To Tweet Or Not To Tweet: FFIEC Issues Proposed Guidance On Social Media

Thursday, February 14, 2013 - 12:53

Financial institutions have significantly increased their online presence and suite of services in recent years, and, in response to that trend, on January 17, 2013, the Federal Financial Institutions Examination Council (FFIEC) issued proposed guidance on risk management for financial institutions impacted by social media. The guidance seeks public comment and addresses the application of laws, regulations and policies to the social media activities of banks, savings associations, credit unions and other nonbank entities supervised by the Consumer Financial Protection Bureau. While it does not impose additional obligations on financial institutions, the guidance assists financial institutions in efforts to ensure that internal risk management practices adequately address the compliance and legal risks, reputation risks, and operational risks posed by social media. The guidance seeks to promote institutional awareness of responsibilities to identify, measure, monitor and control such risks within overall risk management programs.

Described in the guidance as “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video,” social media includes platforms such as Facebook, Twitter, Yelp, YouTube and LinkedIn that enable interactive and dynamic communication. Social media can prove useful to financial institutions as it facilitates the broad distribution of information, helps match financial products and services to customers, increases brand awareness, assists in advertising, and provides tools for collecting information on a variety of customer segments. Occurring in less formal and potentially unsecure environments, interactions over social media may pose challenges to financial institution compliance with existing laws.

Essential Components Of Social Media Risk Management Programs

Customer comments and complaints may arise in a variety of social media platforms, even if a financial institution has chosen not to participate in social media. The guidance points out that all financial institutions should have risk management programs that address social media. Effective risk management programs may include the following:

  • internal controls, board and/or senior management assessment of social media risks, and incorporation of social media into the financial institution’s strategic goals;
  • policies and procedures for the use, monitoring and retention of online posts, with specific regard to compliance with consumer protection laws;
  • due diligence protocols for vetting and working with social media service providers;
  • employee training on social media policies;
  • oversight and monitoring of all information posted on the financial institution’s own social media accounts;
  • audits and compliance procedures with respect to social media policies; and
  • periodic evaluations of all social media policies, and the establishment of director and/or management reporting parameters.
Potential Risks From Financial Institution Social Media Use

The guidance notes that social media can pose a variety of risks to financial institutions, including (1) compliance and legal risks; (2) reputation risks; and (3) operational risks. Compliance and legal risks arise from the potential for nonconformance with the law, prescribed practices, internal policies or ethical standards. These risks may be heightened due to the relatively emerging nature of social media, particularly when a financial institution’s practices have not kept pace with the changing marketplace. Many laws do not specifically address social media, necessitating the application of the law through the lens of acceptable practices via other media. From a compliance and legal risk perspective, financial institutions should pay particular attention to the impact of social media in connection with laws and standards implicating the following:

  • deposit and lending products, including laws that deal with consumer disclosure requirements, fair housing and equal credit opportunity, advertising, real estate settlements, fair debt collection practices, deceptive or abusing acts or practices, or deposit and share insurance;
  • payment systems, such as laws governing electronic fund transfers and check transactions;
  • Bank Secrecy Act and anti-money laundering programs;
  • Community Reinvestment Act; and
  • privacy, which may involve laws governing financial institution collection and storage of consumer information, non-solicited communications to consumers, children’s online privacy or fair credit reporting.

As the guidance stresses, social media also implicates reputational risk, or the risk arising from negative public opinion. Regardless of whether a financial institution has violated the law, negative publicity can harm the standing of the financial institution. Thus, financial institutions should manage social media with attention to any possible privacy, transparency or other consumer protection concerns. In particular, financial institutions should pay attention to reputational risks in connection with the following:

  • the potential for fraud in social media and brand identity issues;
  • concerns arising from relationships with social media service providers;
  • consumer privacy concerns regarding the possible misuse of financial information on social media;
  • the public’s ability to view consumer complaints and inquiries; and
  • employee use of social media.

Further, financial institutions should remain cognizant of operational risks, or the risk of loss resulting from failed or inadequate processes, people or systems. In the context of social media, this may include account takeovers, malware and other breakdowns in security. Financial institutions should have procedures in place to deal with these issues as they relate to social media.

Request For Comment

The FFIEC seeks comments on the guidance, which is available at http://www.ffiec.gov/press/Doc/FFIEC%20social%20media%20guidelines%20FR%20Notice.pdf. All comments must be received on or before March 25.

Financial institution use of social media may offer a wide variety of opportunities and benefits while potentially posing broad challenges from a regulatory and risk management perspective. If you would like to discuss the impact of social media on your institution, please do not hesitate to contact Christopher S. Connell, Nicholas Deenis or Laura E. Souchik.

Christopher S. Connell is a Partner in Stradley Ronon’s Philadelphia office, where he focuses his practice on real estate and banking law. In his banking practice, Mr. Connell counsels financial institutions on federal and multistate compliance and licensing for banking, securities, trust and insurance products; chartering, organization and initial public offerings for de novo banks; and securities matters for public company financial institutions. He also represents financial institutions in merger and acquisition and capital raising activities. In his real estate practice, Mr. Connell focuses on investment, development and commercial projects. He advises companies and nonprofit entities in all industries and of all sizes on various real estate issues, including land development and zoning matters, acquisitions and divestitures, construction and leasing.

Nicholas Deenis is a Partner in firm’s Malvern, PA office. He handles a wide range of legal disputes. He focuses his practice on complex litigation, including class actions and RICO claims, UCC litigation, insurance defense litigation, fidelity and surety bond claims, employment litigation and labor matters, health care law and general commercial litigation. He has a broad base of experience in all types of litigation matters, and has practiced extensively in both federal and state courts, regionally and throughout the country. Mr. Deenis represents national and local banks, focusing primarily on claims under Articles 3, 4, and 4A of the Uniform Commercial Code and the Electronic Funds Transfer Act. He has extensive litigation experience in check fraud and related claims and counsels banks on an ongoing basis regarding such check fraud claims and electronic transfers. He has extensive experience in defending banks, mortgage lenders and servicers, auto finance companies, and other financial services companies in a wide variety of state and federal consumer protection claims, including the Fair Credit Reporting Act, the Truth-in-Lending Act and Regulation Z, the Real Estate Settlement Procedures Act, the Fair Debt Collection Practices Act, the Equal Credit Opportunity Act, and state unfair trade practices and consumer protection laws.

Laura E. Souchik is an Associate in firm’s Philadelphia office. She advises a broad range of public and private companies on mergers and acquisitions, securities, finance, and corporate organization and compliance matters.

Please email the authors at cconnell@stradley.com, ndeenis@stradley.com or lsouchik@stradley.com with questions about this article.