Financial institutions have significantly increased their online presence and suite of services in recent years, and, in response to that trend, on January 17, 2013, the Federal Financial Institutions Examination Council (FFIEC) issued proposed guidance on risk management for financial institutions impacted by social media. The guidance seeks public comment and addresses the application of laws, regulations and policies to the social media activities of banks, savings associations, credit unions and other nonbank entities supervised by the Consumer Financial Protection Bureau. While it does not impose additional obligations on financial institutions, the guidance assists financial institutions in efforts to ensure that internal risk management practices adequately address the compliance and legal risks, reputation risks, and operational risks posed by social media. The guidance seeks to promote institutional awareness of responsibilities to identify, measure, monitor and control such risks within overall risk management programs.

Described in the guidance as “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video,” social media includes platforms such as Facebook, Twitter, Yelp, YouTube and LinkedIn that enable interactive and dynamic communication. Social media can prove useful to financial institutions as it facilitates the broad distribution of information, helps match financial products and services to customers, increases brand awareness, assists in advertising, and provides tools for collecting information on a variety of customer segments. Occurring in less formal and potentially unsecure environments, interactions over social media may pose challenges to financial institution compliance with existing laws.

Essential Components Of Social Media Risk Management Programs

Customer comments and complaints may arise in a variety of social media platforms, even if a financial institution has chosen not to participate in social media. The guidance points out that all financial institutions should have risk management programs that address social media. Effective risk management programs may include the following:

• internal controls, board and/or senior management assessment of social media risks, and incorporation of social media into the financial institution’s strategic goals;
• policies and procedures for the use, monitoring and retention of online posts, with specific regard to compliance with consumer protection laws;
• due diligence protocols for vetting and working with social media service providers;
• employee training on social media policies;
• oversight and monitoring of all information posted on the financial institution’s own social media accounts;
• audits and compliance procedures with respect to social media policies; and
• periodic evaluations of all social media policies, and the establishment of director and/or management reporting parameters.

Potential Risks From Financial Institution Social Media Use

The guidance notes that social media can pose a variety of risks to financial institutions, including (1) compliance and legal risks; (2) reputation risks; and (3) operational risks. Compliance and legal risks arise from the potential for nonconformance with the law, prescribed practices, internal policies or ethical standards. These risks may be heightened due to the relatively emerging nature of social media, particularly when a financial institution’s practices have not kept pace with the changing marketplace. Many laws do not specifically address social media, necessitating the application of the law through the lens of acceptable practices via other media. From a compliance and legal risk perspective, financial institutions should pay particular attention to the impact of social media in connection with laws and standards implicating the following:

• deposit and lending products, including laws that deal with consumer disclosure requirements, fair housing and equal credit opportunity, advertising, real estate settlements, fair debt collection practices, deceptive or abusing acts or practices, or deposit and share insurance;
• payment systems, such as laws governing electronic fund transfers and check transactions;
• Bank Secrecy Act and anti-money laundering programs;
• Community Reinvestment Act; and
• privacy, which may involve laws governing financial institution collection and storage of consumer information, non-solicited communications to consumers, children’s online privacy or fair credit reporting.

As the guidance stresses, social media also implicates reputational risk, or the risk arising from negative public opinion. Regardless of whether a financial institution has violated the law, negative publicity can harm the standing of the financial institution. Thus, financial institutions should manage social media with attention to any possible privacy, transparency or other consumer protection concerns. In particular, financial institutions should pay attention to reputational risks in connection with the following:

• the potential for fraud in social media and brand identity issues;
• concerns arising from relationships with social media service providers;
• consumer privacy concerns regarding the possible misuse of financial information on social media;
• the public’s ability to view consumer complaints and inquiries; and
• employee use of social media.

Further, financial institutions should remain cognizant of operational risks, or the risk of loss resulting from failed or inadequate processes, people or systems. In the context of social media, this may include account takeovers, malware and other breakdowns in security. Financial institutions should have procedures in place to deal with these issues as they relate to social media.

Request For Comment

The FFIEC seeks comments on the guidance, which is available at http://www.ffiec.gov/press/Doc/FFIEC%20social%20media%20guidelines%20FR%20Notice.pdf. All comments must be received on or before March 25.

Financial institution use of social media may offer a wide variety of opportunities and benefits while potentially posing broad challenges from a regulatory and risk management perspective. If you would like to discuss the impact of social media on your institution, please do not hesitate to contact Christopher S. Connell, Nicholas Deenis or Laura E. Souchik.