If you are using social media to attract and interact with customers, you should review the recent supervisory guidance from the Federal Financial Institutions Examination Council (FFIEC). The guidance, titled “Social Media: Consumer Compliance Risk Management Guidance,” (“Guidance”) was released on December 11, 2013, and was immediately effective. The Guidance applies to all banks, savings associations, and credit unions and to all nonbank entities supervised by the Consumer Financial Protection Bureau (CFPB). Among other things, the Guidance reminds financial institutions that the existing privacy rules have a “particular relevance” in the social media space.
For purposes of the Guidance, “social media” includes any form of interactive online communication in which users can generate and share content through text, images, audio, or video—for example, blogging websites, online forums, chat rooms, customer review websites, complaint submission and processing websites, and online bulletin boards. The Guidance recognizes that social media is a dynamic and constantly evolving technology, so the “definition” of social media is for illustration purposes only. Emails and text messages, standing alone, do not constitute social media. However, messages sent through social media channels are subject to the Guidance.
The Guidance identifies certain key issues that all financial institutions need to incorporate into their social media compliance programs, including the following:
The Guidance reminds financial institutions that they should include social media issues in their overall risk management programs. Financial institutions are expected to establish a governance structure for the use of social media, including the implementation of controls and ongoing risk assessments of the institution’s social media activities and the establishment of policies and procedures regarding the use and monitoring of social media. The governance structure should identify and address the compliance and legal risks, reputation risks, operational risks, and risks of harm to consumers associated with the institution’s use of social media.
The Guidance reminds financial institutions that they are expected to conduct evaluations of, and perform due diligence appropriate to, the risks posed by third-party social media providers, even if the financial institution does not have a traditional vendor relationship with the provider.
Additionally, the Guidance notes that financial institutions should provide training and guidance on social media compliance issues that incorporates the institution’s policies and procedures for official work-related use of social media. Training should be provided to all employees who officially communicate on behalf of the financial institution through any social media channels and also highlight impermissible social media activities.
Complaint Submission and Processing
The Guidance notes that financial institutions should implement an oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third-party vendor. Financial institutions are not, however, expected to monitor all communications about the institution, including complaints or inquiries about the institution, on internet sites other than those maintained by or on behalf of the institution.
A financial institution is not expected to treat all negative comments made on its proprietary social media sites as complaints or inquiries. A financial institution may, consistent with other applicable legal requirements, establish one or more specified channels that customers may use for submitting communications directly to the institution. The Guidance notes that even if a financial institution has elected to not use social media, it still should consider the potential for negative comments or complaints that may arise within social media platforms and, when appropriate, evaluate what, if any, action the institution will take to monitor and/or respond to such comments.
The Guidance reminds financial institutions that all of the legal and regulatory requirements otherwise applicable to their deposit, lending, payment services, marketing, advertising, and other activities remain applicable to the same activities conducted via social media channels. There are no social media exceptions to these requirements. The Guidance includes examples of the regulatory requirements that remain applicable in the social media space, including the following privacy requirements:
GLBA Privacy Rules and Interagency Data Security Guidelines
Social media channels permit financial institutions to collect or otherwise have access to information from or about consumers. As such, financial institutions should evaluate whether their social media activities must comply with the privacy requirements under the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations. The Guidance notes that financial institutions should clearly disclose their privacy policies via their social media channels. Even when there is no “consumer” or “customer” relationship triggering the GLBA requirements, a financial institution likely will face reputation risk if it does not appear to be protecting the confidentiality and security of any consumer information or if it appears to be less than transparent about the privacy policies that apply to the social media sites it uses.
Although not addressed in the Guidance , financial institutions should remember that state data security breach notification laws also may apply to information collected through social media activities. If that information is breached, a financial institution may have notification obligations to its “followers” or other social media participants independent of any GLBA requirements.
CAN-SPAM Act and Telephone Consumer Protection Act
The Guidance reminds financial institutions to review the requirements under the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003 and the Telephone Consumer Protection Act (TCPA) before sending unsolicited communications to consumers via social media. The CAN-SPAM Act and the TCPA and their implementing regulations establish requirements for sending unsolicited commercial messages that may apply to some social media activities.
Children’s Online Privacy Protection Act
The Guidance reminds financial institutions that their social media activities may be subject to the Children’s Online Privacy Protection Act (COPPA) and its implementing regulation, which generally impose obligations on operators of websites or online services if personal information from children under age 13 is collected, used, or disclosed. If a social media platform requires users to attest that they are at least 13, a financial institution using the site may rely on such self-certification policies. A financial institution should still, however, monitor whether it is collecting any personal information of a person under age 13 on those sites.
A financial institution maintaining its own social media site should be even more diligent in establishing, posting, and following policies that limit access to the site to users 13 or older. Sites that use or link to animation, cartoons, videos, games, and virtual worlds, for example, may appeal to younger users.
The guidance notes that the Fair Credit Reporting Act (FCRA) and its implanting regulations may also apply to certain activities conducted through social media. Financial institutions should review their credit solicitation practices and other activities to ensure FCRA compliance in their social media channels.
Other Privacy Issues
The Guidance reminds financial institutions to consider the potential reaction by the public to their display or use of consumer information via social media. For example, members of the public may post confidential or sensitive information such as account numbers on an institution’s social media page or website. An institution’s procedures should provide for a monitoring plan to address such privacy concerns and the implementation of a “takedown” protocol, as appropriate, to minimize the risks associated with the personal information of users remaining in the social media space.
Social media platforms are vulnerable to account takeovers, denial of service attacks, and the distribution of malware. Financial institutions should ensure that they protect the information technology and other systems used in their social media platforms from such issues in order to safeguard the confidentiality and security of customer information. Additionally, a financial institution’s data security breach incident response program should address social media breach and account takeover issues, as appropriate.
If you post, tweet, blog, or otherwise use social media, your social media compliance program could benefit from a “selfie” review using the new Guidance as a “viral” benchmark. Privacy compliance should be embedded—like a hashtag—in all of your social media activities.
This summary provides only a brief overview of the new social media guidance from the FFIEC. Financial institutions may review the complete guidance at here. If you have questions regarding the new social media guidance, please contact Elena A. Lovoy or one of the other attorneys on the Privacy and Information Security team at Bradley Arant Boult Cummings LLP.
Elena A. Lovoy is a member of the Banking and Financial Services practice group and Privacy and Information Security team at Bradley Arant Boult Cummings LLP. She focuses her practice on state and federal regulatory compliance issues that impact the delivery of consumer financial services products and services by banks and other financial services companies. Elena has extensive experience working with companies on privacy and data security issues and has assisted financial services, retail, and health care companies in responding to data security breaches. Elena received her B.S., M.B.A., and J.D. from the University of Alabama. She is licensed to practice law in Alabama, Illinois, and Louisiana and is also a Certified Compliance and Ethics Professional (CCEP), Certified Information Privacy Professional/United States and Canada (CIPP/US and C), and Certified Anti-Money Laundering Specialist (CAMS).