FFIEC Issues Final Social Media Guidance
In late 2013, the Federal Financial Institutions Examination Council (“FFIEC”) issued a supervisory guidance for financial institutions related to the risks of social media use.
Notably, the guidance does not impose any new requirements on financial institutions. Rather, it is intended to help financial institutions understand potential consumer compliance and legal risks, as well as related risks (such as reputation and operational risks), associated with the use of social media. It further outlines the expectations for managing those risks. Finally, the guidance provides considerations that financial institutions may find useful in conducting risk assessments and crafting and evaluating policies and procedures regarding social media.
The FFIEC published a proposed guidance in January 2013 and invited public comments through March 25, 2013. The agencies received 81 comments through that process and took those comments into account in making certain revisions to the guidance.
Key Components of Guidance
The guidance discusses the need to create a risk management program that allows it to identify, measure, monitor, and control the risks related to social media. The size and complexity of the program should be appropriate to the breadth of the financial institutions involvement with social media. For example, a financial institution that relies heavily on social media to attract and acquire new customers should have a more detailed program than one using social media only in a limited manner. With that said, a financial institution that has chosen not to use social media should still consider the potential for negative comments or complaints that may arise within the many social media platforms out there, and when appropriate, evaluate what, if any, action it will take to monitor for such comments and/or respond to them.
The guidance suggests that a risk management program should include:
- A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution (for example, through increasing brand awareness, product advertising, or researching new customer bases) and establishes controls and ongoing assessment of risk in social media activities;
- Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations, and incorporation of guidance as appropriate. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention;
- A risk management process for selecting and managing third-party relationships in connection with social media;
- An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities;
- An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;
- Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations, and incorporation of guidance as appropriate; and
- Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.
- The guidance also outlines the various “compliance and legal risks” associated with social media use. For instance, the guidance outlines ways in which social media use might affect compliance with deposit and lending, payment systems, and privacy laws and regulations. It further summarizes some likely “reputational risks” such as fraud and brand identity, third party concerns, privacy concerns, consumer complaints/inquiries, and employee use of social media sites.
Finally, it urges financial institutions to be aware of “operational risks,” such as loss resulting from inadequate or failed processes, people or systems, posed by the use of social media. The guidance cautions that social media is one of several platforms vulnerable to account takeover and the distribution of malware. A financial institution should ensure that the controls it implements to protect its systems and safeguard customer information from malicious software adequately address social media usage. Financial institutions’ incident response protocol regarding a security event, such as a data breach or account takeover, should include social media, as appropriate.
What do we do now?
Social media oversight can no longer remain the responsibility of the marketing department alone. Indeed, as the FFIEC puts it, “Your risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing.” Therefore, financial institutions should assess their use of social media as a marketing tool, product channel, etc. In doing so, financial institutions can better tailor their risk management strategies to encompass all risks, and not just those posed by social media.
The FFIEC Guidance can be found in full at https://www.ffiec.gov/press/pr121113.htm.