Today's Trends in Credit Regulation

Social Media Guidance
By Catherine M. Brennan

On December 11, the Federal Financial Institutions Examination Council released guidance on the applicability of consumer protection and compliance laws, regulations, and policies to social media activities by banks, savings associations, credit unions, and nonbank entities supervised by the Consumer Financial Protection Bureau. The Guidance, entitled "Social Media: Consumer Compliance Risk Management Guidance," does not impose new requirements on financial institutions, but intends to help financial institutions understand potential consumer compliance and legal risks, and reputation and operational risks, associated with the use of social media, along with expectations for managing those risks. Importantly, the Guidance makes clear that financial institutions are expected to manage risks associated with all types of consumer and customer communications, no matter the medium.

The Guidance provides that a financial institution should have a risk management program to identify, measure, monitor, and control the risks related to social media, and that the risk management program should be commensurate with the breadth of the financial institution's involvement in this medium. For instance, a financial institution that relies heavily on social media to attract and acquire new customers should have a more detailed program than one using social media only to a very limited extent. However, in accordance with its own risk assessment, a financial institution that has chosen not to use social media should still consider the potential for negative comments or complaints that may arise within the many social media platforms described above, and, when appropriate, evaluate what, if any, action it will take to monitor for such comments and/or respond to them.

So, for example, a social media risk management program would anticipate and avoid fiascos like the #AskJPM hashtag on Twitter that a bank started as a way to connect with its customers, but that the public at large took as a mechanism for communicating its disgust with the financial markets and the recession of 2008. Shortly after debuting the hashtag, the bank announced it was no longer communicating through hashtags. The Guidance specifically addresses the kind of reputation risk, or risk arising from negative public opinion, that the #AskJPM debacle created. Activities that result in dissatisfied consumers and/or negative publicity could harm the reputation and standing of the financial institution, even if the financial institution has not violated any law. The Guidance calls on financial institutions to be prepared to respond to negative publicity and complaints generated by social media forays such as this, in order to ensure compliance with applicable laws and to preserve the safety and soundness of the institution.

To preserve its reputation and comply with law, the institution should adopt a risk management program with the following components:

  • A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution (for example, through increasing brand awareness, product advertising, or researching new customer bases) and establish controls and ongoing assessment of risk in social media activities;
  • Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations, and incorporation of guidance as appropriate. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention;
  • A risk management process for selecting and managing third-party relationships in connection with social media;
  • An employee training program that incorporates the institution's policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities;
  • An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;
  • Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations, and incorporation of guidance as appropriate; and
  • Parameters for providing appropriate reporting to the financial institution's board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.

All social media is effectively advertisement, and the Guidance highlights that any social media communication in which a creditor advertises credit products must comply with the Truth in Lending Act and Regulation Z's advertising provisions. Further, fair lending is a significant concern of the Guidance, and institutions are advised to ensure that their use of social media does not violate fair lending laws and regulations.

The Guidance took effect immediately upon its publication in the Federal Register, so institutions should ensure that they incorporate it into their existing risk management or compliance teams.

Catherine M. Brennan is a partner in the Maryland office of Hudson Cook, LLP. Cathy can be reached at 410-865-5405 or by email at
