The FFIEC and Me

By Melissa Grindel

In 2013, which feels like a lifetime ago, the Federal Financial Institutions Examination Council (FFIEC), released guidelines to help financial organizations remain compliant in regard to social media. Since then, the social media landscape has continued to grow and evolve, but these regulations have remained steadfast in their applicability.

There are three types of risk that come with the use of social media: legal risks, reputational risks, and operational risks. According to the guidance, independent mortgage lenders, banks and credit unions must have a risk management program that identifies, measures, monitors, and controls these risks.

The FFIEC suggests a lenders risk management program include:

  • a clear governance structure
  • a written P&P
  • a third-party management process
  • an oversight program for monitoring
  • reporting metrics for executives

In addition, the more your company uses social media to market itself and interact with prospects and clients, the more comprehensive and detailed the risk management program needs to be.

Social Media Defined

Social media can fall into a variety of consumer interest categories and all of them need to be addressed when lenders create a social media risk management program. Social media includes all sites available for people to interact and share content with the world, whether it be in text, image, video, or audio. Although this does not include texting and email, it does include blogs, Facebook, LinkedIn, YouTube, TikTok, Alignable, Yelp, Zillow, and the wide variety of sites that encourage social sharing and can be used as an online interactive communication tool with consumers.

Legal Risk Management

Social media can be an excellent marketing tool: free marketing and networking opportunities, large pools of accessible consumers, and free analytics on interactions with business pages. However, this tool needs to be compliant with existing advertising and consumer communication rules to be used safely by lenders and loan officers. Though it doesn't seem like it, all involvement with social media, from profile creation, to posting updates, to messaging with consumers, and beyond is considered advertising and needs to meet federal, state and regulatory guidelines.

Consumer comments posted on social sites need to be included in your record of public comments as well. The CRA requires lenders to keep this record for the current year and the two prior calendar years. So, reviews on Yelp and Zillow count. If you have not “claimed” a media site (you appear there because the social site or a user posted the information), you are not required to retain or respond to consumers on that site.

Reputation Risk Management

In addition to making sure your social media footprint is legally compliant, you should monitor social media to protect your brand’s reputation. You can do this by reviewing negative comments, removing consumer privacy concerns, looking for instances of fraud, and separating individual opinions (political or social) from the brand.

Lenders need to keep in mind that their employee’s activities on social media can reflect back on their brand, as was mentioned in our post about social media horror stories. Lenders should devote time to creating social media policies and institute employee training to educate employees on appropriate, and compliant, social media practices.

Operational Risk Management

As with all online accounts, social media profiles can be hacked and taken over. Lenders should actively partner with their IT departments to protect systems and safeguard customer data that may be found on social media sites. Often, auditors will request documentation regarding these policies and procedures, as well as any internal audits connected to this subject.

In Conclusion

The list of rules, laws, and regulations that impact social media compliance is long and ever evolving. They include: TISA, Fair Lending, FDCPA, BSA/AML, and more. For a complete list and highlights from each, check out our FFIEC Social Media Guidance page.

Keeping abreast of the potential problems your organization might face when it comes to social media can help you develop an appropriate risk management program and develop policies that will help you mitigate the three types of social media risk.