Effective Date: December 11, 2013
If there’s one thing financial institutions can’t avoid anymore, it’s social media. Whether you’ve hopped on the bandwagon already or you’re hoping it will pass you by unnoticed, the FFIEC recommends the following guidance for considering the effect social media could have on your institution, for better or worse.
The Federal Financial Institutions Examination Council (FFIEC) has finalized its supervisory guidance on the application of consumer compliance regulations and risk management to the use of social media as a delivery channel. Financial institutions’ growing use of social media can raise compliance, legal, operational, and reputation risk, and can also increase the risk of harm to consumers if the financial institution exercises poor oversight of its social media program. Financial institutions (FIs) are expected to use this guidance to ensure that their policies and procedures identify appropriate oversight and controls, including the performance of risk assessments that are commensurate with the institution’s size, complexity, activities, and third-party relationships.
Social media is defined as a form of interactive online communication in which users can generate and share content. Social media can take a number of forms from micro-blogging sites—such as Facebook, Google Plus, MySpace, and Twitter—to forums, blogs, customer review websites like Yelp, bulletin boards, photo and video sites like Flickr and YouTube, professional networking sites like LinkedIn, virtual worlds like Second Life, and social games, such as FarmVille and CityVille. This guidance does not include stand-alone messages sent by email or text message in its definition of social media.
Social Media Risk Management Program
FIs should adopt an appropriate risk management program, based on a risk assessment of their use of social media, that allows the institution to identify, measure, monitor, and control the risks associated with social media. Even if your institution does not use social media, you should consider the negative comments and complaints that could arise on social media platforms, which the institution may still need to monitor and respond to.
The social media risk management program should include participation from the institution’s compliance, technology, information security, legal, human resources, and marketing staff. The guidance recommends that the risk management program include:
- Clear roles and responsibilities through which the Board and/or senior management direct how social media contributes to strategic goals and establish controls and ongoing assessments of social media activities;
- Policies and procedures that address the use and monitoring of social media and the methodologies that will be used to address risks from online postings, edits, replies, and retention;
- A process for selecting and managing third-party relationships in connection with social media;
- An employee training program on the official, work-related use of social media that includes impermissible activities;
- Audit and compliance functions to ensure ongoing compliance with internal policies and procedures, as well as all applicable laws, regulations, and guidance; and
- Parameters for providing appropriate reporting so that the Board and/or senior management can periodically evaluate the effectiveness of the social media program.
Compliance and Legal Risk
Compliance and legal risks arise from nonconformance with existing laws and regulations that govern certain aspects of social media use. The following is a list of such laws and regulations:
- Truth in Savings Act, Regulation DD and Part 707: Disclosures about fees, annual percentage yields, interest or dividend rates, bonuses and other terms that must be included in advertisements and new account disclosures;
- Fair Lending Laws (Equal Credit Opportunity Act and Fair Housing Act): Prescreened solicitations, advertisements, adverse action, the collection of certain information, and the use of required logos;
- Truth in Lending Act, Regulation Z: Advertisements, loan and credit card application disclosures and error resolution procedures;
- Real Estate Settlement Procedures Act (RESPA), Section 8: Prohibitions against certain mortgage activities, such as referral payments and fee splitting;
- Fair Debt Collection Practices Act: Debt collection activities by a party that is not collecting its own debts or is collecting its debt under another name;
- Unfair, Deceptive, or Abusive Acts or Practices: Advertisements or other practices conducted through social media;
- Deposit Insurance or Share Insurance Requirements: Advertisements, or other activities, including ads for nondeposit investment products;
- Electronic Fund Transfers Act, Regulation E: Specific disclosures and error resolution rules;
- Expedited Funds Availability Act and applicable State UCC: Check transactions;
- Bank Secrecy Act and AML Programs: Monitoring of account activity, independent testing requirements, and recordkeeping;
- Community Reinvestment Act (if applicable): Retention of written public comments and responses;
- CAN-SPAM and the Telephone Consumer Protection Act: Unsolicited communications with customers/members;
- Children’s Online Privacy Protection Act: If information on children under the age of 13 is being collected, used, or disclosed; and
- Fair Credit Reporting Act: Solicitations, responding to disputes and the collection of medical information.
The guidance addresses a number of issues in reference to the harm that can arise from negative public opinion.
Fraud and Brand Identity
Protecting your brand identity in the social media context can be challenging in light of negative comments made by social media users, spoofs of your institution’s communications, and other activities in which a fraudster masquerades as your institution. The guidance recommends that financial institutions use social media monitoring tools and incorporate the use of these tools and the required response into written policies and procedures.
Third Party Concerns
As financial institutions may use third parties to provide their social media service, the guidance makes clear that monitoring these sites should be a direct responsibility of the financial institution, since consumers using the sites are likely to blame the financial institution for any problems or issues they incur. However, the financial institution’s ability to monitor the sites may vary depending on the particular site and the contractual arrangement with the third party. Thus, financial institutions are advised to perform appropriate due diligence, including looking at the third party’s reputation in the marketplace, its policies and procedures on the collection and handling of consumer information, and the controls, if any, that the financial institution may have over the third party’s policies or actions.
The guidance recommends that financial institutions have procedures that address situations where confidential or sensitive information, such as account numbers, is posted on the institution’s social media page or site.
Consumer Complaints and Inquiries
A financial institution could expose itself to reputation risk if it does not respond to consumer complaints in a timely and appropriate manner or if users post inaccurate information. In addition, users may use social media channels to initiate disputes that trigger the billing error procedures under Regulation E, Regulation Z, or the Fair Credit Reporting Act. While the guidance does not expect that financial institutions will monitor and respond to all Internet communications, the institution should determine an appropriate approach to monitoring and responding to such communications based on its own risk assessment. For example, an appropriate step might be to establish a specific communication channel for consumers to use to submit complaints or disputes.
Employee Use of Social Media
Employees should receive training on their participation in social media that represents the financial institution. The training should include the steps to be taken to ensure that consumers receive all required disclosures. The financial institution should have all policies and training related to employment law principles reviewed by appropriate counsel.
The guidance offers several resources for financial institutions to review in order to better understand and evaluate the operational risks posed by social media. These resources include the “FFIEC Information Technology Examination Handbook” and the FFIEC booklet “Outsourcing Technology Services”. The guidance also points out that social media platforms are vulnerable to account takeovers and the distribution of malware, which means that financial institutions should ensure that the safeguards they have in place for other platforms cover social media as well.
Although social media introduces myriad new procedures, regulations, and training that financial institutions did not have to consider before this era, the FFIEC’s new guidance illustrates that there are many new avenues for FIs to reach consumers and for consumers to reach FIs that can be harnessed as a great strength, or left unregulated as a potential risk.