Developing and maintaining a social media presence is seen as a necessary part of business and advertising.  A presence on social media involves not only advertising and running promotions through networking sites, but also becoming an active part of an ongoing dialogue with the ability to respond to customer feedback.  However, communicating in the social media sphere involves a good deal of legal and regulatory uncertainty, which makes some financial institutions hesitant to engage in this dialogue.

On December 11, 2013, the Federal Financial Institutions Examinations Council (FFIEC) (which includes the Office of the Comptroller of the Currency, the Federal Reserve Board, the Federal Deposit Insurance Corporation, the National Credit Union Administration and the Consumer Financial Protection Bureau) released final guidance on the applicability of consumer protection and compliance laws, regulations, and policies to social media activities, titled Social Media: Consumer Compliance Risk Management Guidance.  The final guidance is the result of a notice and comment period, which we covered back on February 8, 2013.  In the final guidance, the FFIEC defines social media as interactive online communication in which users generate and share content via text, images, audio, or video.  Examples of social media for purposes of this definition include:  Micro-blogging sites (e.g., MySpace and Twitter); forums, blogs, customer review web sites and bulletin boards (e.g., Yelp); photo and video sites (e.g., Flickr); professional networking sites; virtual worlds (e.g., Second Life); and social games (e.g., FarmVille and CityVille).  Messages sent via text or traditional e-mail do not constitute social media (although messages sent via social media channels are covered social media).

The FFIEC identifies three areas of risk regarding the use of social media:

  • Compliance and legal risks,
  • Reputational risk, and
  • Operational risk.

With respect to compliance and legal risks, the FFIEC highlights those statutes and regulations that govern activities that are performed through social media avenues, such as advertising and account origination.  As the FFIEC points out, customer interaction through social media can be “both informal and dynamic” and is often less secure, so institutions need to be aware of how current rules affect their social media endeavors.  Note that for those financial institutions that choose to originate loans via social media, Regulation Z’s timing and form requirements for providing disclosures will apply.

Reputational risk includes threats from fraud and to the financial institution’s brand, partnering with third parties, privacy concerns, and customer complaints and comments.  Social media adds a wrinkle to these areas by increasing the ways consumers can access, talk to, and talk about financial institutions.  Consider that financial institutions have to carefully monitor social media for customer complaints and unconfirmed stories that may go “viral.”  Operational risk stems from inadequate or failed processes, people, or systems, and here, social media is encompassed in the broader sphere of IT-related risks.  To address social media’s operational risk, the FFIEC directs institutions to consult its Information Technology Examination Handbook.

The overarching purpose of the final guidance is two-fold.  First, financial institutions are alerted that existing consumer protection and compliance regulations apply within the sphere of social media.  Second, financial institutions are reminded of the risks inherent with social media and of the need to address these risks.  The FFIEC concludes with a reminder that social media is like any other product channel, in that the risks to the institution and the consumer must be addressed.