Earlier this year, the Federal Financial Institutions Examination Council (FFIEC) issued a notice for comment on proposed social media guidelines (the “Guidance”) for financial institutions – that is, banks, savings associations, and credit unions, as well as nonbank entities supervised by the Consumer Financial Protection Bureau.
Dozens of comments were submitted in response to the Guidance. Some requested clarification on employee use of social media and advertising regulations. For example, a few commenters suggested the “One Click Rule,” wherein required disclosures would be “one click” away. Several critiqued the Guidance as overly burdensome, particularly with its expectations for financial institutions, including those not socially active, to monitor others’ activity.
Compliance Risk Management Expectations for Social Media
The Guidance advises financial institutions to maintain risk management programs to identify, measure, monitor, and control risks related to social media. A program should include:
- A governance structure with clear roles for the board of directors or senior management to direct how social media will contribute to strategic goals and establish controls and ongoing risk assessment in social activities;
- Policies on use and monitoring of social media and compliance with applicable consumer protection law and regulations. These should address risks from online postings, edits, replies, and retention;
- A due diligence process for selecting and managing third-party social media service providers;
- An employee training (or certification) program;
- Oversight for monitoring information posted to proprietary social media sites administered by the company or a contracted third party;
- Audit and compliance functions for compliance with internal policies and all applicable laws, regulations, and guidance; and
- Parameters for reporting to the financial institution’s board of directors or senior management, to periodically evaluate the social media programs’ effectiveness.
The Guidance addresses three risk areas: compliance and legal, reputation, and operational.
Each financial institution must ensure compliance on social media with all federal, state, and local laws, regulations and guidance. The Guidance lists illustrative relevant laws and regulations, including those bearing on deposit and lending products (think: the Fair Housing Act and Section 5 of the FTC Act), payment systems (the Electronic Fund Transfer Act), and privacy (the CAN-SPAM Act, GLB Act, COPPA, FCRA, and so on).
The use of social media is almost sure to raise complications when employees and third parties are involved. Together with the potential for consumer complaints and inquiries, privacy concerns, brand misuse, or even fraud, the reputation risks for financial institutions are significant.
To address the fraudulent use of the financial institution’s brand, such as through phishing or spoofing, the Guidance recommends using social media monitoring tools and implementing policies for timely monitoring and response. The Guidance also advises financial institutions to maintain procedures that address the risk of confidential or sensitive information (e.g., account numbers) being posted on the institution’s social media page.
The Guidance places the responsibility of “regularly” monitoring social media content upon the financial institutions, even when such functions are contracted out to third parties.
The Guidance also advises financial institutions to implement monitoring procedures, such as the use of monitoring software, to ensure timely and adequate responses to inquiries, complaints, or comments. Most other industries that have developed social media guidelines have not highlighted the importance of this practice. Yet, for financial institutions, particularly serious compliance issues arise when a customer uses social media to initiate a dispute.
Financial institutions, moreover, should have policies addressing employee participation in social media.
Defined as “the risk of loss resulting from inadequate or failed processes, people, or systems,” operational risks include those posed by the use of information technology. The Guidance advises financial institutions to ensure that their controls and procedures to thwart and respond to IT security risks—whether malicious software, a data breach, or an account hack—address social media.
About Haynes and Boone, LLP:
Haynes and Boone is a relatively young law firm, but one with an impressive and respected history. It began from the efforts and dreams of one lawyer, Richard Haynes, who was soon joined by his colleague and former student Mike Boone. Together they and many other talented individuals built an organization around collaboration and mutual respect, and on absolute dedication to providing clients with value. That Haynes and Boone today is one of America’s largest law firms testifies to the strength of their vision.