Last week, the Federal Financial Institutions Examination Council (“FFIEC”) issued proposed risk management guidance regarding the use of social media by financial institutions, including banks, credit unions, and non-bank entities supervised by the Consumer Financial Protection Bureau (CFPB). The proposed guidance calls on these institutions to develop and maintain risk management programs to identify, measure, monitor, and control the risks of social media. The proposed guidance, according to the FFIEC, is intended to help financial institutions identify, oversee, and manage the potential risk associated with the use of social media to attract and interact with customers. The guidance is also intended to assist these institutions in addressing the applicability of existing federal consumer protection laws and regulations that may be implicated by the use of social media.

The proposed guidance broadly defines social media as “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video” and suggests that financial institutions customize and maintain a risk management program that allows the institution to identify, measure, monitor, and control the risks of social media based on the institution’s use of social media. The FFIEC, however, warns that even financial institutions that do not engage in social media should be prepared to address the potential impact of negative comments or complaints that surface through social media platforms. The proposed risk management program should include the following components:

  1. a governance structure with clear roles and responsibilities for senior management to direct the use of social media to contribute to the strategic goals of the institution, and to establish controls and ongoing assessment of risk;
  2. policies and procedures regarding the use and monitoring of social media and compliance with federal consumer protection laws, regulations, and guidance, including methodologies to address risks from online postings, edits, replies, and retention;
  3. a due diligence process for selecting and managing third party providers;
  4. an employee training program for the institution’s policies and procedures, work-related use of social media, and other uses of social media, including prohibited activities;
  5. an oversight process for monitoring information posted on proprietary social media sites;
  6. audit and compliance functions to ensure ongoing compliance with internal policies and applicable laws; and
  7. parameters for providing appropriate reporting to senior management that enable periodic evaluation of the effectiveness of the social media program.

In its guidance, the FFIEC identified areas of potential risk for financial institutions, including compliance with the Truth in Savings Act/Regulation DD and Part 707, the Equal Credit Opportunity Act/Regulation B, the Fair Housing Act, the Truth in Lending Act/Regulation Z, the Real Estate Settlement Procedures Act, the Fair Debt Collection Practices Act, and issues related to deposit insurance. The proposed guidance also highlights risk and compliance issues related to the use of social media to facilitate a consumer’s use of payment systems, including compliance with the Electronic Fund Transfer Act/Regulation E and rules applicable to checks, such as Article 4 of the Uniform Commercial Code and the Expedited Funds Availability Act/Regulation CC. The FFIEC also discusses risk associated with the Bank Secrecy Act/Anti-Money Laundering Programs, the Community Reinvestment Act, and privacy concerns under the Gramm-Leach-Bliley Act.

The guidance also addresses social media and the effect it can have on an institution’s reputation through negative public opinion. The FFIEC emphasizes the importance of brand identity and how financial institutions need to instill appropriate policies to monitor and address the fraudulent use of the institution’s brand through phishing and spoofing activity. In addition, the guidance addresses the risk associated with failing to properly monitor third-party providers of social media platforms and privacy concerns. Further, it discusses the challenges associated with using social media as a means for consumers to post complaints or initiate disputes, and other problems associated with employees’ use of social media sites.

The FFIEC is requesting that public comment on the proposed guidance be submitted by March 25, 2013. In addition to general comments, the FFIEC is requesting comments on the following questions:

  1. Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?
  2. Are there other consumer protection laws, regulations, policies, or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?
  3. Are there any technological or other impediments to financial institutions’ compliance with otherwise applicable laws, regulations, and policies when using social media of which the regulators and other banking agencies should be aware?

Any comments can be submitted by visiting the Federal eRulemaking Portal.