On January 17, the Federal Financial Institutions Examination Council (“FFIEC”) released proposed guidance on the applicability of consumer protection and compliance laws to social media activities conducted by financial institutions. The guidance is a response to requests for guidance from both industry and consumers and is meant to be a resource for financial institutions in managing their use of social media and to help them understand the potential compliance, legal, reputational and operational risks associated with social media use.

The FFIEC called social media a form of customer interaction that “presents some unique challenges to financial institutions” in part because it tends to be “informal and dynamic” and “occurs in a less secure environment.” The proposed guidance defines “social media” to be “a form of interactive online communication in which users can generate and share content” including micro-blogging sites, forums, blogs, customer review web sites and bulletin boards, photo and video sites, professional networking sites, virtual worlds and social games (with examples ranging from Facebook to YouTube to FarmVille).

The FFIEC recognized the role of social media in generating new business and interacting with consumers, but stated that the use of social media can impact a financial institution’s risk profile, with increased risk coming from a wide variety of directions such as poor due diligence or oversight. Although the FFIEC has stated that the guidance does not impose any additional obligations on financial institutions, the guidance is in part intended to set out expectations for managing the risks associated with social media and “to ensure institutions are aware of their responsibilities to oversee and control these risks within their overall risk management program.”

In discussing the specific legal risks associated with social media use, the proposed guidance noted that failure to adequately address risks inherent with social media use could expose an institution to enforcement actions and/or civil lawsuits. Institutions should therefore take steps to ensure compliance with laws and regulations when using social media. Examples of laws which may be implicated by social media use include the Truth in Savings Act/Regulation DD (e.g., requirements that certain information is clearly stated if advertisements display triggering terms such as “APY”), the Equal Credit Opportunity Act/Regulation B (e.g., requirements that prescreened solicitations disseminated through social media are preserved), and the CAN-SPAM Act (e.g., requirements for sending unsolicited commercial messages via a social media platform’s messaging feature).

Among the many other laws listed by the proposed guidance which may be implicated by social media use are the Truth in Lending Act/Regulation Z; the Real Estate Settlement Procedures Act; the Electronic Fund Transfer Act/Regulation E; anti-money laundering laws such as the Bank Secrecy Act; privacy laws such as the Gramm-Leach-Bliley Act; deposit insurance laws; laws regarding unfair, deceptive or abusive acts or practices; the Telephone Consumer Protection Act; the Children’s Online Privacy Protection Act and the Fair Credit Reporting Act.

The proposed guidance also highlighted the importance of addressing reputational risk, as “[a]ctivities that result in dissatisfied consumers and/or negative publicity could harm the reputation and standing of the financial institution.” The proposed guidance lists a number of areas where reputational risk may be implicated, including brand identity (e.g., spoofs of institution communications); third-party concerns and the need to monitor functions that are delegated to third parties; privacy concerns (e.g., members of the public posting confidential or sensitive information to the institution’s social media page); consumer complaints and inquiries and the importance of addressing them in a timely and appropriate manner; and employee use of social media (e.g., employee communications being viewed by the public as reflecting official policies).

The FFIEC identified the following as essential components for any social media risk management program:

  • A governance structure that establishes clear roles and responsibilities, as well as controls and ongoing assessment of risk in social media activities;
  • Policies and procedures regarding the use and monitoring of social media and compliance with all applicable consumer protection laws, regulations, and guidance;
  • A due diligence process for selecting and managing third-party service provider relationships in connection with social media;
  • An employee training program that incorporates the institution’s policies and procedures;
  • An oversight process for monitoring information posted to proprietary social media sites;
  • Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance; and
  • Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the social media program’s effectiveness.

The size and complexity of an institution’s social media risk management program should be “commensurate with the breadth of [their] involvement in this medium,” and should “be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing.” Even for institutions not using social media, the proposed guidance states that institutions should “be prepared to address the potential for negative comments or complaints that may arise within [social media]” and “provide guidance for employee use of social media.” In addition, the proposed guidance noted that risk can arise when policies and procedures do not keep pace with changes in the marketplace.

The important take-away is that, “[a]s with any product channel,” financial institutions must address social media and ensure “that their risk management programs provide appropriate oversight and control” so that risk areas are appropriately addressed.

The FFIEC also specifically sought comment regarding the following questions:

  • Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included? 
  • Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?
  • Are there any technological or other impediments to financial institutions’ compliance with applicable laws, regulations, and policies when using social media of which the Agencies should be aware?

Comments must be received within 60 days of the date of publication in the Federal Register (January 22). The proposed guidance can be found here: http://www.ffiec.gov/press/Doc/FFIEC%20social%20media%20guidelines%20FR%20Notice.pdf.