New Social Media Guidance Issued by FFIEC

December 13, 2013

The Federal Financial Institutions Examination Council (FFIEC) issued final guidance on Dec. 11, 2013, on the applicability of consumer protection and compliance laws, regulations and policies to activities conducted via social media by banks, savings associations and credit unions, as well as nonbank entities supervised by the Consumer Financial Protection Bureau. The guidance is effective immediately.

The guidance does not create new duties. Rather, it clarifies what has been a controversial issue in the banking and technology space — that is, to what extent do certain banking regulations apply in the social media space? The new guidance seeks to help financial institutions understand compliance as well as regulatory, reputational and operational risks. It also provides some strategies that financial institutions may find useful in conducting risk assessments and crafting social media policies and procedures.

We urge you to be aware that while this FFIEC guidance is helpful in understanding the banking risk associated with social media, there are other equally concerning risks that arise in other legal regimes. For instance, the SEC also issued a social media alert in April 2013 and financial institutions will still be bound by common law respondeat superior duties for the acts of their employees within the course and scope of those employees’ duties for the financial institution. This can raise not only 10b-5 risk for investment banks, but also common law fraud and misrepresentation claims.

If your bank or financial services company does not have well-defined social media policies in place and has not thoroughly trained management and staff on these policies, the time to act is now. The regulators are increasingly focused on institutions’ online representations and the risk for noncompliant banks is increasing.

Our data security and banking teams are ready to help get you and your organization up to speed quickly. We can help you put in place effective, reasonable policies and practices to protect your organization and manage your risk