Final guidance for the use of social media by mortgage lenders and financial institutions acknowledges the value of the medium while discussing the risks and requirements for social media users.
The final guidance defines social media as a form of interactive online communication in which users can generate and share content through text, images, audio and video.
Among the many forms of social media identified are Facebook, LinkedIn and Twitter. Messages sent by e-mail or text are not considered social media unless they are sent through social media channels.
The final guidance, Social Media: Consumer Compliance Risk Management Guidance, was issued Wednesday by the Federal Financial Institutions Examination Council and reflects consideration of 81 comments received since it published proposed guidance in January.
While it doesn’t impose any new requirements, it does address how existing federal consumer protection and compliance laws apply to social media.
The guidelines will be utilized by the Consumer Financial Protection Bureau, Federal Deposit Insurance Corp., Federal Reserve Board and Office of the Comptroller of the Currency to use as supervisory guidance for the institutions they regulate.
“The guidance provides considerations that financial institutions may find useful in conducting risk assessments and crafting and evaluating policies and procedures regarding social media,” the FFIEC said. “Thus, rather than discouraging the use of social media or establishing any new obligations related to the use of this technology, the guidance is intended to help financial institutions understand and successfully manage risks in this area.”
Poor due diligence, oversight or control over the medium on the part of financial services firms can increase risk and harm consumers.
While much of the proposal was adopted for the final guidance, some modifications were made in response to comments received.
Training and guidance should be provided for employees when they are using social media in an official capacity. Financial institutions are advised to conduct evaluations of, and perform due diligence on, risks posed by third parties with which a financial institution does not have a traditional vendor relationship.
“Commenters also expressed concerns that this guidance would require financial institutions to monitor all communications about the institution on Internet sites other than those maintained by or on behalf of the institution,” the FFIEC said. “This final guidance clarifies that financial institutions are not expected to conduct such monitoring.”
Institutions are also not expected to monitor the Internet for complaints and inquiries, though they should take into account the results of their own risk assessments in determining the appropriate approach to take regarding monitoring of, and any response to, such communications.
The report recommends that the size and complexity of social media risk management programs should be commensurate with the degree to which they use the medium.
Senior management or the board of directors should determine the strategic goals of social media and what controls are put in place to monitor activity. The goals might include increasing brand awareness, product advertising or researching new customer bases.
The guidance is effective immediately.