FFIEC Guidance on Use of Social Media
- Although the guidance does not impose additional obligations on financial institutions, the FFIEC expects financial institutions to take steps to manage potential risks associated with social media, as they would with any new process or product channel.
The guidance starts by defining “social media” as “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.” Examples are Facebook, Google+, MySpace, Twitter, YouTube, and LinkedIn.
The function of the guidance is to alert institutions to the various risks involved in using social media. These risks are grouped into three categories: compliance and legal risk, reputation risk, and operational risk.
Because this is a deposit compliance manual, we will deal with the compliance and legal risks identified by the guidance that affect deposit accounts.
- Truth in Savings Act and its Regulation DD (or Part 707 for credit unions). When an institution uses social media to market or open accounts, the main regulatory concern is the advertising rules of the Truth in Savings Act and either Regulation DD or Part 707.
- Unfair, Deceptive, or Abusive Acts or Practices. Institutions should take care that none of their advertising or marketing on social media could be considered deceptive, unfair, or abusive.
- Deposit insurance requirements. The FDIC and the NCUA have requirements that the institution’s membership be noted in advertisements—for example, “Member FDIC.” These requirements apply to ads appearing in social media.
- The Electronic Fund Transfer Act and Regulation E. If social media is used to enable the consumer to make “electronic fund transfers,” then the Electronic Fund Transfer Act and Regulation E would apply. These rules have disclosure requirements and error resolution procedures.
- Check transaction rules. If social media is used to facilitate a check-based transaction, then industry rules such as NACHA rules, as well as Article 4 of the Uniform Commercial Code and the check collection rules of Regulation CC, would apply.
- Bank Secrecy Act/Anti-Money Laundering. The compliance programs required by these rules would apply to social media activity. For example, customer identification programs might apply. The same is true for risk-based customer due diligence policies.
- Privacy rules. An institution should evaluate social media programs in light of the Gramm-Leach-Bliley Act and its implementing regulations.
- Fair Debt Collection Practices Act. Using social media to inappropriately contact consumers, or their families and friends, may violate the restrictions on contacting consumers imposed by the FDCPA. Communicating via social media in a manner that discloses the existence of a debt or to harass or embarrass consumers about their debts (e.g., a debt collector writing about a debt on a Facebook wall) or making false or misleading representations may violate the FDCPA.
- CAN-SPAM Act and Telephone Consumer Protection Act. The CAN-SPAM Act and TCPA establish requirements for sending unsolicited commercial messages (“spam”) and unsolicited communications by telephone or short message service (SMS) text message.
For additional information about items in this list or about reputation and operational risks involved with social media, we refer you to the guidance itself.