FFIEC Issues Proposed Guidance on Social Media
On January 23, 2013, the Federal Financial Institutions Examination Council (“FFIEC”) issued “Social Media: Consumer Compliance Risk Management Guidance” (the “Proposed Guidance”). Comments are due by March 25, 2013.
After consideration of public comments, the regulatory agencies that make up the FFIEC (the “Agencies”) will issue final supervisory guidance to the institutions that they supervise. Accordingly, such institutions will be expected to use the guidance in their efforts to ensure that their risk management practices adequately address social media risks.
The Agencies consider social media to be a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video. Social media can take many forms, including micro-blogging sites (e.g., Facebook, Google Plus, MySpace, and Twitter); forums, blogs, customer review Web sites and bulletin boards (e.g., Yelp); photo and video sites (e.g., Flickr and YouTube); sites that enable professional networking (e.g., LinkedIn); virtual worlds (e.g., Second Life); and social games (e.g., FarmVille and CityVille). Social media can be distinguished from other online media in that the communication tends to be more interactive.
The Proposed Guidance notes that financial institutions may use social media in a variety of ways, including marketing, providing incentives, facilitating applications for new accounts, inviting feedback from the public, and engaging with existing and potential customers, for example, by receiving and responding to complaints, or providing loan pricing.
Use of social media by a financial institution to attract and interact with customers can impact a financial institution’s risk profile. The increased risks can include the risk of harm to consumers, compliance and legal risk, operational risk, and reputation risk. Increased risk can arise from a variety of directions, including poor due diligence, oversight, or control on the part of the financial institution. The Proposed Guidance is meant to help financial institutions identify potential risk areas and to ensure institutions are aware of their responsibilities to oversee and control such risks within their overall risk management program.
Compliance Risk Management Expectations for Social Media: A financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media. The size and complexity of the risk management program should be commensurate with the breadth of the financial institution’s involvement in this medium. For instance, a financial institution that relies heavily on social media to attract and acquire new customers should have a more detailed program than one using social media only to a very limited extent. The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing. A financial institution that has chosen not to use social media should still be prepared to address the potential for negative comments or complaints that may arise within the many social media platforms described above and provide guidance for employee use of social media.
Components of a risk management program should include:
- A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct the financial institution’s involvement in social media.
- Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws, regulations, and guidance. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention.
- A due diligence process for selecting and managing third-party service provider relationships in connection with social media.
- An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities.
- An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party.
- Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance.
- Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.
Legal and Compliance Risks: The Proposed Guidance details a number of federal laws and regulations that may impact a financial institution’s use of social media.
Reputation Risk: The Proposed Guidance notes that a financial institution faces potential reputation risk arising from negative public opinion. Activities that result in dissatisfied consumers and/or negative publicity could harm the reputation and standing of the financial institution, even if the financial institution has not violated any law. Privacy and transparency issues, as well as other consumer protection concerns, arise in social media environments. Therefore, a financial institution engaged in social media activities must be sensitive to, and properly manage, the reputation risks that arise from those activities. Reputation risk can arise in areas including fraud and brand identity, third party relationships, privacy, consumer complaints and inquiries, and employee use of social media.
Operational Risks: Operational risk includes the risks posed by a financial institution’s use of information technology (IT), which encompasses social media. The identification, monitoring, and management of IT-related risks are addressed in the FFIEC Information Technology Examination Handbook, as well as other supervisory guidance issued by the FFIEC or individual agencies. Depository institutions should pay particular attention to the booklets “Outsourcing Technology Services” and “Information Security” when using social media, and add social media to existing risk assessment and management programs.