Financial Institution’s Guidance for Social Media

In 2013, members of the Federal Financial Institutions Examination Council (FFIEC) published final supervisory guidance titled “Social Media: Consumer Compliance Risk Management Guidance.” The paper addresses the applicability of federal consumer protection and compliance laws, regulations, and policies to activities conducted via social media by financial institutions. The FFIEC points out that financial institutions use social media in a variety of ways, including marketing, providing incentives, facilitating applications for new accounts, inviting feedback from the public, and engaging with existing and potential customers. Since this form of customer interaction tends to be informal and occurs in a less secure environment, it presents some unique challenges to financial institutions.

The Agencies believe social media, as any new communication technology, has the potential to improve market efficiency. Social media may more broadly distribute information to users of financial services and may help users and providers find each other and match products and services to users’ needs. To manage potential risks to financial institutions and consumers, however, financial institutions should ensure their risk management programs provide oversight and controls commensurate with the risks presented by the types of social media in which the financial institution is engaged, including but not limited to, the risks outlined within this guidance.

Financial institutions must be aware that examiners will look at compliance efforts and policies related to the institution’s use of social media. As more institutions utilize social media, such as Facebook, LinkedIn, Twitter and other services to engage customers, the FFIEC has now issued guidelines that must be reviewed and integrated in the risk management program. The new guidance will be used as supervisory guidance by the OCC, Federal Reserve, FDIC, NCUA and CFPB, and the institutions they supervise are “expected to use the Guidance in their efforts to ensure that their policies and procedures provide oversight and controls commensurate with the risks posed by their involvement with social media.”

Even if social media is not integrated into a financial institution’s operations, the paper suggests that all financial institutions have a guidance plan in place. To formalize the plan, it suggests input from compliance, technology, information security, legal, human resources and marketing constituents. Additionally, the Guidance states that institutions should provide guidance and training for employee official use of social media. The FFIEC has provided a general outline of concepts to include in a risk management program, which are as follows:

  • A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution and establishes controls and ongoing assessment of risk in social media activities;
  • Policies and procedures regarding the use and monitoring of social media and compliance with all applicable consumer protection laws, regulations, and guidance. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention;
  • A due diligence process for selecting and managing third-party service provider relationships in connection with social media;
  • An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities;
  • An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;
  • Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance; and
  • Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.

Finally, more than half of the Guidance is dedicated to specific compliance and legal risks presented by social media. This portion discusses laws and regulations that may be relevant to a financial institution’s social media activities, including the following:

  • Truth in Savings Act
  • Equal Credit Opportunity Act/Reg B and Fair Housing Act
  • Truth in Lending Act/Reg Z
  • Real Estate Settlement Procedures Act
  • Fair Debt Collection Practices Act
  • Unfair, Deceptive or Abusive Acts or Practices
  • Deposit Insurance or Share Insurance (FDIC/NCUA notices)
  • Electronic Fund Transfer Act/Reg E
  • Rules Applicable to Check Transactions (UCC provisions)
  • Bank Secrecy Act/Anti-Money Laundering Programs
  • Community Reinvestment Act
  • Gramm-Leach-Bliley Act Privacy Rules and Data Security Guidelines
  • CAN-SPAM and Telephone Consumer Protection Act
  • Children’s Online Privacy Protection Act
  • Fair Credit Reporting Act

Since community banks strive to be a part of the community and interact with their clients, developing a risk management program is essential, and the applicable laws and regulations need to be addressed. Community banks and other financial institutions should consult the Guidance to identify the specific risks in each of these statutes, as well as other practices that they can implement as part of their risk management programs.
