Financial Institutions Should Develop Policies and Practices to Address and Monitor Reputational and Operational Risks
On December 10, 2013, the Federal Financial Institutions Examination Council (FFIEC) issued its final guidance regarding use of social media by financial institutions, titled Social Media: Consumer Compliance Risk Management Guidance (the “Guidance”). The Guidance, effective immediately, was published in the Federal Register on December 17, 2013, at 78 Fed. Reg. 76297. The final Guidance, which is substantially based on the FFIEC’s January 2013 draft, with some clarifications, can be accessed through the FFIEC press release, at http://www.ffiec.gov/press/pr121113.htm.
This Guidance applies to all financial institutions under the jurisdiction of the six FFIEC members, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (the “Board”), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Consumer Financial Protection Bureau (CFPB) and the State Liaison Committee (SLC), as well as state regulators.
The Guidance addresses the social media activities of banks, savings institutions, and credit unions, as well as non-bank entities regulated by the CFPB. While the Guidance states that it imposes no new requirements on financial institutions, it applies to conduct previously unregulated by these agencies, such as the monitoring of negative comments posted on third-party websites. The Guidance expects that financial institutions will adopt risk management policies and practices to ensure that social media usage will comply with legal obligations and minimize the reputational and operational risks presented by social media usage.
Risk Management Programs
The FFIEC Guidance suggests steps that financial institutions might take to mitigate the risks presented by the use of social media. It notes that a risk management program should have input from a broad array of specialists, including compliance, technology, information security, legal, human resources, and marketing personnel. That guidance acknowledges the fact that social media usage and strategies affect nearly every aspect of a bank’s operations.
The FFIEC recommends that an effective social media risk management program include:
- Policies and procedures regarding the use and monitoring of social media platforms;
Guarding against fraudulent conduct on social media sites, including “spoofing” of bank email address and websites;
An effective due diligence process for selecting third-party service providers for social media use and/or monitoring;
- An employee training program to address both work-related as well as non-work-related uses of social media;
An oversight process for monitoring information posted on social media sites – both by the financial institutions and by third parties;
Audit and compliance programs for monitoring compliance with applicable laws and regulations, as well as internal policies; and
- Periodic reporting to the board of directors and/or senior management to enable evaluation of the effectiveness of social media use in achieving its objectives.
The FFIEC encourages even financial institutions that are not currently using social media to develop and implement a risk management program to address third-party social media usage, such as possibly negative comments about the financial institution posted on social media platforms, and to provide guidance for employee use of social media.
The Guidance stresses that financial institutions must take a proactive role to anticipate and address these reputational risks. It notes that the informality and immediacy of social media present special challenges. Of note, some suggestions in the Guidance could conceivably conflict with other legal rights and obligations. For example, covered entities are expected to monitor third-party social media sites for disparaging communications and to address issues that arise from disparaging or negative comments. The Guidance further counsels financial institutions to “establish appropriate policies to address employee participation in social media that implicates the financial institution.” While those suggestions are laudable, the financial institutions may not, as a practical matter, have the legal right to require that negative comments be taken down or to restrict all employee comments, without impinging on consumers’ First Amendment rights. Similarly, there are some limits on the kinds of restrictions that employers can impose on employees’ uses of social media. The Guidance explicitly states that it is not addressing employment-related issues.
Legal Compliance Programs
The FFIEC Guidance further reminds all financial institutions that, despite the informality of the social media milieu, laws and regulations governing financial institutions, advertising, solicitations and disclosures, continue to apply and must be observed. The Guidance lists many of the laws that apply to financial institutions, including the Truth in Savings/Reg DD and Part 707, Fair Lending Laws: Equal Credit Opportunity Act/Regulation B, the Fair Housing Act; Truth in Lending Act/Regulation Z; the Real Estate Settlement Procedures Act; the Fair Debt Collection Practices Act; Unfair, Deceptive and Abusive Practices Act under Dodd-Frank and the FTC Act; the Electronic Fund Transfer Act/Regulation E; anti-money laundering laws such as the Bank Secrecy Act; privacy laws such as the Gramm-Leach-Bliley Act; the Telephone Consumer Protection Act; the Children’s Online Privacy Protection Act; and the Fair Credit Reporting Act.
In conclusion, the FFIEC Guidance acknowledges the growing significance of social media in the consumer financial services area. As social media channels expand, banks and other financial institutions need to adopt flexible and comprehensive policies to ensure that their reputational and other risks are mitigated while ensuring viability of operations and protection of consumer rights.
We would be pleased to assist you in assessing how this Guidance may have an impact on your business and risk assessments, and suggest ways to implement guidelines and other measures to address the reputational and other risks posed by use of social media.