The Federal Financial Institutions Examination Council, which is comprised of the OCC, FRB, FDIC, NCUA, CFPB, and a state liaison committee, issued guidance addressing the applicability of federal consumer protection laws to activities conducted using social media. Recognizing the potential benefits of social media to the industry and consumers, the guidance is intended to ensure that industry risk management programs mitigate the concomitant risks and provides considerations for financial institutions in conducting risk assessments. The guidance provides that financial institutions should have risk management programs that identify, measure, monitor, and control social media risks. For example, the guidance provides that a risk management program should include, among other things, policies and procedures regarding the use and monitoring of social media, risk management processes for selecting and managing third-party relationships in connection with social media, and an oversight process for monitoring information posted to proprietary social media sites administrated by the financial institution or a third-party service provider.
The guidance also surveyed the types of laws that might pose specific risk for social media. For example, the guidance noted that laws governing unfair, deceptive and abusive acts or practices, ECOA, TILA, RESPA, and the FDCPA, as well as payment systems laws, the Bank Secrecy Act, the Community Reinvestment Act, and privacy and data security laws (e.g., Telephone Consumer Protection Act) may be relevant to a financial institution’s social media activities. In particular, the guidance noted that RESPA applied to applications taken electronically including through social media, and that communicating using social media in a manner that discloses the existence of a debt (e.g., posting about debt on a Facebook wall) may violate the FDCPA. Finally, the guidance highlights reputational risk that can arise when using social media such as risks related to fraud and brand identity, risks attendant to using third-party service providers, privacy concerns, and risks related to employees’ use of social media.