On Tuesday, the Federal Financial Institutions Examination Council released proposed guidance on regulations and policies that will affect the social media activities of banks and non-bank entities supervised by the CFPB.
In response to guidance requests from industry participants and consumer advocates, the FFIEC, of which the OCC, Federal Reserve Board of Governors, FDIC, CFPB, National Credit Union Administration and State Liaison Committee are members, released the guidance to assist financial institutions in understanding the potential risks associated with the rules and expectations for risk management.
Financial institutions use social media to engage with existing and potential customers, advertise incentives, market products and services, invite public feedback, provide loan rates, and receive and respond to complaints.
“The use of social media by a financial institution to attract and interact with customers can impact a financial institution’s risk profile,” the guidance said. “The increased risks can include the risk of harm to consumers, compliance and legal risk, operational risk and reputation risk.”
In stating its expectations for risk management programs, the guidance said that financial institutions should establish a risk management system that allows them “to identify, measure, monitor and control the risks related to social media,” adding that “the size and complexity of the risk management program should be commensurate with the breadth of the financial institution’s involvement in this medium.”
The FFIEC guidance also said that financial institutions’ risk management programs should be designed with input from specialists in a number of fields, including legal, human resources, marketing, technology, compliance and information security.
Risk management programs, under the proposed guidance, are required to have a governance structure with clear roles and responsibilities; policies and procedures regarding the use and monitoring of social media and compliance with all laws, regulations and guidance; a due diligence process for selecting and managing third-party service provider relationships in connection with social media; an employee training program; an oversight process; audit and compliance functions; and parameters for providing appropriate reporting to the financial institution’s directors or senior management.
The FFIEC guidance recommended that financial institutions using social media to market new products or accounts also ensure that their activities comply with federal laws. Financial institutions may also be subject to reputation risk, which may arise through fraud or brand identity, third-party concerns, privacy concerns, consumer complaints and inquiries, and employee use of social media.
Additionally, financial institutions may encounter operational risk resulting from “inadequate or failed processes, people or systems.” The guidance recommends that institutions’ response protocols account for a data breach or social media account takeover.
After the FFIEC considers public comment on its proposed guidance, the agencies will issue it as supervisory guidance to supervised entities, which will then be expected to use the guidance to ensure the adequacy of their risk management policies and procedures. After the guidance is finalized, the SLC, which is composed of representatives from five state financial regulators, will encourage state regulators to adopt the guidance.