The Federal Financial Institutions Examination Council on Wednesday issued final guidance aimed at helping, banks, credit unions and other financial institutions manage risks related to social media.
The final guidance differs from the proposal released in January in several respects, taking into account the 81 responses received during a public comment period.
It also clarifies that emails and text messages do not fall under the definition of social media but warns banks and credit unions to stay abreast of existing laws for those platforms, which may overlap with social media regulations.
The FFIEC also acknowledges that financial institutions' approaches to managing social media risk will vary according to their size, complexity, activities and relationships with third parties. Commenters had previously expressed concerns that the proposal appeared to recommend a "one-size-fits-all" approach for all lenders.
The new guidance delves further into the relationship between social media activity and specific laws, including the Community Reinvestment Act. The CRA requires financial institutions to keep a public record of all written comments related to its community performance for a three-year period, along with responses to the comments.
The FFIEC explains that this requirement applies only to comments made on sites that are run by or on behalf of the institutions.
Some of the 81 comments received by the FFIEC raised concerns that the guidance would require banks and credit unions to monitor all online communications that mention their institutions. The guidance clarifies that this is not the case.
Commenters had also worried that the original proposal asked banks and credit unions to treat all negative comments on its social media sites as official complaints. Financial institutions may establish official channels that customers must use in order to submit complaints, according to the guidance.
The guidance also addresses commenters' questions about how financial institutions are expected to manage risks with third parties that are not traditional vendors. Lenders are expected to consider the potential risks posed by all third parties before doing business with them, according to the guidance.