The Federal Financial Institutions Examination Council (FFIEC) is seeking feedback on proposed guidance to help financial institutions manage the risks of interacting with consumers through social media. The FFIEC, which comprises several financial regulatory agencies, published a notice in the Federal Register on January 23, 2013, seeking comments within 60 days.
One of the trickiest aspects of providing social media guidance is making sure that the definition of "social media" is broad enough to encompass the variety of ways in which consumers interact, but limited enough to not include e-mails, texts, or other types of communication. The FFIEC explained that social media is a "form of interactive online communication in which users can generate and share content through text, images, audio, and/or video" and that "[s]ocial media can be distinguished from other online media in that the communication tends to be more interactive." The FFIEC mentioned several examples of social media, including Facebook, Yelp, and LinkedIn, as well as virtual worlds such as Second Life and social games such as FarmVille.
The FFIEC said its proposal is needed to assist financial institutions in controlling risks presented by social media, specifically those resulting from interactions that are informal and occur in a less secure environment, as well as the risks of social media campaigns that may not receive the care and attention of a traditional advertising campaign. In addition, the FFIEC acknowledged that financial institutions using social media have the potential to improve market efficiency due to the broader distribution of information among consumers.
In designing an adequate risk management program for social media, the FFIEC noted that the program needs the involvement of several departments of an institution—compliance, technology, information security, legal, human resources, and marketing (as well as public relations, not mentioned by the FFIEC). Specifically, the risk management program should include:
- Establishing a governance structure that includes individuals from each department with enough seniority to ensure that social media use aligns with the financial institution's strategic goals
- Developing or updating policies and procedures to address social media, especially concerning consumer protection laws, regulations, and guidance
- Establishing due diligence processes for managing third-party providers of social media programs
- Training employees in appropriate use of social media, on and off the job
- Monitoring information posted to proprietary social media sites
- Protecting against reputational harm
- Incorporating social media into regular compliance and audit protocols as well as in reports to the board of directors or senior management
The proposed guidance discusses several consumer financial regulations and highlights sections of the regulations that require special consideration in the context of social media. For more details on specific regulatory language that applies, please refer to this chart. The basic rule of thumb, however, is that social media use by financial institutions should comply with all of the same requirements—disclosures, timing of responses, privacy, etc.—that the financial institution applies to any advertising, consumer application, or transaction it allows online.