The financial services industry has increasingly embraced social media to stay connected with its customers and prospects. At the same time, financial institutions find themselves facing greater regulatory scrutiny than ever before. The net result is that, while banks and other financial institutions feel increasing pressure to employ social media networks, they must also exercise great care to make sure that their use of Facebook, Twitter, YouTube, Yelp, LinkedIn, and other social media outlets does not conflict with their need to comply with the Real Estate Settlement Procedures Act, Equal Credit Opportunity Act, Truth in Lending Act, Fair Credit Reporting Act, Fair Debt Collection Practices Act, and other applicable legal and regulatory requirements.
The Federal Financial Institutions Examination Council (FFIEC) recently published guidance on social media activity. The FFIEC guidance, which defines social media as “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video,” can be found at www.ffiec.gov/press/pr121113.htm. Reference to the FFIEC guidance can be helpful for financial institutions in developing policies and procedures to avoid risks related to their social media activities.
Financial institutions can employ social media for advertising and marketing purposes, to take loan and deposit applications, to garner informal public feedback on services, and to otherwise engage with customers. Special regulatory, reputation, and operational risks, however, are associated with the use of social media for these purposes. To address and manage these risks, the FFIEC guidance calls for a risk management program featuring the following elements:
• Governance structure: directed by senior management, evaluates how social media involvement adds to strategic goals.
• Policies and procedures (stand-alone or incorporated): address social media use, monitoring functions and compliance with consumer protection laws and regulations.
• Risk management process: manages third-party relationships and social media.
• Employee training program: incorporates work-related use of social media and outlines impermissible uses.
• Oversight process: monitors information posted to social media sites, administered by the financial institution or a contracted third party.
• Reporting process: conducted by senior management, periodically evaluates the effectiveness of a social media program.
While social media networking is a communications phenomenon that may appear somewhat exotic and novel, it is just another means of communication. The laws and regulations that apply to written, telephonic, and electronic communications also apply to social media interactions. There is no exception for social media, but there may be added risks.
The following regulatory requirements are among those to consider when using social media for deposit, lending, loan administration, payment processing, and general customer communications.
• Truth in Lending Act/Regulation Z: TILA advertising and disclosure requirements.
• Truth in Savings Act/Regulation DD and Part 707: TISA advertising and disclosure requirements.
• Fair Lending Laws: Equal Opportunity and Fair Housing Act: ECOA advertising, application and notice requirements, and antidiscrimination prohibitions.
• Real Estate Settlement Procedures Act: RESPA anti-kickback rules.
• Fair Debt Collection Practices Act: FDCPA prohibitions on harassing debtors.
• Unfair, Deceptive, or Abusive Acts or Practices: Section 5 of FTC Act (Sections 1031 and 1036 of Dodd-Frank Wall Street Reform and Consumer Protection Act).
• Deposit insurance or share insurance requirements: requirements such as “Member FDIC” language.
• Electronic Fund Transfer Act/Regulation E: EFTA disclosure and error resolution requirements.
• Rules applicable to check transactions: Regulation CC requirements regarding availability of funds and collection of checks.
• Compliance program addressing, among others, customer identification and suspicious activity reporting requirements.
• Depository institutions need to take into account comments received through social media sites run by or on behalf of the institutions.
• Gramm-Leach-Bliley Privacy Rules: Privacy and security of consumer information and disclosure of privacy policies.
• CAN-SPAM Act: Restrictions on sending unsolicited information to consumers through social media.
• Fair Credit Reporting Act: restrictions and requirements on collection, use, and error resolution relating to consumer eligibility information.
• Children’s Online Privacy Protection Act (COPPA).
• Since the average age of social media users is decreasing every year, financial institutions may wish to be aware of the possibility of inadvertently collecting personally identifiable information of social media users aged 13 years or younger.
• For example, a financial institution that maintains a Facebook or Twitter page and responds to comments or queries by Facebook or Twitter users may wish to consider having policies and procedures in place to avoid inadvertently collecting information from individuals covered by COPPA through social media platforms.
Positive and negative information that individual customers disseminate via social media reaches other customers faster, and its spread can be beyond an institution’s control.
As is the case with all third-party vendors, when a financial institution decides to outsource the management of its social media accounts and sites to third-party contractors, it should maintain a monitoring system to prevent reputational risk if the third-party contractor does not perform.
The FFIEC guidance states that financial institutions need to be aware that employees’ communications through social media may be viewed by the public and may be construed as the institution’s official policies or reflect poorly on its image. Financial institutions may reduce potential exposure to reputation and regulatory risks by training employees on how to communicate appropriately with customers through a social media platform regarding products and services that they offer. Proper employee training can actually generate business.
Additionally, the Stored Communications Act (SCA) presents a challenge to employers who directly or indirectly (through a third-party vendor) seek to collect data from employees’ social networking sites. In that connection, the SCA prohibits employers from collecting information contained on employees’ social media pages, which would be considered personal.
Accordingly, financial institutions may wish to consider implementing policies and procedures governing social media use by employees, which include:
• Employee education on social media use (including the regulatory repercussions of noncompliance).
• Communicating risks of use to employees.
• Accountability for misuse of social media platforms.
• Assignment of the financial institution’s social media account to internal managers.
Due to the public’s increasing dependence on technology-based interactive platforms for communication, financial institutions that develop a social media presence are well served to do so in the framework of internally established policies and procedures. The breadth of policies and procedures needed for any given institution depends on the size and specific involvement of that institution. When looking to increase existing involvement or begin involvement in social media, financial institutions might first want to consider the legal, compliance, and reputational risks associated with such a presence.