The Federal Financial Institutions Examination Council (FFIEC) has released proposed guidance on the use of social media by financial institutions, including banks, credit unions, and non-bank entities supervised by the Consumer Financial Protection Bureau. The proposed “Social Media: Consumer Compliance Risk Management Guidance” (“Proposed Guidance”) defines “social media” broadly to including micro-blogging sites (like Google Plus, Facebook, MySpace and Twitter), online forums, blogs, bulletin boards, customer review sites, photo and video sharing sites, professional networking sites, virtual worlds and online social games.
The Proposed Guidance highlights some of the potential benefits of social media—including improving market efficiency, more broadly distributing information to users of financial services, and helping users and providers find each other and match products and services to users’ needs—but notes that the “informal and dynamic” nature of social media interactions, and their occurrence in less secure environments, presents unique challenges to financial institutions.
The Proposed Guidance calls for financial institutions to adopt tailored risk management programs to identify, measure, monitor, and control the risks related to social media. The Proposed Guidance identifies the following as key components of a social media risk management program:
• A governance structure with clear roles and responsibilities, as well as controls and ongoing assessment of risk in social media activities;
• Policies and procedures regarding the use and monitoring of social media and compliance with all applicable consumer protection laws, regulations, and guidance (including methodologies to address risks from online postings, edits, replies, and retention);
• A due diligence process for selecting and managing third-party service provider relationships in connection with social media;
• An employee training program that incorporates the institution’s policies and procedures;
• An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;
• Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance; and
• Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the media program’s effectiveness.
The Proposed Guidance also includes an extensive list of consumer protection laws and regulations that may potentially be implicated by a financial institution’s social media activities, including the Truth in Savings Act/Regulation DD, Equal Credit Opportunity Act/Regulation B, Fair Housing Act, Truth in Lending Act/Regulation Z, Real Estate Settlement Procedures Act, Fair Debt Collection Practices Act, Electronic Fund Transfer Act, Bank Secrecy Act, and Community Reinvestment Act.
As to privacy concerns specifically, the Proposed Guidance cites Section 5 of the FTC Act, Gramm-Leach-Bliley Act, Children’s Online Privacy Protection Act, Telephone Consumer Protection Act, and Fair Credit Reporting Act. Among other privacy issues, the FFIEC notes that the use of a social media service’s messaging feature could implicate regulatory restrictions on email and SMS messages and that an online service attractive to children would implicate COPPA. In addition, financial institutions should have a process to monitor for the posting of sensitive consumer information, such as account numbers.
The Proposed Guidance notes that none of the various laws identified contain exceptions regarding the use of social media, and thus financial institutions should remain cognizant of the legal and compliance risks that may arise when engaging in traditional banking activities through this new medium. The Proposed Guidance also indicates that financial institutions that do not rely on social media should still establish appropriate policies to address employee participation in social media that implicates the financial institution.
The FFIEC has solicited comments on the Proposed Guidance, which are due by March 25, 2013. In addition, the FFIEC specifically requested comments in response to the following questions:
- Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?
- Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?
- Are there any technological or other impediments to financial institutions’ compliance with otherwise applicable laws, regulations, and policies when using social media of which the Agencies should be aware?
Financial institutions that use or that may wish to use social media for business purposes should consider responding to this request. Although guidance in this area is clearly warranted and will likely be welcomed by most institutions, it will be important that regulators do not unduly or inadvertently impose restrictions on financial institutions that limit beneficial engagement with social communications technologies.