These days, the employees of many banks and other financial institutions use social media to interact with existing and potential customers. The Federal Financial Institutions Examination Council (FFIEC) has issued final guidance on identifying and mitigating the risks related to social media. The guidance is intended to help banks understand potential risks – such as consumer compliance, legal, reputation, and operational risks – of using social media.
The guidance, titled “Social Media: Consumer Compliance Risk Management Guidance,” directs financial institutions to verify that their risk management programs provide oversight and controls that align with the risks presented by the types of social media being used. The risk management program of a bank should be commensurate with that bank’s particular size, complexity, activities, and relationships with third parties.
According to the guidance, a bank’s risk management program should include the following:
- A governance structure with clear roles and responsibilities, in which senior management directs how social media contributes to strategic goals
- Policies and procedures for using and monitoring social media
- A training program that incorporates the bank’s policies for social media use
- A process for monitoring information posted on social media sites
- Due diligence policies and procedures for selecting and managing vendors in connection with social media
- An audit function to help banks ensure ongoing compliance with policies
- Appropriate reporting to the board of directors or senior management on the effectiveness of the social media risk management program
As part of the risk management program, banks should conduct a risk assessment to help identify, measure, monitor, and control the risks of social media. Even if a financial institution does not use social media, it is important to understand the medium and monitor the channels through which customer complaints and data breaches can easily tarnish the institution’s image. The guidance also details many legal and regulatory requirements that financial institutions already comply with and need to apply to social media – such as fair lending laws; the Truth in Lending Act/Regulation Z; the Real Estate Settlement Procedures Act; the Fair Debt Collection Practices Act; unfair, deceptive, or abusive acts or practices (UDAAPs); and many more.
The FFIEC guidance, which is effective immediately, is intended to help financial institutions understand and manage the risks associated with activities conducted using social media channels. The risks of using social media in this new world of customer communication and connection cannot be ignored.