Social Media and Networking

When you think of advertising, do you include social media? These days, most of you do!

However, social media compliance - which I shall call "SMC" - is a considerable undertaking, far more involved than just issuing a policy and procedure. Often, implementing SMC includes working with internet technology and information security professionals, collaborating with sales, compliance, legal, marketing, and human resources personnel, and ensuring that virtually all employees understand their own obligations with respect to using internet communications.

We have drafted SMC policy statements that call for constant vigilance by management and appointed staff to monitor for and find the appropriate remedies to transgressions relating to use of a company's name, logo, products, and services, in casual and even formal social media interactions.

Recently, Federal Financial Institutions Examination Council (FFIEC) issued a request for comments, entitled Social Media: Consumer Compliance Risk Management Guidance ("Notice"). FFIEC issued this notice on behalf of its six members, Office of the Comptroller of the Currency (OCC); the Board of Governors of the Federal Reserve System (Board); the Federal Deposit Insurance Corporation (FDIC); the National Credit Union Administration (NCUA); the CFPB (collectively, the "Agencies"); and the State Liaison Committee (SLC). Succinctly put, whatever the federal agencies eventually adopt, the states will issue the final guidance as a supervisory guidance not only to the institutions that are, by extension, under its supervision but also through the State Liaison Committee, thereby encouraging state regulators to adopt the guidance.

This means that institutions will be expected to use the forthcoming guidance in their efforts to ensure that their policies and procedures provide oversight and controls commensurate with the risks posed by their social media activities. State agencies that adopt the guidance will expect the entities that they regulate to use the guidance in their efforts to ensure that their risk management and consumer protection practices adequately address the compliance and reputation risks raised by activities conducted via social media.

In this article, I will consider certain features of FFIEC's social media Notice as well as some important subjects to be addressed in constructing an SMC policy and procedure.*

_______________________________________________________

IN THIS ARTICLE

Defining Social Media

Use of Social Media

Risks of Social Media

Risk Management

Risk Areas

Laws and Regulations

Major Risks

Policy and Procedures

_______________________________________________________

Defining Social Media

Social media has been defined in a number of ways. For purposes of the proposed guidance, the Agencies consider social media to be a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video. 

Social media can take many forms, including, but not limited to, micro-blogging sites (i.e., Facebook, Google Plus, MySpace, and Twitter); forums, blogs, customer review Websites and bulletin boards (i.e., Yelp); photo and video sites (i.e., Flickr and YouTube); sites that enable professional networking (i.e., LinkedIn); virtual worlds (i.e., Second Life); and social games (i.e., FarmVille and CityVille).

A simple test to distinguish social media from other online media is that the social media communication tends to be more interactive.

_______________________________________________________

Use of Social Media

Financial institutions use social media in a variety of ways, including marketing, providing incentives, facilitating applications for new accounts, inviting feedback from the public, and engaging with existing and potential customers.

For instance, social media has been used to receive and respond to complaints. They have been used to provide loan pricing. Since this form of customer interaction tends to be informal and occurs in a less secure environment, it presents some unique challenges to financial institutions.

To manage potential risks to financial institutions and consumers, however, financial institutions should ensure their risk management programs provide oversight and controls commensurate with the risks presented by the types of social media in which the financial institution is engaged.

_______________________________________________________

Risks of Social Media

The use of social media by a financial institution to attract and interact with customers can impact a financial institution’s risk profile. 

The increased risks can include the risk of harm to consumers, compliance and legal risk, operational risk, and reputation risk. 

Increased risk can arise from a variety of directions, including poor due diligence, oversight, or control on the part of the financial institution. Obviously, procedures must be implemented that help financial institutions to identify potential risk areas and appropriately address as well as ensure that they are aware of their responsibilities to oversee and control these risks within their overall risk management program.

Therefore, financial institutions should address the applicability of existing federal consumer protection and compliance laws, regulations, and policies to activities conducted via social media by banks, savings associations, and credit unions, as well as by nonbank entities supervised by the CFPB.

_______________________________________________________

Risk Management

A financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media. The size and complexity of the risk management program should be commensurate with the breadth of the financial institution’s involvement in this medium. 

FFIEC gives this rule of thumb: a financial institution that relies heavily on social media to attract and acquire new customers should have a more detailed program than one using social media only to a very limited extent. 

The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing. FFIEC makes it clear that a financial institution that has chosen not to use social media should still be prepared to address the potential for negative comments or complaints that may arise within the many social media platforms and provide guidance for employee use of social media. 

Anti-Money Laundering Debuts for Mortgage Brokers

A new era in filing requirements is about to begin.* For the first time, the Financial Crimes Enforcement Network, known as “FinCEN,” will require nonbank mortgage lenders and originators to implement an Anti-Money Laundering program (“AML Program”) and file Suspicious Activity Reports (“SARs”) for certain loan transactions.[i] FinCEN is establishing this AML program in accordance with the Bank Secrecy Act (“BSA”).[ii]

The guidelines relating to the AML requirement became effective on April 16, 2012, and the AML Program’s effective compliance date is August 13, 2012.[iii]

The AML program and SAR filing regulations, which I will refer to as “FinCEN’s rule,” are considered to be “the first step in an incremental approach to implementation of regulations for the broad loan or finance company category of financial institutions.”[iv]

The Bank Secrecy Act defines the term "financial institution" to include, in part, a loan or finance company. This terminology, however, can reasonably be construed to extend to any business entity that makes loans to or finances purchases on behalf of consumers and businesses. Thus, nonbank residential mortgage lenders and originators, and mortgage brokers, are grouped into the "loan or finance company" category.[v] However, the term ‘‘loan or finance company’’ is actually not concisely defined in any FinCEN regulation, and there is no legislative history on the term itself.

Nevertheless, FinCEN is applying this term to extend to any business entity that makes loans to or finances purchases on behalf of consumers and businesses. [vi] Therefore, residential mortgage lenders and originators (“RMLOs”) are covered by the scope of the ‘‘loan or finance company’’ term. I will use the acronym “RMLO” in this article, inasmuch as my principal focus herein relates to residential mortgage lenders and originators.

FinCEN can issue regulations requiring financial institutions to keep records and file reports that are determined to have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism. Federally regulated depository institutions have been required to have AML Programs,[vii] and now, as of the aforementioned effective compliance date, RMLOs must also comply with FinCEN’s regulations relating to implementing an AML Program and the filing of SARs.

Over the last few years,[viii] FinCEN has issued studies and analyses that used SARs to discover suspected mortgage fraud and money laundering that involved both banks and residential mortgage lenders and originators.[ix] According to FinCEN, these reports “underscore[d] the potential benefits of AML and SAR regulations for a variety of businesses in the primary and secondary residential mortgage markets.”[x]

Residential mortgage lenders and originators, the RMLOs, are considered to be the primary providers of mortgage finance, and have a unique position with respect to direct contact with the consumer. Thus, they are presumably able to assess and identify money laundering risks and fraud.[xi] At this time, FinCEN is not proposing a definition of “loan or finance company’’ that would encompass other types of consumer or commercial finance companies, or real estate agents and other entities involved in real estate closings and settlements.

In this article, I am going to unpack the AML Program for you in a way that will give you some familiarity with its scope, while perhaps also making its implementation a bit less daunting than it might otherwise seem to be. Nevertheless, many RMLOs will find that setting up the AML Program will be a challenging endeavor. Information, issuances, and relevant documentation are available in the FinCEN section of my firm’s website Library.

Please keep in mind that, as is the case with many applications of legal and regulatory compliance, there are aspects and nuances that will require recourse to a competent risk management professional to obtain comprehensive guidance and reliable information.[xii]

AML Program

Residential mortgage lenders and originators, the RMLOs, are required to establish an AML

Program that includes, at a minimum:

(1) Development of internal policies, procedures, and controls.

(2) Designation of a compliance officer.

(3) Ongoing employee training program.

(4) Independent audit function to test for compliance.

To effectuate the AML Program, FinCEN has given a definition of an RMLO that is broad in scope and covers most nonbank residential mortgage originators.

The AML Program covers any business that, on behalf of one or more lenders, accepts a completed mortgage loan application, even if the business does not in any manner engage in negotiating the terms of a loan. Also covered are businesses that offer or negotiate specific loan terms on behalf of either a lender or borrower, regardless of whether they also accept a mortgage loan application.

Note that the word “accept” is intended to differentiate the FinCEN rule from the SAFE Act. FinCEN is ensuring that persons who either accept an application or offer or negotiate the terms of a loan are covered. Furthermore, the AML rule applies to residential mortgage originators, regardless of whether they receive compensation or gain for acting in that capacity.

Obviously, these changes create differences between the definitions in the FinCEN rule and those used in the SAFE Act and other federal mortgage-related statutes. Clearly, this was done intentionally to differentiate the FinCEN requirements from those other statutes, so that FinCEN’s interpretation is not based on the interpretation of those statutes.[xiii] Moreover, FinCEN has taken the position that the registration and training requirements under the SAFE Act are not sufficient to address all of the concerns and accomplish all of the goals related to AML and SAR programs. In any event, FinCEN has announced that it intends to dialogue with the Conference of State Bank Supervisors (“CSBS”) to coordinate the identification and examination of mortgage originators subject to FinCEN’s rule.[xiv]

The AML Program applies to businesses, including sole proprietorships, but does not contemplate coverage of an individual employed by a financial institution.[xv] To state this precisely: FinCEN’s rule does not incorporate any exceptions for businesses based on their form of organization.

There are no exceptions for a certain arbitrary number of employees or net worth, nor is there a “small business” exclusion or exception for businesses with fewer than five employees, or for businesses that satisfy some other arbitrary size, net worth or similar criteria. Similarly, there is no “de minimis” exception for businesses that lend or broker loans under a relatively low value, or low aggregate volume of transactions within a set time period. The only exclusion is given to individuals financing the sale of their own real estate.

Generally, purchase money mortgage loans and traditional refinancing transactions facilitated by RMLOs are covered in the AML Program. Yet, because any transactions conducted by the RMLO could reasonably be considered to be extending a residential mortgage loan or offering or negotiating the terms of a residential mortgage loan, within the meaning of the definitions of ‘‘residential mortgage lender’’ and ‘‘residential mortgage originator,’’ as provided in FinCEN’s rule, the AML Program would seem to apply to transactions involving funds or programs under the Troubled Asset Relief Program and similar Federal programs, or any similar state housing authority or housing assistance program. However, to the contrary, FinCEN’s rule does not directly apply to the Federal or state housing authorities and agencies administering such programs. Therefore, excluded from the AML Program is any Federal or state agency or authority administering mortgage or housing assistance, fraud prevention or foreclosure prevention program, though RMLOs participating in such programs must comply with FinCEN's rule to the extent that any transactions could reasonably be considered to be extending a residential mortgage loan or offering or negotiating the terms of a residential mortgage loan.[xvi]