Some of our employees have been contacting our customers through Facebook Messenger to request that the customer contact the bank regarding various matters such as discussing delinquent loan payments or advising that a customer’s box of checks is ready for pickup. The messages are not being sent for the purpose of advertising a bank product or service. We ask customers to sign the Telephone Consumer Protection Act (TCPA) consent form at the time an account is opened or a loan is made, but it doesn’t appear to cover Facebook messaging. Are we allowed to contact a customer through Facebook Messenger about an account they have with our bank? If so, does the message need to include a method for the customer to opt out if it does not contain any advertising?

We are unaware of any law or regulation that would prohibit contacts with customers through Facebook Messenger or other instant messaging apps, but we believe that this is a risky practice and do not recommend allowing it to continue without substantial safeguards in place to ensure that your bank can view, retain, monitor and control these communications.

First, it is unclear whether your customers have consented to being contacted through instant messages. The TCPA and its implementing rules cover telephone calls and text messages, and it is unclear whether they also reach instant messages that can be received on a desktop computer, phone or other device, as is the case with Facebook Messenger; in any event, it is unlikely that your bank’s TCPA consent form covers anything beyond calls and texts. However, obtaining your customers’ consent before contacting them does not mitigate all of the potential risks and compliance issues posed by your employees’ use of Facebook Messenger to communicate with bank customers.

Other potential issues include compliance, reputational and IT risks. The FFIEC’s guidance on social media generally focuses on the use of social media to broadcast messages to a broad audience, rather than on one-on-one communications through instant messaging, but it highlights several risks that could apply here. For example, these communications could create privacy or fair lending issues if your bank employees obtain personal information (such as a customer’s age, sex or religion, which a Facebook profile may display) when contacting customers or adding them as “friends” through Facebook Messenger, and contacting customers regarding delinquent loan payments also could risk violations of debt collection requirements, whether under the Fair Debt Collection Practices Act (if applicable) or your institution’s internal debt collection policies.

In addition to potential compliance risks, a bank employee’s use of Facebook Messenger may pose unique reputational risks. Bank employees could use a personal Facebook profile to communicate with customers through Facebook Messenger, and their personal profiles or postings “may be viewed . . . as reflecting the financial institution’s official policies or may otherwise reflect poorly on the financial institution.” Also, your institution likely would be unable to directly control what employees post on Facebook through their personal profiles, as Illinois’ Right to Privacy In the Workplace Act generally prohibits employers from accessing employees’ personal online accounts (with certain exceptions).

Instant messaging also poses IT and cybersecurity risks. The FFIEC guidance covers IT issues generally applicable to social media, and the FDIC has issued guidance specific to the IT risks of bank employees using instant messaging. (While the FDIC guidance now is over a dozen years old, we believe that messaging through Facebook is similar to the “Public IM” technology it discusses.) Using Facebook Messenger on bank computers or phones could expose the bank to malware and to customer information being disclosed over a channel the bank does not control; the message history lives in Facebook’s systems rather than the bank’s, so the bank cannot retain, monitor or produce those conversations on its own. Additionally, because neither party to an instant message is authenticated by the bank, cybercriminals could impersonate bank customers to obtain account information from your employees, or, once customers are accustomed to receiving bank contacts through Messenger, impersonate your bank to obtain personal and financial information from your customers.

The FFIEC and FDIC guidance include several suggestions for controlling the risks discussed above. For example, the FFIEC recommends that financial institutions address these risks with policies and training, including “methodologies to address risks from online postings, edits, replies, and retention.” The FDIC recommends adopting a policy on instant messaging, along with several IT measures (identifying and, where appropriate, blocking IM traffic, antivirus and patch management, and awareness training) to protect the bank from viruses and other malicious uses of instant messaging. Also, the OCC has noted that banks must maintain records of instant messages and ensure that examiners can access those records (albeit in a slightly different context, instant messages among bank employees).
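The FDIC’s suggestion to identify IM traffic on the bank’s network (and, if the bank chooses, to block specific IM vendors) can be approximated by reviewing egress proxy logs. The following is an added example and is not code from the FDIC guidance, the FFIEC guidance or the original answer. It assumes Squid-style proxy access-log lines and a short, illustrative list of Messenger-related hostnames, both of which are assumptions; the sample log lines are constructed, not real bank traffic. It will not see Messenger use on employees’ personal phones over cellular data, which is one reason the controls above cannot fully substitute for restricting personal-profile use.

```python
"""Flag instant-messaging (Facebook Messenger) traffic in web-proxy logs.

Added example, not from the FDIC guidance or the original page. Assumes
Squid native access.log lines:
    <epoch> <elapsed> <client_ip> <status/code> <bytes> <method> <url> <user> <peer> <type>
The domain list below is an assumption for illustration; maintain it from
your own egress telemetry rather than trusting this snippet.
"""
from collections import Counter
from urllib.parse import urlsplit

# Assumed Messenger-related hostnames (illustrative; verify against your own
# traffic before using this as an alert or block list).
IM_DOMAINS = ("messenger.com", "facebook.com", "fbcdn.net")


def host_matches(host, domains=IM_DOMAINS):
    """Exact or subdomain match only: 'm.facebook.com' matches 'facebook.com',
    but 'notfacebook.com' does not (a naive substring check gets this wrong)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line):
    """Return (client_ip, user, host) from a Squid native-format line, or None
    if the line does not have enough fields."""
    parts = line.split()
    if len(parts) < 8:
        return None
    client_ip, method, url, user = parts[2], parts[5], parts[6], parts[7]
    # CONNECT (TLS tunnel) requests log 'host:port' rather than a full URL.
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    return client_ip, user, host


def find_im_traffic(lines):
    """Return (flagged_events, per_user_counts) for lines that hit IM domains.
    flagged_events is a list of (client_ip, user, host) tuples."""
    flagged = []
    per_user = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client_ip, user, host = parsed
        if host_matches(host):
            flagged.append((client_ip, user, host))
            per_user[user] += 1
    return flagged, per_user


# Constructed sample log lines (not real bank traffic).
SAMPLE_LOG = [
    "1700000000.123 215 10.1.2.3 TCP_TUNNEL/200 5120 CONNECT www.messenger.com:443 jdoe HIER_DIRECT/1.2.3.4 -",
    "1700000001.456 88 10.1.2.3 TCP_TUNNEL/200 2048 CONNECT edge-chat.facebook.com:443 jdoe HIER_DIRECT/1.2.3.5 -",
    "1700000002.789 40 10.1.2.9 TCP_MISS/200 9000 GET http://www.notfacebook.com/page asmith HIER_DIRECT/1.2.3.6 text/html",
    "1700000003.000 12 10.1.2.9 TCP_MISS/200 300 GET http://intranet.bank.example/ asmith HIER_DIRECT/10.0.0.1 text/html",
    "malformed line",
]

if __name__ == "__main__":
    events, counts = find_im_traffic(SAMPLE_LOG)
    for ip, user, host in events:
        print(f"IM traffic: user={user} client={ip} host={host}")
    print("per-user counts:", dict(counts))
```

The suffix-aware `host_matches` is the part worth copying: the same function can drive a proxy deny rule for “specific IM vendors” or an alert in the bank’s log review, and it avoids the false positives (and false negatives for subdomains such as `m.facebook.com`) that a plain substring match produces.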

Even with proper employee training, monitoring and retention practices in place, it may be difficult to control all the risks created when employees communicate with customers through Facebook Messenger, particularly due to Illinois’ limitations on employer access to employees’ personal online accounts. Consequently, your bank may wish to set up a business profile on Facebook and limit use of Facebook Messenger for official bank business to that business profile, if that is possible, so that the bank, rather than individual employees, administers the account and its message history. We do not recommend continuing to allow employees to use personal social media profiles to contact bank customers.

If your bank does decide to continue contacting customers through Facebook Messenger, we certainly recommend providing a method for customers to opt out of such contacts, even though the messages contain no advertising.

For resources related to our guidance, please see:

  • TCPA Regulations, 47 CFR 64.1200(a)(3) (“No person or entity may: . . . Initiate any telephone call to any residential line using an artificial or prerecorded voice to deliver a message without the prior express written consent of the called party, unless the call; . . . Is made for a commercial purpose but does not include or introduce an advertisement or constitute telemarketing . . .”)
  • Federal Communications Commission, Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, 80 Fed. Reg. 61129 (October 9, 2015) (“Text messages are ‘calls’ subject to the TCPA, as previously determined by the Commission.”)
  • FFIEC Social Media Consumer Compliance Risk Management Guidance, 78 Fed. Reg. 76297 (December 17, 2013) (“Gramm-Leach-Bliley Act Privacy Rules and Data Security Guidelines. . . . Whenever a financial institution collects, or otherwise has access to, information from or about consumers, it should evaluate whether these rules will apply. The rules have particular relevance to social media when, for instance, a financial institution integrates social media components into customers’ online account experience or takes applications via social media portals. A financial institution using social media should clearly disclose its privacy policies as required under GLBA. Even when there is no ‘consumer’ or ‘customer’ relationship triggering GLBA requirements, a financial institution will likely face reputation risk if it appears to be treating any consumer information carelessly or if it appears to be less than transparent regarding the privacy policies that apply on one or more social media sites that the financial institution uses.”)

  • FFIEC Social Media Consumer Compliance Risk Management Guidance, 78 Fed. Reg. 76297 (December 17, 2013) (“Fair Lending Laws: Equal Credit Opportunity Act/Regulation B and Fair Housing Act. . . . It is also important to note that creditors may not, with limited exceptions, request certain information, such as information about an applicant's race, color, religion, national origin, or sex. Since social media platforms may collect such information about participants in various ways, a creditor should ensure that it is not requesting, collecting, or otherwise using such information in violation of applicable fair lending laws. Particularly if the social media platform is maintained by a third party that may request or require users to provide personal information such as age and/or sex or use data mining technology to obtain such information from social media sites, the creditor should ensure that it does not itself improperly request, collect, or use such information or give the appearance of doing so.”)
  • FFIEC Social Media Consumer Compliance Risk Management Guidance, 78 Fed. Reg. 76297 (December 17, 2013) (“The Fair Debt Collection Practices Act (FDCPA) restricts how debt collectors (generally defined as third parties collecting others’ debts and entities collecting debts on their own behalf if they use a different name) may collect debts. The FDCPA generally prohibits debt collectors from publicly disclosing that a consumer owes a debt. Using social media to inappropriately contact consumers, or their families and friends, may violate the restrictions on contacting consumers imposed by the FDCPA. Communicating via social media in a manner that discloses the existence of a debt or to harass or embarrass consumers about their debts (e.g., a debt collector writing about a debt on a Facebook wall) or making false or misleading representations may violate the FDCPA.”)
  • FFIEC Social Media Consumer Compliance Risk Management Guidance, 78 Fed. Reg. 76297 (December 17, 2013) (“Financial institutions should be aware that employees’ communications via social media may be viewed by the public as reflecting the financial institution's official policies or may otherwise reflect poorly on the financial institution, depending on the form and content of the communications. Employee communications can also subject the financial institution to compliance risk, operational risk, as well as reputation risk. Therefore, as appropriate, financial institutions should take steps to address these risks, such as establishing policies and training to address employee participation in social media representing the financial institution.”)
  • FDIC Explains Social Media Guidance – BankInfoSecurity Interview with Elizabeth Khalil, February 14, 2014 (“[F]inancial institutions have to be especially mindful of reputation risk. They should be aware of activities they might be engaging in that could harm that place of trust. People are paying a lot of attention to how consumer information is used within the social media context.”)
  • Right to Privacy In the Workplace Act, 820 ILCS 55/10(b)(1) (“Except as provided in this subsection, it shall be unlawful for any employer or prospective employer to: (A) request, require, or coerce any employee or prospective employee to provide a user name and password or any password or other related account information in order to gain access to the employee’s or prospective employee's personal online account or to demand access in any manner to an employee's or prospective employee's personal online account; (B) request, require, or coerce an employee or applicant to authenticate or access a personal online account in the presence of the employer; . . .”)
  • Right to Privacy In the Workplace Act, 820 ILCS 55/10(b)(6)(B) (“‘Personal online account’ means an online account, that is used by a person primarily for personal purposes. ‘Personal online account’ does not include an account created, maintained, used, or accessed by a person for a business purpose of the person’s employer or prospective employer.”)
  • FFIEC Social Media Consumer Compliance Risk Management Guidance, 78 Fed. Reg. 76297 (December 17, 2013) (“Social media is one of several platforms vulnerable to account takeover and the distribution of malware. A financial institution should ensure that the controls it implements to protect its systems and safeguard customer information from malicious software adequately address social media usage. Financial institutions’ incident response protocol regarding a security event, such as a data breach or account takeover, should include social media, as appropriate.”)
  • FFIEC Social Media Consumer Compliance Risk Management Guidance, 78 Fed. Reg. 76297 (December 17, 2013) (“A financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media. . . . Financial institutions should also provide guidance and training for employee official use of social media. Components of a risk management program should include the following: . . . Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations, and incorporation of guidance as appropriate. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention; . . .”)
  • FDIC Financial Institution Letter, FIL-84-2004, Guidance on the Risks Associated With Instant Messaging (July 21, 2004) (“The risks associated with the use of IM include revealing confidential information over an unsecured delivery channel, spreading viruses and worms, and exposing the network to backdoor Trojans which are hidden programs on a system that perform a specific function once users are tricked into running it. IM is vulnerable to denial-of-service attacks, hijacking sessions and legal liability resulting from downloading copyrighted files.”)
  • FDIC Financial Institution Letter, FIL-84-2004, Guidance on the Risks Associated With Instant Messaging (July 21, 2004) (“Public IM transmits unencrypted information, so it should never be used for sensitive or confidential information. The information is on the Internet and may be accessed by anyone.”)
  • FDIC Financial Institution Letter, FIL-84-2004, Guidance on the Risks Associated With Instant Messaging (July 21, 2004) (“Information received by IM is not authenticated. There is no way to verify that a message really originated from the sender with whom the recipient believes he or she is communicating during the session. Chat sessions can be hijacked and users can be impersonated.”)
  • FDIC Financial Institution Letter, FIL-84-2004, Guidance on the Risks Associated With Instant Messaging (July 21, 2004) (“The numerous vulnerabilities inherent in IM dictate that senior management perform a risk assessment on the business benefit of allowing the use of public IM on financial institution networks. Financial institutions should consider the following practices regarding IM as part of an effective information security program:
      - Establish a policy to restrict public IM usage and require employees to sign an acknowledgement of receipt of the policy.
      - Consider implementing an intrusion detection system to identify IM traffic. Assess the need for other IM security products.
      - Create rules to block IM delivery and file-sharing.
      - Consider blocking specific IM vendors.
      - Ensure a strong virus protection program.
      - Ensure a strong patch (software update) management program.
      - Include the vulnerabilities of public IM in information security awareness training.”)

  • OCC Bulletin 2016-13, Guidance for Banks’ Maintenance of Records, Records Retention, and Examiner Access (April 27, 2016) (“Bank management must ensure that its adoption of any communications technology continues to allow for examiner access to appropriate bank records. Record retention practices that are consistent with OCC expectations will enhance effective oversight by banks’ compliance and internal audit functions as well as comply with established governance, compliance, and risk management practices.”)
  • FINRA Regulatory Notice 10-06 — Guidance on Blogs and Social Networking Web Sites (“Every firm that intends to communicate, or permit its associated persons to communicate, through social media sites must first ensure that it can retain records of those communications as required by Rules 17a-3 and 17a-4 under the Securities Exchange Act of 1934 and NASD Rule 3110. SEC and FINRA rules require that for record retention purposes, the content of the communication is determinative and a broker-dealer must retain those electronic communications that relate to its ‘business as such.’”)