The Federal Financial Institutions Examination Council (FFIEC) released a proposed guidance regarding the applicability of consumer protection, compliance and privacy laws to social media usage by banks, credit unions, and other covered financial institutions.
Financial institutions typically use social media in a number of ways, including marketing and brand awareness, facilitating applications for new accounts, receiving public feedback, and otherwise engaging with existing and potential customers. Since social media tends to be more informal than traditional interactions, it presents some compliance challenges to financial institutions. Although the guidance does not impose new obligations on financial institutions, it was written to help financial institutions identify the risks of social media usage and to remind them of their responsibility to manage these risks within their overall risk management programs. These risks include consumer compliance and legal risks, as well as reputation and operational risks raised by social media activities.
Risk management programs should be updated with assistance from experts in law and regulatory compliance, technology and data security, human resources, and marketing. And even if a financial institution elects not to use social media, it should still have a policy in place that addresses how to respond to unsolicited negative comments and complaints posted on online platforms and how to educate employees on social media usage.
The FFIEC guidance outlines some principal components of a successful risk management program:
A governance structure that includes clear roles and responsibilities, with senior management directing and staying abreast of how social media contributes to the strategic goals of the institution.
Policies and procedures regarding the use and monitoring of social media and compliance with all applicable laws and regulations. This would include a due diligence process for overseeing third-party service providers and monitoring procedures to ensure ongoing compliance.
A corporate social media policy for employees that includes a training program. Financial institutions should be aware that employees’ social media communications — even through personal accounts — may be viewed by the public as reflecting the financial institution’s official policies.
The FFIEC guidance also delineated some of the risks facing financial institutions that use social media:
Compliance and Legal Risks: These include risks from violations of laws, regulations, internal policies and procedures, or ethical standards.
Truth in Savings Act/Regulation DD and Part 707: Disclosure requirements designed to enable consumers to make informed decisions about deposit accounts
Fair Lending Laws: Equal Credit Opportunity Act/Regulation B and Fair Housing Act: Regulations surrounding solicitations, denials, and collection of information with regard to credit opportunities
Truth in Lending Act/Regulation Z: Regulations concerning the advertising of credit products
Real Estate Settlement Procedures Act: Regulations prohibiting certain activities regarding federally related mortgage loans
Fair Debt Collection Practices Act: Restrictions on debt collection activities
Unfair and Deceptive Practices: Prohibitions on unfair or deceptive acts, such as Section 5 of the Federal Trade Commission (FTC) Act
Deposit Insurance or Share Insurance: Requirements for advertising that references FDIC deposit insurance
Payment Systems: If social media is used to facilitate a consumer’s use of payment systems, a financial institution should ensure compliance with appropriate laws and regulations concerning disclosures to consumers and required internal controls concerning anti-money laundering rules.
Privacy: Institutions must ensure compliance with privacy laws, including, among others, the Gramm-Leach-Bliley Act Privacy Rules and Data Security Guidelines, CAN-SPAM Act, TCPA, COPPA, and the Fair Credit Reporting Act.
Reputational Risk: Financial institutions engaged in social media activities must manage the reputation risks that arise from the open communication environment inherent in social networks. Companies should have procedures to address consumer complaints or other statements that require further investigation. Moreover, protecting one's brand in a social media context can be daunting, particularly with regard to online comments, popular spoofs, and fraudulent activities such as phishing attacks. Institutions must also monitor information that any third-party social media service posts online on its behalf.
Operational Risk: A financial institution should ensure that the data security controls that protect its systems and safeguard customer information from outside attacks adequately address social media usage.