The Federal Financial Institutions Examination Council (FFIEC) recently issued supervisory guidance entitled “Social Media: Consumer Compliance Risk Management Guidance.” Financial institutions are expected to use the Guidance in their efforts to ensure that their policies and procedures provide oversight and controls commensurate with the risks posed by their involvement in social media.
The Guidance was published to address the applicability of federal consumer protection and compliance laws, regulations, and policies to activities conducted via social media by banks, savings associations, and credit unions, as well as by nonbank entities supervised by the Consumer Financial Protection Bureau (CFPB). Notably, the Guidance does not impose any new requirements on financial institutions, but instead is a guide to help financial institutions understand the applicability of existing requirements and supervisory expectations associated with the use of social media.
According to the FFIEC, the use of social media by a financial institution to attract and interact with customers can affect the institution’s risk profile. The increased risks can include the risk of harm to consumers, compliance and legal risk, operational risk, and reputation risk. The Guidance is meant to help financial institutions identify potential risk areas to address appropriately, and to ensure institutions are aware of their responsibility to oversee and control these risks within their overall risk management program.
The Guidance specifies that a financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks associated with social media, and that the program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing. Involving all of these specialists underscores the need for an institution to have a uniform approach to social media, with input from all facets of the institution’s hierarchy. The risk management program should include:
- A clearly defined governance structure;
- Policies and procedures for use and monitoring of social media;
- A risk management process for selecting and managing third-party relationships;
- An employee training program on social media, covering the institution’s policies and procedures for official, work-related use of social media and, potentially, for other uses of social media, including defining impermissible activities;
- An oversight process for monitoring information posted to proprietary social media sites;
- Audit and compliance functions; and
- Parameters for providing appropriate reporting to the institution’s board of directors or senior management.
While the Guidance is intended to help financial institutions understand and successfully manage the risks associated with the use of social media, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and the CFPB will all use it as supervisory guidance for the institutions they supervise, and the State Liaison Committee of the FFIEC has encouraged state regulators to adopt the Guidance.