Consumer Compliance Outlook
Consumer Compliance Risk Management for Social Media
Do you remember not too long ago when chat rooms, one of the earliest forms of social media, were the primary means to communicate online? But in recent years, social media has evolved significantly into many different forms, and its use has grown exponentially worldwide. For example, Facebook, the world’s largest social networking site, reported that it had 1.19 billion users worldwide as of September 30, 2013.1 This figure accounts for roughly 17 percent of the world’s population.2 Through social media, financial institutions are reaching consumers in ways previously unimaginable.
Although financial institutions have identified a number of ways to use social media strategically, its use is not without risks. It is important that the board of directors and senior management identify and manage these risks appropriately, including compliance risks. If you use social media at your financial institution, consider the following: Do you know the level of your risk exposure? Do you know if and how your employees are using social media to solicit business or otherwise interact with customers? Are you aware of potential compliance or other risks inherent in this form of communication?
Because of financial institutions’ increased use of social media and the attendant risks, the Federal Financial Institutions Examination Council (FFIEC) issued supervisory guidance, titled “Social Media: Consumer Compliance Risk Management Guidance” (Guidance), in December 2013, to highlight potential compliance risks and sound risk management practices.3 This article focuses on this Guidance, which the FFIEC issued to help financial institutions understand how existing requirements and supervisory expectations apply to the use of social media.
What Is Social Media?
First, we need to define social media under the Guidance. Although social media is commonly thought of in the context of “friending,” “tweeting,” or “pinning,” the Guidance defines it more broadly to include “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.” Therefore, while common social networking sites such as Facebook, Twitter, and Pinterest are included in the definition of social media, the Guidance also applies to other forms of media communication such as blogging, customer review forums, and virtual worlds (e.g., Second Life). E-mail and text messages, standing alone, do not fall under this definition of social media; however, they may be otherwise subject to a number of consumer protection laws and regulations discussed in the Guidance.
How Are Financial Institutions Using Social Media?
Social media may provide varying benefits depending upon a financial institution’s strategic execution. Perhaps the most common social media strategy for financial institutions is marketing products and services. However, as the use of social media expands, institutions are implementing it in a variety of ways. While certainly not an exhaustive list, social media has been used by financial institutions to advertise loan incentives and loan pricing, generate applications for new accounts, track and respond to customer complaints and feedback, facilitate outreach, inform consumers of community events, and assist in debt collection efforts. Although social media can provide great rewards for financial institutions with a simple “click of a button,” its use also presents unique risks and risk management challenges for financial institutions.
Compliance Risk Management
The board of directors and senior management should identify, measure, monitor, and control risks associated with an institution’s use of social media for banking activities. To manage potential risks, financial institutions should ensure risk management programs provide oversight and controls commensurate with the risks presented by the types of social media in which the institution is engaged. The Guidance discusses the following strategies for the board of directors and senior management to consider for managing social media compliance risk.
- Create a governance structure. The board of directors and senior management should clearly define the appropriate use of social media and how its use contributes to the institution’s strategic goals. Further, this structure must have clearly defined roles and responsibilities for establishing controls and ongoing monitoring of risk related to social media activities.
- Develop policies and procedures. Policies should establish the expectation to comply with all consumer protection laws and regulations that are applicable to the institution’s use of social media. Procedures should also be developed for monitoring risk that may arise from receiving and responding to online postings from consumers.
- Manage third-party relationships. Risk management processes should be developed to identify, select, and manage third-party relationships.
- Provide employee training. Employees should be provided with training regarding management’s guidelines for official, work-related use of social media.
- Institute audit and compliance monitoring. These functions should ensure compliance with internal policies and procedures on proprietary social media sites.
- Listen to your customers. Oversight processes should be established to monitor online postings to proprietary social media sites, whether administered directly or by a contracted third party. Content posted by consumers may assist in identifying potential areas of compliance or reputational risk. Management teams can use this information to monitor trends and red flags and conduct compliance-monitoring reviews, as necessary.
- Report to the top. The board of directors and senior management should be given information that will provide a comprehensive understanding of the risks present in the institution’s social media activities and whether the social media program is achieving its stated objectives.
Consumer Compliance Risks
What are the consumer compliance risks inherent in the use of social media? This seems to be the $64,000 question, particularly as the capabilities of social media continue to expand. The Guidance addresses a number of areas in which social media may have consumer compliance implications. Each financial institution should ensure that it periodically evaluates and controls its use of social media to ensure compliance with all applicable federal, state, and local laws and regulations, as appropriate. It is important to note that the laws and regulations discussed in the Guidance and summarized below are illustrative and not exhaustive.
Marketing of Deposit and Lending Products
Financial institutions commonly use social media to market and advertise various deposit and lending products or services. When social media is used for these purposes, financial institutions should consider the following consumer compliance laws and regulations:
- Regulation Z — Regulation Z broadly defines advertisement as “a commercial message in any medium that promotes, directly or indirectly, a credit transaction.”4 Therefore, financial institutions promoting a credit transaction via social media should be mindful to comply with all advertising requirements as well as to provide clear and proper disclosure of actually available terms and should recognize that different advertising requirements apply to open-end5 and closed-end6 credit.
- Regulation DD — Regulation DD provides a similar definition of advertisement for deposit products.7 Financial institutions promoting deposit products via social media should ensure that advertisements are not misleading or inaccurate and should be aware of certain terms that trigger additional disclosure.8
- Deposit or Share Insurance — Advertisements of insured products delivered by social media must include required deposit insurance or share insurance disclosures. As such, the Federal Deposit Insurance Corporation (FDIC) Member logo9 or the official advertising statement of the National Credit Union Administration (NCUA)10 should be included in an institution’s social media messages, as applicable.
- Equal Housing Lender — For financial institutions engaged in residential mortgage lending, each social media site administered by such institutions should disclose the Equal Housing Lender logo and legend.11
- Nondeposit Investment Products — For financial institutions that promote nondeposit investment products, there should be clear disclosure that the products are not insured by the FDIC or NCUA, are not deposits or other obligations of the institution and are not guaranteed by the institution, and are subject to investment risks, including possible loss of the principal invested.
The use of social media may also raise fair lending concerns. Therefore, financial institutions should ensure that their use of social media complies with fair lending laws and regulations. For example, Regulation B, which implements the Equal Credit Opportunity Act, prohibits creditors from making “any oral or written statement, in advertising or otherwise, to applicants or prospective applicants that would discourage on a prohibited basis a reasonable person from making or pursuing an application.”12
The Fair Housing Act (FHA) also makes it unlawful to advertise or make any statement that indicates a limitation or preference based on race, color, national origin, religion, sex, familial status, or handicap.13 Similarly, the Federal Reserve Board prohibits member banks from publishing advertisements for dwelling-secured loans, or loans to purchase, construct, improve, repair, or maintain a dwelling, that “contain any words, symbols, models, or other forms of communication that express, imply, or suggest a discriminatory preference or policy of exclusion in violation of the provisions of the Fair Housing Act or the Equal Credit Opportunity Act.”14 Therefore, social media postings by financial institutions, regardless of purpose (e.g., marketing, consumer feedback), should not directly identify or infer a preference for, or exclusion of, a particular group of applicants on a prohibited basis.
Unfair or Deceptive Acts or Practices (UDAP)
When using social media for any purpose, it is important to consider Section 5 of the Federal Trade Commission (FTC) Act, which prohibits unfair or deceptive acts or practices,15 and Sections 1031 and 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.16 Financial institutions should keep in mind that UDAP not only applies to all products and services generally but also applies to related activities over the entire life cycle of a product. Therefore, UDAP risk may increase when financial institutions use social media for marketing and advertising purposes. Bank advertisements should be designed to avoid unfairness or deception. To accomplish this, as stated in CA Letter 07-08,17 advertisements should be clear, balanced, and timely and present not only the benefits of products or services but also any potential risks.
Customer Feedback and Complaints
Many financial institutions use social media to connect directly with their customers by accepting customer complaints or feedback and providing real-time responses. Financial institutions are not expected to monitor and respond to all Internet communications, but they should be aware that certain consumer laws and regulations may apply to communications that occur through social media.
Whether communicated through blogs, consumer review sites, an institution’s social networking page, or a written consumer complaint, negative feedback can be a red flag for financial institutions in identifying broader and more serious issues, including unfair or deceptive acts or practices, or fair lending violations. Because consumers can connect immediately with a large consumer network through these online communities, negative feedback provided online can also represent reputational risk for an institution. Based on the institution’s risk assessment, a financial institution may want to consider monitoring social media forums to identify and, when appropriate, address negative feedback.
Some consumers may not appreciate the risks in providing account information in a public social media forum. Financial institutions should maintain procedures to address any public posting of confidential or sensitive information on the institution’s social media page or site.
The Guidance also provides the following considerations for privacy-related activities:
- Gramm-Leach-Bliley Act (GLBA) Privacy Rules — Whenever a financial institution collects, or otherwise has access to, information from or about consumers, it should evaluate whether these rules apply. The Guidance reminds financial institutions using social media to clearly disclose privacy policies as required under GLBA.
- CAN-SPAM Act and Telephone Consumer Protection Act — These acts and their implementing rules establish requirements for sending unsolicited commercial messages (“spam”) and unsolicited communications by telephone or short message service text messages, respectively. Financial institutions delivering unsolicited communications through social media should evaluate whether their activities trigger the application of these laws.
- Children’s Online Privacy Protection Act (COPPA) — COPPA and the FTC’s implementing regulation imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of other websites or online services that have actual knowledge that they are collecting information from a child under 13 years of age. The Guidance recognizes that certain social media platforms require users to attest that they are at least 13 years of age and indicates that financial institutions may consider relying on such policies. In addition, the Guidance states that a financial institution maintaining its own social media site should be careful to restrict access to those users 13 years of age and older.
- Fair Credit Reporting Act (FCRA) — The Guidance clarifies that FCRA restrictions and requirements apply for making solicitations using eligibility information, responding to direct disputes, and collecting medical information in connection with loan eligibility when social media is used for these activities.
Community Reinvestment Act (CRA)
Depository institutions subject to the CRA must maintain all written comments received from the public for the current year and each of the prior two calendar years that specifically relate to the institution’s performance in helping to meet community credit needs.18 These comments must be retained in the bank’s CRA public file. The Guidance clarifies that comments made about the institution through Internet sites that are not administered by the institution are not necessarily deemed to be received by the institution and, thus, would not need to be retained. However, if comments are received through websites or social media pages run by or on behalf of the institution, such comments should be retained in the public file.
The Guidance identifies a number of legal, reputational, and operational risk areas in addition to the consumer compliance risks previously noted. Notable risk areas include the Bank Secrecy Act, payment systems, fraud and brand identity, and third-party concerns. Financial institutions should identify the laws and regulations that apply to their social media activities and manage all risks appropriately.
Many financial institutions have concluded that social media can play a pivotal role in achieving business goals. However, the rewards from the use of social media do not come without risks, especially as social media capabilities continue to evolve at a rapid pace. As new advances are made in technology, it is essential that the board of directors and senior management teams stay on top of emerging risks because the proper risk management infrastructure for compliance can only be built upon risks that are adequately identified and assessed. Specific issues and questions should be raised with your primary regulator.