December 16, 2013
FFIEC Raises the Bar on Social Media and Regulatory Compliance
On Wednesday, the Federal Financial Institutions Examination Council (FFIEC) issued its long awaited guidance "Social Media: Consumer Compliance Risk Management Guidance", covering the use of social media within financial services. The guidance applies to banks and nearly every other financial entity that fall under the regulatory umbrellas of the Office of the Comptroller of the Currency (OCC), FDIC, NCUA, and Consumer Financial Protection Bureau (CFPB).
While the guidance imposes no new obligations upon firms, it does a very thorough job of highlighting the plethora of existing regulations whose rules should be considered in assessing the risks of using social media for firm business. Amongst these include:
Applying to Deposit and Lending:
- Truth in Savings Act/Regulation DD
- Fair Lending Laws: Equal Credit Opportunity
- Fair Housing Act
- Truth in Lending Act/Regulation Z
- Real Estate Settlement Procedures Act
- Fair Debt Collection Practices Act
- FTC Section 5 on Unfair, Deceptive, or Abusive Acts
- FDIC requirements on Deposit Insurance
Applying to Payment Systems:
- Electronic Fund Transfer Act
- Check Transactions rules
Applying to Data Privacy:
- Children's Online Privacy Protection Act
- CAN-SPAM Act
- Gramm-Leach Bliley Act (GLBA)
On the GLBA point, the FFIEC noted specific relevance when social media has been integrated into the over-all customer experience. In this case, firms should clearly disclose the use of social media within its privacy policies as required under GLBA.
Most importantly, the ruling outlines the compliance, operational, and reputational risks associated within social media, and encourages the use of risk management programs to assess the potential exposure to the firm. Components of this program should include:
- Design with participation from stakeholders from compliance, technology, information security, legal, human resources, and marketing,
- A governance structure with clear roles and responsibilities
- Policies and procedures regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations
- A risk management process for selecting and managing third-party relationships in connection with social media
- An employee training program that incorporates the institution's policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities
- An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party
- Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations, and incorporation of guidance as appropriate
- Periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.
The net effect of the FFIEC should be to encourage firms to think holistically about social media as an integrated component of its information risk management strategy. As a component of this strategy, firms should also evaluate available technologies that allow for the proactive capture and secure storage of social media content - as is provided today for email, instant messages and other mature communication technologies.
The business use of social media is undeniable - and the FFIEC guidelines clearly demonstrate that regulated firms should take proactive steps now to ensure issues with existing regulations are avoided.