On January 22, 2013, the Federal Financial Institutions Examination Council (FFIEC) released proposed guidance regarding the use of social media by federally regulated financial institutions. Our Financial Institutions Practice Group issued a Client Alert on the FFIEC guidance on January 25th, additional copies of which are available at our web site or upon request from any attorney identified to the left on this page. The significant role that social media will play in furthering the delivery of products and services to the financial institutions sector cannot be minimized, and is one of the reasons for the issuance of early guidance from the FFIEC. Our Financial Institutions Practice Group is working with clients on the development of programs, policies and best practices. We intend to continue to forward to our clients and friends Client Alerts on matters we believe will be of interest as this important area evolves and as we move toward the promulgation of actual regulatory requirements. Based on conversations we have had to date with industry executives and social media specialists, we are able to share a variety of thoughts and reactions regarding (i) the effects of the guidelines on various uses of social media, (ii) risk management considerations and (iii) emerging best practices.
Effects of the Guidelines on Various Uses of Social Media
Marketing: Marketing through social media platforms is treated as written advertising, and is subject to compliance with traditional advertising law. When posts, content or forums are being used for marketing purposes, institutions should make this point clear. Use of consumer testimonials collected through social media channels should be treated the same as any consumer testimonials, meaning they may not be used without permission from the consumer and may not be used out of context in a way that could be misleading. User-generated content contests are subject to specific sweepstakes and advertising laws.
Customer Service: A best practice for customer service through social media platforms is to use social media as a vehicle for identifying customers with problems, then to direct them to existing, more formal channels for service rather than attempting to service needs through social media outlets themselves. Institutions should be aware of the way different social media sites protect private information, and warn customers not to provide personal information through channels that would make it publicly available.
Encouraging Customer Dialogue: Institutions should have clear and publicized policies about how they will edit content on social media sites that invite participation. Editing out negative comments can lead to liability, because the institution, as an “editor” of the content, becomes responsible for the veracity of the content that is left. Editing out profanity, threats or off-topic comments will not lead to this kind of liability, as long as standards are made clear. Institutions should also clearly identify when the company itself is participating in the dialogue.
Public Relations: Information provided through social media outlets should be treated like any other press release, and is subject to commercial speech standards and rules regarding forward-looking statements. When space is limited, as in Twitter posts, a one-click rule applies such that full disclosures need not be provided in the post if a link is provided that will take a viewer to a screen on which the full disclosures are provided.
Risk Management Considerations
FFIEC guidance notes that social media tends to be an informal and less secure environment, which leads to increased risk, including reputational risk. Best practices for addressing this risk include creating a social media governance team made up of individuals from each department who have enough seniority to ensure social media usage aligns with the institution’s strategic goals, and creating and training all levels of employees on clear policies governing the use of social media. It is important that institutions be complete and comprehensive in communicating to their customer base and employees what the institution’s social media presence will be, and in communicating to employees what is and is not acceptable in terms of personal use of social media.
Advertising: Any promotional messages published through social media outlets are treated as written advertisements. Institutions should be particularly aware of the audience targeted by social media platforms and consider who is likely to respond and how they are likely to understand the messages conveyed. Unfair, Deceptive or Abusive Acts and Practices (UDAAP) rules apply to information shared by institutions through social media.
Fair Lending: Institutions should have clear policies for review and approval of all marketing messages, including those published through social media, and should be aware of selective messaging and any potential that information may be misleading. Institutions should be aware of the likelihood that marketing efforts through social media platforms are targeted at a particular segment of the institution’s consumer population, and behave accordingly.
Information Security and Fraud: The sense of familiarity associated with social media communications can lead consumers and institutions to let their guard down. Institutions should be proactive about warning customers that information posted on social media sites is available to the public at large. It is best practice to continually track the information privacy practices of third-party social media sites actively used by an institution.
Customer Complaints: Institutions should have a formalized procedure or mechanism (not just guidelines) in place for responding to all complaints, including those received through social media channels. Best practice is to use this procedure to respond to even those complaints posted to the public at large rather than directed to the institution. Particular attention should be paid to any Community Reinvestment Act (CRA) or fair lending-related complaint, and such complaints and responses should be documented and retained.
Archiving: Institutions do not need to track and archive every communication made through social media channels. Information about an individual customer should be retained, which is why it is helpful to push customers into existing channels that are documented and over which the institution has control. It is also important to document and retain communications if the institution uses them for any purpose, such as testimonials used for marketing or other types of information collection. There is no record retention requirement specific to social media, but social media use is subject to rules for advertising, etc.
Employee Manual for Social Media Compliance
Best practice is to create a comprehensive employee manual for social media compliance, addressing both personal and professional use of social media by employees. Suggested sections include: Your Identity Online; Creating and Managing Content; Leaving Comments; Confidentiality and Privacy; Potential Conflicts and Red Flags; and Building Your Virtual Footprint and Your Network.
Important takeaways for employees include:
Your social media activity is trackable and traceable;
Never use the company name or any other name associated with the company on a blog post unless you have written permission to do so;
Never post about the company anonymously. Be transparent, use your name and make clear your affiliation with the company; and
Never make false or misleading statements.
We are available to analyze your institution’s internal social media risk and to help develop a comprehensive, effective social media risk management program.
Full disclosures should be on the screen when the link is opened, and should not be at the bottom of a page where a party would have to scroll down to see them. Each post should include its own one-click disclosures.