Alert January 29, 2013

Federal Financial Institutions Examination Council Issues Proposed Guidance on Social Media Usage by Financial Institutions

On January 22, 2013, the Federal Financial Institutions Examination Council (“FFIEC”) issued proposed guidance (the “Proposed Guidance”) on the usage of social media by financial institutions (“FIs”).  The Proposed Guidance does not contemplate the imposition of additional obligations upon FIs; instead, it highlights the diversity of risks posed to FIs by social media and emphasizes the need for FIs to maintain active risk management programs commensurate with their social media usage.

Brief Overview of FFIEC Proposed Guidance

The Proposed Guidance defines “social media” as “a form of interactive online communication in which users can generate and share content through text, images, audio and/or video.”  Social media can take many forms, including micro-blogging sites, such as Facebook, Google Plus, MySpace, and Twitter; online forums, blogs, customer review websites and bulletin boards, such as Yelp; photo and video sites, such as Flickr and YouTube; sites for professional networking, such as LinkedIn; “virtual worlds,” such as Second Life; and social games, such as FarmVille and CityVille.  Social media offers potential benefits to FIs as well as enhanced risks.  Social media permits FIs to distribute information more broadly to users of financial services and allows providers to more accurately match products and services to users’ needs.  The FFIEC states affirmatively in the Proposed Guidance that social media has the potential to improve market efficiency.  The challenge for FIs is to capitalize on this enhanced market efficiency while operating in compliance with existing laws and regulatory requirements generally applicable to the banking transactions generated by social media.  Because much of this interaction occurs in a more dynamic, real-time and less secure environment than conventional marketing and correspondence, it also poses an added measure of risk.

The Proposed Guidance does not discourage social media use by FIs, and it does not call for the creation of additional rules or regulations.  Instead, the Proposed Guidance attempts to present the range of risks to FIs posed by social media in its various forms, some of which may be obvious and others of which are much less apparent.  The Proposed Guidance is intended to help FIs identify potential risk areas, and ensure that FIs are aware of their responsibilities to control these risks within their overall risk management programs and in a manner that permits them to identify, measure, monitor, and control the risks related to social media.  To this end, the complexity of an FI’s social media risk management program should be commensurate with the scale of its involvement in this medium.

The Proposed Guidance identifies three categories of risk: Compliance and Legal, Reputational, and Operational.  The following is a brief summary of the FFIEC’s description of each risk category.

Compliance and Legal.  The Proposed Guidance emphasizes that existing laws do not contain exceptions regarding the use of social media.  FIs must adhere to established rules and regulations applicable to banking practices such as lending, deposit services, or payment systems, regardless of whether a transaction involves social media.  The categories of risk addressed in the Proposed Guidance are not exhaustive.  The following is a sample of the laws and regulations identified in the Proposed Guidance as being of possible relevance to the social media aspects of an FI’s risk management program. 

  • Deposit and Lending Products: Social media may be used to market products and originate new accounts.  The Proposed Guidance advises that FIs must ensure that all related advertising, account origination, and document retention are performed in compliance with existing consumer protection and compliance laws and regulations, including the Truth in Savings Act/Regulation DD and Part 707, fair lending laws such as the Equal Credit Opportunity Act, the Fair Housing Act, the Truth in Lending Act, the Real Estate Settlement Procedures Act, and the Fair Debt Collection Practices Act.  The Proposed Guidance offers a number of examples.  For instance, if an FI engages in residential mortgage lending and maintains a presence on Facebook, the Equal Housing Opportunity logo must be displayed on that FI’s Facebook page.  Similarly, under the Truth in Lending Act, FIs must provide consumers with all Regulation Z disclosures within the required time frames, regardless of the use of social media in the origination of a loan.
  • Payment Systems: The Proposed Guidance notes that under existing law, no additional disclosure requirements apply simply because social media is involved, but nonetheless emphasizes that FIs should be aware of the unique compliance challenges posed by social media in the context of payment systems.  In addition to compliance with existing requirements for disclosure and error resolution mandated by the Electronic Fund Transfer Act, Article 4 of the Uniform Commercial Code, and the Expedited Funds Availability Act, the Proposed Guidance highlights the Bank Secrecy Act and anti-money laundering programs as being of particular relevance to a social media risk management program.  The online world frequently operates with a measure of anonymity.  This lack of transparency can present significant challenges to FIs, which nonetheless must comply with existing requirements for customer identification, due diligence in the tracking of suspicious transactions, and the maintenance of records for electronic funds transfers.  “Virtual world” or “second life” programs will often include “virtual economies” linked to real-world payment systems.  The Proposed Guidance notes that illicit actors are known to use these virtual economies as a means of money laundering and terrorist financing, and advises that FIs must be diligent in monitoring fund transfers associated with virtual world gaming.
  • Privacy: Social media presents additional challenges to compliance with existing laws for customer privacy and data security, such as the Gramm-Leach-Bliley Act.  The Proposed Guidance advises FIs that the Controlling the Assault of Non-Solicited Pornography and Marketing Act (aka the “CAN-SPAM Act”) and the Telephone Consumer Protection Act establish requirements for sending unsolicited messages by telephone or text message, and thus may be applicable to communications sent via a social media platform’s messaging features.  The social media marketplace is dynamic and often features a high volume of small-scale communication between businesses, customers, and prospective customers, and the Proposed Guidance advises FIs to take this reality into account when assessing risk management programs.

Reputational Risk.  The Proposed Guidance defines “reputational risk” as the risk arising from negative public opinion, noting that activities that result in dissatisfied customers or negative publicity could harm the reputation of an FI even if it has not violated any laws.  In this regard, the Proposed Guidance merely reflects best practices for any high-profile industry or company.  Social media facilitates more frequent and more informal interactions between FIs and their customers, and along with it an increased potential for fraud, threats to brand identity, and reputational damage should customer complaints “go viral” and garner attention from conventional media or the public at large.  The Proposed Guidance also notes that compliance risk can arise when a customer uses social media in an effort to initiate a dispute.

Operational Risk.  The Proposed Guidance defines operational risk as “the risk of loss resulting from inadequate or failed processes, people, or systems,” noting that operational risk includes the risks posed by an FI’s use of information technology, which encompasses social media.  Social media platforms are generally viewed as more vulnerable to account takeover and the distribution of malware, particularly data-mining malware designed to gather financial account information.  The Proposed Guidance advises that an FI’s risk management program should account for the IT/operational risk posed by social media.

The FFIEC, in the Proposed Guidance, directs FIs to adopt a social media risk management program that is tailored to the risk profile of the FI and that includes the following key elements:

  • an appropriate governance program with effective controls;
  • appropriate policies and procedures;
  • a due diligence process regarding the selection and management of third-party vendors;
  • employee training;
  • an oversight process for information posted to the FI’s social media sites;
  • adequate audit coverage and compliance verifications of the effectiveness of the program; and
  • periodic reporting to the FI’s Board of Directors or senior management regarding the effectiveness of the social media program.

Request for Public Comment.  In addition to general comments on the Proposed Guidance, the FFIEC specifically seeks comments in response to the following three questions:

  1. Are there any other types of social media, or ways in which FIs are using social media, that should be included in the Proposed Guidance?
  2. Are there any other consumer protection laws, regulations, policies or concerns that may be implicated by FIs’ use of social media that should be discussed in the Proposed Guidance?
  3. Are there any technological or other impediments to FIs’ compliance with otherwise applicable laws, regulations and policies when using social media of which the [agencies comprising FFIEC] should be aware?

Comments on the Proposed Guidance are due by March 25, 2013.