Let’s be honest, COVID-19 is not going away. But social distancing is being replaced with reasonable reopening. As I write this, the news feeds report that 21 reopened states have increasing rates of infection. That means that businesses need to be smart about how they bring customers back in, but it is not likely that we will retreat to our caves—uh, homes—and restore strict stay-at-home orders. So, banks that are reopening their lobbies are implementing reasonable safety procedures to protect their customers and employees. These include plexiglass shields at teller windows, masks on employees and maybe on customers, and possibly hand-sanitizing stations at entries, plus frequent wipe-downs of commonly used surfaces.
Meanwhile, delivery of an array of banking services online and through mobile banking has gotten a big shot in the arm. And perhaps bank officers are using social media more and more as they try to stay in touch with their customers—or maybe just blow off a little steam now and then. Even with phased-in reopening, electronic banking and marketing are likely to continue to grow in importance. The Interagency Guidance on Social Media: Consumer Compliance Risk Management is well worth a fresh look.
The 2013 guidance provides a road map for potential consumer compliance and legal risks that is critical in developing a bank’s policies and procedures to manage social media practices. For our purposes, “social media” is defined as a form of interactive online communication in which users can generate and share content through text, images, audio and/or video. These include Facebook, Instagram, Google Plus, Twitter, LinkedIn, YouTube, Yelp and various virtual-world sites. Social media can be an effective way to reach out to current and potential customers. However, it must be deployed in a manner that is legally compliant and that is subject to proper oversight. Here are a few of the highlights from the guidance.
Compliance and Legal Risks. One use of social media is marketing products and originating new accounts/loans. When messages create an “ad,” then specific requirements in Reg DD (new accounts), Reg Z (consumer loans), Fair Housing Act (mortgages) or FDIC membership (deposits) can be triggered. In addition, messages should always be evaluated to test for unfair, deceptive or abusive acts or practices (UDAAP) risk.
Privacy. Systems should be in place to assure that nonpublic personal information is never made public! Strong cybersecurity procedures are vital—particularly if a bank integrates social media components into customers’ online account experience or accepts applications via social media portals. Unsolicited commercial email messages and unsolicited communications by telephone or text messages are regulated by the CAN SPAM Act and the Telephone Consumer Protection Act (TCPA). Litigation has proliferated, especially over noncompliance with the prior consent provisions in the TCPA. On the other hand, text messaging about a possible unauthorized use of a debit/credit card or a transaction that will overdraw an account are actually very desirable services to your customers. Still, these should be clearly agreed to in writing by consumers. (Remember that “writing” includes electronic communications if ESIGN has been satisfied.)
Reputation. It is much easier today to tear down a person’s or business’ good name through social media than was true in the past. Banks should regularly check to see whether disgruntled consumers have posted complaints about them online, such as on Yelp. Then follow up with the unhappy consumer and get the adverse post removed, if possible. This should be a part of the bank’s complaint policies and procedures, with a regular report to the board.
In addition, posts should be evaluated to determine whether they constitute a comment for the bank’s Community Reinvestment Act file. Generally, comments on sites that are not run by or on behalf of the bank will not constitute a “public” comment. However, a bank should retain comments made on sites run by or on behalf of the bank that specifically relate to its performance in helping to meet community credit needs.
Social media monitoring tools should be put into place to routinely scan for the bank’s name and logo. This can detect complaints early. Remember that risk can also arise through spoofs of the bank’s communications and activities in which fraudsters masquerade as the bank. Monitor and address fraudulent use of the bank’s brand, such as through phishing or spoofing attacks.
Employee use of social media sites. Whether or not a post by an employee is approved by the bank, it will reflect on the institution—for good or bad. Thus, banks should have careful HR policies in addition to their social media policy that address employee usage. This can be tricky, as federal law protects statements that could relate to union organizing. Also, passionate employees may claim that the bank is infringing on their First Amendment rights—which really do not apply to private businesses, but rather prohibits government infringement. During the demonstrations regarding police practices triggered by the George Floyd incident, some otherwise powerful people have had their wings clipped due to inflammatory posts. Socially aware consumers are ready to “punish” businesses that take unpopular positions.
As we continue to use Facebook and Twitter to communicate from our home offices, we lose the nuances of person-to-person contact. We don’t see the facial expression or hear the tone of voice. So, it is especially important to have clear standards in place to limit misunderstandings.
Conclusion. Social media is here to stay—as both a tool and a weapon. Update your policies and procedures to assure that you have managed the risks and maximized your benefits.
I am signing off for now so I can go check my Instagram feed for cute grandchildren pics!