Amy K: Proposal Issued On Social Media Guidance
The Federal Financial Institutions Examination Council (FFIEC) is proposing guidance to address how federal consumer protection and compliance laws, regulations and policies apply to social media activities of financial institutions. The FFIEC is made up of six members, including the National Credit Union Administration (NCUA). The FFIEC develops examination procedures for financial institutions that are used by its members, which again include the NCUA. Financial institutions that are supervised by members of the FFIEC “will be expected to use the guidance in their efforts to ensure that their risk management practices adequately address the consumer compliance and legal risks, as well as related risks, such as reputation and operational risks, raised by activities conducted via social media.” The Proposal can be found here: http://www.ffiec.gov/press/Doc/FFIEC%20social%20media%20guidelines%20FR%20Notice.pdf (Comments must be received within 60 days.)
“Social media” as discussed in this proposal means “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video. Social media can take many forms, including, but not limited to, micro-blogging sites (e.g., Facebook, Google Plus, MySpace, and Twitter); forums, blogs, customer review web sites and bulletin boards (e.g., Yelp); photo and video sites (e.g., Flickr and YouTube); sites that enable professional networking (e.g., LinkedIn); virtual worlds (e.g., Second Life); and social games (e.g., FarmVille and CityVille). Social media can be distinguished from other online media in that the communication tends to be more interactive.”
Social media is being used by credit unions in a variety of ways, from advertising and marketing to facilitating applications for new accounts, to engaging with existing and potential members, such as by receiving and responding to complaints or providing loan pricing. This proposed guidance provides that “to manage potential risks to financial institutions and consumers, however, financial institutions should ensure their risk management programs provide oversight and controls commensurate with the risks presented by the types of social media in which the financial institution is engaged, including but not limited to, the risks outlined within this guidance.”
A risk management program would be expected to control the risk related to social media. The program would need to be tailored to the credit union and its involvement in social media. “For instance, a financial institution that relies heavily on social media to attract and acquire new customers should have a more detailed program than one using social media only to a very limited extent.” The guidance also suggests that the risk management program should be designed “with the participation from specialists in compliance, technology, information security, legal, human resources, and marketing.”
A credit union that is not engaged in social media will still need to be prepared to address the “potential for negative comments or complaints that may arise within the many social media platforms described above and provide guidance for employee use of social media.”
The proposed guidance indicates that the components of a risk management program should include:
“• A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution (for example, through increasing brand awareness, product advertising, or researching new customer bases) and establishes controls and ongoing assessment of risk in social media activities;
• Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws, regulations, and guidance. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention;
• A due diligence process for selecting and managing third-party service provider relationships in connection with social media;
• An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities;
• An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;
• Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance; and
• Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.”
In the FFIEC’s proposal, Social Media: Consumer Compliance Risk Management Guidance, the FFIEC summarizes some of the laws that credit unions must comply with when they engage in certain activities through social media. For example, deposit and lending products trigger requirements under the Truth in Savings Act/Part 707; Fair Lending Laws: Equal Credit Opportunity Act/Regulation B and Fair Housing Act; Truth in Lending Act/Regulation Z; Real Estate Settlement Procedures Act; Fair Debt Collection Practices Act; Unfair, Deceptive, or Abusive Acts or Practices; and Share Insurance requirements. Payments systems trigger Electronic Fund Transfer Act/Regulation E and rules applicable to check transactions. Requirements under the Bank Secrecy Act are applicable to activities conducted through social media. Privacy regulatory requirements under the Gramm-Leach-Bliley Act Privacy Rules and Data Security Guidelines; CAN-SPAM Act and Telephone Consumer Protection Act; Children’s Online Privacy Protection Act; and Fair Credit Reporting Act can also come into play.
In addition to the compliance/regulatory risks noted above, there are also reputation risks that should be addressed, such as risks associated with fraud and brand identity; third-party concerns; privacy concerns; consumer complaints and inquiries; and employee use of social media sites.
In addition to commenting on provisions of the proposed guidance, the FFIEC is specifically soliciting comments in response to the following questions:
1. Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?
2. Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?
3. Are there any technological or other impediments to financial institutions’ compliance with otherwise applicable laws, regulations, and policies when using social media of which the Agencies should be aware?
Please do not hesitate to contact Amy Kleinschmit with any questions or comments on this or any other compliance issue at firstname.lastname@example.org or 701.214.9721.