On December 11, 2013, the Federal Financial Institutions Examination Council (FFIEC) released final supervisory guidance entitled "Social Media: Consumer Compliance Risk Management Guidance" (the Guidance). The Guidance became effective upon its release. The FFIEC is an interagency body composed of the following five federal regulatory agencies: the Office of the Comptroller of the Currency (OCC); the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation (FDIC); the National Credit Union Administration (NCUA); and the Consumer Financial Protection Bureau (CFPB) (collectively, the Agencies). The FFIEC is empowered to prescribe uniform principles and standards for the examination of financial institutions and to make recommendations to promote uniformity in their supervision. The Agencies will use the Guidance in their supervision of institutions, and the FFIEC’s State Liaison Committee will encourage state regulators to adopt the Guidance.
The Guidance states that it does not impose any new requirements on financial institutions, but is designed as a guide to help financial institutions understand the applicability of existing requirements and supervisory expectations associated with social media use. The Guidance defines "social media" as any form of interactive online communication in which users can generate and share content through text, images, audio, and/or video. It notes that messages sent via traditional email or text message, standing alone, do not constitute social media, but messages sent through social media channels are considered social media.
The Guidance states that financial institutions should have a risk management program in place allowing them to identify, measure, monitor, and control the risks related to social media. The scope of the institution’s program should be commensurate with the breadth of its involvement in social media. The program should include a governance structure, policies and procedures for social media use, a risk management process for selecting and monitoring third party relationships in connection with social media, an employee training program, an oversight policy for monitoring information posted on proprietary social media sites, audit and compliance functions, and parameters for reporting to the board of directors or senior management to enable their periodic evaluations of the program.
The Guidance identifies three broad categories of social media risk (compliance and legal risk, reputational risk, and operational risk) and sets forth guidelines for managing each. With respect to compliance and legal risk, the Guidance organizes its guidelines by the specific laws and regulations relating to deposit and lending products; payment systems; the Bank Secrecy Act/Anti-Money Laundering (BSA/AML); the Community Reinvestment Act (CRA); and privacy. Financial institutions are likely to find the compliance and legal risk section the most detailed, relevant, and instructive of the three categories. The reputational risks described overlap somewhat with the compliance and legal risk category, and that section also includes guidance for managing social media risk associated with fraud and brand identity, consumer complaints, and employee use of social media. The operational risk guidance is brief and refers to previously issued guidance.