The Federal Financial Institutions Examination Council (“FFIEC”) issued final guidance on December 11, 2013, about the applicability of existing consumer protection laws, regulations, and policies to financial institutions’ activities on social media. The guidance does not introduce new requirements, but it is intended to assist financial institutions in understanding the risks related to social media.
The guidance recommends that financial institutions implement a risk management program that “allows it to identify, measure, monitor, and control the risks related to social media.” The size of the program will vary with the degree of the institution’s social media involvement, but even institutions that do not actively participate on social media should consider having some type of mechanism for monitoring negative comments or complaints by customers. The guidance recommends that the risk management program include input from specialists in compliance, technology, information security, legal, human resources, and marketing.
The guidance also details the regulations that could apply in the social media context. The laws and regulations that apply when institutions use other media apply to the use of social media as well. For example, if a financial institution uses social media to market products or originate new accounts, it should comply with the applicable consumer protection laws. The applicable laws may include the Truth in Savings Act, the Equal Credit Opportunity Act, the Truth in Lending Act, the Real Estate Settlement Procedures Act, and the Fair Debt Collection Practices Act. Additionally, if a depository institution advertises FDIC-insured products, the institution must include the official advertising statement of FDIC membership (usually “Member FDIC”). Insured credit unions must include the official advertising statement of NCUA membership (usually “Federally insured by NCUA”) in their advertising statements.
Also, the guidance addresses social media that could facilitate a consumer’s use of payment systems. There, a financial institution should keep in mind the laws, regulations, and industry rules regarding payments that may apply, including those providing disclosure and other rights to consumers. In particular, banks should be thinking about rules that apply to check transactions and the Electronic Fund Transfer Act.
The guidance also notes that privacy rules are an important consideration for financial institutions using social media. Financial institutions should be aware of the application of the Gramm-Leach-Bliley Act Privacy Rules and Data Security Guidelines, the CAN-SPAM Act, the Telephone Consumer Protection Act, the Children’s Online Privacy Protection Act, and the Fair Credit Reporting Act.
Finally, the guidance provides advice to financial institutions about reputational risk and operational risk. As part of its recommendations on reputational risk, the guidance mentions that financial institutions should be aware of the need to monitor and respond to consumer complaints. It also recommends training employees about their presence on social media as it relates to the financial institution.
Social media can be a valuable tool for financial institutions, but it is important to be aware that, even though the customer communication may be more informal, consumer protection laws and regulations still apply. In light of the guidance, it is clear that Banks that make use of social media for advertising or other business purposes should have robust policies and procedures in place to address the risks identified in the guidance. Banks should review their existing social media policies and procedures to ensure they address all of the risks and other components discussed in the new guidance. Even if your Bank does not make use of social media for business purposes, we recommend that you adopt a formal policy to address employees’ use of social media to the extent that such use may affect your institution.