Social Media Compliance: 5 Key Areas of Compliance Risk

While social media continues to be a popular way for people to communicate, for financial institutions, it can be viewed as a vehicle to connect with their customers and attract new ones. Although social media carries benefits, institutions must ensure that they properly maneuver around and mitigate risks to avoid compliance violations in their examinations and audits. As part of this article, we will identify five key areas where social media carries compliance risk and how institutions can address it.

1. Algorithms and Filtering

One key benefit that many social media platform algorithms offer is that for individual users, content can be specifically filtered based on factors such as connections, follows, clicked advertisements, and more. This customization supplies an avenue for institutions to specifically cater their messaging to a target audience. However, they must ensure their messaging is in compliance with fair lending rules. Fair lending rules, such as Regulation B, prohibit discrimination and discouragement based on prohibited factors. These include race, sex, religion, national origin, age, and other characteristics. Therefore, institutions must ensure that the methodology of any filtering criteria does not purposely exclude or highlight a particular audience based on a prohibited basis.

For example, a financial institution offers a first-time home buyer program that provides discounts on the interest rate and closing costs. The institution works with a social media platform to only target its advertising to individuals between the ages of 18 and 39, believing them to be the individuals most likely to be first-time home buyers. This focus will cause fair lending concerns due to the institution’s assumption that first-time homebuyers are only individuals in a particular age range. Therefore, by only offering these services to individuals in this age range, individuals 40 and up will be excluded from any discounts and, in turn, provided more adverse terms.

To avoid these issues, institutions should ensure that fair lending concerns are considered with respect to all aspects of the advertising campaign, including the determination of a target audience. Additionally, the institution should work with the social media platform to identify what filtering criteria are being used and identify not only who is being included, but also who is being excluded. Any criteria that result in excluding a particular group based on a prohibited basis should be excised from the methodology.

2. Advertising Disclosures

Social media is a great way for financial institutions to market their products and services. Unfortunately, it can be a lengthy process for the federal government to update laws and regulations to accommodate recent technologies and methods of communication. Predominantly, the advertising rules that institutions are required to follow were written in an age before social media existed and have not been updated to specifically accommodate social media as an advertising platform. Therefore, it is important for institutions to successfully maneuver their way through any advertising disclosure rules, even if they come off as counterintuitive or difficult when using a social media platform.

In addition, using links within social media posts to bring the user to a separate landing page on the institution’s website is one way many institutions handle the bulk of their advertising disclosures. Nevertheless, institutions should always ensure that the link brings the user directly to the required disclosure information, rather than to a general category or “hub” where the user will still have to search for the required disclosures.

However, this approach is not a one-size-fits-all solution. There will be some instances where institutions must include certain relevant disclosures within the social media post itself. Some terms being advertised, such as tiered rate deposit accounts under Regulation DD or discounted loan products under Regulation Z, carry requirements where disclosures must be made in equal prominence and near the statement triggering the disclosure (most commonly a numerical rate). In these instances, linking to another page is not sufficient and the post itself will need to contain the required information.

Below, we break down best practices for institutions to comply with regulations:

  • Institutions must ensure a thorough advertising compliance review is performed for any social media posts intended to market a product or service offered through the institution.
  • Institutions should use checklists or tools to confirm that the necessary disclosure information is included prior to the post being made public.
  • Rather than wait until a challenge over a specific advertisement arises, institutions that regularly advertise through social media should prepare templates, guidelines, and additional instructions on how individuals can construct the advertisements in a manner to comply with applicable laws and regulations.

These controls should prevent “fire drills” or other future issues when an advertisement needs to be radically changed last minute due to regulatory concerns.

3. Rogue Employee Promotions

Institutions can have a concern about employee social media usage due to the reputation risk involved. Often, institutions must strike a difficult balance between imposing upon their employees’ freedom and privacy and avoiding the reputational risk that can occur if employees make statements that reflect poorly on the institution. Beyond this, however, institutions should also be cautious about the steps that employees with sales responsibilities or goals are taking with their social media accounts. As social media popularity continues to increase, sales staff can potentially begin using their personal networks as a means for business.

For example, there may be instances where employees use their own personal account(s) to promote an institution’s product or service. Since these posts/communications occur through a personal social media account, the lack of oversight from managerial or compliance personnel at the institution could result in a violation of advertising rules.

Institutions should set forth formal standards and restrictions on their employees’ personal social media accounts regarding products and services offered by the institution. For instance, many institutions impose a restriction that no promotions can occur through a personal social media account. Those institutions that allow it should ensure that controls are in place such that the employee receives approval for any of these posts prior to them being made. In these instances, the institution may need to consider asking for access to view the employee’s public social media account to ensure that periodic monitoring can take place.

4. Privacy and Security

Institutions will want to be careful to ensure that privacy rules are not violated with respect to social media activity. Social media is a platform where a consumer may share a lot of personal information about their life. Regardless of what the consumer shares on a social media platform, a financial institution must ensure that any of its activity, including reactions to customer postings, does not violate privacy rules. Generally, if a customer starts posting information about their account, specific transactions or other information on social media, an institution should try to move the conversation “offline” as much as possible. Additionally, the institution should arrange to have detailed conversations via the phone, private email, in person, or other means so the general public cannot see the specific information being mentioned.

Many individuals may start participating on social media at early ages and institutions will want to ensure compliance with the Children’s Online Privacy Protection Act (COPPA). This law applies to situations where institutions are offering services to or collecting information from children under 13 years of age. Institutions should ensure that parental consent is received prior to collecting such information. Based on the nature of many social media platforms that collect a significant amount of information on their users, there may be instances where information is being collected without the institution’s knowledge.

Therefore, institutions should be as proactive as possible in determining what the target audiences are of the social media platforms they use and what type of information is obtained. Guidance has indicated that institutions can rely on attestations from social media platforms when these platforms require users to attest that they are at least 13 years of age.

Even if an institution doesn’t use a particular social media platform, there are privacy and security risks that can come into play. It is possible for fraudsters to spoof or disguise themselves as the financial institution. This can result in situations where consumers give up information to fraudulent parties, as well as carry a reputation risk for the institution. In this case, institutions will want to make sure that they perform periodic monitoring, including visiting popular platforms that they don’t use to ensure that situations like this do not arise.

5. Consumer Complaints

Institutions are expected to have robust consumer complaint management programs. Social media has become a public forum where many consumers have lodged complaints against companies that they have dealt with, including their financial institution. Thus, institutions should ensure that there are appropriate controls in place to consider complaints that are made through social media. Additionally, institutions should perform periodic monitoring of their social media pages. Even if an institution does not have its own account on a popular platform, that platform may still be a location where consumers communicate complaints about the institution. Therefore, the institution should consider implementing monitoring on these platforms, similar to “negative news searches” that institutions at times may perform on customers or potential customers for Bank Secrecy Act (BSA) or fraud prevention purposes.

Another challenge that financial institutions face is the reputational risk imposed when consumers make complaints about them in a public forum. The institution will want to weigh any considerations on whether it responds publicly or privately. As mentioned above, the privacy of the customer is of extreme importance. The institution should consider social media platforms as a means through which it can collect complaint information, but should be cautious about how much information relating to any complaint lodged is made public, especially when it involves any non-public personal information. There may be times where the institution must accept that something negative has been said without responding publicly due to the risk that would arise if private information became public.

In its communication with consumers on social media platforms, institutions will also want to consider any rules surrounding the submission of disputed information to the institution. For example, Regulations E, V, X and Z each have rules mandating institutions to perform investigations relating to matters such as electronic fund transfers, credit reports, or loan activity when the consumer has submitted certain information. If the institution has collected the required pieces of information via a social media platform, it should proceed with any necessary investigations required by these rules. Written policies and procedures should also be structured to consider written or telephone submitted requests, as well as the social media platforms where the institution accepts customer submissions.

Conclusion

While these are some of the more important compliance areas of concern for a financial institution using social media, it is paramount for institutions to analyze each law and regulation that applies to them, and consider how their social media activities can be fashioned to ensure regulatory compliance. As technology continues to advance at a significant pace, institutions will need to be nimble and flexible in their approaches to ensure that both compliance and the ability to sufficiently interact with their customers and potential customers are met.