Privacy & Information Security Law Blog

On January 23, 2012, the Federal Financial Institutions Examination Council (“FFIEC”) released proposed guidance, Social Media: Consumer Compliance Risk Management Guidance (the “Guidance”) to address how federal consumer protection laws may apply to the social media activities of financial institutions that are supervised by the Consumer Financial Protection Bureau. Comments on the guidance must be submitted within 60 days (before March 25, 2013). After consideration of the public comments, and once the guidance is finalized, financial institutions will be expected to “use the guidance in their efforts to ensure that their risk management practices adequately address the consumer compliance and legal risks, as well as related risks, such as reputation and operational risks, raised by activities conducted via social media.” Rather than imposing additional obligations on financial institutions, the Guidance is intended to help financial institutions comply with existing federal requirements as they apply to the use of social media platforms.

The Guidance indicates that financial institutions should implement a “risk management program that allows [them] to identify, measure, monitor, and control the risks related to social media.” These risk management programs should be tailored to the relevant financial institution’s level of engagement with social media. That said, even institutions that do not use social media should have a risk management program to address employee use of social media and public complaints raised in social media forums. Some key features of an effective risk management program, as defined by FFIEC, include the following:

• “[a] governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution,”
• “[p]olicies and procedures…regarding the use and monitoring of social media and compliance with all applicable consumer protections laws,” and
• “[a]n oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party.”

Noting that there are no social media exceptions in the federal regulations imposed on financial institutions, the Guidance highlights certain regulations that may pose particular problems in the social media context. For instance, under the fair lending laws, a financial institution generally cannot request information about an applicant’s color, national origin, race or sex. Because social media platforms may collect these types of details, financial institutions that engage with users of these platforms must ensure that they are not using, collecting or requesting prohibited information in making credit determinations.

The Guidance also reminds financial institutions to be aware of risks involved with social media that may not be specifically addressed in federal regulations, such as customer complaints and fraudulent uses of the institution’s brand that appear on social media sites.