Regulation
02/20/2013

Managing Social Media Risk: New Guidance From Regulators


2-20-13_Bryan_Cave.pngSocial media has become ubiquitous and many banks are wondering if they can survive without a trendy presence on Facebook, LinkedIn, Twitter, YouTube, and in the “blogosphere.” It is a bit of the Wild West out there though, with few rules in place to protect your message. Instead of yelling at the TV at home, a person can post a negative comment about your business for the world to see and, even if unfair and baseless, there may be little you can do about it. 

Financial institutions use social media in a variety of ways, including marketing, promotions, account applications, consumer feedback and communicating with new and existing customers. Since these communications occur in an informal and largely unsecured environment, it introduces new risks. If your bank is active in social media, or simply advertises consumer banking or other products through social media, new proposed guidance from the Federal Financial Institutions Examination Council (FFIEC) instructs your bank to adopt compliance policies and procedures governing these activities. Even if your financial institution is not active in social media, you need a process for responding to negative comments or complaints that surface through social media platforms.

This article briefly summarizes the proposed FFIEC guidance.

We encourage all interested banks to submit comments on this guidance by the deadline of March 25, 2013.

What are the compliance expectations for banks using social media?

On January 23, 2013, the FFIEC issued a request for comment on a proposed “Social Media: Consumer Compliance Risk Management Guidance.” The intent of the guidance is to help banks, thrifts and non-banks under the supervision of the Consumer Financial Protection Bureau identify, address, oversee and control risk from social media within their overall risk management program. 

What forms of social media are within the scope of the guidance?

The FFIEC considers social media to include forms of interactive online communication in which users generate and share content through the use of text, images, audio and/or video, including:

  • Micro-blogging sites (Facebook, Google Plus, MySpace and Twitter);
  • Forums, blogs, customer review web sites and bulletin boards (Yelp);
  • Photo and video sites (Flicker and YouTube);
  • Professional networking sites (LinkedIn)
  • Virtual worlds (Second Life); and
  • Social games (FarmVille and CityVille).

What should your social media compliance program include?

A financial institution should have a risk management program that allows it to identify, measure, monitor and control risks related to social media. The size of the program should relate to how active the bank is on social media. 

  • Governance structure: Should enable senior management to direct the use of social media to contribute to its strategic goals;
  • Policies and procedures: To monitor social media use and compliance within all applicable laws, including methodologies to manage risks from online activities such as postings, edits, replies and retention;
  • Due diligence process: For managing applicable third party vendor relationships;
  • Employee training: Program that incorporates policies for official, work-related use of social media, and potentially for other uses of social media, including listing prohibited activities;
  • Oversight process: For monitoring data posted to third party social media sites;
  • Audit and compliance: To ensure ongoing compliance; and
  • Reporting parameters: To evaluate the effectiveness of social media against defined goals.

What are the key areas of concern?

  • Compliance and legal risks: Banking and consumer laws must be followed, even in the social media space
    • Deposit/lending products
      1.  A lending advertisement mentioning APY or bonus has certain requirements under the Truth in Lending Act. A link to the full disclosures can be provided in social media.
      2.  A creditor must preserve prescreened solicitations made through social media, as required by the Equal Credit Opportunity Act Regulation B.
    • Bank Secrecy Act/Anti-Money Laundering
      An e-banking product offered or conducted through social media is subject to the BSA/AML policies that apply to all customers, products and services.
    • Payment systems
      If social media is used to facilitate a consumer’s payment transactions all laws, regulations and industry rules apply such as the Electronic Fund Transfer Act/Regulation E, UCC, the Expedidted Funds Availability Act Regulation CC and PCI DSS. 
    • Community Reinvestment Act (CRA
      If a depository institution is subject to the CRA and must maintain specific items in a public file, its policies and procedures should include monitoring social media sites.
    • Privacy
      1.  If social media is part of your customers’ online account opening or use experience, Title V of the Gramm-Leach Bliley Act will apply, which restricts use of personal information shared with third parties, and gives customers the option to opt out of the sharing of such information.
      2.  If a financial institution sends unsolicitied communications to consumers through social media (e.g., spam or SMS text message) the CAN-SPAM Act and the Telephone Consumer Protection Act may govern. 
  • Reputational risk
    • Fraud and brand identity
    • Privacy concerns: Policies and procedures must address risks from receipt, use and sharing of consumer information on a social media.
    • Consumer complaints and inquiries: The inherent nature of social media exposes a bank to reputation risks when users post critical or inaccurate statements.
    • Employee use of social media sites: An employee’s use of social media, even through a personal account, may appear to a customer as reflecting the bank’s official policies.
  • Operational risk
    • Use of information technology, including social media, requires identification, monitoring and management of risk of loss from inadequate or failed processes, people or systems.
    • The incident response protocol for a data breach or account takeover needs to address social media risk.

Linda Odom

Courtney Stolz