The Federal Financial Institutions Examination Council (FFIEC) recently released its final supervisory guidance on social media use. In January 2013, we wrote about the FFIEC’s proposed guidance in connection with the applicability of existing laws and policies to the social media activities of financial institutions. Since that time the FFIEC received 81 official comments on its proposal. The final guidance is not markedly different from the proposed guidance but clarifies the proposal in a few areas. The chart below summarizes the clarifications. As the FFIEC mentioned in its proposed guidance and confirmed in the final guidance, the guidance does not impose any new regulations on financial institutions, but instead is expected to assist financial institutions in understanding and managing the risks involved in the use of social media. We will continue to monitor regulator implementation of the guidance and financial institutions’ efforts to comply with it.
|Definition of Social Media
|Agencies consider social media to be a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.
|Clarification: Messages sent via email or text message, standing alone, do not constitute social media. However, messages sent through social media channels are social media.
|Scope of Risk Program
|Financial institutions should ensure their risk management programs provide oversight and controls commensurate with the risks presented by the types of social media in which the financial institution is engaged, including but not limited to, the risks outlined within this guidance.
|Clarification: FFIEC is not imposing a “one-size-fits-all” approach to risk management. Financial institutions are expected to assess and manage the risks particular to the individual institution, taking into account factors such as the institution's size, complexity, activities, and third party relationships.
|Employee Use of Social Media
|Financial institutions should be aware that employees’ communications via social media — even through employees’ own personal social media accounts — may be viewed by the public as reflecting the financial institution’s official policies or may otherwise reflect poorly on the financial institution, depending on the form and content of the communications.
|Clarification: The Guidance does not require a particular approach to employee personal use of social media. Training and guidance should be provided to employees regarding official use of social media —that is, when employees communicate officially on behalf of the financial institution.
|Third Party Relationships
|The financial institution's ability to control content on a site owned or administered by a third party and to change policies regarding information provided through the site may vary depending on the particular site and the contractual arrangement with the third party. A financial institution should thus weigh these issues against the benefits of using a third party to conduct social media activities.
|Clarification: A financial institution should conduct an evaluation and perform due diligence appropriate to the risks posed by the prospective service provider prior to engaging with the provider. To understand the risks that may arise from a relationship with a given third party, the institution should be aware of matters such as the third party's reputation in the marketplace; the third party's policies, including policies on collection and handling of consumer information, including the information of the institution's customers; the process and frequency by which the third party's policies may change; and what, if any, control the institution may have over the third party's policies or actions.
|Consumer Complaints and Inquiries
|A financial institution should have monitoring procedures in place to address the potential for these statements or complaints to require further investigation. Financial institutions should consider the feasibility of monitoring question and complaint forums on social media sites to ensure that such inquiries, complaints, or comments are addressed in a timely and appropriate manner.
|Clarification: The Guidance does not require financial institutions to monitor and respond to all Internet communications; however, a financial institution is expected to take into account the results of its own risk assessments in determining the appropriate approach to take regarding monitoring of, and responding to, such communications. For example, establishing one or more specific channels consumers must use when submitting complaints or disputes directly to the institution for further investigation, to the extent consistent with other applicable legal requirements.
|Community Reinvestment Act
|Depository institutions subject to the CRA should ensure their policies and procedures addressing public comments also include appropriate monitoring of social media sites run by or on behalf of the institution.
|Clarification: Comments about the institution made on the Internet through sites that are not run by or on behalf of the institution are not necessarily deemed to have been received by the depository institution and would not be required to be retained.