The Federal Financial Institutions Examination Council (FFIEC) is seeking feedback on proposed guidance to help financial institutions manage the risks of interacting with consumers through social media. The FFIEC, which comprises several financial regulatory agencies, published a notice in the Federal Register on January 23, 2013, seeking comments within 60 days.
One of the trickiest aspects of providing social media guidance is making sure that the definition of "social media" is broad enough to encompass the variety of ways in which consumers interact, but limited enough to not include e-mails, texts, or other types of communication. The FFIEC explained that social media is a "form of interactive online communication in which users can generate and share content through text, images, audio, and/or video" and that "[s]ocial media can be distinguished from other online media in that the communication tends to be more interactive." The FFIEC mentioned several examples of social media, including Facebook, Yelp, and LinkedIn, as well as virtual worlds such as Second Life and social games such as FarmVille.
The FFIEC said its proposal is needed to assist financial institutions in controlling risks presented by social media, specifically those resulting from interactions that are informal and occur in a less secure environment, as well as the risks of social media campaigns that may not receive the care and attention of a traditional advertising campaign. In addition, the FFIEC acknowledged that financial institutions using social media have the potential to improve market efficiency due to the broader distribution of information among consumers.
In designing an adequate risk management program for social media, the FFIEC noted that the program needs the involvement of several departments of an institution—compliance, technology, information security, legal, human resources, and marketing (as well as public relations, not mentioned by the FFIEC). Specifically, the risk management program should include:
Having governance that incorporates individuals from each department who have enough seniority to be able to ensure social media aligns with the financial institution's strategic goals
Developing or updating policies and procedures to address social media, especially concerning consumer protection laws, regulations, and guidance
Establishing due diligence processes for managing third-party providers of social media programs
Training employees in appropriate use of social media, on and off the job
Monitoring of information posted to proprietary social media sites
Protecting against reputational harm
Incorporating social media into regular compliance and audit protocols as well as in reports to the board of directors or senior management
The proposed guidance discusses several consumer financial regulations and highlights sections of the regulations that require special consideration in the context of social media. For more details on specific regulatory language that applies, please refer to this chart. The basic rule of thumb, however, is that social media use by financial institutions should comply with all of the same requirements—disclosures, timing of responses, privacy, etc.—that the financial institution applies to any advertising, consumer application, or transaction it allows online.
Ballard Spahr attorneys are available to advise financial institutions on the use of social media to communicate with consumers to ensure compliance with consumer financial services laws, as well as related privacy laws. The firm's Consumer Financial Services Group is nationally recognized for its guidance in structuring and documenting new consumer financial services products as well as its experience with the full range of federal and state consumer credit laws.
Members of the Consumer Financial Services Group who are also part of the Privacy and Data Security Group focus on financial privacy by design—evaluating new products and services and communications channels to ensure that financial institutions are meeting their privacy and data security obligations.
For more information, please contact CFS Practice Leader Alan S. Kaplinsky at 215.864.8544 or email@example.com, CFS Practice Leader Jeremy T. Rosenblum at 215.864.8505 or firstname.lastname@example.org, John L. Culhane, Jr., at 215.864.8535 or email@example.com, Privacy and Data Security Practice Leader Mercedes Kelley Tunstall at 202.661.2221 or firstname.lastname@example.org, or Amy S. Mushahwar at 202.661.7644 or email@example.com.