2014-01-05

Social Media: Consumer Compliance Risk Management Guidance

The Federal Financial Institutions Examination Council recently released final guidance (the “Guidance”) on the applicability of consumer protection laws, regulations, and policies to social media activities conducted by banks. The Guidance, which applies to financial institutions supervised by the OCC, Federal Reserve, and FDIC, provides insight on the effective management of potential risks that may arise from an institution’s use of social media.

As described in the Guidance, social media is a “form of interactive online communication” that can be distinguished from other online media based on the level of interaction between users. Thus, the insight provided in the Guidance does not apply to communication through traditional email messaging, but does apply to messages sent through social media platforms. Communication through the following platforms is deemed to be “social media” communication: Facebook, Twitter, Yelp, Flickr, YouTube and LinkedIn. As such, the following insight applies to communication through those platforms.

If effectively managed, social media can be an incredibly powerful tool in your financial institution’s networking and communication tool kit. Among other benefits, social media provides financial institutions the opportunity to improve market efficiency, broadly distribute information to users of financial services products, and match products and services to users’ needs. However, financial institutions must appreciate the unique risks presented by social media and actively seek to mitigate those risks. As noted in the Guidance, the risks presented by social media currently exist for all financial institutions, regardless of whether or not a financial institution actively participates in social media activities. Therefore, even financial institutions that have opted not to use social media may still wish to consider the possibility that the institution will be the subject of a negative comment or complaint on a social media platform and evaluate what, if any, response the institution will make regarding these types of comments.

Naturally, the size and complexity of the institution’s risk management program should be commensurate to the frequency and extent of its participation in social media activities. The components of an effective risk management program should include:

Notably, the Guidance recognizes that the use of social media subjects financial institutions to the following three risks: 1) compliance and legal risk, 2) reputation risk, and 3) operational risk. These risks, and policies and procedures that may be instituted for their proper mitigation, will be discussed in turn.

Compliance and Legal Risks:

Compliance and legal risks arise from the potential for a financial institution’s violation of laws and regulations through its use of social media. As an ever-evolving medium, social media activity may present new threats to an institution’s traditional risk management program. Particularly if the program has not kept pace with changes in the marketplace, the financial institution faces a very real threat of violating a consumer protection law or statute.

The Guidance provides the following scenario to illustrate how social media interaction may test an institution’s current risk management program: “when a customer uses social media to communicate issues or concerns directly with a financial institution, such as an error dispute under Regulation E, a billing error under Regulation Z, or a direct dispute about information furnished to a consumer reporting agency under FCRA and its implementing regulations, the aforementioned regulations may apply to the communication.”

Importantly, the failure to recognize that a law applies may have severe consequences for the institution. To the extent that a financial institution uses social media to engage in lending, deposit services, or payment activities, it must fully comply with applicable laws and regulations in the same manner as it does when it engages in these activities through other forms of media.

Notably, the Guidance offers an extensive list of laws and regulations that may be relevant to a financial institution’s social media activities and provides general guidance on how those laws or regulations may apply to social media communication. Financial institutions are encouraged to evaluate the list of laws and regulations to determine their applicability to the type of social media interaction in which the institution currently participates. When in doubt as to the applicability of certain laws or regulations, institutions are encouraged to consult with their legal counsel for a specific determination of the applicability of any law or regulation.

Reputation Risk:

Reputation risk is the risk arising from negative public opinion. A financial institution engaged in social media activities is expected to be sensitive to, and properly manage, the reputation risks that arise from all social media activities. Reputation risk may be especially prevalent when a financial institution participates in social media activities on a platform not maintained by the institution itself. Naturally, the financial institution’s ability to control content on a site owned or administered by a third party may vary depending on the particular site and the contractual arrangement with the third party, if any.

The Guidance notes that reputation risk can arise in the following areas:

Operational Risk:

Social media platforms are vulnerable to account takeover and the distribution of malware. A financial institution should ensure that the controls it implements to protect its systems and safeguard customer information from malicious software adequately address social media usage. In addition, protocols should be established to ensure that a financial institution can respond to operational risks in a timely and effective manner.

Financial institutions must be cognizant of the fact that the relatively informal nature of many types of social media communication does not excuse the institution from its compliance obligations arising from applicable laws and regulations. Stinson has the necessary bank regulatory expertise to help limit your institution’s exposure to the risks associated with its social media activities.
