Social media has become the forum of choice for questions, news, and information for over 1.73 billion people. Embracing social media is now a necessity in a marketplace where nearly one in four people worldwide are plugged in to a social platform. Social media broadly distributes information to users of financial services, yet also creates a new sphere for potential compliance risks.
Social Media and Mortgage Servicing
In December 2013, the Federal Financial Institutions Examination Council released final guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by nonbank entities supervised by the Consumer Financial Protection Bureau.
The guidance defines social media as any form of "interactive online communication in which users can generate and share content through text, images, audio, and/or video," including Facebook, LinkedIn, Yelp, YouTube and Twitter.
Because social media is interactive, it can expose a financial institution to risks if a customer uses social media to communicate issues or concerns directly with a financial entity, such as an error dispute under Regulation X or a direct dispute about information furnished to a consumer reporting agency under the Fair Credit Reporting Act.
Social Media Compliance Risks
There are multiple compliance risks inherent in social media, but two risks have not been fully addressed by the current guidance and merit a closer look: (1) responding to consumer complaints and (2) retention of communications with customers through social media.
The guidance clearly states that financial institutions are not required to monitor and respond to all consumer complaints, posts, tweets, or other social media communications. The guidance appears to rely, in part, on Reg. X, which states that a servicer may designate a specific address for receiving notices of error. Therefore, if an institution designates a specific address, arguably a complaint submitted through a social media site is not a properly lodged complaint. However, in a remarkable side note, the guidance states that it "expects" the financial entity to "take into account" complaints posted on social media sites in determining the appropriate approach to monitor and respond to such communications.
The guidance also appears to consider how an institution uses social media to determine how that entity should respond to complaints or posts. By the same token, institutions should consider how their customers are using social media and adopt social media privacy policies that enact measures to minimize the risks associated with users posting personal or account information on a social media site.
Under Reg. X, a mortgage servicer is also required to "retain records that document actions taken with respect to a borrower's mortgage loan account until one year after the date a mortgage loan is discharged or servicing of a mortgage loan is transferred by the servicer to a transferee servicer." Arguably, this includes records and communications documented via social media. While the guidance does not address record keeping in the context of Reg. X, given the changing face of business via social media, it is advisable to have a clear, concrete written policy regarding maintaining loan account records that document actions taken, when those records are created via social media websites. Of course, the institution adopting the social media policy must ensure that the policy is fully operational and not just a written artifact.
Social Media Risk Management Plan
When developing a risk management program, the FFIEC advises financial institutions to consider the following components:
1. Develop policies that delineate clear roles and responsibilities on who is directing and controlling the use of social media and how social media contributes to the strategic goals of the institution;
2. Develop policies and procedures to monitor social media use and ensure compliance with all applicable laws and regulations, and address risks from online postings, edits, replies, and retention of records;
3. Develop a risk management process for selecting and managing third-party relationships in connection with social media;
4. Ensure that all employees are trained on the institution's policies and procedures for official, work-related use of social media, including defining impermissible activities;
5. Implement an oversight process for monitoring information posted to proprietary social media sites;
6. Conduct internal audits and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations; and
7. Set parameters and policies for reporting to appropriate senior management regarding the effectiveness of the social media program and whether the program is achieving its stated objectives.
A social media risk management plan should endeavor to identify, measure, monitor, and control the risks related to social media. Ultimately, each financial institution should evaluate its use of social media and implement appropriate policies and procedures to ensure that an effective and sustainable risk management plan is in place.
Erin Jane Illman is an attorney with Bradley Arant Boult Cummings LLP, located in Charlotte, N.C., and a member of the firm's Financial Services Litigation and Compliance practice group. She can be reached at firstname.lastname@example.org or 704.338.6026.