Alert December 17, 2013

FFIEC Issues Guidance Concerning Applicability of Federal Consumer Protection and Compliance Laws, Regulations and Policies to Activities Conducted Via Social Media

On December 11, 2013, the Federal Financial Institutions Examination Council (the “FFIEC”), on behalf of its members (the OCC, FRB, FDIC, NCUA and the Consumer Financial Protection Bureau (“CFPB”)), released final guidance (the “Guidance”) concerning the applicability of consumer protection and compliance laws, regulations and policies to activities conducted via social media by banks, savings associations, and credit unions, as well as nonbank entities supervised by the CFPB.  The Guidance provides considerations that financial institutions may find useful in conducting risk assessments and developing and evaluating policies and procedures regarding social media.
The Guidance is intended to help financial institutions understand potential consumer compliance and legal risks, in addition to related risks such as reputational or operational risks, arising out of the use of social media.  The Guidance does not impose any new requirements on financial institutions, but financial institutions are expected to manage potential risks associated with social media usage and access.  Financial institutions must ensure that their risk management programs provide oversight and controls commensurate with the risks presented by the types of social media in which such financial institution is engaged.
The Guidance defines social media as any form of interactive online communication in which users can generate and share content through text, images, audio and/or video.  The Guidance highlights many common forms of social media (e.g., Facebook, Twitter and YouTube), but also notes that social media includes many other avenues of digital interaction (e.g., virtual worlds and social games, website forums and blogs).  The Guidance does not include communication via email or text messages in its definition of social media, though it notes that many of the risks outlined in the Guidance apply to email and text-message communication.

Compliance Risk Management Expectations

The Guidance recommends that each financial institution have a risk management program that allows it to identify, measure, monitor and control the risks related to social media.  The size and complexity of the risk management program should be commensurate with the breadth of the financial institution’s involvement in the medium.  The risk management program should include the following: a governance structure with clear roles and responsibilities; policies and procedures regarding the use and monitoring of social media; a process for selecting and managing third-party relationships in connection with social media; and audit and compliance functions to ensure ongoing compliance with internal policies and applicable law.

Risk Areas

Compliance and legal risks arise from the potential of violations of, or nonconformance with, laws and regulations.  Therefore, to the extent that a financial institution uses social media to engage in lending, deposit services or payment activities, it must comply with applicable laws and regulations.  The Guidance provides further details about the types of risk that use of social media creates.  For instance, if a financial institution uses social media to market products or originate new accounts, the financial institution needs to ensure compliance with applicable laws, including the Truth in Savings Act, fair lending laws (including the Equal Credit Opportunity Act), the Truth in Lending Act, RESPA, and the Fair Debt Collection Practices Act.  The Guidance also offers specific steps that a financial institution should take to alleviate other types of risks including privacy concerns, fraud and brand identity theft, and compliance with the Community Reinvestment Act.  Last, the Guidance discusses operational risk in the form of IT-related risks.  The Guidance cautions financial institutions that social media is one of several platforms vulnerable to account takeover and the distribution of malware.
The Guidance is intended to help financial institutions understand and manage the risks associated with the use of social media.  Financial institutions can use social media to generate new business, but as with any new channel, financial institutions are expected to manage potential risk by ensuring that their risk management programs provide appropriate oversight and control to address the risk areas discussed in the Guidance.