The Federal Financial Institutions Examination Council (“FFIEC”) has published final guidance on the applicability of federal consumer protection and compliance laws, regulations and policies to activities conducted via social media by banks and nonbank entities supervised by the CFPB. The guidance, published on December 11, 2013, and titled Social Media: Consumer Compliance Risk Management Guidance, does not impose any new requirements on financial institutions, but outlines potential consumer compliance and legal risks, and related risks such as reputation and operational risks, associated with the use of social media. The guidance also explains supervisory expectations for managing those risks.

The guidance defines social media as a form of interactive online communication in which users can generate and share content through text, images, audio and/or video. Messages sent by e-mail or text message, standing alone, are not social media for purposes of the guidance, though such communications also may be subject to some of the laws and regulations discussed in the guidance.

According to the guidance, compliance and legal risk arise from the potential for violations of laws, rules, regulations, prescribed practices, internal policies and procedures or ethical standards when using social media. For example, social media may be used to market products or originate new accounts. The federal banking agencies expect financial institutions to take steps to ensure that advertising, account origination and document retention are performed in compliance with applicable consumer protection and compliance laws and regulations, including Truth in Savings and Truth in Lending requirements, when social media is used for marketing or account origination.
Nutter Notes: The guidance recommends that each financial institution develop and implement a risk management program that allows it to identify, measure, monitor, and control the risks related to social media. Those risks include risk of harm to consumers, compliance and legal risks, operational risks and reputation risks, according to the guidance. The guidance provides that the size and complexity of a risk management program should be commensurate with the breadth of the financial institution’s use of social media. However, the guidance recommends that institutions that have chosen not to use social media should still consider the potential for negative comments or complaints that may arise on social media platforms and evaluate in the risk management context what, if any, action to take to monitor for such comments or respond to them. The guidance recommends that components of a social media risk management program should include a governance structure with clear roles and responsibilities for directors and senior management, controls and ongoing assessment of risk in social media activities, written policies and procedures regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations, and a risk management process for selecting and managing third-party relationships in connection with social media. A social media risk management program should also include employee training on work-related use of social media and defining impermissible activities, an oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a third-party vendor, and audit and compliance functions to ensure ongoing compliance with internal policies and applicable laws and regulations.