The FFIEC Proposes Guidance on Social Media Use

The Federal Financial Institutions Examination Council (FFIEC)[1] recently requested comment on its proposed guidance entitled Social Media: Consumer Compliance Risk Management Guidance.  FFIEC guidance consists of recommendations regarding supervisory matters.  This guidance proposes to address the applicability of current compliance laws, regulations and policies to social media activities conducted by financial institutions, including nonbank entities.  FFIEC’s guidance contains a non-exhaustive checklist of existing laws that apply even in the social media space.  These laws include the Truth in Savings Act, Equal Credit Opportunity Act, Fair Housing Act, Truth in Lending Act, Real Estate Settlement Procedures Act, Fair Debt Collection Practices Act, UDAAP, deposit and share insurance Acts, Electronic Fund Transfer Act, Bank Secrecy Act, Community Reinvestment Act, Gramm-Leach-Bliley Act, and the Children’s Online Privacy Protection Act (COPPA), together with their related regulations.  The guidance operates as reminder to financial institutions of their compliance obligations and requires that financial institutions design and implement a comprehensive risk management program tailored to their operations, but does not propose any new policies or obligations specific to social media use or access by financial institutions.   Each financial institution is expected to manage the potential compliance, reputation and operational risks associated with its operations –including social media use.    While much of the guidance could be interpreted as ‘business as usual’, we’ve highlighted the FFIEC guidance in connection with some of the less obvious compliance and reputation risks unique to social media.[2]

Compliance Risks

• Financial institutions using social media platforms that otherwise require users to provide personal information such as age, sex or religion will need to ensure that such information is not being used in violation of applicable fair lending laws, especially where the social media platform is being maintained by a third party on the financial institution’s behalf – think virtual worlds.
• All required compliance logos and statements (e.g., Equal Housing Opportunity logo or “Member FDIC” statement) must appear in a financial institution’s social media advertising, which would include its Facebook page.
• Financial institutions need to maintain awareness of money laundering and other Bank Secrecy Act risks associated with social media use, especially where virtual currencies could make it easier to launder money and finance illegal activity.
• Comments and complaints received by financial institutions on social media platforms “count” as written comments from the public that are required to be maintained in a public file by depository institutions under the Community Reinvestment Act.
• Although most social media platforms require users to attest that he/she is at least 13, in keeping with COPPA, the FFIEC guidance proposes that financial institutions nevertheless monitor whether it is actually collecting information of persons under 13.

• Financial institutions that choose not to use social media still need to be prepared to address reputation risks associated with negative comments or complaints that arise on social media platforms.
• Financial institutions should use social media monitoring tools to prevent fraudsters from masquerading as the institution and spoofing institution communications.
• The FFIEC recommends that financial institutions implement procedures that prevent users from publicly posting sensitive information such as account numbers on the financial institutions social media page.
• Because a financial institution employee’s personal use of social media could be perceived as representing the financial institution’s policies or position, the FFIEC proposes that policies be established to address employee participation in social media.

In its request for comment, the FFIEC members expressed interest in determining whether there other types of social media that should be taken into consideration in the guidance or other consumer protection regulations or concerns that could be implicated by a financial institution’s use of social media.   FFIEC agencies are also trying to determine whether there are any impediments to regulatory compliance when using social media.   Comments are due on March 25, 2013.