Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On October 6, the FTC released a data spotlight showing that more scams have originated on social media than on any other method of contact with consumers, accounting for $2.7 billion in consumer losses from 2021 to 2023. The FTC reports that the most frequently reported frauds in 2023 were online shopping scams on social media. However, promotions of fake investment opportunities, mostly those relating to cryptocurrency, on social media had the largest overall monetary losses. The FTC also provided a list of tips for consumers to limit their risks of fraud on social media, including restricting who can contact them on these platforms.
On September 30, the U.S. District Court for the Northern District of California certified a stipulation and proposed order regarding a permanent injunction and dismissal to abandon remaining allegations against an Israel-based company and a Delaware company (collectively, defendants) related to their use of data scraping from the parent company of large social media platforms (plaintiff). In 2020, the plaintiff alleged that the defendants developed and distributed internet browser extensions to illegally scrape data from the plaintiff’s platform and other platforms. The order noted that the court’s prior summary judgment decision concluded that the defendants collected data using “self-compromised” accounts of users who had downloaded the defendants’ browser extensions. The order further noted that the defendants stipulated that the plaintiff had established that it suffered “irreparable injury” and incurred a loss of at least $5,000 in a one-year period as a result of one of the companies’ unauthorized access. The order further noted that judgment has been established “based on [the Israel-based company’s] active data collection through legacy user products beginning October 2020, and based on [the Israel-based company’s] direct access to password-protected pages on [the plaintiff’s] platforms using fake or purchased user accounts.” Under the injunction, the defendants are immediately and permanently barred from accessing or using two of the plaintiff’s social media platforms without the plaintiff’s express written permission, regardless of whether the companies are using the platforms directly or via a third party. The defendants are also banned from collecting data or assisting others collect data without the plaintiff’s permission, and are required to delete any and all software, scripts or code that are designed to access or interact with two of the plaintiff’s social media platforms. Additionally, the defendants are prohibited from using or selling any data that they have previously collected from the plaintiff’s social media platforms.
On January 27, the FTC released a blog post regarding scam data usage on social media. Reports to the FTC showed that social media is increasingly used by scammers and “that social media was far more profitable to scammers in 2021 than any other method of reaching people.” The blog post, Social media a gold mine for scammers in 2021, reported that more than 95,000 people reported about $770 million in losses to fraud initiated on social media platforms in 2021. Additionally, the FTC noted that investment scams and romance scams had the most reported dollars lost.
On December 11, the FFIEC, on behalf of the CFPB, the FDIC, the OCC, the Federal Reserve Board, the NCUA, and the State Liaison Committee, released final guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by federally supervised financial institutions and nonbanks supervised by the CFPB. The guidance was finalized largely as proposed. However, in response to stakeholder comments, the regulators clarified certain provisions. For example, the final guidance clarifies that traditional emails and text messages, on their own, are not social media. The final guidance also explains that to the extent consistent with other applicable legal requirements, a financial institution may establish one or more specified channels that customers must use for submitting communications directly to the institution, and that a financial institution is not expected to monitor all Internet communications for complaints and inquiries, but should take into account the results of its own risk assessment in determining the appropriate approach regarding monitoring and responding to communications. The regulators also clarified that the guidance is not intended to provide a “one-size-fits-all” approach; rather financial institutions are expected to assess and manage the risks particular to the individual institution, taking into account factors such as the institution’s size, complexity, activities, and third party relationships. The final guidance also contains further discussion regarding the application of certain laws and regulations to social media activities, such as the Community Reinvestment Act. Finally, consistent with other recent regulatory initiatives, the final guidance clarifies that prior to engaging with a prospective third party an institution should evaluate and perform due diligence appropriate to the risks posed.
On April 2, the SEC issued a report that allows companies to use social media outlets to announce key information in compliance with Regulation Fair Disclosure (Regulation FD), provided investors have been alerted about which social media will be used to disseminate such information. The report reviews 2008 SEC guidance that clarified that websites can serve as an effective means for disseminating information to investors if the investors have been made aware in advance. The report determined that the policy is equally applicable to current and evolving social media communication channels. The report states that disclosure of material, nonpublic information on the personal social media site of an individual corporate officer, without advance notice to investors that the site may be used for this purpose, is unlikely to comply with existing regulations, even if the individual in question has a large number of subscribers, friends, or other social media contacts, such that the information is likely to reach a broader audience over time.
On January 22, the FFIEC proposed guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by federally supervised financial institutions, as well as nonbanks supervised by the CFPB. With regard to compliance and legal risks, the guidance addresses (i) the applicability of existing federal laws and regulations to the use of social media for marketing and originating new deposit and lending products and the use of social media to facilitate consumer use of payment systems; (ii) the need to apply BSA/AML internal controls to customers engaging in electronic banking through the use of social media, and e-banking products and services offered in the context of social media, as well as BSA/AML risks emerging through the growing use of social media; (iii) CRA monitoring of social media sites run by an institution; and (vi) customer privacy issues associated with social media. The guidance also reviews reputational risks related to social media, including risks related to (i) fraud and brand identity; (ii) social media vendor monitoring; (iii) privacy; (iv) consumer complaints; and (v) employee use of social media. Finally, the guidance addresses the vulnerability of social media to malware and the resultant operational risk. The FFIEC is accepting comments for 60 days after publication in the Federal Register. After the comment period, the agencies will issue supervisory guidance and will urge state regulators to follow.