February 27, 2014
Credit Union Management magazine’s Web-only “On Compliance” column runs the fourth Thursday of the month.
The same advertising disclosure rules that apply to a newspaper ad also apply to a Facebook ad, according to guidance from the Federal Financial Institutions Examination Council, released in December. This clarification from the FFIEC – and, specifically, the lack of any exemptions from existing rules for social media – increases the risks facing credit unions using social media.
Indeed, FFIEC’s new guidance on social media risk management doesn’t impose any new requirements on credit unions, but rather clarifies that existing requirements and supervisory expectations apply to new media. Because FFIEC includes the National Credit Union Administration and because the State Liaison Committee has encouraged state regulators to adopt this new guidance, it applies to both state- and federally chartered credit unions.
The guidance defines social media broadly, as a “form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.” Examples include Facebook, Google+, Twitter, blogs, and such consumer review websites as Yelp, Flickr, YouTube and LinkedIn.
Implications for Risk Management
Engaging with members in social media is not a free lunch. Credit unions using social media face increased compliance, legal, operational and reputation risks. A key component to a credit union’s social media approach needs to be a comprehensive risk management program. FFIEC’s guidance indicates that a successful program includes:
- a governance structure with clear roles and responsibilities and a directive from the board or senior management on how social media contributes to the strategic goals of the credit union;
- established controls and ongoing assessment of risk in social media activities;
- policies and procedures about the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations;
- a due diligence process for selecting and managing third-party relationships;
- an employee training program that incorporates the credit union’s policies and procedures for official, work-related use of social media;
- an oversight process for monitoring information posted to social media sites;
- audit and compliance functions to ensure ongoing compliance with internal policies and applicable consumer protection laws and regulations; and
- parameters for providing appropriate reporting to the credit union’s board or senior management that enables periodic evaluation of the social media program’s effectiveness.
In short, credit unions engaging members (and non-members) in social media need to understand, review and manage the risks related to that engagement.
In addition to doing overall risk assessment, credit unions need to establish compliance and legal reviews specific to a credit union’s particular social media activity. For example, posting a Facebook update about the credit union’s mortgage rates or the credit union’s “refer a member” campaign could trigger advertising disclosure requirements. This can prove especially difficult for social media that include character limitations, such as Twitter.
While the FFIEC guidance does not provide any exceptions for social media advertisements, credit unions can utilize existing flexibility for electronic advertisements to provide required disclosures via an electronic link. As usual, the flexibility is not uniform and credit unions must review which disclosures can be provided through links and which ones must be included directly in the advertisement. To help manage compliance and legal risks, credit unions should establish procedures to review social media advertisements to ensure they include all required disclosures.
In addition, social media provides a unique way for credit unions to engage with their members (and potential members). However, it also presents members with a unique way to engage with the credit union. Members are not shy about voicing their frustrations through social media and credit unions should have procedures in place to handle member complaints.
For example, a member’s complaint on social media not only presents reputation risk, but could also trigger the credit union’s error resolution requirements for a debit card or a mortgage loan or even be considered a direct dispute under the Fair Credit Reporting Act. Detailed member complaint procedures and appropriate employee training can help the credit union manage compliance and reputation risks simultaneously.
While the specific risks above are examples, a credit union needs to have a comprehensive risk management program to properly assess and manage social media risks. As a credit union’s social media usage expands and evolves, its risk management procedures must be reviewed and analyzed as well. By doing so, the credit union will help ensure a valuable avenue to engage with existing and future members.
Steve Van Beek is an attorney and counselor at Howard & Howard Attorneys PLLC, Royal Oak, Mich. He focuses his practices on helping credit unions serve their members by successfully managing their compliance, legal and strategic risks. He can be reached at SVB@h2law.com.