Consumer Compliance Outlook: Second Quarter 2014

Consumer Compliance Risk Management for Social Media

By Kurtis Haygood, Fair Lending and UDAP Compliance Risk Coordinator, Federal Reserve Bank of San Francisco

Do you remember not too long ago when chat rooms, one of the earliest forms of social media, were the primary means to communicate online? But in recent years, social media has evolved significantly into many different forms, and its use has grown exponentially worldwide. For example, Facebook, the world’s largest social networking site, reported that it had 1.19 billion users worldwide as of September 30, 2013.1 This figure accounts for roughly 17 percent of the world’s population.2 Through social media, financial institutions are reaching consumers in ways previously unimaginable.

Although financial institutions have identified a number of ways to use social media strategically, its use is not without risks. It is important that the board of directors and senior management identify and manage these risks appropriately, including compliance risks. If you use social media at your financial institution, consider the following: Do you know the level of your risk exposure? Do you know if and how your employees are using social media to solicit business or otherwise interact with customers? Are you aware of potential compliance or other risks inherent in this form of communication?

Because of financial institutions’ increased use of social media and the attendant risks, the Federal Financial Institutions Examination Council (FFIEC) issued supervisory guidance, titled “Social Media: Consumer Compliance Risk Management Guidance” (Guidance), in December 2013, to highlight potential compliance risks and sound risk management practices.3 This article focuses on this Guidance, which the FFIEC issued to help financial institutions understand how existing requirements and supervisory expectations apply to the use of social media.

What Is Social Media?

First, we need to define social media under the Guidance. Although social media is commonly thought of in the context of “friending,” “tweeting,” or “pinning,” the Guidance defines it more broadly to include “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.” Therefore, while common social networking sites such as Facebook, Twitter, and Pinterest are included in the definition of social media, the Guidance also applies to other forms of media communication such as blogging, customer review forums, and virtual worlds (e.g., Second Life). E-mail and text messages, standing alone, do not fall under this definition of social media; however, they may be otherwise subject to a number of consumer protection laws and regulations discussed in the Guidance.

How Are Financial Institutions Using Social Media?

Social media may provide varying benefits depending upon a financial institution’s strategic execution. Perhaps the most common social media strategy for financial institutions is marketing products and services. However, as the use of social media expands, institutions are implementing it in a variety of ways. Although the following list is certainly not exhaustive, financial institutions have used social media to advertise loan incentives and loan pricing, generate applications for new accounts, track and respond to customer complaints and feedback, facilitate outreach, inform consumers of community events, and assist in debt collection efforts. Although social media can provide great rewards for financial institutions with a simple “click of a button,” its use also presents unique risks and risk management challenges for financial institutions.

Compliance Risk Management

The board of directors and senior management should identify, measure, monitor, and control risks associated with an institution’s use of social media for banking activities. To manage potential risks, financial institutions should ensure risk management programs provide oversight and controls commensurate with the risks presented by the types of social media in which the institution is engaged. The Guidance discusses the following strategies for the board of directors and senior management to consider for managing social media compliance risk.

  1. Create a governance structure. The board of directors and senior management should clearly define the appropriate use of social media and how its use contributes to the institution’s strategic goals. Further, this structure must have clearly defined roles and responsibilities for establishing controls and ongoing monitoring of risk related to social media activities.
  2. Develop policies and procedures. Policies should establish the expectation to comply with all consumer protection laws and regulations that are applicable to the institution’s use of social media. Procedures should also be developed for monitoring risk that may arise from receiving and responding to online postings from consumers.
  3. Manage third-party relationships. Risk management processes should be developed to identify, select, and manage third-party relationships.
  4. Provide employee training. Employees should be provided with training regarding management’s guidelines for official, work-related use of social media.
  5. Institute audit and compliance monitoring. These functions should ensure compliance with internal policies and procedures on proprietary social media sites.
  6. Listen to your customers. Oversight processes should be established to monitor online postings to proprietary social media sites, whether administered directly or by a contracted third party. Content posted by consumers may assist in identifying potential areas of compliance or reputational risk. Management teams can use this information to monitor trends and red flags and conduct compliance-monitoring reviews, as necessary.
  7. Report to the top. The board of directors and senior management should be given information that will provide a comprehensive understanding of the risks present in the institution’s social media activities and whether the social media program is achieving its stated objectives.

Consumer Compliance Risks

What are the consumer compliance risks inherent in the use of social media? This seems to be the $64,000 question, particularly as the capabilities of social media continue to expand. The Guidance addresses a number of areas in which social media may have consumer compliance implications. Each financial institution should ensure that it periodically evaluates and controls its use of social media to ensure compliance with all applicable federal, state, and local laws and regulations, as appropriate. It is important to note that the laws and regulations discussed in the Guidance and summarized below are illustrative and not exhaustive.

Marketing of Deposit and Lending Products

Financial institutions commonly use social media to market and advertise various deposit and lending products or services. When social media is used for these purposes, financial institutions should consider the following consumer compliance laws and regulations:

Fair Lending

The use of social media may also raise fair lending concerns. Therefore, financial institutions should ensure that their use of social media complies with fair lending laws and regulations. For example, Regulation B, which implements the Equal Credit Opportunity Act, prohibits creditors from making “any oral or written statement, in advertising or otherwise, to applicants or prospective applicants that would discourage on a prohibited basis a reasonable person from making or pursuing an application.”12

The Fair Housing Act (FHA) also makes it unlawful to advertise or make any statement that indicates a limitation or preference based on race, color, national origin, religion, sex, familial status, or handicap.13 Similarly, the Federal Reserve Board prohibits member banks from publishing advertisements for dwelling-secured loans, or loans to purchase, construct, improve, repair, or maintain a dwelling, that “contain any words, symbols, models, or other forms of communication that express, imply, or suggest a discriminatory preference or policy of exclusion in violation of the provisions of the Fair Housing Act or the Equal Credit Opportunity Act.”14 Therefore, social media postings by financial institutions, regardless of purpose (e.g., marketing, consumer feedback), should not directly identify or imply a preference for, or exclusion of, a particular group of applicants on a prohibited basis.

Unfair or Deceptive Acts or Practices (UDAP)

When using social media for any purpose, it is important to consider Section 5 of the Federal Trade Commission (FTC) Act, which prohibits unfair or deceptive acts or practices,15 and Sections 1031 and 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.16 Financial institutions should keep in mind that UDAP not only applies to all products and services generally but also applies to related activities over the entire life cycle of a product. Therefore, UDAP risk may increase when financial institutions use social media for marketing and advertising purposes. Bank advertisements should be designed to avoid unfairness or deception. To accomplish this, as stated in CA Letter 07-08,17 advertisements should be clear, balanced, and timely and present not only the benefits of products or services but also any potential risks.

Customer Feedback and Complaints

Many financial institutions use social media to connect directly with their customers by accepting customer complaints or feedback and providing real-time responses. Financial institutions are not expected to monitor and respond to all Internet communications, but they should be aware that certain consumer laws and regulations may apply to communications that occur through social media.

Whether communicated through blogs, consumer review sites, an institution’s social networking page, or a written consumer complaint, negative feedback can be a red flag for financial institutions in identifying broader and more serious issues, including unfair or deceptive acts or practices, or fair lending violations. Because consumers can connect immediately with a large consumer network through these online communities, negative feedback provided online can also represent reputational risk for an institution. Based on the institution’s risk assessment, a financial institution may want to consider monitoring social media forums to identify and, when appropriate, address negative feedback.

Customer Privacy

Some consumers may not appreciate the risks in providing account information in a public social media forum. Financial institutions should maintain procedures to address any public posting of confidential or sensitive information on the institution’s social media page or site.

The Guidance also provides the following considerations for privacy-related activities:

Community Reinvestment Act (CRA)

Depository institutions subject to the CRA must maintain all written comments received from the public for the current year and each of the prior two calendar years that specifically relate to the institution’s performance in helping to meet community credit needs.18 These comments must be retained in the bank’s CRA public file. The Guidance clarifies that comments made about the institution through Internet sites that are not administered by the institution are not necessarily deemed to be received by the institution and, thus, would not need to be retained. However, if comments are received through websites or social media pages run by or on behalf of the institution, such comments should be retained in the public file.

Additional Risks

The Guidance identifies a number of legal, reputational, and operational risk areas in addition to the consumer compliance risks previously noted. Notable risk areas include the Bank Secrecy Act, payment systems, fraud and brand identity, and third-party concerns. Financial institutions should identify the laws and regulations that apply to their social media activities and manage all risks appropriately.


Many financial institutions have concluded that social media can play a pivotal role in achieving business goals. However, the rewards from the use of social media do not come without risks, especially as social media capabilities continue to evolve at a rapid pace. As new advances are made in technology, it is essential that the board of directors and senior management teams stay on top of emerging risks because the proper risk management infrastructure for compliance can only be built upon risks that are adequately identified and assessed. Specific issues and questions should be raised with your primary regulator.