Social Media: Consumer Compliance Risk Management Guidance

December 31, 2013 at 4:51 pm

Written by: Tanner Weigel

The Federal Financial Institutions Examination Council recently released final guidance (the “Guidance”) on the applicability of consumer protection laws, regulations, and policies to social media activities conducted by banks. The Guidance, which applies to financial institutions supervised by the OCC, Federal Reserve, and FDIC, provides insight on the effective management of potential risks that may arise from an institution’s use of social media.

As described in the Guidance, social media is a “form of interactive online communication” that is distinguished from other online media by the level of interaction between users. Thus, the Guidance does not apply to communication through traditional email messaging, but it does apply to messages sent through social media platforms. Communication through the following platforms is deemed to be “social media” communication: Facebook, Twitter, Yelp, Flickr, YouTube and LinkedIn. Accordingly, the insight below applies to communication through those platforms.

If effectively managed, social media can be an incredibly powerful tool in your financial institution’s networking and communication tool kit. Among other benefits, social media provides financial institutions the opportunity to improve market efficiency, broadly distribute information to users of financial services products, and match products and services to users’ needs. However, financial institutions must appreciate the unique risks presented by social media and actively seek to mitigate those risks. As noted in the Guidance, the risks presented by social media currently exist for all financial institutions, regardless of whether or not a financial institution actively participates in social media activities. Therefore, even financial institutions that have opted not to use social media may still wish to consider the possibility that the institution will be the subject of a negative comment or complaint on a social media platform and evaluate what, if any, response the institution will make regarding these types of comments.

Naturally, the size and complexity of the institution’s risk management program should be commensurate with the frequency and extent of its participation in social media activities. The components of an effective risk management program should include:

  • Clear governance structure and audit functions. The financial institution should have a governance structure whereby the senior management establishes controls and ongoing risk assessment related to social media activity, and audit and compliance functions should be implemented to ensure ongoing compliance with these internal policies.
  • Effective oversight process. The financial institution should have protocols and policies in place for the continuous monitoring of information posted to social media sites.
  • Compliance with consumer protection laws and regulations. Although communication through social media channels is commonly perceived to be less formal than communication through other mediums, a financial institution that chooses to engage in communication through social media channels must ensure that it is in full compliance with all applicable consumer protection laws and regulations.
  • Risk management processes for third parties. As a vital part of the oversight process, the financial institution should have a risk management process for selecting and managing third-party relationships in connection with social media.
  • Effective employee training program. The financial institution should have an effective employee training program that incorporates the institution’s policies and procedures for official use of social media, and such program should clearly delineate all impermissible social media activities.

Notably, the Guidance recognizes that the use of social media subjects financial institutions to three risks: 1) compliance and legal risk, 2) reputation risk, and 3) operational risk. These risks, and the policies and procedures that may be instituted for their proper mitigation, are discussed in turn below.

Compliance and Legal Risks:

Compliance and legal risks arise from the potential for a financial institution’s violation of laws and regulations through its use of social media. As an ever-evolving medium, social media activity may present new threats to an institution’s traditional risk management program. Particularly if the program has not kept pace with changes in the marketplace, the financial institution faces a very real threat of violating a consumer protection law or statute.

The Guidance provides the following scenario to illustrate how social media interaction may test an institution’s current risk management program: “when a customer uses social media to communicate issues or concerns directly with a financial institution, such as an error dispute under Regulation E, a billing error under Regulation Z, or a direct dispute about information furnished to a consumer reporting agency under FCRA and its implementing regulations, the aforementioned regulations may apply to the communication.”

Importantly, the failure to recognize the applicable nature of a law may have severe consequences for the institution. To the extent that a financial institution uses social media to engage in lending, deposit services, or payment activities, it must fully comply with applicable laws and regulations in the same manner as it does when it engages in these activities through other forms of media.

Notably, the Guidance offers an extensive list of laws and regulations that may be relevant to a financial institution’s social media activities and provides general guidance on how those laws or regulations may apply to social media communication. Financial institutions are encouraged to evaluate the list of laws and regulations to determine their applicability to the type of social media interaction in which the institution currently participates. When in doubt as to the applicability of certain laws or regulations, institutions are encouraged to consult with their legal counsel for a specific determination of the applicability of any law or regulation.

Reputation Risk:

Reputation risk is the risk arising from negative public opinion. A financial institution engaged in social media activities is expected to be sensitive to, and properly manage, the reputation risks that arise from all social media activities. Reputation risk may be especially prevalent when a financial institution participates in social media activities on a platform not maintained by the institution itself. Naturally, the financial institution’s ability to control content on a site owned or administered by a third party may vary depending on the particular site and the contractual arrangement with the third party, if any.

The Guidance notes that reputation risk can arise in the following areas:

  • Fraud and brand identity. Risk to a financial institution’s brand may arise in many ways. A financial institution should have appropriate policies in place to monitor these risks and respond to them promptly and effectively. As an example, the Guidance advises financial institutions to have a plan ready to be implemented in case the financial institution’s brand is threatened by fraudsters masquerading as the institution, such as through a phishing or spoofing attack.
  • Third party concerns. A financial institution should regularly monitor the information it places on social media sites. Notably, the monitoring process remains the direct responsibility of the financial institution even when it is delegated to third parties.
  • Consumer complaints and inquiries. The interactive nature of social media can expose a financial institution to reputation risks that arise when users post critical, accusatory, or inaccurate statements on a social media platform. Importantly, the Guidance does not require financial institutions to monitor and respond to all Internet communications. On the other hand, the institution must consider the risks inherent in not responding to complaints.

Operational Risk:

Social media platforms are vulnerable to account takeover and the distribution of malware. A financial institution should ensure that the controls it implements to protect its systems and safeguard customer information from malicious software adequately address social media usage. In addition, protocols should be established to ensure that a financial institution can respond to operational risks in a timely and effective manner.

Financial institutions must be cognizant of the fact that the relatively informal nature of many types of social media communication does not excuse the institution from its compliance obligations arising from applicable laws and regulations. Stinson has the necessary bank regulatory expertise to help limit your institution’s exposure to the risks associated with its social media activities.

Entry filed under: Client Alerts, FDIC, Financial Institutions, Regulatory Guidance.


Produced & Maintained By Stinson Leonard Street, a legal resource for Banking & Financial Services.