Recent FFIEC guidance on social media use reflects growing sophistication among both regulators and bank marketers; an ABA expert details key points
In December the Federal Financial Institutions Examination Council issued final guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by banks and other financial institutions.
As the council said upon its release, “the guidance does not impose any new requirements on financial institutions. Rather, it is intended to help financial institutions understand potential consumer compliance and legal risks, as well as related risks such as reputation and operational risks, associated with the use of social media, along with expectations for managing those risks.”
However, the 19-page document does go into detail about what the regulatory agencies expect of their covered institutions. Denyette DePierro, senior counsel at ABA, recently detailed what the guidance says and how it may fit in with bank’s plans for compliance.
She spoke during the recent ABA briefing/webcast “Let’s Talk Social Media Compliance and Risk,” which is part of a series of such briefings sponsored by ABA. (For more information, go to http://www.bankingexchange.com/old//Training/teleweb/Pages/tb2013-14SocialMediaSeries.aspx.)
“The first thing to realize is that regulators are actually quite active and are sophisticated users of social media themselves,” DePierro says. “They know how social media works and understand how the messaging works.”
In fact, she says, bank examiners since at least 2010 have included in their exam questions pointed questions about bank use of social media. These include: do you offer and maintain a social media presence? If you do, describe the use of the presence and whether or not you’re using social media to promote products and services. And what are your controls, and, specifically, do you have policies and procedures?
The recent guidance more or less echoes these queries, with seven specific regulatory expectations. These are:
• A governance structure for social media use.
• Policies and procedures.
• A risk management process.
• An employee training program.
• An oversight process for monitoring.
• Audit and compliance.
• An appropriate reporting to the financial institution’s board of directors or senior management.
“There’s not necessarily much new in the guidance but there are some tweaks you need to be aware of,” DiPierro says. These include, she says:
• It’s not overly prescriptive. “It is very idiosyncratic [and recognizes] that banks are all over the spectrum in their sophistication, their level of use, where they are active, how they are active, and who’s allowed to post.”
• It applies not only to banks that are active in social media, but to those that are not. “Even if you’re not active on social media there are expectations that you are going to be monitoring [this area] and that you have some amount of employee training.”
• It does not provide a comprehensive review of the applicable rules and regulations. “We [ABA] had asked for at least a listing of requirements that apply.”
• It does provide a definition of social media. “This is a bit new, although it has an interesting exception for the use of email.”
According to the guidance, FFIEC defines social media as “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.” Later it says, in part, “For purposes of this Guidance, messages sent via email or text message, standing alone, do not constitute social media.”