September 16, 2019

September 13, 2019

Subscribe to Latest Legal News and Analysis

Avoiding A Digital Catastrophe: Considerations for Managing Social Media Risks

Social media have revolutionized how financial institutions interact with customers and the public. Facebook, Twitter, Google Plus, LinkedIn, Flickr, YouTube, Yelp and other social media sites permit institutions to market products and services, provide incentives, facilitate new account applications, invite performance feedback, recruit employees, and receive and respond to complaints in new and effective ways.

The benefits of leveraging social media are enormous, but not without corresponding risks. The dynamic and informal nature of financial institution interactions with customers and potential customers through social media creates risks of harm to consumers, plus compliance/legal risks, operational risks, and reputational risks to institutions.

FFIEC Guidance Requires Attention

Five members of FFIEC – the OCC, the Fed, the FDIC, the NCUA and the CFPB – will apply the Guidance when exercising their supervisory functions, and the sixth FFIEC member, the State Liaison Committee, is encouraging its state regulatory agency members to adopt the Guidance as well. Board members, senior management, and compliance officers of financial institutions will be expected to develop social media risk management programs that address the Guidance.

FFIEC Guidance Summary

The Guidance provides that a financial institution should have a risk management program that allows it to "identify, measure, monitor and control the risks related to social media." The size and complexity of the program should be commensurate with the institution's use of social media. The Guidance recommends that any social media risk management program should be designed with participation and input from specialists in technology, information security, legal, compliance, human resources, and marketing.

The Guidance identifies three main risks that should be addressed by a financial institution's social media risk management program: (1) compliance/legal risk, (2) reputational risk, and (3) operational risk.

Compliance/Legal Risk

Compliance/legal risk arises from a financial institution's noncompliance with laws, regulations, guidance, ethical standards, and internal policies and procedures. This risk is heightened when an institution's internal policies and procedures do not keep pace with changes in the marketplace.

An institution's compliance/legal risk does not come from new requirements imposed by the Guidance. Rather, the Guidance makes clear that existing banking laws and regulations apply even though most predate the existence of social media. As a result, an institution needs to carefully consider its obligations under all existing laws and regulations as a result of social media usage, including the following:

  • TISA/Reg. DD (for example, an institution's communications to consumers through social media must include all necessary disclosures and avoid misleading or inaccurate information regarding the institution's deposit accounts);
  • Fair Lending Laws (ECOA/Reg. B and Fair Housing Act) (an institution generally must not use social media to collect, request or otherwise use information regarding an applicant's race, color, religion, national origin, or sex);
  • TILA/Reg. Z (any advertisements made or consumer credit application received through social media must include all necessary disclosures);
  • RESPA (an institution must not accept any kickbacks or other value in exchange for referrals made through social media for settlement service business);
  • FDCPA (if acting as a debt collector, an institution must avoid communications through social media, to a consumer or otherwise, that publicly disclose a consumer's debt or inappropriately attempt to collect a debt);
  • Federal Trade Commission Act;
  • Dodd-Frank Wall Street Reform and Consumer Protection Act;
  • Electronic Fund Transfer Act/Reg. E;
  • Bank Secrecy Act;
  • Gramm-Leach-Bliley Act (for example, an institution using social media must clearly disclose its privacy policies to consumers and protect any consumer information collected through social media); and
  • FCRA.

Reputational Risk

The use of social media also increases a financial institution's reputational risk, which can arise by virtue of fraudulent impersonations of the institution on social media, direct attacks against the institution's brand, failure of third-party service providers to properly perform services, privacy and security breaches, failure to timely and appropriately respond to consumer complaints, inquiries or comments, or an employee's inappropriate use of social media that is perceived by the public to reflect the views of the institution. An institution should consider the use of monitoring tools to identify these and other risk factors and to respond to problems timely and appropriately.

Operational Risk

Finally, the use of social media increases operational risk – the possibility of losses from human error or inadequate or failed processes or technology. The root cause can be internal or external events. Social media are vulnerable to account takeover and the distribution of malicious software, or "malware." A financial institution should ensure that the controls it has in place (or implements) to protect its systems and safeguard customer information from malware include a social media usage component.

The identification, monitoring, and management of IT-related security risks is addressed in the FFIEC Information Technology Examination Handbook, as well as other supervisory guidance and general IT security publications.

Recommended Elements of a Social Media Risk Management Program

The following elements should be included in a financial institution's social media risk management program:

  • A governance structure that establishes clear roles and responsibilities whereby the board of directors or senior management determine how using social media contributes to the strategic goals of the institution and shape the institution's policies in this regard.
  • Policies and procedures regarding the use and monitoring of social media and compliance with applicable law, and incorporation of the Guidance as appropriate. Such policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention.
  • A risk management process for selecting and managing third-party relationships in connection with social media (see Managing Third Party Relationships: New Regulatory Guidance for Banks in the January 14, 2014 edition of Commercial Law Update).
  • An employee training program for official, work-related use of social media, and potentially for personal use of social media.
  • An oversight process for monitoring information posted to proprietary social media sites administered by (or on behalf of) an institution.
  • Audit and compliance functions to ensure ongoing compliance with internal policies and procedures and applicable law, and incorporation of guidance as appropriate.
  • Parameters for providing appropriate reporting to an institution's board of directors or senior management that enable periodic evaluation of the social media risk management program's efficacy.
  • A plan for responding to security events such as a data breach or account takeover through social media or otherwise. Such planning should include provisions for insurance coverage for breach and compliance costs, breach notification protocols and budgets, pre-selected and retained credit monitoring services, a definition of who will be in charge of an incident response and internal reporting channels, public relations and media management, and breach incident response exercises to test the efficacy of the plan.
©2019 von Briesen & Roper, s.c

TRENDING LEGAL ANALYSIS


About this Author

William Taibl, Von Briesen Roper Law Firm, Milwaukee, Real Estate Law Attorney

Bill Taibl has an extensive practice in nearly all areas of financial institution representation and in a wide variety of real estate related matters. He regularly provides counsel on law and regulatory compliance issues related to consumer and operational matters, including Truth in Lending, RESPA and ECOA, required Board policies, branching activities, new product development and subsidiary transactions. He has handled major troubled loan workouts in Wisconsin and around the country. He has been involved in a wide variety of real estate sales and purchase...

414-287-1213
Mark Foley, von Briesen Roper Law Firm, Milwaukee, Bankruptcy and Litigation Law Attorney

Mark F. Foley is a Shareholder at von Briesen & Roper, s.c. with more than 25 years experience meeting the complex business and legal needs of clients ranging from individual business owners to industry trade associations and Global 500 companies.

Mark has successfully tried cases before judges and juries in federal and state courts, represented debtors and creditors in bankruptcy courts throughout the United States, and arbitrated matters before AAA and NASD panels. He has directed and conducted the nationwide defense of recurring product litigation, conducted recalls, and negotiated standards with regulatory agencies. Mark has successfully argued appeals to the Wisconsin Supreme Court and the U.S. Courts of Appeals for the Seventh and Eighth Circuits.

Mark has established data privacy, security, SOX whistleblower, and data retention policies and procedures for multinationals operating in dozens of countries; negotiated information technology licenses, and acquisition and development agreements; developed effective product warning and litigation avoidance programs; created software applications to manage and report on litigation; and designed and implemented e-discovery processes. Mark authored the eBook “What Every CEO Needs to Know About Data Security”, part of the Digital Thought Leadership Series. 

414-287-1404
Brion Winters, von Briesen Roper Law Firm, Milwaukee, Corporate and Finance Law Attorney

Brion is a Shareholder at von Briesen with a unique background and skillset that service the diverse needs of his clients.  Brion’s clients come in all shapes and sizes from closely-held businesses, start-up companies and individuals to well-established financial institutions and municipalities. Brion’s commitment to customer service, attention to detail and unending desire to provide value serves his business, banking, developer, municipal and individual clients well.  

In 2008, Brion joined von Briesen from M&I Wealth Management where he...

414-287-1561
Mark Schmidt, von Briesen Roper Law Firm, Milwaukee, Construction and Litigation Law Attorney

Mark Schmidt is a Shareholder in the Litigation and Risk Management Practice Group and the Construction Law and Litigation Section in the Milwaukee office.

Mark helps clients resolve their most challenging and complex problems by focusing on practical solutions and efficient business results. Mark is directly involved in all aspects of negotiation, strategic planning, risk assessment, arbitrations, mediations and court and jury trials in state and federal court.

Mark is listed in The Best Lawyers in America®...

414-287-1249