Last year, the Federal Financial Institutions Examination Council (FFIEC) gift-wrapped an early Christmas present for its members, releasing its final guidance on the risks and legal pitfalls associated with banks, savings associations, credit unions, and nonbank entities engaging in social media.  The guidance does not create any new legal obligations for financial institutions, but assists in identifying the many compliance and legal risks associated with social media and the FFIEC expectations for managing those risks.

The six members of the FFIEC are the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Consumer Financial Protection Bureau and the State Liaison Committee.  So, the guidance is directed toward the very broad collection of financial institutions that are regulated by these Agencies.

The guidance states that a financial institution should have a risk management program that identifies, monitors and controls risk related to social media.  It also provides a laundry list of “risk areas” associated with financial institutions engaging in social media.  This article identifies the basic components of the social media risk management program that the FFIEC expects its members to have in place and briefly summarizes each of the compliance and legal risks identified by the FFIEC.

Risk Management Program

The FFIEC expects each financial institution to create a risk management program that is designed with participation of specialists in compliance, technology, information security, legal, human resources, and marketing.  Components of this social media risk management program should include the following:

  • A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution (for example, through increasing brand awareness, product advertising, or researching new customer bases) and establish controls and ongoing assessment of risk in social media activities;
  • Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations, and incorporation of guidance as appropriate. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention;
  • A risk management process for selecting and managing third-party relationships in connection with social media;
  • An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities;
  • An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;
  • Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations, and incorporation of guidance as appropriate; and
  • Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.

Compliance and Legal Risks

The FFIEC also sets forth a number of laws and regulations that a financial institution should consider when engaging in social media.  The FFIEC expects financial institutions to take steps to make sure they comply with all of these laws and regulations, including the following:

Deposit and Lending Product Regulations

  • Truth in Savings Act: Deposit accounts may not be advertised in a way that is misleading, inaccurate or misrepresents the institution’s deposit contract.
  • Fair Lending Laws: Social media communications cannot violate fair lending laws and regulations.  Financial institutions should take steps to avoid running afoul of the Equal Credit Opportunity Act (ECOA), which prohibits discouraging certain persons from making an application, and should comply with the time frames for notifying applicants of the outcome of their applications, preserve pre-screened solicitations made through social media, and provide adverse action notices when credit is denied.
  • Truth in Lending Act: Any social media communication in which a creditor advertises credit products must comply with regulations requiring disclosures about loan terms and costs.
  • Real Estate Settlement Procedures Act (RESPA): RESPA prohibits certain activities, such as fee splitting and accepting kickbacks in exchange for referrals of settlement service business, and imposes deadlines for certain disclosures.  These requirements apply to applications taken through social media communications.
  • Fair Debt Collection Practices Act (FDCPA): Using social media to inappropriately contact consumers, or their families and friends, or to publicly disclose that a consumer owes a debt may violate the FDCPA.
  • Federal Trade Commission Act (FTC Act): Section 5 of the FTC Act prohibits unfair or deceptive acts or practices affecting commerce.  If social media is determined to have been used in an unfair or deceptive manner, the FTC may bring proceedings against the financial institution.  Separately, the Dodd-Frank Act prohibits “unfair, deceptive, or abusive” acts or practices toward consumers, so if the communication involves consumer interaction, the CFPB may also become involved.
  • Deposit Insurance or Share Insurance:  Both the FDIC and NCUA have very specific technical requirements when advertising certain products, which would apply to any advertisement on social media.  For example, advertisement of FDIC insured products must include the official advertising statement of the FDIC, usually worded, “Member FDIC.”

Payment Systems

  • Electronic Fund Transfer Act (EFTA):  If social media is used to access payment systems to which the EFTA applies, including consumer payment orders, the EFTA requires certain disclosures and error resolution procedures for individuals who engage in electronic fund transfers and remittance transfers.
  • Uniform Commercial Code (UCC):  If social media is used as a portal for authorizing electronic payment orders for non-consumers, or for payments in a check-based transaction, the transaction will be governed by the UCC.

Anti-Money Laundering Programs

  • Bank Secrecy Act (BSA):  The BSA includes a number of monitoring requirements that apply to e-banking transactions and social media communications, including the implementation of a customer identification program; implementing risk-based customer due diligence policies, procedures, and processes; understanding expected customer activity; monitoring for unusual or suspicious transactions; and maintaining records of electronic funds transfers.

Community Reinvestment Efforts

  • Community Reinvestment Act (CRA):  The CRA encourages depository institutions to help meet the credit needs of communities in low- and moderate-income neighborhoods.  There are some provisions that require communications, including social media communications, be preserved.  For example, a bank is required to maintain a file that includes all written comments received during the prior two calendar years related to the bank's performance in helping to meet community credit needs, and any response comments by the bank. 

Privacy

  • Gramm-Leach-Bliley Act (GLBA):  Among other things, the GLBA requires financial institutions to protect the nonpublic personal information of their customers.  When posting or communicating over social media, financial institutions and their employees must remember that the information being published can be accessed by the public at large, and customers’ nonpublic personal information must not be disclosed there.
  • CAN-SPAM and Telephone Consumer Protection Act (TCPA):  CAN-SPAM and the TCPA establish requirements for sending unsolicited messages to consumers, including via social media.  Financial institutions sending unsolicited messages should be familiar with these provisions in order to evaluate whether their social media activities trigger application of either or both laws.
  • Children’s Online Privacy Protection Act (COPPA):  COPPA imposes obligations on operators of commercial websites with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.  A financial institution should evaluate whether it, through its social media activities, could be covered by COPPA.
  • Fair Credit Reporting Act (FCRA):  The FCRA contains restrictions and requirements on making solicitations using eligibility information, responding to direct disputes, and collecting medical information in connection with loan eligibility.  A financial institution should make sure that any solicitations over social media do not run afoul of this law.