Attorney stands in a coworking space

Social Media Compliance

Social Media Compliance for Banks & Credit Unions: The Complete FFIEC Guide

Key Highlights

  • What FFIEC social media guidance requires from banks and credit unions
  • Which federal regulations apply to financial institution social media activity
  • The seven core components of an FFIEC-aligned risk management program
  • Advertising disclosure requirements for deposit accounts, credit, and lending products
  • Legal rules governing bank and credit union giveaways and sweepstakes on social media
  • Common compliance gaps identified during regulatory examinations
  • When to involve a social media attorney for banks in your compliance program

Social media has become a primary channel for customer engagement, product promotion, and community outreach at banks and credit unions across the country. It has also become one of the most scrutinized areas of compliance. Every post, comment, sponsored ad, and employee interaction on social media is subject to the same federal laws and regulations that govern traditional bank marketing; and regulators expect financial institutions to have documented programs in place to manage that risk.

The Federal Financial Institutions Examination Council’s (FFIEC) Social Media: Consumer Compliance Risk Management Guidance — commonly called the FFIEC Social Media Guidance — is the primary framework for understanding what regulators expect. It does not create new laws. Instead, it clarifies how existing consumer protection requirements apply to social media activity and establishes supervisory expectations for governance, oversight, and risk management.

This guide covers the full scope of social media compliance obligations for banks and credit unions: the regulatory framework, what an FFIEC-aligned program must include, advertising disclosure requirements, giveaway rules, and the compliance gaps most commonly identified during examinations.

What Is FFIEC Social Media Guidance and Why Does It Matter?

The FFIEC Social Media Guidance applies broadly across the financial services sector: to banks supervised by the FDIC, Federal Reserve, and Office of the Comptroller of the Currency, as well as credit unions, savings associations, and other covered institutions. 

Its core message is straightforward: existing compliance obligations do not disappear because a financial institution is communicating on social media rather than in a branch or a print advertisement.

Regulators increasingly evaluate social media activity as part of marketing, complaint management, and overall compliance controls during examinations. Institutions without documented policies and oversight processes face elevated regulatory risk. The guidance makes clear that each institution must tailor its social media compliance program to its size, complexity, and level of activity. A large regional bank running paid social campaigns faces materially different obligations than a small community credit union with a single Facebook page. That said, both need a documented program.

Which Federal Regulations Apply to Bank Social Media Activity?

The FFIEC guidance consolidates obligations from multiple existing laws. Key regulations that directly affect how financial institutions use social media include:

  • Truth in Savings Act (TISA): requires clear disclosure of fees, APY, interest rates, and account terms when promoting deposit products.
  • Truth in Lending Act (TILA): requires accurate disclosure of credit terms and fees in any social media content advertising loans or credit products.
  • Equal Credit Opportunity Act (ECOA): prohibits discriminatory advertising or marketing in credit promotions.
  • Fair Housing Act (FHA): prohibits discriminatory marketing of housing and mortgage products; requires Equal Housing Lender disclosures.
  • Community Reinvestment Act (CRA): requires institutions to monitor, preserve, and respond to social media comments and complaints for their public file.
  • Bank Secrecy Act (BSA): applies recordkeeping and monitoring obligations to social media communications.
  • UDAAP (Unfair, Deceptive, or Abusive Acts or Practices): Consumer Financial Protection Bureau (CFPB) standard that applies to all consumer-facing social media content, including promotional posts.
  • FTC Truth in Advertising: applies to all financial institution marketing, including influencer partnerships and sponsored content.

For a plain-English breakdown of how each of these regulations applies specifically to social media posts, see: Which Regulations Cover the Use of Social Media by Financial Institutions?

What Must an FFIEC Social Media Risk Management Program Include?

The FFIEC guidance requires every financial institution that uses social media to maintain a formal, documented social media risk management program. 

There is no one-size-fits-all template — the program must reflect the institution’s specific risk profile, platforms used, and level of social media activity. Examiners will look for evidence that the program is actively maintained, not just written down.

The seven core components regulators expect to see are:

  • Governance structure: senior management accountability and board-level awareness of social media risk. Clear assignment of oversight responsibility.
  • Written policies and procedures: covering acceptable platforms, content standards, approval workflows, escalation processes, and compliance obligations. Generic or outdated policies are a common examination finding.
  • Employee training: covering both the institution’s HR social media policy (personal use) and marketing/compliance training on advertising requirements.
  • Third-party risk management: oversight of vendors, agencies, and influencers posting on the institution’s behalf or under its brand.
  • Consumer complaint monitoring and response: active monitoring of all social media channels for complaints, with documented timely responses.
  • Content preservation and recordkeeping: archiving posts, comments, and metadata for regulatory review and CRA compliance.
  • Audit and oversight: periodic review of the program’s effectiveness and updates as platforms, regulations, or institutional activity changes.

For a detailed guide to building each component, see: How to Create a Social Media Risk Management Program for Banks and Credit Unions

Advertising Disclosure Requirements for Bank Social Media Posts

Social media posts promoting financial products are advertisements subject to the same disclosure requirements as print, broadcast, and digital ads. The standard is clear and conspicuous placement. Disclosures must be visible and understandable without requiring the audience to search, scroll, or click away from the post.

FDIC and NCUA Advertising Statement Requirements

Any social media post promoting an insured deposit product must include the official advertising statement: “Member FDIC” for banks, or “Federally Insured by NCUA” for credit unions. This requirement applies to both the institution’s profile page and to individual posts promoting insured products, including posts that appear in users’ news feeds.  The statement must appear on the post itself, either in the text or in the image, and must be prominently placed. It is not sufficient to include it only in a website footer or linked document.

For a practical breakdown of exactly when and where the statement is required, see: How to Correctly Add the Member FDIC Statement on Social Media

Credit and Loan Advertising on Social Media

Any social media content advertising credit or loan products must include accurate, complete information about rates, fees, and terms. The most common compliant approach is to include a clearly visible hyperlink directing users to the complete terms and conditions. Promoting “low interest loans” or “best rates” without qualifying detail or an APR disclosure may constitute a UDAAP violation. Compliance and legal review of promotional content before posting is standard practice at well-governed institutions.

For CRA-specific recordkeeping obligations related to social media comments and complaints, see: Social Media Compliance for Banks: CRA Compliance

Can Banks and Credit Unions Run Social Media Giveaways?

Yes, but with significant legal constraints that do not apply to non-regulated businesses. Banks and credit unions that run social media giveaways or sweepstakes must navigate both standard sweepstakes law and financial institution-specific compliance requirements simultaneously. Getting one wrong creates risk under the other.

From a sweepstakes law perspective, any promotion must avoid the three elements of an illegal lottery: prize, chance, and consideration. For financial institutions, “consideration” is particularly important: requiring someone to open an account, make a deposit, or take any financial action to enter a giveaway may constitute illegal consideration under state law. Promotional rules must be clearly written, conspicuously disclosed, and legally reviewed before the promotion launches.

From a compliance perspective, any giveaway promoted on social media must go through the institution’s standard marketing approval workflow, include required advertising disclosures, and be documented in accordance with recordkeeping requirements. Institutions that boost giveaway posts as paid ads face additional FTC disclosure obligations.

For a full breakdown of what banks need to run a legally compliant giveaway, see: What Do Banks Need to Run Giveaways? 

Common Social Media Compliance Gaps Identified During Examinations

Based on examination findings and enforcement patterns, the compliance gaps regulators most frequently identify at financial institutions include:

  • Outdated or generic social media policies: policies that have not been updated to reflect current platforms, posting practices, or regulatory requirements.
  • Inadequate FDIC/NCUA statement placement: missing or insufficiently prominent advertising statements on posts promoting insured products.
  • No documented complaint monitoring process: failure to actively monitor, respond to, and preserve social media comments and complaints.
  • Third-party oversight gaps: no formal review process for content posted by marketing agencies, influencers, or vendors on the institution’s behalf.
  • Insufficient employee training: employees unaware of the institution’s social media policy or advertising compliance requirements.
  • No content archiving program: failure to preserve social media posts and interactions for CRA public file and regulatory review purposes.

When Should a Bank or Credit Union Involve a Social Media Attorney?

A social media attorney for banks is most valuable during three distinct moments: before launching a new social media program or platform, before a regulatory examination, and when a compliance issue has already been identified. In each case, the cost of legal guidance is substantially lower than the cost of an examination finding, an enforcement action, or a consumer complaint that escalates.

The Social Media Law Firm has worked with banks and credit unions on social media compliance for over a decade. Our team conducts social media risk assessments, builds and updates risk management programs, reviews marketing content for compliance, and advises on giveaway and influencer engagement rules. Institutions operating on a retainer model benefit from ongoing guidance as platforms and regulations evolve, rather than seeking legal review only after a problem has emerged.

For a full overview of how legal support integrates into a compliance program, see: Social Media Risk Assessments. To discuss your institution’s compliance program, contact us for a free consultation.

Frequently Asked Questions

Does FFIEC social media guidance apply to all financial institutions?

Yes. The FFIEC Social Media Guidance applies broadly to banks supervised by the FDIC, Federal Reserve, and OCC, as well as credit unions, savings associations, and other covered financial institutions. Even institutions with minimal social media activity — such as a small community bank with only a Facebook page for community updates — are expected to have a documented risk management program in place. The scope and complexity of that program should be proportionate to the institution’s size, activities, and risk profile, but the requirement to have one is universal.

Does every social media post need a Member FDIC disclosure?

No. Only posts promoting insured financial products require the Member FDIC or Federally Insured by NCUA statement. Posts about community events, employee spotlights, or general brand content do not trigger the disclosure requirement. However, the line between general brand content and product promotion can be blurry, particularly for posts that reference savings accounts, checking products, or interest rates in any context. 

When in doubt, including the statement is the safer approach. Institutions should establish clear internal guidelines about which content categories require the disclosure and build that review into the content approval workflow.

Can a bank or credit union use influencers for social media marketing?

Yes, but influencer content is subject to the same compliance requirements as institution-owned posts. This includes FTC disclosure requirements for sponsored content, advertising accuracy standards under TILA and UDAAP, and the institution’s own content approval process. 

Financial institutions cannot outsource compliance responsibility to the influencer. If an influencer posts non-compliant content on the institution’s behalf, the institution remains accountable. Any influencer partnership should be governed by a written agreement and reviewed before launch by the compliance and legal team. See also: Influencer Marketing Compliance for Banks and Credit Unions.

What happens if a bank fails a social media compliance examination?

Examination findings related to social media compliance can range from informal guidance and required corrective action to formal enforcement orders and civil money penalties depending on severity and the institution’s history. Common outcomes include required policy updates, mandatory staff training, enhanced monitoring obligations, and in serious cases, referral to the institution’s primary regulator for formal action. Institutions that can demonstrate a documented, actively maintained compliance program — even one with identified gaps — are generally in a better position than those that have no formal program at all. Proactive compliance review before an examination is consistently more cost-effective than reactive remediation.

How often should a bank’s social media compliance program be reviewed?

At minimum annually, and whenever there is a material change in the institution’s social media activity, platforms used, or applicable regulations. 

Common triggers for an interim review include launching a new platform, beginning paid advertising, introducing influencer partnerships, hiring new marketing staff, or receiving a compliance complaint related to social media content. 

Many institutions build a formal annual review into their compliance calendar and supplement it with quarterly spot checks of content approval workflows and complaint monitoring logs. Working with a social media attorney on a retainer basis ensures that regulatory changes are addressed promptly rather than discovered during an examination.

Author
Ethan Wall, Esq.
Founding Attorney, The Social Media Law Firm
Nationally Recognized Social Media Lawyer

Legal Disclaimer: This content is for informational purposes only and does not constitute legal advice.

For more legal tips, give us a follow on InstagramTikTokLinkedin, or check out our YouTube Channel.

Subscribe to The Social Media Lawcast on Spotify Podcasts.


The Social Media Lawcast logo

Let us help you protect and grow your business.

READY TO GET STARTED?

SEND US A MESSAGE

    As featured on

    Have questions about your situation? Get answers in a consult. Schedule a Free Consultation →