The Social Network: Guidance In Dealing With Consumers Via Social Media


In The Social Network, a movie about the creation of Facebook, “Sean Parker” and “Mark Zuckerberg” converse about the potential impact of Facebook:

Sean Parker: You don’t even know what the thing is yet.

Mark Zuckerberg: I said that exactly.

Sean Parker: How big it can get, how far it can go. This is no time to take your chips down.

In another scene, “Mark Zuckerberg” and “Eduardo Saverin” talk about the speed at which Facebook is growing and developing:

Mark Zuckerberg: I’m afraid if you don’t come out here you’re going to get left behind…

Eduardo Saverin: What did you just say?

Mark Zuckerberg: He’s moving faster than any of us ever imagined it would. It’s moving fast.

Eduardo Saverin: What did you mean get left behind?

And while these exchanges may not be entirely accurate, you can’t argue with the fact that Facebook and other social networks like Twitter have become very big and gone very far at a speed faster than most of us could ever have imagined. There is a scene in the movie where Facebook celebrates its millionth user. Now, just a few years later, Facebook recently surpassed the mark of one billion users. Yes, I said a billion.

With social media growing and evolving at such a rapid pace, it is difficult if not impossible for regulation to keep up. While this is true for all areas of potential regulation, the area involving the use of social media is of particular interest. Responding to requests by various industry and consumer interests for guidance on the application of consumer protection laws to activities conducted via social media, financial regulators — specifically the Federal Financial Institutions Examination Council (“FFIEC”) — recently proposed guidance.

The FFIEC is composed of several agencies — one of which you’ve undoubtedly recently heard about — the Consumer Financial Protection Bureau (“CFPB”). Among other things, the FFIEC develops procedures used by the agencies in examinations of financial institutions.

The proposed guidance, entitled “Social Media: Consumer Compliance Risk Management Guidance,” was released by the FFIEC on January 22, 2013 (“Guidance”). The Guidance specifically addresses the applicability of federal consumer protection laws to activities conducted via social media by banks, savings associations, credit unions and nonbank entities supervised by the CFPB (collectively “financial institutions”). The Guidance is intended to help financial institutions understand the risks associated with the use of social media, and the expectations for managing these risks. Although it does not impose additional obligations on financial institutions, the Guidance notes that financial institutions must manage these risks.

So what is “social media”? The Guidance explains that social media is considered to be a form of interactive online communication in which users can generate and share content through text, images, audio and video, and that it can take many forms, including but not limited to micro-blogging sites (Facebook, Google Plus, MySpace, Twitter), forums, blogs, customer review Web sites and bulletin boards (Yelp), photo and video sites (Flickr and YouTube), sites that enable professional networking (LinkedIn), virtual worlds (Second Life), and social games (FarmVille and CityVille).

The Guidance discusses three general risk areas, specifically compliance and legal risks, reputation risk, and operational risk. Although all of these risk areas are important, understanding and managing legal risks is critically important because the failure to adequately address such risks can expose an institution to enforcement actions and/or civil lawsuits. Although the Guidance discusses a number of different laws and regulations which may be relevant to a financial institution’s social media activities, some of these laws are of particular note.

While the Fair Debt Collection Practices Act (“FDCPA”) does not apply to finance companies collecting their own debts and using their own name (the FDCPA generally applies to debt collectors collecting debts owed or due another, and to creditors collecting their own debts but using a name other than their own), the Guidance’s discussion of the FDCPA is nevertheless notable because certain states have enacted their own collection practices laws which contain many of the same prohibitions as the FDCPA and which do apply to finance companies. Florida, for example, is one such state. The Guidance specifically notes the FDCPA’s prohibition against conveying information regarding a debt to persons other than the debtor; against conduct the natural consequence of which is to harass, oppress, or abuse any person in connection with the collection of a debt; and against using any false, deceptive, or misleading representation or means in connection with the collection of any debt. Finance companies should be aware of these laws when using social media, and take steps to ensure compliance.

Also of importance to the finance company is the Guidance’s reference to Section 5 of the Federal Trade Commission Act (“FTC Act”) as well as Sections 1031 and 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, both of which prohibit unfair and/or deceptive practices. It is again notable that many states (including Florida) have enacted their own deceptive and unfair trade practices acts. These statutes are sometimes used by plaintiffs’ lawyers as a “catch all” despite a finance company’s technical compliance with other laws. The Guidance notes that a financial institution should not engage in any practice via social media that could be deemed “unfair,” “deceptive,” or “abusive.”

The Guidance also addresses fair lending laws. The Guidance points out that creditors must observe the time frames outlined under Regulation B for notifying applicants of the outcome of their applications or requesting additional information for incomplete applications, whether those applications are received via social media or through other channels. The Guidance also notes that when denying credit, a creditor must provide an adverse action notice detailing the specific reasons for the decision or notifying the applicant of his or her right to request the specific reasons for the decision; and that this requirement applies whether the information used to deny credit comes from social media or other sources. It is also important to note that creditors may not, with limited exceptions, request certain information, such as information about an applicant’s race, color, religion, national origin, or sex. Since social media platforms may collect such information about consumers in various ways, a creditor should ensure that it is not requesting, collecting or otherwise using such information in violation of applicable fair lending laws.

A final area of interest is privacy laws. Title V of the Gramm-Leach-Bliley Act (“GLBA”) establishes requirements relating to the privacy and security of consumer information. Institutions using social media should make sure they comply with the GLBA and other privacy rules.

The Guidance also addresses a number of other laws, and further addresses certain reputation and operational risks as well.

In addition to covering various risk areas, the Guidance also sets forth compliance risk management expectations for social media. Components of a risk management program should generally include: a) a governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution and establish controls and ongoing assessment of risk in social media activities; b) policies and procedures regarding the use and monitoring of social media and compliance with consumer protection laws and Guidance; c) a due diligence process for selecting and managing third-party service provider relationships in connection with social media; d) an employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media and defines impermissible activities; e) an oversight process for monitoring information posted to social media sites administered by the financial institution or a contracted third party; f) audit and compliance functions to ensure ongoing compliance with policies, applicable laws, and Guidance; and g) parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the social media program and whether the program is achieving its stated objectives.

To summarize, you should be aware of the risks set forth in the Guidance, and ensure that you are taking steps to manage those risks. You don’t want to get left behind.

And finally (no pun intended), the Guidance is not yet “final.” So when will it be finished? Although the agencies comprising the FFIEC will issue it as supervisory guidance to the institutions they supervise upon completion and after consideration of comments received from the public (comments must be received on or before March 25, 2013), guidance and regulation will continue to evolve as social media continues to evolve. As “Mark Zuckerberg” points out in The Social Network: “It won’t be finished…I’m talking about the idea of it. And I’m saying that it’s never finished.”

You may obtain and review the Guidance, which is located at the following web address: