Viewpoint: Getting to the Heart of the FFIEC’s Guidance on Social Media
By Terrence P. Maher, Baird Holm LLP
On Jan. 23, 2013, the Federal Financial Institutions Examination Council (FFIEC) issued “Social Media: Consumer Compliance Risk Management Guidance” (Proposed Guidance).
Comments on the Proposed Guidance must be received by the FFIEC on or before March 25, 2013. The FFIEC invites comments on any aspect of the Proposed Guidance. In addition, the FFIEC specifically is soliciting comments in response to the following questions:
1. Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the Proposed Guidance but that should be included?
2. Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the Proposed Guidance but that should be discussed?
3. Are there any technological or other impediments to financial institutions’ compliance with otherwise applicable laws, regulations and policies when using social media of which the agencies should be aware?
The FFIEC is proposing guidance to address the applicability of federal consumer protection and compliance laws, regulations and policies to activities conducted via social media by banks, savings associations, credit unions and by nonbank entities supervised by the Consumer Financial Protection Bureau (CFPB). Upon completion of the Proposed Guidance, and after consideration of comments received from the public, the regulatory agencies which make up the FFIEC (Agencies) will issue it as supervisory guidance to the institutions they supervise. These institutions will be expected to use the guidance in their efforts to ensure that their risk management practices adequately address the consumer compliance and legal risks, as well as related risks such as reputation and operational risks, raised by activities conducted via social media.
For purposes of the Proposed Guidance, the Agencies consider social media to be a form of interactive online communication in which users can generate and share content through text, images, audio and/or video. Social media can take many forms, including, but not limited to, micro-blogging sites (e.g., Facebook, Google Plus, MySpace, and Twitter); forums, blogs, customer-review Web sites and bulletin boards (e.g., Yelp); photo and video sites (e.g., Flickr and YouTube); sites that enable professional networking (e.g., LinkedIn); virtual worlds (e.g., Second Life); and social games (e.g., FarmVille and CityVille). Social media can be distinguished from other online media in that the communication tends to be more interactive.
The Proposed Guidance notes that financial institutions may use social media in a variety of ways, including marketing, providing incentives, facilitating applications for new accounts, inviting feedback from the public and engaging with existing and potential customers, for example, by receiving and responding to complaints or providing loan pricing.
The Proposed Guidance notes that the use of social media by a financial institution to attract and interact with customers can impact a financial institution’s risk profile. The increased risks can include the risk of harm to consumers, compliance and legal risk, operational risk and reputation risk. Increased risk can arise from a variety of directions, including poor due diligence, oversight or control on the part of the financial institution. The Proposed Guidance is meant to help financial institutions identify potential risk areas and address them appropriately, as well as to ensure institutions are aware of their responsibilities to oversee and control these risks within their overall risk management program.
Compliance Risk Management Expectations for Social Media
A financial institution should have a risk management program that allows it to identify, measure, monitor and control the risks related to social media. The size and complexity of the risk management program should be commensurate with the breadth of the financial institution’s involvement in this medium. For instance, a financial institution that relies heavily on social media to attract and acquire new customers should have a more detailed program than one using social media only to a very limited extent. The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources and marketing. A financial institution that has chosen not to use social media still should be prepared to address the potential for negative comments or complaints that may arise within the many social media platforms described above and provide guidance for employee use of social media.
Components of a risk management program should include the following:
- A governance structure with clear roles and responsibilities, whereby the board of directors or senior management direct the financial institution’s involvement in social media.
- Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws, regulations and guidance. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies and retention.
- A due diligence process for selecting and managing third-party service provider relationships in connection with social media.
- An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media and, potentially, for other uses of social media, including defining impermissible activities.
- An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party.
- Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations and guidance.
- Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.
Legal and Compliance Risks
The Proposed Guidance details a number of federal laws and regulations that may impact a financial institution’s use of social media.
The Proposed Guidance notes that a financial institution faces potential reputation risk arising from negative public opinion. Activities that result in dissatisfied consumers and/or negative publicity could harm the reputation and standing of the financial institution, even if the financial institution has not violated any law. Privacy and transparency issues, as well as other consumer protection concerns, arise in social media environments. Therefore, a financial institution engaged in social media activities must be sensitive to, and properly manage, the reputation risks that arise from those activities. Reputation risk can arise in areas including fraud and brand identity, third-party relationships, privacy, consumer complaints and inquiries, and employee use of social media.
Operational risk includes the risks posed by a financial institution’s use of information technology (IT), which encompasses social media. The identification, monitoring and management of IT-related risks are addressed in the “FFIEC Information Technology Examination Handbook,” as well as other supervisory guidance issued by the FFIEC or individual agencies. Depository institutions should pay particular attention to the booklets “Outsourcing Technology Services” and “Information Security” when using social media, and include social media in existing risk assessment and management programs.
Terry Maher, a frequent contributor to Paybefore, is a partner with the Omaha, Neb., law firm Baird Holm LLP. His practice focuses on legal issues in payment systems and electronic financial services. He serves as counsel to the Network Branded Prepaid Card Association and may be reached at firstname.lastname@example.org.
In Viewpoints, prepaid and emerging payment professionals share their perspectives on the industry. Paybefore endeavors to present many points of view to offer readers new insights and information. The opinions expressed in Viewpoints are not necessarily those of Paybefore.