Is your bank or credit union active on social media? If so, the law requires you to maintain a social media risk management program, and through this comprehensive guide, we’re going to show you how.
As a social media attorney for banks and a social media attorney for credit unions, our founder, Ethan Wall, has helped banks and credit unions maximize their social media presence while minimizing legal risks for over a decade at The Social Media Law Firm. We’ve assisted financial institutions just like yours in being both social and safe, and we’re here to guide you through the process.
In this article, we’ll cover three critical areas:
We’ll delve into the common social media risks that banks and credit unions face on a daily basis. These encompass advertising risks through your official bank channels, reputational risks stemming from your employees’ personal social media use, and compliance risks when employees use personal channels for bank business.
We’ll dissect the specific legal requirements imposed on banks and credit unions to maintain an active social media presence. We’ll discuss the Federal Financial Institution Examination Council (FFIEC) Social Media Guidance Memorandum and the complexities of compliance.
We’ll provide actionable steps to develop a robust social media risk management program. This includes establishing clear roles and responsibilities, crafting comprehensive social media policies, educating and training employees, third party risk management, monitoring and responding to social media activity, preserving social media content, and ensuring senior management oversight.
So, what are we waiting for? Let’s dive in!
There are three main types of risks that banks and credit unions face on social media:
Below, we’ll give you examples of how your financial institution can suffer serious legal consequences:
Your social media content is governed by the very same laws as other forms of advertising. This means that each post, story, or online interaction is governed by laws such as Fair Lending Laws, Anti-Discrimination Laws, Truth in Lending, Truth in Savings, the Equal Credit Opportunity Act, Community Reinvestment Act, and many more.
Your bank can violate these laws by not including the required disclosures on all of your content, failing to provide up to date and accurate hyperlinks to applicable terms, or boosting or advertising your content in a way that unlawfully discriminates.
Your financial institution can also get in serious trouble with regulators if you don’t actively monitor and timely respond to all questions and complaints, preserve your social media content on a regular basis, or monitor your employees’ social media use.
Failure to follow these laws can result in serious compliance, legal, and operational risks – including but not limited to, strict regulator scrutiny. So, developing proper guidelines, controls, and procedures is absolutely necessary.
What your employees say and do on social media can absolutely be used against you. All too often, employees will post harmful, insensitive, or sometimes downright rude comments on their personal social media profiles – especially in today’s politically charged climate.
These hurtful commentaries often occur away from work and outside of work hours. But your employees also list on their profiles that they work for your bank or credit union. This often leads to a series of complaints against your financial institution that can seriously damage your reputation.
But taking action against employees can be tricky. Employees have certain rights to communicate about their work and working conditions on social media – and firing someone based on their personal social media content could create employment-law risks for your financial institution.
So, maintaining adequate and lawful social media policies – and training your employees on these policies – is not only a best practice, it’s required.
We will dive deeper into social media employee training later in this article.
Lastly, but equally as important, there is a growing trend over the last couple years for employees to use their personal social media profiles and devices to conduct bank business.
The most common occurrence is commercial and residential loan officers using their personal LinkedIn profiles to drum up new business by promoting their expertise and financial products and connecting with potential customers.
Some bank employees are even using their personal devices and messaging apps, such as WhatsApp, to communicate with potential clients about securities and market updates.
This activity can have a major impact on your bank’s risk level – as the same laws that govern your official channels also extend to these personal profiles. Your bank or credit union needs to have special guidelines and training for these bank employees, or you can be held responsible for not properly overseeing these online activities.
As you can see, there are many dangerous risks that arise when your bank or credit union – and more specifically – your employees are active on social media.
This is exactly why the federal government requires all financial institutions to follow strict legal requirements to protect banks and consumers from harm. Let’s dive into exactly what is required.
A few years ago, the Federal Financial Institution Examination Council (FFIEC) released its Social Media Consumer Compliance Risk Management Guidance Memorandum.
Through this memorandum, the FFIEC confirmed that a wide array of financial laws applied to bank and credit union social media use – and put financial institutions on notice that non-compliance would not be tolerated.
But there were two problems with the FFIEC social media guidance:
First, it was supposed to provide short, easy to follow guidance on how various laws applied to social media. But this massive twenty plus page memorandum reads more like a complicated legal treatise. Upon diving into it, it seems longer than our Constitution, the Declaration of Independence, and even the financial laws themselves!
Secondly, while the memorandum is clear that compliance is necessary, there is no clear guidance on how to comply with the laws themselves. When it comes to social media, compliance can be especially complicated because certain laws govern what you can or can’t say, while others set forth what you can or can’t do. And the memo isn’t clear on any of this.
What the memorandum is clear on, however, is that every financial institution – big or small – that uses social media, or who has employees that use social media, must maintain a Social Media Risk Management Program that includes seven key components:
In the next few parts of this article, we’ll break down each of these seven key components of your risk management program.
In just a moment, we’re going to break down what is required under each of the seven elements of a social media risk management program. But before we do, allow us to supply some context into how our law firm helps put this together for our clients.
The first order of business, once we are retained, is to schedule a Kickoff Call with members of the bank or credit union’s social media team. Since the FFIEC requires that the program be designed with participants from all aspects of the bank, including Marketing, HR, and Compliance, we invite all social media stakeholders to attend.
During that call, each member of the team introduces themselves, raises their key areas of responsibility and concerns over social media, and asks any questions they may have. My colleagues and I then explain the process of preparing the risk management program, which can be fully put into place within a 3 to 6-month period. Best of all, all social media activities can continue while we put the program in place.
Next, we collect all existing social media policies, procedures, guidelines, and training programs that are already in place. This helps us analyze your current level of compliance and prioritize what needs to be updated or created. Thereafter, we set forth a roadmap of all the social media risk management deliverables and training that will be created to ensure you’re fully compliant.
Each month, our firm creates, revises, or implements aspects of the risk management program based on your bank or credit union’s priorities – and what the law requires. We schedule monthly status update calls to keep everyone on track – and remain available for questions throughout the entire program to give you complete peace of mind.
Now, with this backdrop in mind, let’s tackle each of the seven requirements of a Social Media Risk Management Program.
Below you will find the requirements of a social media risk management program. These requirements are necessary to protect your financial institution from social media legal dangers per the FFIEC.
The first aspect of the risk management program is to maintain clear roles and responsibilities as it relates to social media. In other words, regulators want to see who is managing the social media process from a legal, compliance, and marketing standpoint and understand their specific responsibilities.
Since these roles and responsibilities need to be laid out in a clear and easy-to-follow way, we collect an Organizational Flowchart that regulators are accustomed to seeing that can easily be updated as your organization grows or new team members step into these roles.
The most comprehensive part of your social media risk management program is your policies and procedures. The law requires you to maintain internal and up-to-date guidelines that cover the risks on all the different types of social media and online activities your institution and employees engage in. We dive deeper into these in the next section of this article.
Whether it’s training your employees on the do’s and don’ts of your social media policy or training your marketing and compliance department about how to comply with financial laws and regulations when sharing content on social media – training programs are required by law.
We recommend at least 2-3 training programs for your financial institution to be in compliance. Not sure what type of training you need? No need to fear! We discuss this in depth later in this article.
Your financial institution must maintain reasonable practices to manage third-party risk when it comes to social media. For example, your bank or credit union might hire a PR agency, a marketing agency, a technology vendor, or independent contractors that might be using social media in some form or another on your behalf. Since you are ultimately responsible for managing your social media presence and protecting your customers’ information, you must properly manage this risk through contracts, oversight, and vendor management procedures.
Your risk management program must also include oversight and monitoring procedures so that someone at your bank or credit union, or someone that you hire, is always monitoring questions, comments, and complaints and responding to people in a timely manner.
This doesn’t necessarily mean that you have someone monitoring comments 24/7, but you do need someone responsible for monitoring inquiries by consumers, escalating complaints and negative feedback appropriately, and responding timely to online comments.
According to the FFIEC, banks are required to preserve their social media content for compliance with the Community Reinvestment Act. Pursuant to the CRA, all questions, comments, and complaints about serving the community’s credit needs must be preserved for a three-year period and placed in a Public File. Since social media questions, comments, and inquiries can trigger CRA compliance, preservation of social media is a must.
Credit unions should also consider preserving their social media for risk management purposes. Consumers commonly complain about their comments going unanswered or seeing rates advertised that were not offered to them. The best way to defend against these charges is by preserving your social media regularly to prove the exact rates offered, the terms and conditions displayed with those rates, and responses to all online comments and inquiries.
Lastly, the FFIEC requires that you have sufficient senior management reporting and oversight for your social media activities. In other words, senior management must be involved in your social media strategy and how it helps to advance your bank or credit union’s strategic goals. They must also participate in your risk management program so regulators can confirm they understand what risks are in place and that they are properly managing them.
Now that we’ve covered the essential social media risk management program requirements, let’s dive deeper into some of the most common policies, procedures, and guidelines, starting with guidelines designed to address the Advertising Risks Through Your Official Bank Channels that are likely carried out by your marketing team:
If you maintain a social media profile that promotes products or services or even just community engagement, you must maintain guidelines and checklists for how to lawfully promote products and services. This comprehensive deliverable aids the marketing and compliance department on where, when, and how to include disclosures such as the Member FDIC or NCUA statement, Fair Housing Act compliance, or even links to your financial products terms and conditions.
Our firm prepares these checklists with a table of contents for each different financial product, so you know exactly what is required for each type of post.
Often, there is confusion about when, where, and how disclosures must be displayed. We recommend creating a visual guide that shows options for where these disclosures can be included on various social media platforms such as Facebook, Instagram, and Twitter.
Nearly all financial institutions have a procedure for handling complaints, but not when it comes to social media. Since questions and complaints can come anytime – day or night – and a quick response is often required, your financial institution needs to maintain guidelines for when and how to respond to positive, neutral, and negative feedback.
Our firm will update your existing procedures or create a new one to address social media specifically. We also create a bank of pre-approved responses to ensure your social media manager gets it right every time.
If your bank or credit union “boosts” its posts or advertises certain content to people who match certain demographics such as location, age, gender, or interests – you must comply with the Equal Credit Opportunity Act, Fair Housing Act, and Fair Lending laws or you risk a serious claim for discrimination.
We prepare guidelines for low risk, medium risk, and high-risk content so that you have safe procedures in place to enable your marketing department to innovate their advertising without the risk.
Running online giveaways is great, but if not done correctly, you may be running an illegal lottery. For a bank to run contests, sweepstakes, and online giveaways, you need a template for official rules, which are legally required to be published in connection with any online giveaways – along with checklists for when, where, and how legally required disclosures must be displayed.
This is just a representative sample of Advertising Guidelines that may be required for your financial institution. But there are many more that could be legally required such as:
Next, let’s discuss what policies are needed to guard against the Reputational Risks from your Employees Personal Social Media Use mentioned above. Without these policies, you can experience major reputational risks and uncertainty on how to control or discipline harmful employee speech:
If your bank has employees that use social media on the job or in their personal time, which, spoiler alert, is all of you, you must have an employee social media use policy. This HR policy sets forth the dos and don’ts for social media use for everyone from your President and CEO to the newest hire in your customer service department. Many banks and credit unions have this policy, but it is likely outdated and in need of major updates. This is the most common social media policy for banks that every financial institution needs.
If your employees leave online reviews about your bank or credit union, or post about your financial institution on their personal social media profiles, they could be inadvertently violating Truth in Advertising laws without you knowing it. On many occasions, employees need to clearly identify that they work for you when leaving positive comments and reviews for your bank. By having Employee Advocacy Guidelines in place, you can be confident your employees leave online reviews or promote the bank in a compliant manner.
Employees want to participate in your social media activities and often share your content onto their personal pages. But, if employees modify your content, add their own caption, or share job postings to their friends and followers, you could experience significant legal risks since their content isn’t run through compliance. These guidelines will make sure you and your employees are on the same page about what to share and how to share it.
Finally, let’s address Compliance Risks from Employees Using their Social Media for Bank Business. This is a mission-critical area to address as more-and-more loan officers wish to use their profiles to get new clients without having their activities approved by compliance:
These guidelines, procedures, and checklists are for employees who are authorized to use their professional social media profiles (including but not limited to, LinkedIn profiles) on the bank or credit union’s behalf to build relationships. The guidelines can include an appendix to address the use of Home Loan Officers that may be promoting mortgages or residential lending solutions to make sure it’s done safely and with the proper disclosures.
These are just examples of the types of policies and procedures that may be needed to guard you from risk. An evaluation of your unique online activities will present a clearer picture.
With this solid foundation, it’s time to focus on the training component of your social media risk management program. The FFIEC mandates that all banks and credit unions using social media maintain appropriate training. Depending on your institution’s social media activities, you may need different types of training programs. Let’s explore these training programs in detail:
This program is a fundamental requirement for every financial institution. It educates your entire workforce, from top management down to new hires, about your existing employee social media use policy, which is likely included in your employee handbook. Typically, this training program is pre-recorded and delivered to new employees during onboarding. It should also be conducted annually and updated to reflect any changes in social media policies, guidelines, or procedures. Training on employee social media use is crucial for proactive risk management and enforcement of policies.
This live training program is essential for your social media governance team, which includes members from marketing, compliance, legal, HR, and other relevant departments. Conducted through platforms like Zoom or WebEx, it provides an overview of the legal obligations and risks associated with your institution’s social media activities. The training covers topics such as fair lending laws, the Fair Housing Act, anti-discrimination laws, and how they apply to your specific social media practices. Additionally, it familiarizes team members with the various guidelines, policies, and procedures that comprise your social media risk management program. This training ensures that your governance team understands the legal framework and the tools available to mitigate risks effectively.
If you have employees who use their personal social media profiles for conducting bank or credit union business, you’ll need specialized training programs known as “line of business guidelines training.” These programs are specific to employees within particular lines of business, such as residential loan officers or commercial loan officers. The training ensures that these employees understand the policies, guidelines, procedures, and compliance requirements relevant to their roles. It’s crucial to have these training programs tailored to the specific needs and risks associated with each line of business.
By implementing these training programs, your financial institution can foster a culture of compliance and risk awareness among employees, reducing the likelihood of social media-related issues.
Additionally, having well-documented training records can serve as a valuable defense in case of legal disputes, as demonstrated in the example of the employee who posted defamatory content online.
Remember that training is an ongoing process. As social media platforms and regulations evolve, your institution must adapt and update its training programs to remain compliant and effectively manage social media risks.
Now that you understand the legal requirements for banks and credit unions on social media, the next step is to take action.
If your financial institution already has a social media risk management program in place, your next steps would be to conduct a social media risk assessment to evaluate your existing social media activities and determine whether you have all the required policies, procedures, and training programs in place to guard against these risks.
You’ll also want to evaluate whether you have implemented all the necessary components of an FFIEC-compliant risk management program we discussed, and if not, begin implementing them immediately.
If your bank or credit union doesn’t have a social media risk management program, or if you’re unsure whether you have a compliant program in place, we’d be happy to help.
At The Social Media Law Firm, we’ve helped hundreds of banks and credit unions learn about their social media risks and implement solutions to manage them. We can evaluate your level of risk and implement a social media risk management program that is tailored to your specific organizational needs in as little as three months.
Best of all, our firm works on a fixed monthly retainer – so you know exactly how much it will cost to get your social media risk management in place and get all your marketing activities back online safely. Just contact us, and we’d be happy to schedule a free consultation.
For more legal tips, follow The Social Media Law Firm on YouTube, Instagram, Facebook, or TikTok – and feel free to comment with questions anytime.