This post was also written by Timothy J. Nagle and Frederick Lah.

Earlier this week, the Federal Financial Institutions Examination Council (“FFIEC”) released its proposed guidance requesting comment on the applicability of consumer protection laws to the social media activities of financial institutions. The guidance addresses the potential risks associated with the use of social media by financial institutions.

Financial institutions use social media in a variety of ways, including marketing products, interacting with customers, facilitating applications for accounts, inviting feedback, and providing customer incentives. Social media is defined by the FFIEC as a “form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.” This includes micro-blogging sites, forums, blogs, customer review websites and bulletin boards, photo and video sites, sites that enable professional networking, virtual worlds, and social games.

In the report, the FFIEC describes the compliance, reputational and operational risks to financial institutions when participating in social media activities. Since the various laws applicable to financial institutions do not contain exceptions for social media, the FFIEC expects financial institutions to comply with the laws applicable to all products or services they make available or administer via social media, including deposit and lending products (e.g., Truth in Savings Act, Fair Lending Laws, Fair Housing Act, Truth in Lending Act), payments (e.g., Electronic Fund Transfer Act), and collection of customer information (e.g., Gramm-Leach-Bliley Act, CAN-SPAM, Telephone Consumer Protection Act, COPPA, Fair Credit Reporting Act).

The reputation risk can be significant and can include the adverse impact of dissatisfied customer comments on proprietary pages or unrelated “gripe sites,” and the attendant negative publicity. The proposed guidance also notes that activities related to the use of customer information via social media may draw negative reactions from customers from a privacy standpoint. Also, employees may post communications on their own social media accounts about the financial institution, which may reflect poorly on the financial institution. Of particular note, the report recommends that financial institutions use social media monitoring tools and techniques to identify and respond to comments or complaints, fraudulent use of the institution’s brand (e.g., phishing), or “any active discussion of the institution on the Internet.”

As with all banking activities, operational risk, which involves the risk of loss resulting from inadequate or failed processes, people, or systems, must also be considered. All employees, especially those who represent the financial institution in customer service, account support or marketing roles, must be well trained on the appropriate use of social media when interacting with the public and customers.

To address these risks, the FFIEC says that financial institutions should have a social media risk management program in place that encompasses:

  • A governance structure with clear roles and responsibilities, which should include senior management directing how the use of social media contributes to the financial institution’s strategic goals
  • Policies and procedures regarding the use and monitoring of social media, and compliance with all applicable consumer protection laws
  • A due diligence process for selecting and managing third-party service providers who offer social media services
  • An employee training program focused on social media use
  • An oversight process for monitoring information posted to social media sites

Under the guidance, even institutions that have chosen not to use social media need to be prepared to respond to negative social media publicity, while also providing guidance to employees on business-related social media activities.

The FFIEC is inviting comments on all aspects of the proposed guidance. Specifically, the FFIEC is soliciting comments in response to the following questions:

  • Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?
  • Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance, but that should be discussed?
  • Are there any technological or other impediments to financial institutions’ compliance with applicable laws, regulations, and policies when using social media of which the FFIEC should be aware?

Financial institutions should review their current and expected future social media presence in light of this proposed guidance. They should also evaluate their internal social media, marketing, privacy, Internet and customer-service policies for consistency with the FFIEC release, and to guide any comments they intend to submit to the FFIEC. Industry participants have 60 days from the date that the notice is published in the Federal Register to submit comments. Please contact the authors for assistance in submitting a comment.