Thursday, December 12, 2013

Social Media: Consumer Compliance Risk Management Guidance

On December 11, 2013, the Federal Financial Institutions Examination Council (FFIEC) released final guidance (“Guidance”) on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by banks, savings associations, and credit unions, as well as nonbank entities supervised by the Consumer Financial Protection Bureau (collectively, “financial institutions”). The Guidance was issued in final form on behalf of the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve (Board), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), the Consumer Financial Protection Bureau (CFPB) (collectively, the “Agencies”), and the State Liaison Committee (SLC).

The Guidance is intended to help financial institutions understand potential consumer compliance and legal risks, as well as related risks, such as reputation and operational risks associated with the use of social media, along with expectations for managing those risks. It also provides considerations that financial institutions may find useful in conducting risk assessments and crafting and evaluating policies and procedures regarding social media. Although this Guidance does not impose any new requirements on financial institutions, as with any process or product channel, financial institutions are expected to manage potential risks associated with social media usage and access.

The Final Rule is meant to highlight and manage potential risks to financial institutions and consumers; however, financial institutions should ensure their risk management programs provide oversight and controls commensurate with the risks presented by the types of social media in which the financial institution is engaged, including, but not limited to, the risks outlined within the Guidance.

In this article, I will set forth an outline of the Guidance along with suggestions to manage the risks associated with the use of social media.* I have also published a helpful article on this topic, entitled Social Media and Networking Compliance, which may be downloaded from our Library. 


For purposes of the Guidance, messages sent via traditional email or text message, standing alone, do not constitute social media, although such communications may be subject to a number of laws and regulations discussed in the Guidance. However, messages sent through social media channels are social media. According to the Guidance, social media is considered to be a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video. Social media can take many forms, including, but not limited to, micro-blogging sites; forums, blogs, customer review web sites and bulletin boards; photo and video sites; sites that enable professional networking; virtual worlds; and social games. Social media can be distinguished from other online media in that the communication tends to be more interactive. 


The Guidance suggests that a financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media. The size and complexity of the risk management program should be commensurate with the breadth of the financial institution’s involvement in this medium.

For instance, a financial institution that relies heavily on social media to attract and acquire new customers should have a more detailed program than one using social media only to a very limited extent. An observation in the Guidance worth noting is that even where a financial institution’s own risk assessment indicates that it has chosen not to use social media, it should “still consider the potential for negative comments or complaints that may arise within the many social media platforms”, and, when appropriate, evaluate what, if any, action it will take to monitor for such comments and determine if a response is needed.


The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing. Financial institutions should also provide guidance and training for employees’ official use of social media.

The Guidance stipulates at least seven components of a risk management program. These include, but are not limited to:

1. A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution (for instance, through increasing brand awareness, product advertising, or researching new customer bases) and establish controls and ongoing assessment of risk in social media activities;

2. Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations, and incorporation of guidance as appropriate. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention;

3. A risk management process for selecting and managing third-party relationships in connection with social media;

4. An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities;

5. An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;

6. Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations, and incorporation of guidance as appropriate; and

7. Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives. 


The use of social media to attract and interact with customers can impact a financial institution’s risk profile, including:

· Risk of harm to consumers
· Compliance and legal risks
· Operational risks, and
· Reputation risks.

In our own reviews on behalf of our clients, we have found that the foregoing risks are increased due to poor due diligence, oversight, or control on the part of the financial institution.

Let us now give consideration to each of the Risk Areas, with respect to the risks posed by Social Media. Suggestions are emboldened in each synopsis.