by Michael B. Raines and Jeffrey E. Jamison
Last week, the Federal Financial Institutions Examination
Council ("FFIEC") issued proposed risk management guidance regarding the use of
social media by financial institutions, including banks, credit unions, and
non-bank entities supervised by the Consumer Financial Protection Bureau
(CFPB). The proposed guidance calls on these institutions to develop and
maintain risk management programs to identify, measure, monitor, and control
the risks of social media. The proposed
guidance, according to the FFIEC, is intended to assist financial
institutions in identifying, overseeing and managing the potential risk associated with
the use of social media to attract and interact with customers. The guidance is
also intended to assist these institutions in addressing the applicability of
existing federal consumer protection laws and regulations that may be
implicated by the use of social media.
The proposed guidance broadly defines social media as
"a form of interactive online communication in which users can generate and
share content through text, images, audio, and/or video" and suggests that financial
institutions customize and maintain a risk management program that allows the
institution to identify, measure, monitor, and control the risks of social
media based on the institution's use of social media. The FFIEC, however, warns
that even financial institutions that do not engage in social media should be
prepared to address the potential impact of negative comments or complaints
that surface through social media platforms. The proposed risk management
program should include the following components:
- (1) a governance structure with clear roles and responsibilities for senior
management to direct the use of social media to contribute to the strategic
goals of the institution, and to establish controls and ongoing assessment of
risk;
- (2) policies and procedures regarding the use and monitoring of social media and
compliance with federal consumer protection laws, regulations, and guidance,
including methodologies to address risks from online postings, edits, replies,
and retention;
- (3) a due diligence process for selecting and managing third-party providers;
- (4) an employee training program for the institution's policies and procedures, work-related
use of social media, and other uses of social media, including prohibited
activities;
- (5) an oversight process for monitoring information posted on proprietary social
media sites;
- (6) audit and compliance functions to ensure ongoing compliance with internal policies
and applicable laws; and
- (7) parameters for providing appropriate reporting to senior management that enable
periodic evaluation of the effectiveness of the social media program.
In its guidance, the FFIEC identified areas of potential
risk for financial institutions, including compliance with the Truth in Savings
Act/Regulation DD and Part 707, the Equal Credit Opportunity Act/Regulation B,
the Fair Housing Act, the Truth in Lending Act/Regulation Z, the Real Estate
Settlement Procedures Act, the Fair Debt Collection Practices Act, and issues
related to deposit insurance. The proposed guidance also highlights risk
and compliance issues related to the use of social media to facilitate a
consumer's use of payment systems, including compliance with the Electronic
Fund Transfer Act/Regulation E and rules applicable to checks, such as Article
4 of the Uniform Commercial Code and the Expedited Funds Availability
Act/Regulation CC. The FFIEC also discusses risk associated with the Bank
Secrecy Act/Anti-Money Laundering Programs, the Community Reinvestment Act, and
privacy concerns under the Gramm-Leach-Bliley Act.
The guidance also addresses social media and the effect
it can have on an institution's reputation through negative public
opinion. The FFIEC emphasizes the importance of brand identity and how
financial institutions need to institute appropriate policies to monitor and
address the fraudulent use of the institution's brand through phishing and
spoofing activity. In addition, the guidance addresses the risk
associated with failing to properly monitor third-party providers of social
media platforms and privacy concerns. Further, it discusses the
challenges associated with using social media as a means for consumers to post
complaints or initiate disputes, and other problems associated with employees'
use of social media sites.
The FFIEC is requesting that public comment on the
proposed guidance be submitted by March 25, 2013. In addition to general
comments, the FFIEC is requesting comments on the following questions:
1. Are there other types of social media, or ways in
which financial institutions are using social media, that are not included in
the proposed guidance but that should be included?
2. Are there other consumer protection laws, regulations,
policies, or concerns that may be implicated by financial institutions' use of
social media that are not discussed in the proposed guidance but that should be
discussed?
3. Are there any technological or other impediments to
financial institutions' compliance with otherwise applicable laws, regulations,
and policies when using social media of which the regulators and other banking
agencies should be aware?
Any comments can be submitted by visiting the Federal
eRulemaking Portal. Stay tuned to the CFPB-Lawblog for further
developments as the FFIEC finalizes its Social Media guidance.

Read more articles about the Consumer Financial Protection
Bureau at Dykema's CFPB Blog