Since the preliminary guidance was released in January of 2013, Banks, Credit Unions and the third-parties who support them have been waiting for final guidance. “The Guidance do not contain exceptions regarding the use of social media” but helps to convey the applicability of existing laws, regulations and policies that pertain to financial institutions. As the Social Media Management tool for Financial Services, Social Assurance helps banks, credit unions, agencies and outsourced compliance vendors to provide compliant social media solutions and services.
The FFIEC’s guidelines address these 4 core areas:
Social Media Governance and Operational Risk
“A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution.”
Outlining guidance structures for social media includes delegating social tasks, understanding the objectives for social (customer-acquisition, brand awareness, customer services, etc) and insuring the institution and an employee training program. This enterprise view of social should help to focus your institution’s objectives in social as well as employee’s use… “establishing policies and training to address employee participation in social media representing the financial institution.”
There are several types of third-parties who engage FIs in social media, including Social Platforms (Facebook, Twitter, LinkedIn, etc)
“Even if a social media site is owned and maintained by a third party, consumers using the financial institution’s part of that site may blame the financial institution for problems that occur on that site…” As FIs, we rarely utilize third-parties that both own the data and do not give us SLAs. When choosing which platforms to utilize, consider their reputation, stability, etc.
Agencies who may produce content and campaigns are addressed clearly: “Working with third parties to provide social media services can expose financial institutions to substantial reputation risk.” However, if controls are imposed to insure agency content, campaigns, etc are clearly overseen by the FI, risks may be dramatically reduced through process and software.
Service providers or software providers who provide software to post, reply are also addressed. Consider what, “if any, control the institution may have over the third party’s policies or actions.” Mitigating risk through rule and role-based software to keep individuals, platforms and third-parties in-check can reduce risk.
Monitoring / Fraud and IT Security
“Financial institutions should consider the use of social media monitoring tools and techniques to identify heightened risk, and respond appropriately.” These monitoring techniques and tools should also address “fraudulent use of the FI’s brand”. While many institutions focus on the fear of consumer complaints, the Guidelines focus on taking “into account the results of its own risk assessments in determining the appropriate approach to take regarding monitoring of and responding to, such communications.” The guidelines recognize that these comments may occur in locations where the FI is not expecting and suggests that FIs “consider the risks, particularly the reputation risk, inherent in not responding to complaints and disputes received through other channels.” So are FIs expected to boil the ocean and never miss an alert, no, “this Guidance does not require FIs to monitor and respond to all Internet communications.” So where do we draw the line as FIs? Filtering for relevant messages requires well-configured tools.
Existing regulations and their effect
Laws specifically mentioned in the guidance include:
- Truth in Savings – Depository institutions require disclosures about fees, APY, interest rate and other terms. (Reg DD Part 707)
- Fair Lending Laws: Equal Credit Opportunity Act/Regulation B and Fair Housing Act
Creditors must observe timeframes for applications, denial action notice, but perhaps more-importantly is keeping information that social sites often collect such as age, religion, origin, etc from being information solicited by creditors.
- Truth in Lending Act / Reg Z
Advertising of credit products must comply. Advertising review becomes critical for institutions when marketing products across any channel. The speed at which this occurs on social media and the space provided by these third-party sites often require using disclaimers on separate web pages. We often handle this with auto-generated disclaimer pages.
- Real Estate Settlement Procedures Act
RESPA prohibits some actions for mortgages. Disclosures must be clear and have specific timing.
- Fair Debt Collection Practices Act
- FDCPA prohibits publicly disclosing a consumer’s debt obligation. Collecting utilizing social media could not be done through public means.
- Unfair, Deceptive, or Abusive Acts or Practices
Section 5 of FTC Act is cited which prohibits “unfair or deceptive acts or practices in or affecting commerce.” Again, the complexity with social media is often the length of space given to promote or discuss a product.
- Deposit Insurance or Share Insurance.
FDIC or NCUA advertising apply when marketing products that apply. Since social media is a “commercial message” the FDIC and NCUA statements (and/or logos) will need to be present.
- Electronic Fund Transfer Act/Regulation E
- Check Transactions
- Bank Secrecy Act (BSA) Include training, risk management and compliance with recordkeeping.
- Community Reinvestment Act
- Gramm-Leach-Billey Act
Disclose privacy policies as required by GLBA. In social media, making sure to treat consumer information even without naming consumer or customer relationship.
- CAN-SPAM Act and Telephone Consumer Protection Act
Applies to social media when collecting information.
- Children’s Online Privacy Protection Act
COPPA and FTC need to be evaluated to insure children are over 13. Relying on Facebook’s policy may be in consideration, but FIs need to take precautions that children not be accessing their pages.
- Fair Credit Reporting Act