Editor’s Note: The column below discusses the multi-agency Federal Financial Institutions Examination Council’s (FFIEC’s) proposed guidance regarding “the applicability of federal consumer protection and compliance laws, regulations, and policies to activities conducted via social media by banks, savings associations, and credit unions, as well as by nonbank entities supervised by the Consumer Financial Protection Bureau (CFPB)….” The draft FFIEC guidelines constitute yet another demonstration of federal commitment to regulate the cyber-related activities of major companies. The FFIEC Risk Management Guidance should be interpreted by financial institutions in light of the Securities and Exchange Commission’s (SEC’s) 2012 Risk Alert guidance on Investment Advisor use of social media and in light of the SEC’s Cyber Risk Disclosure Guidance.
U.S. financial examiners’ guidelines underline increasing role of social networks
By Bora Yagiz, Compliance Complete
NEW YORK, Feb. 13 (Thomson Reuters Accelus) – The guidelines on social media proposed by bank regulators comprising the Federal Financial Institutions Examination Council (FFIEC) in January are intended as a basic tool to help financial institutions identify potential trouble areas and address them as part of an overall risk management program.
The council identified potential risks for financial institutions in areas including deposit insurance, debt collection practices, use of payments systems, equal access for credit, and bank-secrecy anti-money laundering processes.
The council is an interagency body that coordinates principles, standards, and report forms used in the examinations of federally supervised financial institutions. It is composed of six regulatory agencies: the Office of the Comptroller of the Currency, the Federal Reserve Board, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Consumer Protection Bureau, and a State Liaison Committee.
Social media is loosely defined as Internet-based networking applications, such as Facebook or Twitter, that allow for the creation and exchange of user-generated content. Increased use of such networks has been perceived as potentially posing reputational and operational risk to financial institutions, whose businesses are intimately linked to consumer confidence.
On its face, the 31-page document gives banks little concrete advice on how to align their risk management practices with their social media activities so as to remain in compliance. Instead, the guidelines offer general advice, and urge that the principles should be respected over social media in the same manner as elsewhere. This vagueness, however, may be precisely where the guidelines’ strength lies.
“The fact that the guidelines are not providing prescriptive rules gives an adequate amount of flexibility to banks in devising their own risk-management practices,” says Denyette DePierro, senior counsel with the American Bankers Association.
The guidelines are as relevant to banks without social media outlets as to those with them, because all institutions are affected by social media. “A financial institution that has chosen not to use social media should still be prepared to address the potential for negative comments or complaints that may arise within the many social media platforms,” the document said.
Other regulators have previously tackled the issue. The Financial Industry Regulatory Authority has led the charge, issuing two regulatory notices in 2010 and in 2011. The notices provide detailed guidance on social media, specifically in the areas of record retention, suitability of recommendations for the client’s needs, and supervision of interactive communication sites.
The Securities and Exchange Commission issued a Risk Alert in 2012, examining how investment advisors use social media to promote their brand and make investment recommendations while respecting regulatory requirements.
Many state insurance regulators have also encouraged adoption of policies, procedures and controls by the industry, to ensure that insurers can properly supervise and review the content posted through electronic social media communications.
The FFIEC guidelines constitute the first time regulators have treated the regulation of social media exclusively from the banking perspective. They enumerate a dozen specific regulations, mostly pertaining to disclosure requirements that are relatively easy to comply with. Some banking regulations, however, are expected to be more challenging for banks to cope with than others, especially in the areas of reputational and operational risks.
Privacy laws such as the 2003 “CAN-SPAM” Act regulating commercial email, and Title V of the Financial Services Modernization Act of 1999, or Gramm-Leach-Bliley Act, which deregulated banking, may prove especially important. The treatment of customer information obtained through social media portals or customers’ online accounts, or through phishing attempts in which third parties send spam to customers under the guise of a bank’s identity, may expose the bank to reputational risk. Further risk can arise from the ever-changing privacy standards of certain social media websites, which may be tricky to monitor.
Bank Secrecy Act and anti-money laundering (AML) compliance will also be difficult to track via social media. Illegitimate actors are increasingly using virtual games to launder money. It is uncertain how the traditional BSA/AML controls, such as customer identification, due diligence, and monitoring suspicious transactions, will apply.
Files kept under the Community Reinvestment Act, which requires a bank to maintain a public file of all written communication between the institution and a client for the current and the two prior calendar years, will now have to include public comments made on social media sites, even if those sites are run by a third-party vendor.
Banks also have to beef up their technology and information security departments’ defenses, as interaction through various social media platforms makes them vulnerable to operational risk through account takeover or malware distribution.
There has not been a social media-related scandal in the banking sector so far comparable to one faced by Progressive, an insurance company, in which a comedian upset over the treatment of his wife criticized the company and drew tens of thousands of negative comments via the social media platform Tumblr. Nevertheless, recognizing the significance of the risks posed by the use of social media, most of the systemically important banks have already successfully contracted third-party vendors that track Internet activity, and provide analysis and recommendations on a regular basis.
Social media need not always be seen in a negative light. It also has benefits. “Banks can make use of social media to build or deepen customer relationships, to advertise a product, to provide consumer services, or simply to gather perceptions and reactions of consumers to particular issues arising in the course of business,” said Mercedes Tunstall, Of Counsel with Ballard Spahr LLP.
Indeed, many banks have been able to identify specific complaints in social media and communicate privately with the customer to address the issue. They have also set up forums and reached out to small business owners in order to help them with general advice and financing decisions. New technology-related products and services have also successfully been tested in social media platforms, before being launched on a larger scale.
The Bank of Georgia, a small community bank, is a case in point. The bank hired the services of Gladiator Social Media Compliance, a consulting company specializing in social media platforms, to systemically transform much of its communication with its clients into the less formal social media channels. The goal was to adopt a friendlier face with its customers, while also identifying threats and vulnerabilities and employing risk mitigation controls.
Regulation of social media is just getting off the ground. It is up to the banks to adopt adequate monitoring and supervision tools to shape their compliance programs and to use social media to their advantage without tarnishing their reputations.