On December 11, 2013, the Federal Financial Institutions Examination Council (FFIEC) issued its final supervisory guidance entitled “Social Media: Consumer Compliance Risk Management Guidance” (Guidance).
Financial institutions, including banks, savings associations, and credit unions, as well as nonbank entities supervised by the Consumer Financial Protection Bureau (CFPB), “are expected to use the Guidance in their efforts to ensure that their policies and procedures provide oversight and controls commensurate with the risks posed by their involvement with social media.”
Definition of Social Media
The Guidance defines social media as “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.” The interactive nature of social media sets it apart from other online media, and traditional email or text messages are not considered social media for purposes of the Guidance.
Financial institutions use social media in a variety of ways, including:
- Advertising and marketing;
- Providing incentives;
- Facilitating applications for new accounts;
- Inviting feedback from the public; and
- Engaging with existing and potential customers.
Customer interaction via social media is often informal and dynamic, and may occur in a less secure environment.
Risks for Financial Institutions
Because of that informality and the less secure environment, use of social media may increase a financial institution’s exposure to several categories of risk: the risk of harm to consumers, compliance and legal risk, operational risk, and reputation risk.
To the extent a financial institution uses social media to engage in lending, deposit services, or payment activities, the Guidance identifies various laws and regulations with which the financial institution must comply.
Directives to Perform Risk Assessments and Implement Risk Management Programs
Financial institutions must perform risk assessments and maintain risk management programs to identify, measure, monitor and control the risks related to social media. Each such program should be “appropriate and tailored to the particular institution’s size, activities and risk profile.”
An appropriate risk management program will include:
- A governance structure with clear roles and responsibilities to direct how social media contributes to the strategic goals of the institution and establish controls and ongoing risk assessment;
- Policies and procedures regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations. These policies and procedures should incorporate the Guidance where appropriate, and address risks from online postings, edits, replies, and retention;
- A risk management process for selecting and managing third-party relationships;
- An employee training program for work-related use, other use, and impermissible uses of social media;
- An oversight process for monitoring information posted to the institution’s proprietary social media sites;
- Audit and compliance functions; and
- Parameters for appropriate reporting to the institution’s board of directors or senior management to evaluate the social media program.
The use of social media offers many potential benefits, as well as risks. Financial institutions will find the Guidance useful in assessing social media risk and creating (or updating) their policies and procedures regarding social media in order to address those risks.
Financial institutions will want to pay particular attention to any retention requirements applicable to information posted or exchanged via social media platforms, and incorporate social media records into their existing document retention or records information management (RIM) policies.