On December 11, 2013, the Federal Financial Institutions Examination Council (FFIEC) issued final guidance for financial institutions relating to their use of social media (the “Guidance”). With its release, the FFIEC adopts its January 2013 proposed guidance in substantially the same form. (Socially Aware’s overview of the proposed guidance is available here.)
Financial institutions should expect that the federal banking agencies, Consumer Financial Protection Bureau and National Credit Union Administration (the agencies that comprise the FFIEC) will require supervised institutions to incorporate the Guidance into their efforts to address risks associated with the use of social media and to ensure that institutional risk management programs provide effective oversight and controls related to such use. As a result, financial institutions should consider the appropriateness of their social media risk management programs and should be cognizant of potential technical compliance traps that could result from the use of social media to interact with consumers about products governed by consumer financial protection laws, such as the Truth in Lending Act.
Changes to the Proposed Guidance
Although adopted in substantially the same form as the proposed guidance, the Guidance does attempt to address some concerns raised by commenters. For example, the FFIEC clarifies that compliance should not be viewed as a “one-size-fits-all” process and that institutions should tailor their approach based on their size, complexity, activities and third-party relationships. Additionally, the Guidance clarifies that stand-alone messages sent through traditional email and text channels will not be considered social media. Nonetheless, the Guidance cautions that the term “social media” will be viewed broadly by the agencies.
While the FFIEC attempted to clarify a financial institution’s obligations with respect to service providers involved in the institution’s social media activities, the Guidance provides limited specific considerations. For example, the Guidance directs institutions to “perform due diligence appropriate to the risks posed by the prospective service provider” based on an assessment of the third party’s policies, including the frequency with which these policies have changed and the extent of control the financial institution may have over the policies.
Another area where the FFIEC attempted to clarify its expectations is the extent to which a financial institution would be required to monitor consumer communications on Internet sites other than those maintained by the institution (“Outside Sites”). While the preamble to the Guidance notes that “financial institutions are not expected to” monitor Outside Sites, the Guidance provides that the public nature of social media channels may lead to increased reputational risk, and that compliance considerations may arise if, for example, a consumer raises a dispute through social media. Further, the Guidance states that institutions are still expected to make risk assessments to determine the appropriate approach to monitoring and responding to communications made on Outside Sites. The Guidance also continues to state that, based on the risk assessments, institutions will need to consider the need to “monitor question and complaint forums on social media sites” to review and, “when appropriate,” address complaints in a timely manner.
The cornerstone of the Guidance continues to be the expectation that a financial institution will maintain a risk management program through which it identifies, measures, monitors and controls risks related to its use of social media. The Guidance provides that a financial institution’s risk management program should include the following components:
- A governance structure so that social media use is directed by the institution’s board of directors or senior management.
- Policies and procedures regarding the institution’s use of social media, compliance with applicable consumer protection laws and regulations, and methodologies to address risks from online postings, edits, replies and retention.
- A risk management process for selecting and managing third-party relationships for social media use.
- An employee training program incorporating the policies and procedures, and informing employees of appropriate work and non-work uses of social media (including defined “impermissible activities”).
- An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or contracted third party.
- Audit and compliance functions to ensure compliance with internal policies and applicable laws, regulations and the Guidance.
- Parameters for reporting to the institution’s board of directors or senior management to enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.
Moreover, the Guidance continues by focusing on identifying potential risks related to a financial institution’s use of social media, including risk of harm to consumers. In particular, the Guidance identifies potential risks within three broad categories: (1) compliance and legal risk; (2) reputational risk; and (3) operational risk. While the Guidance catalogs the many risks presented by the use of social media, the focus is on the risks associated with compliance with consumer protection requirements, including:
- Fair Lending Laws: While it focuses on an institution’s compliance with time frames for adverse action and other notices required by the federal fair lending laws and regulations, the Guidance also highlights possible compliance traps if a financial institution fails to carefully consider whether the institution’s social media use is consistent with applicable law. For example, the Guidance highlights that, where applicable, the Fair Housing Act would require mortgage lenders who maintain a Facebook page to display the Equal Housing Opportunity Logo.
- Truth in Lending Act/Regulation Z: The Guidance highlights that the Regulation Z advertising requirements would apply to relevant advertisements made through social media. Credit card issuers in particular will be familiar with Regulation Z’s disclosure requirements for advertisements that include trigger terms and reference deferred interest promotions, and should be cognizant of the application of these requirements in social media advertisements.
- Truth in Savings Act/Regulation DD: Like the considerations for compliance with Regulation Z, the Guidance highlights that Regulation DD also contains special advertising requirements for use of trigger terms such as “bonus” and “APY,” and further notes that depository institutions can ensure compliance with the federal disclosure requirements by including a link to the additional information required to be provided to the consumer.
- Deposit Insurance and Share Insurance: The Guidance reminds institutions that they are required to comply with the advertising requirements for deposit insurance in non-social media advertisements and displays.
The FFIEC having finalized its Guidance, financial institutions will need to carefully review their social media policies and practices in light of the Guidance. Indeed, even companies that are not financial institutions may find the Guidance to reflect emerging best practices for minimizing risk in using social media to promote products and services.