FFIEC Releases Final Guidance on Social Media Risks

Posted on 03.14.14


Author: Scott McAuliffe, CPA, CISA, CFE

On December 13, 2013, the Federal Financial Institutions Examination Council (FFIEC) released final guidance, effective immediately, on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media. The guidance is intended to help financial institutions understand and manage the compliance, legal, reputation, and operational risks associated with social media.

The guidance indicates that financial institutions' risk management programs should allow them to identify, measure, monitor, and control the risks related to social media, including:

  • A governance structure with clear roles and responsibilities to direct how using social media contributes to the strategic goals of the institution.
  • Policies and procedures regarding the use and monitoring of social media.
  • The policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention.
  • A risk management process for selecting and managing third-party relationships.
  • An employee training program.
  • An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party.
  • Audit and compliance functions to ensure ongoing compliance.
  • Appropriate reporting to the financial institution's board of directors or senior management that enables periodic evaluation of the effectiveness of the social media program.

As with all risk management activities, the size and complexity of the financial institution’s risk management program should be commensurate with its involvement in social media. However, the guidance does state that financial institutions that are not using social media should still develop policies and procedures for responding to negative consumer comments and complaints posted via social media platforms.

The guidance reminds financial institutions that numerous regulations must be complied with when using social media, including the Truth in Savings Act, the Real Estate Settlement Procedures Act, Regulation E, the Bank Secrecy Act, the Community Reinvestment Act, and the Gramm-Leach-Bliley Act, to name a few. The guidance provides examples of how social media activities could impact each of these regulations.

Now that the guidance has been finalized, financial institutions should expect more questions from their examiners about their social media risk management programs. Accordingly, financial institutions should be spending time getting their programs in place, even if they do not participate in social media activities.

Questions? Contact your Keiter representative or information@keitercpa.com | 804.747.0000