e.g., malicious software, a data breach, or an account hack—address social media.