FFIEC Proposes Supervisory Guidance for Financial Institutions Using Social Media

January 24, 2013
Joseph D. Simon

The Federal Financial Institutions Examination Council (the “FFIEC”) has proposed supervisory guidance addressing the applicability of federal consumer protection and compliance laws, regulations, and policies to activities conducted via social media by financial institutions. Comments on the proposed guidance must be submitted to the FFIEC by March 25, 2013.

The proposed guidance is intended to help financial institutions understand potential consumer compliance and legal risks, as well as related risks, such as reputation and operational risks associated with social media use, along with expectations for managing those risks.

The proposed guidance states that a financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media. The size and complexity of the risk management program should be commensurate with the breadth of the financial institution's involvement in this medium. For instance, a financial institution that relies heavily on social media to attract and acquire new customers should have a more detailed program than one using social media only to a very limited extent. The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing.

Components of a risk management program should include the following:

The proposed guidance identifies the major risk areas related to social media as compliance and legal risks, operational risks, and reputation risks.

Compliance and legal risks are defined as “the potential for violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies and procedures, or ethical standards.” Financial institutions are advised to make sure that in their use of social media, they comply with various laws, rules, and regulations. The proposed guidance provides a list of applicable laws and regulations, but warns that this list is not all-inclusive. Some laws and regulations identified in the proposed guidance are: (i) the Truth in Savings Act/Regulation DD, (ii) the Equal Credit Opportunity Act/Regulation B, (iii) the Fair Housing Act, (iv) the Truth in Lending Act/Regulation Z, (v) the Real Estate Settlement Procedures Act, (vi) the Fair Debt Collection Practices Act, (vii) Section 5 of the Federal Trade Commission Act (unfair, deceptive, or abusive acts and practices), (viii) deposit insurance rules, (ix) the Electronic Fund Transfer Act/Regulation E, (x) the Bank Secrecy Act and anti-money laundering laws and regulations, (xi) the Community Reinvestment Act, and (xii) privacy laws.

The proposed guidance defines reputation risk as “the risk arising from negative public opinion.” The FFIEC states that a financial institution engaged in social media activities must be sensitive to, and properly manage, the reputation risks that arise from those activities. Reputation risk can arise in areas including the following: (i) fraud and brand identity, (ii) concerns with using third parties in connection with social media activities, (iii) privacy concerns, (iv) consumer complaints and inquiries, and (v) employee use of social media sites.

The final type of risk identified in the proposed guidance is operational risk. Operational risk is defined as “the risk of loss resulting from inadequate or failed processes, people, or systems.” The FFIEC advises financial institutions to ensure that the controls they implement to protect their systems and safeguard customer information from malicious software adequately address social media usage. Financial institutions' incident response protocols for security events, such as a data breach or account takeover, should include social media, as appropriate.

The complete proposed guidance can be found in the Federal Register online at http://www.gpo.gov/fdsys/pkg/FR-2013-01-23/pdf/2013-01255.pdf.

As noted above, comments on the proposed guidance must be received by the FFIEC on or before March 25, 2013. If you have any questions regarding this proposed guidance, please feel free to contact Joseph D. Simon at (516) 357-3710 or via email at jsimon@cullenanddykman.com.