On Dec. 11, the FFIEC issued final supervisory guidance, “Social Media: Consumer Compliance Risk Management Guidance,” that will be used by the NCUA when supervising credit unions. Credit unions are expected to use the guidance to ensure their policies and procedures provide oversight and controls commensurate with the risks of the social media they are engaged in. The guidance was issued to address the applicability of federal consumer protection and compliance laws, regulations and policies to activities conducted via social media. The guidance does not impose any new requirements on credit unions. Instead, the guidance is to help credit unions understand the applicability of existing requirements and supervisory expectations associated with the use of social media.
The guidance clarifies that messages sent via email or text message, standing alone, do not constitute social media, although those types of communications may be subject to a number of laws and regulations discussed within the guidance.
The guidance primarily addresses the increased risks associated with social media, which can include the risk of harm to consumers, compliance and legal risk, operational risk and reputation risk. Credit unions will need to identify potential risk areas and appropriately address those risks within their overall risk management program.
The guidance was revised from the original proposal to clarify and point to the longstanding principle that financial institutions are expected to assess and manage the risks particular to the individual institution, taking into account factors such as the size, complexity, activities and third-party relationships, as opposed to a “one-size-fits-all” approach. The final guidance also provides clarification regarding complaints or inquiries received on social media sites, risk management practices for third parties and due-diligence requirements, the definition of social media for purposes of the guidance and clarification about the requirement for financial institutions to monitor all communications about the institution on Internet sites other than those maintained by or on behalf of the institution.
Credit unions that don’t participate in social media should still read the guidance. It indicates that credit unions that are not engaged in social media still need to consider the potential for negative comments or complaints that may arise within the many social media platforms and evaluate what, if any, action they will take to monitor for such comments and/or respond to them.
The guidance also provides necessary components of a risk management program by addressing the types of risk and relevant risk areas. Within each risk category there is a summary of considerations and relevant laws and regulations for the credit union to analyze. Every credit union should review this guidance and create or amend its social media risk management program accordingly. The guidance can be found on the FFIEC website.