Agency Offers Guidance on Social Media Compliance

FFIEC highlights potential legal, reputational, and operational risks.

March 24, 2014

In December 2013, the Federal Financial Institutions Examination Council (FFIEC) agencies released guidance on managing social media compliance risks.

The guidance doesn’t impose new requirements on financial institutions. Rather, it’s intended to “help institutions understand potential consumer compliance and legal risks, as well as related risks such as reputation and operational risks associated with the use of social media, along with expectations for managing those risks.”

For purposes of the guidance, “social media” is a form of interactive online communication in which users can generate and share content through text, images, audio and/or video.

Social media can take many forms, including but not limited to microblogging sites (e.g., Facebook and Twitter); forums, blogs, customer review websites, and bulletin boards (Yelp); photo and video sites (Flickr and YouTube); professional networking sites (LinkedIn); virtual worlds (Second Life); and social games (FarmVille).

Credit unions might use social media in a variety of ways including advertising and marketing, providing incentives, facilitating applications for new accounts, inviting feedback from the public, and engaging with existing and potential members—for example, by receiving and responding to complaints, or providing loan pricing.

The use of social media can impact a financial institution’s risk profile. So credit unions should have risk management programs in place that allow them to identify, measure, monitor, and control the risks related to social media. These risks include:

• Compliance and legal risks arising from the potential for violations of—or nonconformance with—laws, regulations, prescribed practices, internal policies and procedures, or ethical standards.

Further, the potential for defamation or libel risk exists where there is broad distribution of information exchanges. Failure to adequately address these risks can expose a credit union to enforcement actions and/or civil lawsuits.

• Reputation risks arising from negative public opinion. Activities that result in dissatisfied members and/or negative publicity could harm the reputation and standing of the credit union, even if the institution hasn’t violated any law. Privacy and transparency issues, as well as other consumer protection concerns, arise in social media.

That’s why any financial institution engaged in social media activities should be sensitive to, and properly manage, the reputation risks that arise from those activities.

• Operational risks resulting in losses from inadequate or failed processes, people, or systems. The root cause can be either internal or external events. Social media is one of several platforms vulnerable to account takeover and the distribution of malware.

A credit union should ensure the controls it implements to protect its systems and safeguard member information from malicious software adequately address social media usage. The incident response protocol regarding a security event, such as a data breach or account takeover, should include social media, as appropriate.

Employee communications can also subject the credit union to reputation and compliance risks. So credit unions should take steps to address these risks, such as establishing policies and training to address employee participation in social media representing the institution.