- A Look at Proposed FFIEC Guidance: “Social Media: Consumer Compliance Risk Management Guidance”
- February 15, 2013 | Authors: David A. Bell; Annie Chen; F. John Podvin
- Law Firm: Haynes and Boone, LLP - Dallas Office
On January 23, 2013, the Federal Financial Institutions Examination Council (FFIEC)1 issued a notice for comment on its proposed guidance, Social Media: Consumer Compliance Risk Management Guidance2 (the “Guidance”).
The use of social media by banks, savings associations, and credit unions, as well as by nonbank entities supervised by the Consumer Financial Protection Bureau (CFPB) (collectively, “financial institutions”), may increase the financial institutions’ risk profile. The Guidance does not impose additional obligations but is intended to better inform financial institutions of potential consumer compliance, legal, reputation, and operational risks, as well as the expectations for managing those risks.3
In light of the Guidance, it is increasingly important that financial institutions build the issues discussed in the Guidance into their risk assessment process as well as their enterprise-wide compliance management program when using social media to communicate with customers.
The boards of directors of financial institutions also must ensure that qualified management is in place to monitor changes in the social media delivery channels as well as the content on the financial institution’s social media page or site.
Compliance Risk Management Expectations for Social Media
The Guidance advises financial institutions to maintain risk management programs to identify, measure, monitor, and control risks related to social media. Such a program should include:
- A governance structure with clear roles and responsibilities for the board of directors or senior management to direct how social media will contribute to the strategic goals of the institution (for example, through increasing brand awareness, product advertising, or researching new customer bases) and establish controls and ongoing assessment of risk in social media activities;
- Policies and procedures on the use and monitoring of social media and compliance with all applicable consumer protection laws, regulations, and guidance, which should incorporate methodologies to address risks from online postings, edits, replies, and retention;
- A due diligence process for selecting and managing third-party service provider relationships in connection with social media;
- An employee training program that incorporates the institution's policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities;
- An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;
- Audit and compliance functions to ensure compliance with internal policies and all applicable laws, regulations, and guidance; and
- Parameters for reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the social media program’s effectiveness, including in achieving its stated objectives.
The Guidance addresses the risk areas of: (A) compliance and legal risks, (B) reputation risks, and (C) operational risks.
A. Compliance and Legal Risks
Each financial institution must ensure compliance on social media with all federal, state, and local laws, regulations, and guidance. The Guidance provides the following nonexclusive list of laws and regulations that may be relevant.
i. Deposit and Lending Products
1. Truth in Savings Act (TISA)/Regulation DD and, for credit unions, Part 707 of the National Credit Union Administration (NCUA) Rules and Regulations
2. Fair Lending Laws:
a. Equal Credit Opportunity Act/Regulation B
b. Fair Housing Act (FHA)
3. Truth in Lending Act/Regulation Z
4. Section 8 of the Real Estate Settlement Procedures Act (RESPA)
5. Fair Debt Collection Practices Act (FDCPA)
6. Unfair, Deceptive, or Abusive Acts or Practices:
a. Section 5 of the Federal Trade Commission (FTC) Act
b. Sections 1031 and 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act
7. Deposit Insurance or Share Insurance:
a. Advertising and Notice of FDIC Membership
b. Advertising and Notice of NCUA Share Insurance
c. Nondeposit Investment Products
ii. Payment Systems
1. Electronic Fund Transfer Act (EFTA)/Regulation E
2. Rules Applicable to Check Transactions:
a. Applicable industry rules
b. Article 4 of the Uniform Commercial Code of the relevant state
c. Expedited Funds Availability Act/Regulation CC
1. Gramm-Leach-Bliley Act (GLBA) Privacy Rules and Data Security Guidelines
2. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act), Telephone Consumer Protection Act (TCPA) and their implementing rules
3. Children's Online Privacy Protection Act (COPPA) and the Federal Trade Commission's implementing regulation
4. Fair Credit Reporting Act (FCRA)
1. Bank Secrecy Act/Anti-Money Laundering Programs (BSA/AML)
2. Community Reinvestment Act (CRA)
B. Reputation Risk
The use of social media is almost sure to raise complications in regard to involvement by employees and third parties. Together with the potential for consumer complaints and inquiries, privacy concerns, brand misuse or even fraud, the reputation risks for financial institutions are a serious concern.
To address the fraudulent use of the financial institution’s brand, such as through phishing or spoofing, the Guidance recommends using social media monitoring tools and implementing policies that allow for timely monitoring and response.
Importantly, the Guidance places the responsibility of “regularly” monitoring the information placed on social media sites upon the financial institutions, even when such functions are contracted out to third parties.4
The Guidance also, unsurprisingly, advises financial institutions to maintain procedures that address the risk of confidential or sensitive information (e.g., account numbers) being posted on the financial institution’s social media page or site.
Financial institutions, moreover, should have policies that address employee participation in social media.
The Guidance advises financial institutions to have monitoring procedures in place, such as using monitoring software, to ensure that inquiries, complaints, or comments are timely and appropriately addressed. Most other industries that have developed social media guidelines have not highlighted the importance of this practice. Yet, with respect to financial institutions, in addition to the reputation risks, serious compliance issues are implicated when a customer uses social media to initiate a dispute, whether “an error dispute under Regulation E, a billing error under Regulation Z, or a direct dispute about information furnished to a consumer reporting agency under FCRA and its implementing regulations.”
C. Operational Risks
The Guidance defines “operational risk” as “the risk of loss resulting from inadequate or failed processes, people, or systems,” including the risks posed by the use of information technology (IT).5 In particular, the Guidance advises financial institutions to ensure that their controls and procedures to thwart and respond to IT security risks - e.g., malicious software, a data breach, or an account hack - address social media.
1 The six members of the FFIEC are: the Office of the Comptroller of the Currency (OCC); the Board of Governors of the Federal Reserve System (Board); the Federal Deposit Insurance Corporation (FDIC); the National Credit Union Administration (NCUA); the CFPB (collectively, the “Agencies”); and the State Liaison Committee (SLC).
2 Social Media: Consumer Compliance Risk Management Guidance, Federal Financial Institutions Examination Council, 78 Fed. Reg. 4848 (Jan. 23, 2013), https://federalregister.gov/a/2013-01255.
3 Comments must be received by March 25, 2013, and after consideration, the Agencies will issue the supervisory guidance.
4 Guidance from the Agencies addressing third-party relationships is generally available on their respective Web sites.
5 The identification, monitoring, and management of IT-related risks are addressed in the FFIEC Information Technology Examination Handbook, as well as other supervisory guidance issued by the FFIEC or individual agencies.