The Federal Financial Institutions Examination Council (FFIEC) has released final supervisory guidance on the use of social media by financial institutions. We last reported on the guidance when it was published in draft form in January 2013. The final guidance is substantially similar to the proposal (and we encourage you to read our prior post for more details on the elements of the guidance), but the FFIEC made certain revisions in light of the 81 public comments it received on the proposal. The FFIEC also held a public teleconference on December 19 at which regulators discussed the final guidance and responded to questions from industry participants. Slides from the teleconference are available here.
The key message of the guidance, which was reinforced during the December 19 teleconference, is that existing laws, regulations, and regulatory expectations continue to apply to activities conducted through social media as they apply to activities conducted through other channels. To address risks related to social media, the final guidance, like the proposal, calls for financial institutions to adopt tailored risk management programs to identify, measure, monitor, and control the risks arising from social media.
The final guidance identifies the following as key components of a social media risk management program:
- A governance structure with clear roles and responsibilities, as well as controls and ongoing assessment of risk in social media activities;
- Policies and procedures (either standalone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws, regulations, and guidance (including methodologies to address risks from online postings, edits, replies, and retention);
- A risk management process for selecting and managing third-party relationships in connection with social media;
- An employee training program that incorporates the institution’s policies and procedures;
- An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;
- Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance; and
- Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enables periodic evaluation of the media program’s effectiveness.
The final guidance responds to certain concerns that commenters raised about the proposed guidance. It clarifies that, for purposes of the guidance, traditional emails and text messages, standing alone, are not social media. However, messages sent through social media channels are considered social media. The guidance also clarifies that it does not apply to employees’ personal use of social media, but only to social media activities conducted on behalf of the financial institution. It also explains that financial institutions are not expected to monitor all Internet communications for complaints and inquiries about the institution. Rather, institutions are expected to monitor their proprietary social media sites (including for purposes of addressing public comments under the Community Reinvestment Act), and take into account the results of their own risk assessments in determining the appropriate approach for monitoring third-party sites.
In responding to questions during the December 19 teleconference, FFIEC representatives noted that they do not currently plan to develop examination procedures focused on social media, but will continue to review activities conducted through social media under the existing examination process. The regulators also discussed the extent to which financial institutions were expected to conduct due diligence with respect to third-party social media platforms—such as Facebook—over which the institutions have limited, if any, control. They explained that when assessing potential risks from such a relationship, an institution should still consider the third party’s reputation in the marketplace, the nature of the information to which the third party will have access, and what, if any, control the institution will have over the third party.
The FFIEC is an interagency body of banking regulators tasked to develop standards and guidelines as relevant to regulatory examination of covered institutions. Participants include the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). The FFIEC’s teleconference slides also include links to social media-related resources issued by other regulators, including guidance from FINRA, the SEC, and the FTC. The FFIEC noted that institutions are not required to consult these materials, but may find them helpful in developing their social media compliance programs.