Proposed FFIEC Guidance on Financial Institution Social Media Use


The Federal Financial Institutions Examination Council (FFIEC) released for comment on January 17 its proposed Social Media: Consumer Compliance Risk Management Guidance. There is a 60-day comment period. The purpose of the guidance is to help banks, savings associations, credit unions, and non-bank entities supervised by the Consumer Financial Protection Bureau (CFPB) understand and address the risks that arise because federal consumer protection and compliance laws apply to activities conducted through social media.

The guidance begins with the premise that a financial institution’s use of social media to interact with customers can affect the institution’s risk profile, not only through legal and compliance risk but also through related operational and reputational risk. To address these risks, the FFIEC recommends that financial institutions adopt a risk management program to identify, monitor, and control the risks associated with their use of social media. The complexity of the program should be commensurate with the risks created by the nature and scope of the institution’s use of social media. The guidance identifies seven components that the social media risk management program should contain: (1) a governance structure; (2) policies and procedures; (3) a process for vetting and managing third-party vendors; (4) employee training; (5) monitoring of posts to the institution’s proprietary social media sites; (6) audit and compliance functions to ensure ongoing compliance; and (7) parameters for reporting to management on the effectiveness of the program.

The guidance then discusses in greater detail the risks created by social media use. Under the compliance and legal risk section, there is a summary of laws and regulations that may apply when a financial institution uses social media. The laws discussed include Truth in Savings, Fair Lending, Fair Housing, Truth in Lending, RESPA, FDCPA, UDAAP, EFTA, BSA/AML, and privacy (GLBA, COPPA, TCPA, CAN-SPAM). Under the discussion of reputational risk, there is a recommendation that financial institutions adopt policies addressing employee participation in social media, a topic with employment law implications in light of recent NLRB decisions. The operational risk discussion is brief: institutions should safeguard customer data, particularly because social media accounts are targets for account takeover and social media platforms are used to distribute malware. Accordingly, the guidance recommends that an institution’s incident response policy address social media as appropriate.

The FFIEC is specifically seeking comments by March 18 on the following questions:

1. Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?

2. Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?

3. Are there any technological or other impediments to financial institutions’ compliance with applicable laws, regulations, and policies when using social media of which the Agencies should be aware?


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by: BakerHostetler