It May Be Time To Update That Social Media Policy: FFIEC Releases Social Media Guidance


On December 11, 2013, the Federal Financial Institutions Examination Council (FFIEC) released final supervisory guidance entitled "Social Media: Consumer Compliance Risk Management Guidance" (the Guidance). The Guidance became effective upon its release. The FFIEC is an interagency body for the following five federal regulatory agencies: Office of the Comptroller of the Currency (OCC); the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation (FDIC); the National Credit Union Administration (NCUA); and the Consumer Financial Protection Bureau (CFPB) (collectively, Agencies). The FFIEC is empowered to prescribe uniform principles and standards for the examination of financial institutions and to make recommendations to promote uniformity in their supervision. The Agencies will use the Guidance in their supervision of institutions, and the FFIEC’s State Liaison Committee will encourage state regulators to adopt the Guidance.

The Guidance states that it does not impose any new requirements on financial institutions, but is designed as a guide to help financial institutions understand the applicability of existing requirements and supervisory expectations associated with social media use. The Guidance defines "social media" as any form of interactive online communication in which users can generate and share content through text, images, audio, and/or video. It notes that messages sent via traditional email or text message, standing alone, do not constitute social media, but messages sent through social media channels are considered social media.

The Guidance states that financial institutions should have a risk management program in place allowing them to identify, measure, monitor, and control the risks related to social media. The scope of the institution’s program should be commensurate with the breadth of its involvement in social media. The program should include a governance structure, policies and procedures for social media use, a risk management process for selecting and monitoring third-party relationships in connection with social media, an employee training program, an oversight policy for monitoring information posted on proprietary social media sites, audit and compliance functions, and parameters for reporting to the board of directors or senior management to enable their periodic evaluations of the program.

The Guidance identifies three broad categories of social media risk (compliance and legal risk, reputational risk, and operational risk) and sets forth guidelines for managing each. With respect to compliance and legal risk, the Guidance establishes guidelines broken down by specific laws and regulations relating to deposit and lending products; payment systems; Bank Secrecy Act/Anti-Money Laundering; Community Reinvestment Act (CRA); and privacy. Financial institutions are likely to find the compliance and legal risk section the most detailed, relevant, and instructive of the three broad categories. The described reputational risks overlap somewhat with the compliance and legal risks category, and also include guidance for managing social media risk associated with fraud and brand identity, consumer complaints, and employee use of social media. The operational risk guidance is brief and refers to previously issued guidance.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Carlton Fields Jorden Burt | Attorney Advertising
