Monday, February 18, 2013

An Invitation to Connect: The FFIEC Embraces Social Media Regulation

Financial institutions in the United States have a new “friend” to contend with in their social media circle.
Given the exponential increase in the influence social media has had upon the financial institution landscape in recent years, compliance professionals could have anticipated the recent Federal Register notice. On January 23, 2013, the Federal Financial Institutions Examination Council (FFIEC), composed of the OCC, the Federal Reserve Board of Governors, the FDIC, the NCUA, the CFPB and the State Liaison Committee (“the Agencies”), jointly issued proposed guidance for public comment, with comments to be received by March 25, 2013.
This broad-based guidance proposes to address the applicability of federal consumer protection and compliance laws, regulations, and policies to activities conducted via social media by banks, savings associations, and credit unions, as well as by nonbank entities supervised by the Consumer Financial Protection Bureau. Viewed in the broader context of enterprise risk management, the Agencies are seeking to ensure that all supervised financial institutions are effectively assessing and managing risks associated with activities conducted via social media. Specifically, the financial institutions will be expected to incorporate consumer compliance and legal risks, as well as reputation and operational risks associated with social media activities into their governance structure.
The FFIEC’s entry into social media regulation will likely be met with mixed reviews by financial industry compliance professionals. While many organizations have sought to craft policies and procedures to address this multifaceted communication phenomenon, other organizations have struggled with developing a consensus around how to approach social media governance. For organizations that have yet to create or adequately revise social media policies and procedures to encompass its growing importance to commerce, the FFIEC action may provide the impetus that Chief Compliance Officers can leverage to guide corporate boards and C-suite executives to create a social media governance structure.
I read the proposed guidance with great interest. I had expected the FFIEC to provide guidance regarding a financial institution’s active use of social media in its business and by its employees, both in their capacity as employees as well as off-duty. The proposed guidance directly addresses the Compliance and Legal Risks posed by social media with regard to deposit and lending products, payment systems, anti-money laundering and financial privacy. The regulation of an active social media presence clearly reflects the consumer protection best practices that an organization would apply to its other outbound channels, including print, television, and radio marketing, as well as authorized corporate communications.
The portion of the proposed guidance that I found even more insightful was the Reputation Risk topics the FFIEC chose to explicitly consider. Some executives offer the opinion that if their organizations don’t actively foster a social media identity, then the need for social media governance is eliminated. The FFIEC instead acknowledges that even an organization that chooses to forgo promoting an active social media presence is subject to the risks that can be thrust upon an organization by the public. Noting that reputation risk is the risk arising from negative public opinion, the proposed guidance delves into the realm of dissatisfied consumers and negative publicity that can cause significant harm to a law-abiding financial institution. In addition to Fraud and Brand Identity and Third Party Concerns, the FFIEC directly addresses a financial institution’s affirmative obligation to monitor Consumer Complaints and Inquiries initiated via social media.
In an economy overflowing with consumers clamoring to ensure that “there’s an app for that,” financial institutions have worked actively to develop social media channels to harness consumer demand to varying degrees. Additionally, those same consumers who routinely update their social networks (both personal and professional) from their smartphones while waiting for the train or purchasing a latte will also launch a Twitter rant or a scathing and aptly-named blog post about your organization before they’ve left your premises. This proposed guidance, which will likely receive many comments before being issued in its final form, is going to eventually become part of your prudential regulator’s examination process.
I would propose that now is the time to address your organization’s social media governance process. Working with your board of directors and your senior leadership colleagues, you can assess the current status of your policies and procedures; identify and address perceived gaps; and provide appropriate guidance to employees within your organization before the regulators arrive to test your practices. Action now will likely ensure that your regulator hits the “Like” button later.


Monday, February 11, 2013

COMPLIANCE NEVER SLEEPS

Ever so slowly a consensus appears to be emerging that the economy has been improving in the United States. Though some economic indicators, including the unemployment rate and consumer sentiment, remain stagnant, we are witnessing a rebound in private sector hiring, new construction, and equities investing. Equity is returning to homeowners and mortgage refinancing has returned. Innovation continues to flourish across industries.
And the imperative for vigilant corporate compliance programs and professionals has never been greater.
Lest you brand me a killjoy at the party of renewed American prosperity, let me encourage you to pause and reflect upon the post-recessionary periods of the past several decades.
When organizations emerge from the austerity and uncertainty of a recession, like action movie survivors emerging from a post-apocalyptic underground bunker, leaders seek to return to the familiar and comfortable patterns of pre-recession growth. We want to sell things. We want to build things. We hire people and purchase systems and tools to do both. And we want to do it quickly to make up for lost time and to satisfy pent-up consumer demand.
I propose that, as leaders, we should also pause to reflect upon the patterns and practices that led to the recession in the first place. On a microeconomic level, the organizations whose actions precipitated the recessionary events often succumbed to false notions of success built upon skewed compensation plans, short-term corporate financial results, and process or quality breakdowns. While the industries may change from financial crisis to financial crisis, the factors that string the past two decades’ mortgage banking, energy trading, and technology busts together are not very dissimilar.
So, what is the difference between the company that succumbs and the company that succeeds over the long term in the very same industry? I would conclude that it rests upon universal adherence to an unwavering compliance program. Like guardians at the gate, the joint efforts of Compliance, Audit, Security, and Ethics professionals stand firm against cultural shifts within some organizations that allow foundations to crack.
As we move beyond this most recent recession into our blossoming period of prosperity, I encourage you to take a moment to re-evaluate your investment in your organization’s compliance program. Even as you bolster production and sales efforts to meet consumer demand, bolster compliance resources within the organization.
· Publicize your Code of Conduct and Ethics Hotline.
· Revisit traditional and emerging high-risk areas of compliance and control exposure.
· Renew your leadership commitment to the truth that your corporate compliance program is a competitive advantage.
Preparing your compliance program today to withstand the inevitable recession of tomorrow will ensure long-term prosperity for your organization.