Financial Services Alert - December 17, 2013

The FRB issued guidance on managing outsourcing risks (the “Guidance”), intended to highlight the potential risks arising from the use of third-party service providers, describe the components of an appropriate service provider risk management program, and supplement previous guidance on technology service provider risk. The Guidance provides that prior to entering into and managing outsourcing arrangements, financial institutions should consider the following risks: (1) compliance risks, (2) concentration risks (i.e., when outsourced services or products are provided by a limited number of service providers or are concentrated in a limited geographic location); (3) reputational risks; (4) country risks (i.e., use of a foreign-based service provider); (5) operational risks; and (6) legal risks. The Guidance also stresses the use of a service provider does not relieve a financial institution’s board of directors and senior management from ensuring that the use of service providers are conducted in a safe-and-sound manner and in compliance with applicable law; rather, there is an affirmative responsibility “for ensuring that board-approved policies for the use of service providers are appropriately executed.”

The Guidance also outlines the components of an appropriate service provider risk management program. In particular, the Guidance identifies “core elements” of an effective program, which include, risk assessments, due diligence and selection of service providers, incentive compensation review, and oversight and monitoring of service providers, among other elements. For example, the Guidance provides that a financial institution should conduct an evaluation of and perform due diligence on a prospective service provider.  The extent of due diligence will vary depending on the scope, complexity, and importance of the planned outsourcing, but should include, among other things, consideration of the proposed vendor’s: (1) business background, reputation and strategy; (2) financial performance and condition; and (3) operations and internal controls.  Another key component of an appropriate service provider risk management program is understanding the service contract and any related legal issues. There should also be an effective process in place to review and approve any incentive compensation that may exist in service provider agreements. Finally, the Guidance identifies other risk considerations including, the risk of using third party service providers to comply with the suspicious activity report requirements under the Bank Secrecy Act, risks unique to foreign-based service providers (e.g., foreign service provider’s ability to comply with U.S. law), and the service provider’s own risk management activities.  The OCC’s recent guidance on managing risks of use of third-party service providers was discussed in the November 12, 2013 Financial Services Alert.

On December 11, 2013, the Federal Financial Institutions Examination Council (the “FFIEC”), on behalf of its members (the OCC, FRB, FDIC, NCUA and the Consumer Financial Protection Bureau (“CFPB”)), released final guidance (the “Guidance”) concerning the applicability of consumer protection and compliance laws, regulations and policies to activities conducted via social media by banks, savings associations, and credit unions, as well as nonbank entities supervised by the CFPB.  The Guidance provides considerations that financial institutions may find useful in conducting risk assessments and developing and evaluating policies and procedures regarding social media.

Purpose       

The Guidance is intended to help financial institutions understand potential consumer compliance and legal risks, in addition to related risks such as reputational or operational risks, arising out of the use of social media.  The Guidance does not impose any new requirements on financial institutions, but financial institutions are expected to manage potential risks associated with social media usage and access.  Financial institutions must ensure that their risk management programs provide oversight and controls commensurate with the risks presented by the types of social media in which such financial institution is engaged.

Background

The Guidance defines social media as any form of interactive online communication in which users can generate and share content through text, images, audio and/or video.  The Guidance highlights many common forms of social media (e.g., Facebook, Twitter and YouTube), but also notes that social media includes many other avenues of digital interaction (e.g., virtual worlds and social games, website forums and blogs).  The Guidance does not include communication via email or text-messages in its definition of social media, though it notes that many of risks outlined in the Guidance apply to email and text-message communication.

Compliance Risk Management Expectations

The Guidance recommends that each financial institution have a risk management program that allows it to identify, measure, monitor and control the risks related to social media.  The size and complexity of the risk management program should be commensurate with the breadth of the financial institution’s involvement in the medium.  The risk management program should include the following: a governance structure with clear roles and responsibilities; policies and procedures regarding the use and monitoring of social media; a process for selecting and managing third-party relationships in connection with social media; and audit and compliance functions to ensure ongoing compliance with internal policies and applicable law.

Risk Areas

Compliance and legal risks arise from the potential of violations of, or nonconformance with, laws and regulations.  Therefore, to the extent that a financial institution uses social media to engage in lending, deposit services or payment activities, it must comply with applicable laws and regulations.  The Guidance provides further details about the types of risk that use of social media creates.  For instance, if a financial institution uses social media to market products or originate new accounts, the financial institution needs to ensure compliance with applicable laws, including the Truth in Savings Act, fair lending laws (including the Equal Credit Opportunity Act), the Truth in Lending Act, RESPA, and the Fair Debt Collection Practices Act.  The Guidance also offers specific steps that a financial institution should take to alleviate other types of risks including privacy concerns, fraud and brand identity theft, and compliance with the Community Reinvestment Act.  Last, the Guidance discusses operational risk in the form of IT-related risks.  The Guidance cautions financial institutions that social media is one of several platforms vulnerable to account takeover and the distribution of malware.

Conclusion

The Guidance is intended to help financial institutions understand and manage the risks associated with the use of social media.  Financial institutions can use social media to generate new business, but as with any new channel, financial institutions are expected to manage potential risk by ensuring that their risk management programs provide appropriate oversight and control to address the risk areas discussed in the Guidance.

Goodwin Procter’s Private Investment Funds Practice issued a client alert that discusses recent guidance from the SEC staff on the extent to which a number of practices commonly used by fund advisers in the venture capital industry are permissible for advisers whose only clients are venture capital funds and that rely or intend to rely on the Venture Capital Exemption from registration under the Advisers Act.

Goodwin Procter’s ERISA Litigation Practice published its latest quarterly ERISA Litigation Update.  The update discusses (1) the Supreme Court’s upcoming review of the Sixth Circuit’s decision in Fifth Third Bancorp v. Dudenhoeffer, a case addressing plan investments in company stock; (2) Rochow v. Life Insurance Company of North America in which the Sixth Circuit adopted an expansive view of the remedies available under ERISA and allowed a plaintiff to recover benefits under ERISA § 502(a)(1)(B) and also obtain equitable relief in the form of disgorgement of profits under ERISA § 502(a)(3); and (3) decisions by federal district courts in Missouri and Vermont that reached opposite conclusions regarding the right to jury trial with respect to fiduciary breach claims brought under ERISA §502(a)(2).  

Fulfilling a mandate under the Dodd-Frank Act, the Federal Insurance Office (“FIO”) of the Department of the Treasury issued a report to Congress on how to modernize and improve the system of insurance regulation in the United States.  The report follows consultation with various stakeholders by the FIO and a period of public comment in response to a formal request for comment focused on the considerations specified by the Dodd-Frank Act.  The report include 18 specific areas of near-term reform for the states falling into three broad categories: (1) capital adequacy and safety/soundness, (2) reform of insurer resolution practices, and (3) marketplace regulation.   The report does not advocate for federal regulation to supplant state regulation of insurance.  Instead it posits that federal involvement should be targeted at solving problems resulting from the legal and practical limitations of state regulation, such as the need for uniformity or the need for a federal voice in U.S. interactions with international authorities, and provides nine recommendations targeting those goals.