By Kurtis Haygood, Fair Lending and UDAP Compliance Risk Coordinator, Federal Reserve Bank of San Francisco
Do you remember not too long ago when chat rooms, one of the earliest forms of social media, were the primary means to communicate online? But in recent years, social media has evolved significantly into many different forms, and its use has grown exponentially worldwide. For example, Facebook, the world’s largest social networking site, reported that it had 1.19 billion users worldwide as of September 30, 2013.1 This figure accounts for roughly 17 percent of the world’s population.2 Through social media, financial institutions are reaching consumers in ways previously unimaginable.
Although financial institutions have identified a number of ways to use social media strategically, its use is not without risks. It is important that the board of directors and senior management identify and manage these risks appropriately, including compliance risks. If you use social media at your financial institution, consider the following: Do you know the level of your risk exposure? Do you know if and how your employees are using social media to solicit business or otherwise interact with customers? Are you aware of potential compliance or other risks inherent in this form of communication?
Because of financial institutions’ increased use of social media and the attendant risks, the Federal Financial Institutions Examination Council (FFIEC) issued supervisory guidance, titled “Social Media: Consumer Compliance Risk Management Guidance” (Guidance), in December 2013, to highlight potential compliance risks and sound risk management practices.3 This article focuses on this Guidance, which the FFIEC issued to help financial institutions understand how existing requirements and supervisory expectations apply to the use of social media.
First, we need to define social media under the Guidance. Although social media is commonly thought of in the context of “friending,” “tweeting,” or “pinning,” the Guidance defines it more broadly to include “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.” Therefore, while common social networking sites such as Facebook, Twitter, and Pinterest are included in the definition of social media, the Guidance also applies to other forms of media communication such as blogging, customer review forums, and virtual worlds (e.g., Second Life). E-mail and text messages, standing alone, do not fall under this definition of social media; however, they may be otherwise subject to a number of consumer protection laws and regulations discussed in the Guidance.
Social media may provide varying benefits depending upon a financial institution’s strategic execution. Perhaps the most common social media strategy for financial institutions is marketing products and services. However, as the use of social media expands, institutions are implementing it in a variety of ways. While certainly not an exhaustive list, social media has been used by financial institutions to advertise loan incentives and loan pricing, generate applications for new accounts, track and respond to customer complaints and feedback, facilitate outreach, inform consumers of community events, and assist in debt collection efforts. Although social media can provide great rewards for financial institutions with a simple “click of a button,” its use also presents unique risks and risk management challenges for financial institutions.
The board of directors and senior management should identify, measure, monitor, and control risks associated with an institution’s use of social media for banking activities. To manage potential risks, financial institutions should ensure risk management programs provide oversight and controls commensurate with the risks presented by the types of social media in which the institution is engaged. The Guidance discusses the following strategies for the board of directors and senior management to consider for managing social media compliance risk.
What are the consumer compliance risks inherent in the use of social media? This seems to be the $64,000 question, particularly as the capabilities of social media continue to expand. The Guidance addresses a number of areas in which social media may have consumer compliance implications. Each financial institution should ensure that it periodically evaluates and controls its use of social media to ensure compliance with all applicable federal, state, and local laws and regulations, as appropriate. It is important to note that the laws and regulations discussed in the Guidance and summarized below are illustrative and not exhaustive.
Financial institutions commonly use social media to market and advertise various deposit and lending products or services. When social media is used for these purposes, financial institutions should consider the following consumer compliance laws and regulations:
The use of social media may also raise fair lending concerns. Therefore, financial institutions should ensure that their use of social media complies with fair lending laws and regulations. For example, Regulation B, which implements the Equal Credit Opportunity Act, prohibits creditors from making “any oral or written statement, in advertising or otherwise, to applicants or prospective applicants that would discourage on a prohibited basis a reasonable person from making or pursuing an application.”12
The Fair Housing Act (FHA) also makes it unlawful to advertise or make any statement that indicates a limitation or preference based on race, color, national origin, religion, sex, familial status, or handicap.13 Similarly, the Federal Reserve Board prohibits member banks from publishing advertisements for dwelling-secured loans, or loans to purchase, construct, improve, repair, or maintain a dwelling, that “contain any words, symbols, models, or other forms of communication that express, imply, or suggest a discriminatory preference or policy of exclusion in violation of the provisions of the Fair Housing Act or the Equal Credit Opportunity Act.”14 Therefore, social media postings by financial institutions, regardless of purpose (e.g., marketing, consumer feedback), should not directly identify or imply a preference for, or exclusion of, a particular group of applicants on a prohibited basis.
When using social media for any purpose, it is important to consider Section 5 of the Federal Trade Commission (FTC) Act, which prohibits unfair or deceptive acts or practices (UDAP),15 and Sections 1031 and 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.16 Financial institutions should keep in mind that UDAP not only applies to all products and services generally but also applies to related activities over the entire life cycle of a product. Therefore, UDAP risk may increase when financial institutions use social media for marketing and advertising purposes. Bank advertisements should be designed to avoid unfairness or deception. To accomplish this, as stated in CA Letter 07-08,17 advertisements should be clear, balanced, and timely and present not only the benefits of products or services but also any potential risks.
Many financial institutions use social media to connect directly with their customers by accepting customer complaints or feedback and providing real-time responses. Financial institutions are not expected to monitor and respond to all Internet communications, but they should be aware that certain consumer laws and regulations may apply to communications that occur through social media.
Whether communicated through blogs, consumer review sites, an institution’s social networking page, or a written consumer complaint, negative feedback can be a red flag for financial institutions in identifying broader and more serious issues, including unfair or deceptive acts or practices, or fair lending violations. Because consumers can connect immediately with a large consumer network through these online communities, negative feedback provided online can also represent reputational risk for an institution. Based on the institution’s risk assessment, a financial institution may want to consider monitoring social media forums to identify and, when appropriate, address negative feedback.
Some consumers may not appreciate the risks in providing account information in a public social media forum. Financial institutions should maintain procedures to address any public posting of confidential or sensitive information on the institution’s social media page or site.
The Guidance also provides the following considerations for privacy-related activities:
Depository institutions subject to the Community Reinvestment Act (CRA) must maintain all written comments received from the public for the current year and each of the prior two calendar years that specifically relate to the institution’s performance in helping to meet community credit needs.18 These comments must be retained in the bank’s CRA public file. The Guidance clarifies that comments made about the institution through Internet sites that are not administered by the institution are not necessarily deemed to be received by the institution and, thus, would not need to be retained. However, if comments are received through websites or social media pages run by or on behalf of the institution, such comments should be retained in the public file.
The Guidance identifies a number of legal, reputational, and operational risk areas in addition to the consumer compliance risks previously noted. Notable risk areas include the Bank Secrecy Act, payment systems, fraud and brand identity, and third-party concerns. Financial institutions should identify the laws and regulations that apply to their social media activities and manage all risks appropriately.
Many financial institutions have concluded that social media can play a pivotal role in achieving business goals. However, the rewards from the use of social media do not come without risks, especially as social media capabilities continue to evolve at a rapid pace. As new advances are made in technology, it is essential that the board of directors and senior management teams stay on top of emerging risks because the proper risk management infrastructure for compliance can only be built upon risks that are adequately identified and assessed. Specific issues and questions should be raised with your primary regulator.
Kenneth Benton, Editor
Copyright 2014 Federal Reserve System. This material is the intellectual property of the Federal Reserve System and cannot be copied without permission.