Organizations using social media are confronted with an ever increasing challenge of social media risk management. To help financial institutions identify, measure, monitor, and control such risks, the Federal Financial Institutions Examination Council (“FFIEC”) has just released proposed guidance (the “Guidance”) on the use of social media by banks, savings associations, credit unions, and nonbank entities supervised by the Consumer Financial Protection Bureau and state regulators.
The proposed policy (entitled Social Media: Consumer Compliance Risk Management Guidance) defines social media broadly to include any “form of interactive online communication in which users can generate and share content through text, images, audio, and/or video” and therefore captures micro-blogging sites such as Google Plus, Facebook, MySpace, and Twitter, photo and video sharing sites like Flickr and YouTube, professional networking sites like LinkedIn, and online forums, blogs, bulletin boards, customer review sites, virtual worlds, and online social games.
The Guidance outlines the steps financial institutions should employ to manage the risks associated with using social media platforms. The Guidance identifies the following key features of an effective social media risk management program:
- “A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution…;
- Policies and procedures…regarding the use and monitoring of social media and compliance with all applicable consumer protections laws…;
- A due diligence process for selecting and managing third-party service provider relationships in connection with social media;
- An employee training program that incorporates the institution’s policies and procedures…;
- An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;
- Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance; and
- Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management…”
Comments on the Guidance must be submitted before March 25, 2013 and may be submitted through the Federal eRulemaking Portal. Once finalized, covered entities will be expected to follow the Guidance and the FFIEC will encourage state regulators to adopt the policy as law.
In anticipation of this change, all companies – not just financial institutions – should review their policies and practices with respect to all of their interactive online communications to determine if they are consistent with the proposed policy. Although the FFIEC’s proposed Guidance, when finalized, will on its face apply only to financial institutions, it is an excellent summary of current best practices for managing social media and a clear indication of how all businesses are likely to be regulated in the future. Companies should seriously consider getting ahead of the curve.
The Guidance can be found here.