Compliance Risk Management Considerations for Social Media Activity
Consumer Affairs Update
Published June 28, 2019
Increasing social media use over the past decade continues to expand how banks and their consumers interact with each other. A bank’s use of social media to attract and connect with potential and existing customers can affect its risk profile. CA Letter 13-22, Social Media: Consumer Compliance Risk Management Guidance, communicated interagency guidance to address the applicability of federal consumer protection laws, regulations, and policies regarding social media activities and to identify risk management considerations. This article highlights areas of potential risk associated with social media and identifies several risk management strategies.
Banks use social media in a variety of ways—for marketing, providing incentives, facilitating applications, inviting public feedback, and engaging with potential and existing customers. Social media interactions tend to be both informal and organic and may occur in less secure environments, which present unique risk management challenges. Social media usage can impact an institution’s compliance and legal, reputational, and operational risks.
Compliance and legal risks
Generally, compliance laws and regulations do not specifically exclude social media activity and, as a result, banks will want to ensure that their activity meets all applicable legal and regulatory requirements. Employees using social media platforms to advertise, market, and open new accounts may inadvertently trigger disclosure or other requirements by, for example, stating pricing information. Challenges can arise if the bank provides inadequate disclosures or does not deliver required information in a timely manner.
An institution’s interactions with consumers through social media may also require compliance under consumer protection laws. For example, comments related to the bank’s performance in meeting community credit needs received through social media are subject to the same Community Reinvestment Act requirements as comments received through other means. Similarly, notification of errors by consumers involving electronic fund transfers or open-end credit transactions through social media may require investigation under compliance rules. Finally, the broad definitions of advertising in several regulations mean that social media activity has the potential to fall within the scope of multiple requirements.
Social media can raise reputational risk due to the speed and magnitude of any potential exposure. For example, a consumer’s description of a negative experience, even if unfounded, is magnified by the visibility on social media. Additionally, a bank’s reputation can be influenced by risks related to using a third party to provide social media services or having another party fraudulently use the bank’s name or brand. Although often outside the direct control of the institution, the actions of others may affect public perception and its reputation.
An institution’s use of social media can elevate operational risk because of social media account takeover attempts and the distribution of malware. An institution’s hacked account may result in the distribution or loss of sensitive consumer and bank data, with possible financial, legal, and reputational consequences.
Institutions that participate in social media will want to consider having risk management programs that allow them to identify, measure, monitor, and control social media risks. A bank’s compliance program will want to address social media usage through effective board oversight, clear roles and responsibilities, policies and procedures, employee training, and an audit program that ensures compliance with internal procedures. Additionally, the bank may want to include in its risk management program an oversight process to monitor information posted to proprietary social media sites and a process for selecting and monitoring third-party providers.
As with any product or service, institutions can limit potential compliance risks and consumer harm through a risk management program appropriate for the volume and complexity of their social media activity. Banks may want to engage the following specialty functions in addition to compliance when designing a social media program: technology, information security, legal, human resources, and marketing. Banks may also want to evaluate the risk management program periodically to ensure ongoing compliance since guidance, laws, and social media usage change over time.
The interagency guidance does not establish new requirements. Rather, it highlights aspects of consumer protection laws and regulations likely to apply to social media activity, identifies areas where risk is potentially increased, and shares guidance on risk management practices. Many banks have continued to expand social media activity since CA 13-22 was issued. We encourage institutions to review CA 13-22 and make appropriate enhancements to their compliance programs in order to adequately manage the risks related to social media usage.
CA Letter 13-22, Social Media: Consumer Compliance Risk Management Guidance, https://www.federalreserve.gov/supervisionreg/caletters/caltr1322.htm
Consumer Compliance Outlook, Second Quarter 2012, “Consumer Compliance Risk Management for Social Media,” https://consumercomplianceoutlook.org/index-by-topic//sitecore/service/notfound.aspx?item=web%3a%7bA8C76362-10AE-4127-81DB-9021D51B9776%7d%40en/