Managing the Compliance Risks of Social Media

By Michael Angstadt, Solution Architect

Managing risk at a financial institution is no simple job.  Between increasing regulation, managing vendor relationships, and making sure your policies keep up with emerging technologies, it’s no wonder independent community financial institutions are overwhelmed.  A huge focus in emerging technologies when it comes to compliance is social media.  It introduces a unique set of risks in that it both connects millions of people and yet anonymously exposes potentially sensitive personal information or communications.  Popular social media outlets thrive on lowering the barriers to communication access for virtually everyone on the planet with an Internet-enabled device, but what you say is on the record publicly and permanently.  As a brand communication tool, the potential to develop new business, personally engage your current customers, and establish an audience for your brand is certainly intriguing, but is not without its share of additional complexity.

For years, regulatory agencies like the FFIEC have been monitoring financial institutions’ capabilities to manage the risks associated with social media digital communication outlets.  The FFIEC Final Guidance issued in 2013 in conjunction with the OCC, Board of Governors of the Federal Reserve, FDIC, NCUA, CFPB, and the SLC established the foundation for most institutions when it comes to guiding their processes and policies.  For a community institution, there are a few key areas outlined within the guidance to focus on when it comes to social media policy and compliance.


It is a common and required practice to maintain an organization-specific social media risk policy which governs various aspects of digital and social communication. Here are a few things to consider when developing and implementing such policies.

– If you’re using social media for FI marketing:

  • What are the goals?
  • How does social media fit into the strategy of the bank or credit union?
  • How are you monitoring what is being said? (by you or a third-party consultant publishing content on your organization’s behalf)

– In terms of employees:

  • What are your policies for social media usage?
  • What checks do you have in place to ensure you’re internally compliant?
  • Do you have internal training or on-boarding that addresses your social media policies?
  • How do these policies fit into on-going compliance at large for your organization?
  • What is the cadence for auditing these external and internal policies?

Of course, all of this policy needs to be coordinated and approved by the Board of Directors so that they’re thoroughly abreast of the strategic position of the FI in terms of social media.

Why Is It A Big Deal?

By breaking down privacy walls and engaging a global audience, social media has a unique ability to expose all sorts of opportunities to violate consumer protection regulations, compromise sensitive data, introduce internal ethical dilemmas, as well as tarnish your institution’s brand or reputation. Those additional risks, even just reputational, have the opportunity to significantly impact your FI.

When it comes to protecting the consumer, it’s all about documentation and disclosure—there is no casual use of social media at a financial institution.  Your organization’s employees have to be conscious that social media is considered your customer’s personal information and needs to be disclosed if it is used in a decision-making process—especially when it comes to lending.  If your business development team is using social media as a source for lead generation, they’re required to preserve any search and filtering criteria they’ve used in order to identify those potential customers.

Reputational risk is a real thing that can have a significant impact in an industry where credibility is so foundational.  Before you embark into new social media channels, consider the implications of managing this new outlet.  Who is responsible for generating content?  What about access control?  Is this outlet for sales, marketing, customer service, or all three?

The reality is that the medium is new, the penalties aren’t.  Although social media presents a variety of new ways to connect people around the world, social media activity is still very much governed by the same consumer protection, information access, and public communications regulations which have always applied to financial institutions’ interactions with the public.

Who Needs to Be Involved in Creating Your Social Media Risk Management Policy?

The FFIEC recommends that participants from a variety of disciplines at your organization (including compliance, legal, technology, marketing and human resources) be involved in the formulation of the social media risk management policy. How in-depth your policy needs to be depends on how much your organization leverages social media communication outlets.

Need a place to start? Check out what CBANC has to offer for social media risk assessments and policies here.

What Is Your Organization Saying?

Nothing a financial institution prints—even on social media—is off the record. If your organization is going as far as to engage and procure new customers via social media, the same rules as traditional advertising apply. That means you can’t tweet anything about ‘APR’ without including all of the same disclaimers required for a similar newspaper advertisement.  Establishing a plan for what your organization’s online voice will be is an important aspect of brand management.

What Are Your Employees Saying and Seeing?

Your key team members’ personal accounts present the same opportunity for reputational risk. Merely reading potential customers’ social media content could be a violation of consumer protection regulations if it provides personal consumer information to employees outside the boundaries of legal procurement.

Internal Training

New social media outlets are invented every day, so it helps to stay fresh with your team about the organization’s expectations around these budding technologies. By teaching your team how to use social media professionally and encouraging them to engage your market at large, your credit union or bank can generate new business, deliver higher quality personalized service to existing customers and expand the positive reach of your brand.

Digging Deeper

Managing the social media policies and procedures for your organization can be daunting—especially with so much else on your plate as a community financial institution. Start by breaking down the components required by compliance, and tackle what makes pragmatic sense for your market and size. Then, begin the internal conversation and you’ll be well on your way to making social media work for you.
