Financial Institutions and Social Media

The Federal Financial Institutions Examination Council has come out with some great information regarding social media. This is some of the valuable information that we enjoyed from the following website: http://files.consumerfinance.gov/f/201309_cfpb_social_media_guidance.pdf

Financial institutions are using social media as a tool to generate new business and interact with consumers. Social media, like any new communication technology, has the potential to improve market efficiency. According to the article, social media is a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video. Social media can take many forms, including, but not limited to, micro-blogging sites (e.g., Facebook, Google Plus, MySpace, and Twitter); forums, blogs, customer review web sites and bulletin boards (e.g., Yelp); photo and video sites (e.g., Flickr and YouTube); sites that enable professional networking (e.g., LinkedIn); virtual worlds (e.g., Second Life); and social games (e.g., FarmVille and CityVille). Messages sent via email or text message, standing alone, do not constitute social media, although such communications may be subject to a number of laws and regulations.

The great news is institutions are aware of their responsibilities to oversee and control risks that involve social media. Each institution is responsible for carrying out an appropriate risk assessment and maintaining a risk management program that is appropriate and tailored to the particular institution’s size, activities, and risk profile. The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing. Financial institutions should also provide guidance and training for employee official use of social media.

Components of a risk management program should include the following:

• A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution (for example, through increasing brand awareness, product advertising, or researching new customer bases) and establish controls and ongoing assessment of risk in social media activities;

• Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations, and incorporation of guidance as appropriate. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention;

• A risk management process for selecting and managing third-party relationships in connection with social media;

• An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities;

• An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;

• Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations, and incorporation of guidance as appropriate; and

• Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.

Therefore, to the extent that a financial institution uses social media to engage in lending, deposit services, or payment activities, it must comply with applicable laws and regulations as when it engages in these activities through other media. Financial institutions should remain aware of developments involving such laws and regulations.

Each financial institution should ensure that it periodically evaluates and controls its use of social media to ensure compliance with all applicable federal, state, and local laws and regulations, and incorporation of guidance, as appropriate. It is expected to take steps to ensure that advertising, account origination, and document retention are performed in compliance with applicable consumer protection and compliance laws and regulations. However, under the CRA, comments about the institution made on the Internet through sites that are not run by or on behalf of the institution are not necessarily deemed to have been received by the depository institution and would not be required to be retained. Rather, the institution should retain comments made on sites run by or on behalf of the institution that specifically relate to the institution’s performance in helping to meet community credit needs. The CAN-SPAM Act and TCPA, and their implementing rules, establish requirements for sending unsolicited commercial messages (“spam”) and unsolicited communications by telephone or short message service (SMS) text message.

Activities that result in dissatisfied consumers and/or negative publicity could harm the reputation and standing of the financial institution, even if the financial institution has not violated any law. Privacy and transparency issues, as well as other consumer protection concerns, arise in social media environments. Therefore, a financial institution engaged in social media activities is expected to be sensitive to, and properly manage, the reputation risks that arise from those activities.

Reputation risk can arise in areas including the following: Financial institutions should be aware that protecting their brand identity in a social media context can be challenging. Risk may arise in many ways, such as through comments made by social media users, spoofs of institution communications, and activities in which fraudsters masquerade as the institution. Financial institutions should consider the use of social media monitoring tools and techniques to identify heightened risk, and respond appropriately. Financial institutions should have appropriate policies in place to monitor and address in a timely manner the fraudulent use of the financial institution’s brand, such as through phishing or spoofing attacks. This final Guidance clarifies that financial institutions are not expected to conduct such monitoring. Working with third parties to provide social media services can expose financial institutions to substantial reputation risk.

A financial institution should regularly monitor the information it places on social media sites. This monitoring is the direct responsibility of the financial institution, as part of a sound compliance management system, even when such functions may be delegated to third parties. The institution should be aware of matters such as the third party’s reputation in the marketplace; the third party’s policies, including policies on collection and handling of consumer information, including the information of the institution’s customers; the process and frequency by which the third party’s policies may change; and what, if any, control the institution may have over the third party’s policies or actions.

Financial institutions should be aware that employees’ communications via social media may be viewed by the public as reflecting the financial institution’s official policies or may otherwise reflect poorly on the financial institution, depending on the form and content of the communications. Employee communications can also subject the financial institution to compliance risk, operational risk, as well as reputation risk. Therefore, as appropriate, financial institutions should take steps to address these risks, such as establishing policies and training to address employee participation in social media representing the financial institution. For example, if an employee is communicating with a customer regarding a loan product through an approved social media channel, policies should include steps to ensure the customer is receiving all of the required disclosures.

This Guidance does not address any employment law principles that may be relevant to employee use of social media. In addition, the Guidance is not intended to impose any specific requirements for policies or procedures regarding employee personal use of social media. Each financial institution should evaluate the risks for itself and determine appropriate policies to adopt in light of those risks. We have worked with financial institutions on managing their social media and they prefer to hire a third party to monitor all activity.

What did you learn that was new in this article? What other insight do you have to add?
