Regulatory Shocker On Social Media In Banking Coming Soon


Regulators in the US have issued a draft of proposed guidelines governing social media use by banks and credit unions — everything from Twitter to FarmVille. The bottom line? You’ll need to have a formal written strategy, monitor social mentions and yes… even measure ROI.

The Federal Financial Institutions Examination Council (FFIEC) has released proposed guidance on policies concerning social media usage by banks, savings associations and credit unions.

The FFIEC says the use of social media by financial institutions to attract and interact with customers can affect their risk profile. The FFIEC policy document outlines the potential consumer compliance, legal, privacy, reputational and operational risks associated with social media, along with guidelines for how those risks should be managed. (You can view the original FFIEC document in its entirety here.)

The FFIEC considers “social media” to include any form of interactive online communication in which users can generate and share content through text, images, audio and/or video — including, but not limited to, micro-blogging sites (e.g., Facebook, Google Plus, MySpace, and Twitter); forums, blogs, customer review web sites and bulletin boards (e.g., Yelp); photo and video sites (e.g., Flickr and YouTube); sites that enable professional networking (e.g., LinkedIn); virtual worlds (e.g., Second Life); and social games (e.g., FarmVille).

The FFIEC says every financial institution’s social media plan should be designed with participation from compliance, IT, information security, legal, human resources and marketing. The size and complexity of each financial institution’s plan would be dependent on the scale of their involvement in social media.

The guidelines suggest even financial institutions that aren’t currently engaged in social channels might be required to have a plan in place: “A financial institution that has chosen not to use social media should still be prepared to address the potential for negative comments or complaints that may arise within social media platforms, and provide guidance for employee use of social media.”

In other words, the FFIEC wants all banks and credit unions to be prepared for the (inevitable) negative feedback they will (eventually) encounter somewhere in the online social sphere.


So What Are the Specifics?

Here’s how the FFIEC proposes financial institutions should manage social media risks. The components of the plan include:

Social Media Strategy Now Required – A governance structure with clear roles and responsibilities whereby the board of directors and/or senior management spell out how use of social media contributes to the strategic goals of the institution, while also spelling out what kind of controls will be put in place, and how ongoing social media risks will be assessed.

Regular Reporting of ROI – The FFIEC is calling for regular reports to the financial institution’s board of directors and/or senior management, “enabling a periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.” Sounds like financial marketers will have to start tracking social media’s ROI. Gulp…

Monitoring of Social Channels Mandated – The FFIEC is calling for all financial institutions to have an oversight process for monitoring information posted to social media sites administered by the financial institution or a contracted third party.

Put Formal Social Media Policies & Procedures in Place – All financial institutions need to implement policies regarding the use and monitoring of social media, and compliance with all applicable consumer protection laws. Social media policies should incorporate procedures addressing risks from online postings, edits and replies.

Tightly Manage Third-Party Vendors to Ensure Customers Are Protected – Customer privacy and security of their financial data are a top concern. Financial institutions working with third-party social media vendors will be required to manage those relationships within defined parameters to ensure compliance with all regulations.

You Have to Tell Employees What’s Okay and What’s Not – Banks and credit unions will need an employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities.

Compliance Protocols – Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance.

Don’t Show This List to Your Compliance Department

The 31-page document issued by the FFIEC contains a laundry list of various laws and regulations they say apply to a financial institution’s use of social channels. This amounts to hundreds — possibly even thousands — of pages of regulatory material. It’s enough to paralyze any compliance person to the point where nothing would seem appropriate to post on any social network. Ugh…

  • Truth in Savings Act/Regulation DD and Part 707
  • Fair Lending Laws: Equal Credit Opportunity Act/Regulation B
  • Fair Housing Act
  • Truth in Lending Act/Regulation Z
  • Real Estate Settlement Procedures Act
  • Fair Debt Collection Practices Act
  • Unfair, Deceptive, or Abusive Acts or Practices
  • Deposit Insurance or Share Insurance
  • Electronic Fund Transfer Act/Regulation E
  • Bank Secrecy Act
  • Community Reinvestment Act
  • Gramm-Leach-Bliley Act Privacy Rules and Data Security Guidelines
  • CAN-SPAM Act
  • Telephone Consumer Protection Act
  • Children’s Online Privacy Protection Act
  • Fair Credit Reporting Act

Have an Opinion? Give ’Em an Earful

The FFIEC is inviting comments, saying it wants to hear from both banks and credit unions on any aspect of the proposed guidance. They are specifically seeking feedback on the following questions:

  • Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?
  • Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?
  • Are there any technological or other impediments to financial institutions’ compliance with applicable laws, regulations, and policies when using social media of which the Agencies should be aware?

You can submit your comments, or view others’ comments and materials related to the FFIEC’s guidelines, by visiting the Federal eRulemaking Portal. On the portal, click the “Advanced Search” option (located in the bottom-right corner of the “Search” box), scroll down to the “By Docket ID” search box, type “FFIEC-2013-0001,” and hit “Enter.”

Comments must be received by mid-March. Be careful what you say, though: all comments will be posted without change, including any personal information provided.


This article was originally published on January 23, 2013. All content © 2018 by The Financial Brand and may not be reproduced by any means without permission.


  1. Blergh…my compliance people forwarded this to me this morning. Thank you for reporting on it in a language I can actually understand.

  2. Dear FFIEC — Very nice..

    The idea of having this type of compliance lets us into the minds of the people that almost sent us to our ruin, economically..

    This might as well have been written by our friends, “The Borg”..

    Stay out of it, so we can resist our mock and scorn for your incompetence and lack of understanding about social media..

  3. Tim McAlpine says:

    Thanks for the great recap Jeffry. I’ll have to dig in and read the full proposal document. I agree with James Robert’s points. As a starting point, all FIs should get their social media policy in place. There’s a great free tool that can help you get started. The end product should be vetted by HR and compliance.

    I also like the idea of posting your policies directly on your public website as well. Vancity in Canada does a nice job of this. Here and here. Straightforward language that everyone can understand.

  4. Wow… where to begin? This is a reactive and obviously out of touch group of people enacting “law” without fully thinking it through. However there are some positive aspects as well that I think may be for the best for everyone. My take below:

    Social Media Strategy Now Required – Totally down with this. It will help eliminate the majority of the crappy posts/updates many credit unions are making about rates, weather and closings. But a strategy takes time and I thought social media was free. Wrong: social media is not free

    Regular Reporting of ROI – Makes sense. If you take the time to do an actual strategy beyond “we’re going to post 2 times a day, once in the morning and once in the afternoon” you may actually be able to show some kind of return. But I thought social media was free and we don’t have the time/resources to implement the strategy AND report on if it’s working. Wrong: social media is not free

    Monitoring of Social Channels Mandated – I can dig this if it means that a credit union must do more than just one way communication about rates, weather and closings. Taking the time to actually listen (monitor), learn and engage could be a good thing. But I thought social media was free and we don’t have the time/resources to monitor our social channels. Wrong: social media is not free

    Put Formal Social Media Policies & Procedures in Place – I am all about creating policies and guidelines, which is very much needed in this realm as it will help to clean up a lot of the social BS and for sure kill the idea that “social media is free”.

    Tightly Manage Third-Party Vendors to Ensure Customers Are Protected – I see this is where it can get very tricky very quickly. Does this mean Hootsuite will have to be managed by every single credit union using them? What about Facebook, Twitter, YouTube or any other social integration app? How about Hubspot? MailChimp? What about Currency Marketing and their relationships with credit unions running the Young & Free program?

    You Have to Tell Employees What’s Okay and What’s Not – Having guidelines is good, but at the same time they cannot be pre-written robotic scripts. Keep in mind the first word of social media is “social”. Someone may have to go off script from time to time to be human.

    Compliance Protocols – And this is where it just gets downright stupid. The compliance you noted makes any social media effort at this point useless due to the amount of time needed to “audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance.”

    Many good points I agree with from a strategic side; however, I think a reactive stance on this from a government regulatory body might take things too far without thinking things all the way through.

    Before you know it, we could be back to sending letters through the mail. Oh wait… now there is a real conspiracy theory behind all this. Let’s make it almost impossible for FIs to use or want to use social media so that we force them to send mail once again and resurrect the US Postal Service.

  5. James, good questions about managing social media vendors.

    The primary issues are privacy and data security. The final, formal wording of the policy will probably say something along the lines that a “financial institution will take the steps necessary and perform proper due diligence to ensure consumer data remains private and secure.” Regulators will probably extend a lot of leeway to major sites like Twitter and Hootsuite. But what about Facebook…? Well, that could be an entirely different story. As we all know, Facebook could care less about people’s privacy.

    The spirit of the regulation is that financial institutions should be asking questions and investigating the security of their social media vendors. How can you be sure the vendor isn’t accessing the data as well, perhaps using it for some other purpose (maybe not even intentionally)? Do you know their servers are reasonably secure?

    The easiest workaround would be to exchange no sensitive customer data. This would seem to be the case with Young & Free, which is primarily a marketing program. The biggest concern the Young & Free folks will probably have is making sure no one can get a hold of members’ contact info like email addresses (which Y&F is probably already doing sufficiently).

    Really, the regulations are effectively calling for more stringent due diligence when customer service is provided in social channels (okay, really we’re just talking about Twitter, and maybe Facebook). Essentially no customer data is exchanged in YouTube, Hootsuite, Hubspot, and other sites. If you just publish a blog, some YouTube videos, a few tweets and some Facebook posts (like most FIs), you probably won’t have to worry. You can even exchange information publicly with people — like answering common questions — without raising red flags.

    The sad truth is: Very few banks and credit unions get ANY customers saying ANYTHING to them, so most won’t have to worry about this at all — whether they use social media vendors or not.

    Bottom line? What regulators seem to be saying is, “If what you’re doing anything that triggers any compliance laws, rules or regulations, then you need to hold your social media vendors accountable at the same standards as you would yourself.”

    Protect customer data, obey the laws and make sure your vendors do the same, and everything should be alright.

    As an example, think about some of the banks that are toying with “virtual branches” on Facebook. The bank has to partner with a developer to build the Facebook app. It’s the bank’s responsibility to ensure the app developer can’t access sensitive customer data, and that the app is built in a secure manner — something that can’t be easily hacked. The bank needs to understand how the vendor intends to “route” data through the web — how many nodes, how many servers will data be stored on, where are these servers and who has access to them? What kind of encryption is involved?

  6. Helpful article. These types of conversations have been happening for several years within the securities industry, so there are key learnings that may be applied to the retail banking world. There are four areas of risk that need to be mitigated before deploying social media:

    1) Data leakage – need to prevent firm and client information from being leaked out either inadvertently or maliciously from the enterprise.

    2) Incoming threats – social media users are susceptible to malware as they view themselves as part of a tribe and tend to click on any link sent by a “friend.”

    3) Compliance – there are thousands of rules and regulations that govern the communications of publicly held corporations, banks and firms in general. For example, securities regulators didn’t issue new rules and regulations around social media — as it’s viewed as just another form of written communications. In short, business communications need to be captured, archived and made available for ediscovery. Firms also need to demonstrate to the regulators that they are supervising these communications to make sure they are appropriate.

    4) User Behavior – now that every employee can be the face of the business, you either have a powerful marketing tool or your worst nightmare.

    All these risks can be mitigated by strong corporate polices, backed up with technology and training.

    You may find my blog about FFIEC Guidance helpful for more details.

    “Upcoming Guidance for the Use of Social Media for Retail Banking from FFIEC”

  7. Great insights. Thanks for sharing Joanna.

  8. I appreciate all the comments here, as well as the recap article that is provided. James Robert, I agree with all of your points and think that a lot of this is fine and a good idea to implement. At Verity, we do a lot of social media, but we do have written guidelines in place and every employee is required to sign a social media policy. Considering the goals of social media are important, but what if you don’t think it is about ROI through the channel and your board is ok with that? Do we need to show that “I spent x amount of time and that generated x new accounts” or something like that? It is so difficult to track that sort of thing and determining ROI in this channel is incredibly difficult and up for interpretation. As long as it stays in the broad scope and just requires everyone to think and plan what they want to do and hope to accomplish through the channel, I think it is ok. Editor, I really liked the comments you provided as well. The one thing that really concerns me is the potential impact of all those regulatory acts and things that may need to be taken into account on every post…

  9. Steve Topper says:

    What’s really important here is “who” is actually behind this draconian legislation, “who” stands to gain if it becomes law, and “what” do they stand to gain. I see it as a “follow the money” exercise.

  10. Deb Schaffer says:

    Thanks for breaking down the 31 pages. And, thanks to those who’ve commented thus far. The insight is most helpful.

    Right on, James Robert! Social media is NOT free. (Or rather, it CAN be. And we all know “you get what you pay for”, right?)

    If the acronyms TOS, RT, HT, MT, PRT, DM, ROI and SEO can’t be explained by your social media manager, you might want to consider another employee for the position. And, if NO ONE on staff has any experience with social media besides their own personal FB accounts, you just might want to look to a social media marketing firm to manage your accounts for you.

    Many FIs have flocked to social media as they perceive it as a “free medium” to advertise. (Yawn.) While the tools are free, you need to know how to use them. And sadly…a lot of marketers don’t understand that this medium operates unlike any platform we have seen before.

    While there has most likely been a lot of “eye rolling” going on in the last week, let’s face it…we NEED these regulations as desperately as we need qualified social media managers/marketers.

  11. Steve,

    You are absolutely right: “following the money” would almost always lead you to the real motives and characters behind any political decision. But that doesn’t seem to be the case here. It’s hard to see where there’s any money involved. While some folks will find the proposed regulations annoying, even perhaps “draconian,” it seems this is just another instance of run-of-the-mill bureaucracy. You’ve got a committee — the FFIEC — comprised of other committees, all tasked with regulating the financial industry. So that’s what they’re trying to do… “regulate.”

    The creation of the FFIEC traces back to March 1979. The FFIEC has six voting members:

    • one Governor from the board of the Federal Reserve System
    • the Chairman of the FDIC
    • the Chairman of the NCUA
    • the Comptroller of the Currency
    • the Director of the CFPB
    • the Chairman of the State Liaison Committee

  12. Certainly a broad and overwhelming guideline given the number of regulations it touches and broad mix of technologies that could potentially be classified as “social media.”

    Regardless, the spirit of the guideline is in the right place given the potential risks financial institutions face from regulatory, liability and brand perspectives if they don’t set up a cross-organization governance program to control and manage their social media efforts. Clearly a flexible framework that addresses the various forms and touch points of social media is required to bring transparency and accountability to this area, regardless of whatever emerges as the final set of guidelines and the invariably resultant additional regulations. Working with clients we have found the following to be some of the key points to address.
    – Not taking a wait and see approach – social media is already being used within your organization and outbound to the market, whether you know about it or like it or not
    – Understanding the different roles in defining and executing a social media strategy – boards members, executives, risk, marketing, IT, third-party vendors/suppliers and rank and file staff
    – Balancing rules based and principles based social media policies and procedures that remain enforceable as social media continues a rapid evolution
    – Clearly articulating rules, policies and procedures and training the workforce on social media compliance; note this is an ongoing and recurring process
    – Developing contingency, remediation and enforcement plans for when policies and procedures lapses invariably occur, from small scale infractions to major breaches

    We have produced a series of articles collectively entitled The Social Banker that address these and other key points in managing and exploiting (in a good way!) social media’s usage in financial institutions, including some good real world case studies and examples. Follow this link to access these articles.

  13. Credit unions using social media should already have a written policy that contains guidelines and rules. That part of any new legislation shouldn’t be difficult to handle.

    As for ROI – it looks as if the credit union itself will define the “investment.” As long as the rules are being followed and the credit union’s management can show the board that members are being better engaged, this shouldn’t cause an issue either.

    The section above “Don’t Show This List To Your Compliance Department” states that there could be thousands of pages involved in regulations like this. TRANSLATION: credit unions have plenty of time to prepare for all of this.

    And as James Robert seems to suggest – if the burdens become too heavy, credit unions will simply not use social media anymore – THEN the FFIEC will probably hear from the members – 93 million or so at last count – many of which subscribe to their credit union’s social media feeds.

  14. Does anyone have any general idea when the final approved guidance will be released?

  15. This article covers all the touch points for prudent risk management within a financial institution. I wholeheartedly agree with the proposed regulations, which address some of the risk factors and internal controls necessary to mitigate social media activities. As a former banker who has integrated emerging technologies into organizations, rolled out new products, and established infrastructures for efficiency purposes, all functional areas impacted by the change require attention.

    What I find interesting in this proposal is that whether the entity participates in social media or not, a program still needs to be created to address the negative comments for brand management purposes.

    Good job FFIEC in covering most of the bases.

  16. One point of clarification, Cathy. The proposed regs say you have to have a plan, but it doesn’t say you have to respond to negative comments. A plan might include monitoring the social web for negative comments, capturing any and circulating among management to see if a response is warranted, then respond within 24 hours if necessary/appropriate. It’s possible that a plan could be to not respond to any comments — positive or negative.

  17. April Alford says:

    Do you have any helpful information in reference to a person identifying themselves as a customer of your bank on social media? Are there rules against this? We are being told we should delete this post because the customer said they had several CDs with us.

  18. Hi April,

    Compliance people and lawyers are going to tell you to do anything and everything to protect customers, even if it isn’t required by regulators. Is it a little risky for a customer to announce on the internet where they have their banking relationships? Yes, because they are setting themselves up to get phished. But it’s also their own fault/decision. Personally, I don’t think it’s very smart and I wouldn’t do it, but I don’t think there are any regulations against it. I think that posting personal information like account numbers and SS# is something you’d be expected to delete, and quickly. But if you look around the web, you’ll see tens of thousands of people declaring they have [financial product X] at [bank Y].

    If what your compliance people are saying is true, then all the Twitter accounts like @BofA_Help @Ask_Citi and others couldn’t even exist. They have people flooding in daily announcing they have some sort of relationship with those institutions, and those tweets aren’t deleted.

    Jeffry Pilcher, The Financial Brand

  19. April Alford says:

    Thank you so much for your response! I have done a good bit of research and I haven’t found any regulations against it either, but I understand that protecting our customers’ privacy should be number one. I am from a marketing background though, and I think that, as far as social media is concerned, deleting comments (negative or positive) is frowned upon.
