Covering the Bases
New FFIEC guidance helps clarify how banks should manage the various opportunities and potential problems of using social media
By Nanette Stanley
The Federal Financial Institutions Examination Council says that its new Social Media Guidance, released in December, does not impose any new requirements on financial institutions. “Rather, it is intended to help financial institutions understand potential consumer compliance and legal risks, as well as related risks such as reputation and operational risks, associated with the use of social media, along with expectations for managing those risks,” the agency reports.
The FFIEC guidance defines social media as “a form of interactive online communication in which users can generate and share content through text, images, audio and/or video.” It also states, “For purposes of this Guidance, messages sent via email or text message, standing alone, do not constitute social media.”
Since at least 2010, bank examiners have included in their exams pointed questions about banks' use of social media. These questions include whether banks use social media to promote their products and services and what controls they have in place, including policies and procedures. As a result of the updated guidance, regulatory expectations for banks using social media will begin to include the following types of controls:
An authority structure for the use of social media. This may include direction from the board of directors or senior management on how social media should contribute to the bank’s goals. The direction should also address risk guidance for social media.
Policies and procedures that establish the use and controls of social media. It is advisable to establish an online posting policy that details, among other requirements, acceptable language for the bank and its staff to use over social media channels.
A risk management process for selecting and managing third-party relationships. Regulators are concerned about the “reputational” risks to which these providers could expose banks.
An employee training program that addresses policies and procedures for using social media. These programs should also identify what use of social media is not permitted. Employee statements over social media can be viewed by the public as being reflective of the financial institution’s official policies.
A process designed to monitor and respond to information posted to proprietary social media sites.
Effective audit and compliance oversight to ensure compliance with internal policies, laws and regulations.
Appropriate reporting to the board of directors or senior management that permits the periodic evaluation of the financial institution’s social media efforts.
The FFIEC guidance says that social media can be used to communicate a number of forms of information, including marketing campaigns for new products and services, customer complaints, loan pricing, and deposit interest rates.
There are some additional aspects of the Social Media Guidance of which you should be aware:
The guidance is flexible. It recognizes that banks vary widely in their complexity, usage, where and how they are operating, and who is permitted to post.
The guidance does not provide a complete review of the applicable rules and regulations. All advertising requirements apply to social media.
The guidance applies to banks that are active on social media and to those that are not. Even if your bank is not active on social media, there are still expectations that it will address the activity in its policies and procedures. Your bank’s employee training should also address the topic.
The guidance provides a slightly new definition of social media, though it has a noteworthy exception for stand-alone email in normal daily use.
Social media records should be maintained for two years from the date of release.
In summary, the FFIEC guidance says that social media, if used appropriately, can be a constructive tool that can yield immediate and measurable results. If not used properly and not thoroughly monitored, however, it can result in reputational exposure accompanied by compliance, legal and operational risks that would need to be documented thoroughly.
It’s clear that regulators want to stay informed because there are still many unknowns. A decision to enter or stay in this aspect of customer communications should be well thought out and deliberate.
Nanette Stanley (email@example.com) is a compliance director with Chartwell Compliance.