How Should a Financial Institution Handle Social Media? Navigating the Federal Financial Institutions Examination Council’s Consumer Compliance Risk Management Guidance for Social Media

by Onyinyechi Muilenburg


On December 11, 2013, the Federal Financial Institutions Examination Council (“FFIEC”) published “Social Media: Consumer Compliance Risk Management Guidance” (the “Guidance”), which is effective immediately.  For purposes of the FFIEC, social media is defined as a “form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.”  Given the extreme breadth of this definition, it is difficult to imagine any financial institution, including banks, savings associations, or credit unions, that does not engage in some form of social media.  These guidelines likely affect any and all financial institutions that have any sort of online presence, whether such presence is meant to be social media in the traditional sense or not.  Therefore, it is of utmost importance that these financial institutions review and understand the FFIEC’s new guidelines.

The FFIEC is made up of the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Consumer Financial Protection Bureau, and the State Liaison Committee.  The then proposed Guidance was initially issued on January 23, 2013 for public comment, and that public comment purportedly has been addressed in the final version published on December 11, 2013.  This Guidance was created and published in order to address the applicability of federal consumer protection and compliance laws, regulations, and policies to activities conducted via social media by banks, savings associations, and credit unions, as well as nonbank entities supervised by the Consumer Financial Protection Bureau.  More specifically, the Guidance is intended to help financial institutions understand the applicability of existing requirements and supervisory expectations associated with the use of social media.

It is important to note that while the definition of social media used by the Guidance is quite broad, it specifically excludes messages sent via email or text message, standing alone.  However, the Guidance does not appear to exclude online chatting with a customer service representative initiated through the financial institution’s website or mobile app.  Therefore, it can be presumed that such chat conversations are expected to follow and adhere to the Guidance.  In addition, the Guidance acknowledges that other forms of social media may emerge in the future that financial institutions should also consider as falling under the Guidance.

As financial institutions continue to expand their use of social media to market, provide incentives, facilitate applications for new accounts, invite feedback, respond to complaints, or provide loan pricing, their risk profile will also increase.  Such an increase in risk can include risk of harm to consumers, compliance and legal risk, operational risk, and reputation risk.  In order to deal with such risks, a financial institution is expected to have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media.  This risk management program is supposed to be created by specialists in compliance, technology, information security, legal, human resources, and marketing.  In addition, the financial institution is to provide guidance and training for employees’ official use of social media.

Compliance Risk Management Expectations for Social Media

The components of this risk management program should include the following:

1. A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution and establish controls and ongoing assessment of risk in social media activities.  One must take note that the responsibility, as with a lot of things, is now thrust onto the board of directors or senior management.  It is important to make sure the members of the board or the senior manager are properly educated in the use of social media, as it is no longer a social distraction but is now a responsibility with clear liability.  Special emphasis should be placed on the requirement of clear roles and responsibilities given the fact that events that take place through social media happen rapidly and instantaneously.  A mess of liability could rear its head in an instant if roles are not defined and the responsible board of directors or senior manager is not savvy on the use and misuse of social media;

2. Policies and procedures regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations, and incorporation of guidance as appropriate.  This gives a financial institution very little guidance.  However, one must keep in mind that the size and complexity of the risk management program should be commensurate with the breadth of the financial institution’s involvement in social media.  In other words, the more extensively a financial institution is involved with the broadly defined medium of social media, the more extensive the content should be within the policies and procedures;

3. A risk management process for selecting and managing third-party relationships in connection with social media.  It is unclear what a “third-party relationship” is in this context.  Is this a vendor that signs up customers for accounts with a portable tablet at an event, is it a third party that runs the social media website, or is it in reference to a third party that accesses the social media?  This component is unclear;

4. An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities.  This is especially important when communicating with customers through social media;

5. An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party.  While it is difficult to imagine a financial institution that does not have an oversight process in place, if none exists, then a monitoring process should be implemented.  Such efforts and overhead might bring into question how accessible and open a financial institution should make a social media site, if at all;

6. Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations, and incorporation of guidance as appropriate; and

7. Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.  This might be the most important component, as a board of directors’ or senior manager’s naivety and ignorance will clearly not be tolerated as to social media.

To the extent that a financial institution uses social media to engage in lending, deposit services, or payment activities, it must comply with applicable laws and regulations.  Social media may be used to market products and originate new accounts.  When doing so, the financial institution is expected to take steps to ensure that it is in compliance with applicable consumer protection and compliance laws and regulations.

The Truth in Savings Act

The Truth in Savings Act imposes disclosure requirements in order for consumers to make informed decisions about deposit accounts.  Such disclosures include disclosures about fees, annual percentage yield, interest rate, and other terms.  A depository institution may not advertise deposit accounts in a way that is misleading or inaccurate or misrepresents the depository institution’s deposit contract.  If an electronic advertisement displays terms such as “bonus” or “APY”, then that advertisement is required to clearly state certain information, such as the minimum balance required to obtain the advertised APY or bonus.  Such required information may be provided via a link that directly takes the consumer to the additional information.  The depository institution should closely monitor and regulate how it advertises on a third-party social media platform in order to avoid the obvious pitfalls that present themselves regarding these required disclosures.

The Equal Credit Opportunity Act, Regulation B, and Gramm-Leach-Bliley Act

The Equal Credit Opportunity Act, implemented in Regulation B, prohibits creditors from making any oral or written statement, in advertising or other marketing techniques, to applicants or prospective applicants that would discourage a reasonable person from making or pursuing an application.  The creditor must observe the timeframes outlined in Regulation B for notification of application outcomes as well as preserve prescreened solicitations.  A creditor must also provide notice regarding specific reasons for application denial.  Additionally, the creditor cannot, with limited exceptions, request certain information regarding race, sex, national origin, age, or religion.  Social media can create a multitude of legal issues associated with these regulations.  This is especially true when dealing with a third party, be it a web host, a customer service representative communicating through instant messaging, or just third-party individuals commenting on a financial institution’s Twitter feed or Facebook page.  Constant vigilance is required to avoid comments and dealings that may intimidate, or that require personal information in order to interact, such as an age verification or demographic survey conducted by a third party.  Additionally, real-time applications via social media must have a trigger mechanism that will comply with any notice time frame required by Regulation B.  Finally, if a financial institution integrates social media components into customers’ online account experience or takes applications via social media portals, then it should clearly disclose its privacy policies as required by the Gramm-Leach-Bliley Act.  The method of providing such notices presents the financial institution with additional challenges.
All of these issues circulate back to the Guidance requiring clear roles and responsibilities as well as parameters for providing appropriate reporting to the board of directors and senior management for periodic evaluation of the social media programs.

The Community Reinvestment Act and Fair Credit Reporting Act

In addition to the problems that forums, Facebook pages, and Twitter feeds pose to a financial institution’s ability to comply with Regulation B, comments associated with these sites also can complicate compliance with the Community Reinvestment Act and the Fair Credit Reporting Act.  If a financial institution that acts as a depository institution must preserve written comments received from the public that specifically relate to the institution’s performance in helping meet the community’s needs, how is it going to handle the potentially colossal amount of comments received through a social media site that fall into this category?  This requirement is only meant for sites run by or on behalf of the institution.  What if a customer is directly disputing something through social media?  Is customer service through instant messaging a worthwhile convenience when dealing with these issues?  Is it worthwhile for an institution to allow comments to be made through its social media site?

Regulation Z

Any communication through a financial institution’s social media program in which credit products are advertised must comply with Regulation Z’s advertising provisions, given the broad scope of Regulation Z’s advertising definition.  A financial institution’s social media program must comply with the clear and conspicuous disclosure requirements for annual percentage rates, specific credit terms that reflect the actual terms of credit, and other loan features.  It should be noted that Regulation Z does provide for electronic advertisements to contain the required information on a table or schedule that is located on a different page if it is clearly conspicuous and there is a clear reference to the new page or location.  Social media does not exempt a financial institution from the required time frames of disclosure for a loan application.  The financial institution must ensure that any third-party operator of the social media program is constantly watching for any logistical breakdown of these disclosures.  If a link is inoperable or a disclosure is confusing or inconspicuous amongst a busy social media page, then the ultimate responsibility still lies with the board of directors or senior management.

The FDIC, NCUA, Real Estate Settlement Procedures Act, Fair Debt Collection Practices Act, and Section 5 of the Federal Trade Commission Act

The FDIC, NCUA, Real Estate Settlement Procedures Act, Fair Debt Collection Practices Act, and Section 5 of the Federal Trade Commission Act all have a hand in shaping a financial institution’s social media risk management program.  Is a third party associated with a financial institution’s social media program obtaining some sort of direct incentive for referrals to the financial institution?  Are there any independent social media websites that are conspicuously referring potential customers to the financial institution?  If so, what is the motivation?  Is a debt collector for the financial institution communicating with a debtor or associates of the debtor via social media?  If so, how are they communicating and what are they disclosing to the rest of the world?  Even if the debt collector believes a communication is exclusively with a debtor, how is the identity of the debtor verified through social media?  Are comments made on a financial institution’s social media platform abusive, unfair, or deceptive and therefore in violation of Dodd-Frank and/or Section 5 of the Federal Trade Commission Act?  Are all of these social media programs giving proper advertisement of FDIC membership or NCUA share insurance if deposit products are involved?  All of these issues require constant monitoring by the financial institution in order to afford it proper regulatory protection.

The Bank Secrecy Act

The Bank Secrecy Act requires depository institutions to have a compliance program that incorporates training from the operational staff to the board of directors, which is designed to limit and control risks and to achieve compliance with the Act.  Ultimately, the Bank Secrecy Act requires the institution to: maintain internal controls to implement a customer identification program; implement a risk-based customer due diligence policy, procedure, and process; understand expected customer activity; monitor for unusual or suspicious transactions; and maintain records of electronic funds transfers.  Obviously, a financial institution’s social media program will complicate these requirements.  The identities of those using social media, money laundering, and other illicit activities are all areas of concern that must be handled through the guidelines of the Bank Secrecy Act.

The Controlling the Assault of Non-Solicited Pornography and Marketing Act, the Telephone Consumer Protection Act, and the Children’s Online Privacy Protection Act

In addition to all of the regulatory issues previously mentioned, a financial institution will also need to make sure that the social media program in place takes into account relevant portions of the Controlling the Assault of Non-Solicited Pornography and Marketing Act, the Telephone Consumer Protection Act, and the Children’s Online Privacy Protection Act.  In other words, is the financial institution inadvertently collecting information from a child visiting its social media site, and what kind of spam, if any, is being directed to visitors or participants of these sites?


In summary, the purpose of the Federal Financial Institutions Examination Council’s “Social Media: Consumer Compliance Risk Management Guidance” publication is to help financial institutions understand and successfully manage the risks associated with the use of social media.  However, given the broad definition of social media put forth by the Guidance, it appears that managing the risks associated with social media is quite extensive and complicated.  Faced with accomplishing this task, a financial institution will either need to pull back on its use of social media or expand its risk management program in such a way that it can adequately monitor activity and provide effective information to the board of directors or responsible senior management.  Social media is no longer the wild west of cyberspace, and financial institutions are expected to recognize and adapt to this change.

No information in this article is intended to constitute legal advice.  For specific legal advice, please contact an attorney.

If you have any questions or would like more information about the Federal Financial Institutions Examination Council’s Consumer Compliance Risk Management Guidance on Social Media, please contact Eric Mettenbrink at 713.220.9141 or