
Federal Regulators Issue Guidance on Social Media and Mobile Privacy

By Margo Tank, R. David Whitaker and Ian Spear
March 29, 2013

In a sign of the role new technology is playing in existing business models, two federal regulators recently released guidance covering two rapidly expanding technology markets: social media and mobile technology. The first set of guidance, entitled Social Media: Consumer Compliance Risk Management Guidance, 78 Fed. Reg. 4848 (proposed Jan. 23, 2013), was issued as a proposal for comment by the Federal Financial Institutions Examination Council (FFIEC), which represents the examination arm of the primary federal bank regulators (including the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve, Federal Deposit Insurance Corporation, National Credit Union Administration, and the Consumer Financial Protection Bureau (CFPB)). Shortly after, the Federal Trade Commission (FTC) released a staff report entitled Mobile Privacy Disclosures: Building Trust Through Transparency (2013).

Both sets of guidance are broadly aimed at extending existing consumer protection frameworks. In doing so, both recognize the evolving and expanding nature of social media and mobile technology, setting guidelines that allow flexibility while protecting both consumers and financial institutions, rather than creating new, inflexible regulatory regimes with the potential to stifle innovation. However, institutions will still need to carefully consider both sets of guidance when engaging with social media or mobile technology, as the FFIEC and the FTC establish a clear set of expectations that will likely play a role in examinations and enforcement actions.

FFIEC's Risk Management Guidance for Social Media

On Jan. 22, the FFIEC requested comments on its proposed consumer compliance risk management guidance for federally supervised financial institutions, as well as nonbanks supervised by the CFPB, that are engaged in social media activities. The guidance proposes a broad definition of social media, describing it as 'a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.' Social Media Guidance, Fed. Reg. at 4849. The guidance distinguishes social media from other types of online services, calling it 'more interactive' and providing examples such as Facebook, Twitter, YouTube and LinkedIn. Id. Interestingly, the guidance also includes virtual worlds in its description, including Second Life and social games such as FarmVille. Id.

The FFIEC guidance addresses three risk areas: compliance and legal risk, operational risk, and reputation risk. The compliance and legal risk section focuses for the most part on the application of existing consumer protection laws to social media activities. The guidance addresses laws and regulations such as the Truth in Savings and Truth in Lending Acts, Equal Credit Opportunity Act, Fair Housing Act, Real Estate Settlement Procedures Act, Fair Debt Collection Practices Act, Unfair, Deceptive, or Abusive Acts or Practices, Electronic Fund Transfer Act, CAN-SPAM Act, Children's Online Privacy Protection Act (COPPA) and Fair Credit Reporting Act. The FFIEC is careful to emphasize that the guidance does not add any new expectations to existing compliance requirements, but rather reinforces the need to adhere to these rules when utilizing social media to communicate with consumers. Id.

The section on reputation risk, which the guidance describes as 'the risk arising from negative public opinion,' focuses on a variety of issues that financial institutions need to manage during their social media activities, above and beyond simply whether an activity violated any laws. Id. at 4853. This includes: protecting and monitoring an institution's brand identity, particularly from fraud; monitoring any social media activity that an institution delegates to third parties; ensuring that consumer privacy is maintained; responding appropriately to consumer complaints and inquiries made via social media; and establishing appropriate policies for employee participation in social media. Id. The final risk area, operational risk, emphasizes the management and monitoring of risks related to technology and directs institutions to the FFIEC's Information Technology Examination Handbook. Id. at 4854.

FTC's Mobile Privacy Disclosures Report

The FTC's guidance is aimed at the 'unique privacy challenges' presented by mobile devices, particularly given the personalized nature and quantity of sensitive data such devices can contain. Mobile Privacy Disclosures at 2. Drawing on the FTC's prior efforts to address mobile privacy and concluding that mobile users are concerned but confused about how their personal information is treated, the guidance endeavors to create a set of best practices for the mobile industry participants in three key areas: platforms, apps and advertising.

The FTC's major recommendations for platforms focused broadly on building transparency, accessibility and personalization into a platform's privacy settings. Specifically: 1) providing 'just-in-time' disclosures and obtaining affirmative consent before allowing apps to access sensitive information; 2) creating a centralized location, referred to as a 'dashboard' where consumers can review the privacy settings of programs; 3) using an icon or symbol to alert users when sensitive information is being accessed; and 4) offering a 'do not track' mechanism to allow users to opt out of tracking and advertising. Id. at 14-20.

Similarly, the FTC's recommendations for apps and developers emphasized clear and accessible privacy policies, just-in-time disclosures to obtain affirmative express consent before collecting information, and improved communication with ad networks and third parties. Id. at 22. Finally, the FTC recommended that advertisers work with app and platform developers to create effective disclosures and privacy options. Id. at 25.

Flexible Guidelines Protect and Encourage Innovation

Encouragingly, both the FFIEC and FTC recognize the important and changing role social media and mobile technology can play in an institution's business. The FFIEC identifies social media as a 'new communication technology' which 'has the potential to improve market efficiency,' while the FTC notes that 'mobile technology benefits consumers through innovative content, products, and services.' Social Media Guidance, Fed. Reg. at 4849; Mobile Privacy Disclosures at 28. The new and innovative nature of these fields creates a persuasive argument for flexible recommendations and guidelines that protect consumers while encouraging innovation, a fact the FTC explicitly acknowledges. Mobile Privacy Disclosures at 13. Given the speed at which social media and mobile technology are growing, a strict regulatory regime would be burdensome for regulators and institutions. It would require regulators to constantly update regulations while leaving institutions in a state of regulatory uncertainty as to how new technology, or new uses for existing technology, will be treated. Perhaps as a result, neither the FTC nor the FFIEC imposes a new legal or regulatory framework; instead both identify areas where existing laws or policies should be considered and create guidelines that allow institutions flexibility to adapt to new technology and emerging uses.

However, both sets of guidance also set forth clear expectations. This is valuable, particularly given the treatment both agencies appear to plan for the guidance. While the FTC notes that its guidance is not intended to serve as a template for enforcement or regulations under current laws, to the extent it goes beyond such legal requirements the report concludes by 'strongly encourag[ing] companies in the mobile ecosystem to work expeditiously to implement the recommendations' made by the report. Id. at 14, 29. The report also notes that the FTC would view strong privacy codes developed by the industry 'favorably in connection with its law enforcement work.' Id. at iii. The FFIEC similarly explains that its guidelines do not impose additional obligations, but that covered financial institutions 'will be expected to use the guidelines' in ensuring that the risks raised by social media activities have been appropriately and adequately addressed. Social Media Guidance, Fed. Reg. at 4848-49. Appropriate policies will be necessary for institutions to meet those expectations. Therefore, even though no new legal regimes have been created, both sets of guidance may require covered entities to take additional steps to adapt existing compliance programs.

The FFIEC's guidance provides specific details on what a social media compliance program should look like, stating that covered financial institutions, even those that may not use social media, should have in place some kind of 'risk management program that allows it to identify, measure, monitor, and control the risks related to social media.' Id. at 4850. The FFIEC then identifies seven key components of such a program:

  1. Clear roles and responsibilities in the institution's governance so that senior management can direct social media use in light of the institution's strategic goals.
  2. Policies and procedures for using and monitoring social media to ensure compliance with all applicable laws.
  3. An appropriate process for managing third-party relationships related to social media.
  4. Appropriate employee training.
  5. Oversight and monitoring processes if proprietary social media sites are administered by the institution.
  6. Audit functions to ensure compliance.
  7. Mechanisms for reporting on the effectiveness of social media activities to senior management.

While much of the critical structure for a social media risk management program will likely be in place already, institutions should avoid simply lumping social media into an existing compliance program. Financial institutions should conduct a detailed review to ensure that any program is 'commensurate with the breadth of the financial institution's involvement' and appropriately tailored to the nature and role of social media at the institution. Id. at 4850. For example, an institution which allows social media to be used directly to address individual consumer complaints may want to consider a more robust privacy component, while an institution that uses social media to advertise specific products may consider focusing on a more detailed program for ensuring legal compliance.

Mobile Privacy

While the FTC's guidance does not explicitly propose a risk management program for privacy on mobile devices, such a program would nevertheless be useful to mobile industry participants. Some of the FFIEC's recommendations could provide a transferable template. Mobile industry participants will likely want to: ensure that senior management can direct privacy policy in light of the institution's strategic goals; review any policy to ensure it complies with applicable laws; have monitoring and auditing in place to ensure adherence to the policy; and provide employee training regarding the policy. And like the program recommended by the FFIEC, mobile industry participants will need to tailor any program to the way in which their product uses private or personal information. App developers will more likely focus on a program to ensure that the app's privacy policies are current, accurate and clear, as well as a monitoring system to ensure that the company and employees are complying with the policy. If the FTC's recommendations for 'best practices' or industry self-regulatory programs are adopted, all participants will need to ensure that they are in compliance with those programs, as well.

Conclusion

The FFIEC and FTC guidance documents offer a blueprint for protecting the interests of both consumers and financial institutions while avoiding a rigid structure that could stifle innovation. The flexible guidelines allow institutions to innovate and experiment with emerging media and technology, while still providing clear, actionable expectations for institutional behavior. And covered institutions will be well-advised to pay particular attention to those expectations, given the likely role that the guidance will play in FFIEC examinations and FTC enforcement actions. Since failure to follow the guidance could well lead to more traditional, and less flexible, regulatory action, and since the kind of adaptable environment the guidance will help foster is highly desirable, financial institutions should pay careful attention as a matter of enlightened self-interest, as well as good policy.


Margo Tank is a Partner, R. David Whitaker is counsel, and Ian Spear is an associate at BuckleySandler LLP, a financial services law firm in Washington, DC, New York, Los Angeles and Orange County, CA. They advise financial services providers and technology companies on structuring business programs and online platforms in compliance with the Electronic Signatures in Global and National Commerce Act (ESIGN) and the Uniform Electronic Transactions Act (UETA), and on compliance with other state and federal laws governing electronic and mobile financial services transactions, privacy and data security. The authors can be reached at [email protected], [email protected], or [email protected], respectively.

