FFIEC Releases Final Guidance on Social Media Risks

Author: Scott McAuliffe, CPA, CISA, CFE

On December 13, 2013, the Federal Financial Institutions Examination Council (FFIEC) released final guidance, effective immediately, on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media. The guidance is intended to help financial institutions understand and manage the compliance, legal, reputation, and operational risks associated with social media.

The guidance indicates that financial institutions’ risk management programs should allow them to identify, measure, monitor, and control the risks related to social media, including:

  • A governance structure with clear roles and responsibilities to direct how using social media contributes to the strategic goals of the institution.
  • Policies and procedures regarding the use and monitoring of social media.
  • The policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention.
  • A risk management process for selecting and managing third-party relationships.
  • An employee training program.
  • An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party.
  • Audit and compliance functions to ensure ongoing compliance.
  • Appropriate reporting to the financial institution’s board of directors or senior management that enables periodic evaluation of the effectiveness of the social media program.

As with all risk management activities, the size and complexity of the financial institution’s risk management program should be commensurate with its involvement in social media. However, the guidance does state that financial institutions that are not using social media should still develop policies and procedures for responding to negative consumer comments and complaints posted via social media platforms.

The guidance reminds financial institutions that numerous regulations must be complied with when using social media, including the Truth in Savings Act, the Real Estate Settlement Procedures Act, Regulation E, the Bank Secrecy Act, the Community Reinvestment Act, and the Gramm-Leach-Bliley Act, to name a few. The guidance provides examples of how social media activities could impact each of these regulations.

Now that the guidance has been finalized, financial institutions should expect more questions from their examiners about their social media risk management programs. Accordingly, financial institutions should be spending time getting their programs in place, even if they do not participate in social media activities.

About the Author

Scott leads the Firm’s Risk Advisory Services practice, which focuses on providing cybersecurity services, internal audits, information technology audits, Service Organization Control (SOC) audits, and Sarbanes-Oxley assistance. Scott focuses on providing his clients with cost-effective solutions to build strong, efficient internal control systems and practices that support their strategic objectives. In 2021, Scott achieved Cybersecurity Maturity Model Certification (CMMC) Registered Practitioner status in order to provide CMMC services to Department of Defense prime contractors and subcontractors.
