Mischief Managed: Managing Social Media Risk as Part of Your CMS

Having a compliance management system (CMS) is a well-known regulatory imperative, but did you know that mortgage lenders and financial institutions are also required to have a social media risk management program? As the Federal Financial Institutions Examination Council (FFIEC) makes clear in its Social Media: Consumer Compliance Risk Management Guidance, “Financial institutions are expected to manage risks associated with all types of consumer and customer communications, no matter the medium.” Thus, a robust, comprehensive CMS must include social media as part of its scope of oversight.  

The first step in managing social media risk is identifying potential risk sources. The FFIEC’s social media guide breaks these down into three (3) main categories. First is Compliance and Legal Risk. There are numerous rules and regulations that govern financial institution’s social media activities, including but not limited to: 

• Truth in Savings Act (TISA)/Reg DD; 
• Fair Lending – Equal Credit Opportunity Act (ECOA)/Reg B/and Fair Housing Act (FH Act); 
• Truth in Lending Act (TILA)/Reg Z; 
• Real Estate Settlement Procedures Act (RESPA); 

• Fair Debt Collection Practices Act (FDCPA); 
• Unfair, Deceptive, or Abusive Act or Practices (UDAAP); 
• Federal Deposit Insurance Corporation (FDIC)/National Credit Union Administration (NCUA) membership rules; 
• Electronic Funds Transfer Act (EFTA)/Reg E; 
• Reg CC/state rules applicable to check transactions; 

• Bank Secrecy Act (BSA)/Anti-Money Laundering (AML)Programs; 
• Community Reinvestment Act (CRA); 
• Graham-Leach-Bliley Act (GLBA); 
• CAN-SPAM and Telephone Consumer Protection Act (TCPA); 
• Children’s Online Privacy Protection Act (COPPA); and 

• Fair Credit Reporting Act (FCRA). 

Next is Reputational Risk. This is the risk arising from the potential negative public commentary and sentiment for a financial institution. This risk may stem from activities that result in dissatisfied consumers or negative publicity which could harm the reputation and public standing of the institution. Reputational Risk is particularly noteworthy, as losses are not easily quantifiable and may occur even if no law has been broken. The FFIEC outlines several areas of concern within this category, such as: 

• Fraudulent account access/activity that could damage a lender or financial institution’s brand identity; 

• Institutions’ liability when using third parties to host/manage social media accounts; 
• Posting of non-public personal information (NNPI) to social media accounts by employees or consumers; 
• Addressing consumer complaints and inquiries posted to social media; and  
• Employee social media use on both personal and company-affiliated accounts. 

Finally, we come to Operational Risk, which is centered primarily around IT/Cybersecurity concerns. The FFIEC directs lenders and financial institutions to leverage the FFIEC Information Technology Examination Handbook and the Outsourcing Technology Services and Information Security to ensure social media accounts, access and usage adhere to industry IT/cybersecurity standards. 

In addition to categorizing the areas of risk mortgage lenders and financial institutions face regarding social media, the FFIEC’s guide also outlines the specific components these organizations should have as part of their CMS to adequately manage these risks. These are as follows: 

• A clear governance structure; 

• Written policies and procedures; 
• Oversight of third-party relationships in connection with social media;  
• Employee social media training; 
• Social media monitoring;  
• Social media audits and compliance reviews; and  

• Periodic reporting to the board of directors or senior management. 

The FFIEC acknowledges that organizations will have different goals for their social media strategy, and as such, “The size and complexity of the risk management program should be commensurate with the breadth of the financial institution’s involvement in this medium.” However, lack of social media use does not exempt lenders or financial institutions from establishing procedures to address social media risks from outside parties, such as negative comments or complaints. 

Furthermore, lenders and financial institutions should involve specialists from multiple areas within the organization to develop a comprehensive social media risk mitigation strategy. These functional areas include compliance, technology, information security, legal, human resources and marketing. 

Managing the risks posed by social media isn’t just good business sense – it’s also a regulatory requirement. By incorporating social media with the scope of an overall compliance management system, lenders and financial institutions can ensure they are adequately managing these risks while also meeting regulatory expectations for oversight and compliance. To learn more, check out our FFIEC Social Media Guidance page.