Social Media Compliance

Which Regulations Cover the Use of Social Media by Financial Institutions?

Key Highlights

  • Why existing federal laws govern bank and credit union social media use
  • The eight primary regulations that apply to financial institution social media activity
  • How the FFIEC Social Media Guidance consolidates these obligations into a compliance framework
  • What UDAAP means for promotional social media content and why it matters
  • Advertising disclosure requirements for deposit accounts, credit products, and housing
  • How the CRA, BSA, and recordkeeping rules apply to social media communications
  • When to involve a social media attorney for banks in your compliance program

Banks and credit unions operating social media accounts are not in an unregulated space. Every post, comment, sponsored advertisement, and employee interaction on social media is subject to the same federal laws and regulations that govern traditional bank marketing and communications. The channels have changed, but the legal obligations have not.

This creates a compliance challenge that many financial institutions underestimate. Laws written before social media existed were not designed with Instagram posts or TikTok promotions in mind, which means applying them to digital marketing requires deliberate interpretation and ongoing review. The Federal Financial Institutions Examination Council (FFIEC) addressed this directly through its Social Media: Consumer Compliance Risk Management Guidance, which clarifies how existing law applies to social media and what regulators expect institutions to have in place.

Below is a plain-English breakdown of the eight primary federal regulations that apply to financial institution social media use, including what each requires, and how it applies in practice.

The FFIEC Social Media Guidance: The Starting Framework

The Federal Financial Institutions Examination Council’s Social Media Guidance does not create new law. Instead, it serves as the authoritative framework that consolidates existing regulatory obligations and clarifies how they apply to social media activity.

The guidance applies to all FFIEC member agencies: the Federal Reserve, Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), National Credit Union Administration, Consumer Financial Protection Bureau, and state regulators. This means that it covers banks, credit unions, and savings associations across the financial sector.

The guidance establishes that financial institutions must maintain a formal social media risk management program that addresses governance, written policies, employee training, third-party oversight, consumer complaint monitoring, and content archiving. Examiners review social media activity as part of routine compliance examinations. Institutions without documented programs face elevated regulatory risk regardless of the size or frequency of their social media activity.

For a full breakdown of what an FFIEC-aligned program must include, see: Social Media Compliance for Banks & Credit Unions: The Complete FFIEC Guide

Eight Federal Regulations That Apply to Bank Social Media Use

1. Truth in Savings Act (TISA)

TISA requires financial institutions to make specific disclosures when advertising deposit accounts, including savings accounts, checking accounts, and CDs. Required disclosures include fees, annual percentage yield (APY), interest rates, and applicable terms and conditions. Any social media post promoting a deposit product triggers TISA obligations. A post announcing “3.5% APY on savings accounts” must include the qualifying disclosures required by the regulation, either directly in the post or through a clear and prominent link to a page containing the complete terms.

2. Truth in Lending Act (TILA)

TILA governs the disclosure of credit terms when advertising loans, mortgages, credit cards, and other lending products. Social media content that references rates, monthly payments, or promotional credit terms must include accurate, complete disclosures. Promotional language like “low rates” or “best mortgage in town” without APR or qualification details may constitute a TILA violation. The standard compliance approach is to include a hyperlink directing users to a landing page with the complete, regulation-compliant terms.

3. Equal Credit Opportunity Act (ECOA)

ECOA prohibits financial institutions from discriminating against credit applicants on the basis of race, color, religion, national origin, sex, marital status, age, or receipt of public assistance. On social media, ECOA applies to how and where credit products are advertised, including the use of platform targeting tools. Using Facebook or Instagram’s audience targeting features to exclude protected classes from seeing credit product advertisements has been an active area of regulatory and enforcement focus. Financial institutions should review their social media advertising targeting practices against ECOA requirements.

4. Fair Housing Act (FHA)

The FHA prohibits discriminatory advertising in the sale, rental, and financing of housing. For financial institutions, this applies to social media promotion of mortgage products and real estate-related financial services. Posts promoting mortgage products must include the Equal Housing Lender logo or statement. Like ECOA, the FHA has been applied to algorithmic targeting decisions. Institutions using social media platforms to target housing-related ads must ensure their targeting parameters do not exclude protected classes.

5. UDAAP — Unfair, Deceptive, or Abusive Acts or Practices

UDAAP is the CFPB’s broad consumer protection standard that applies to all consumer-facing financial institution communications, including social media content. An act or practice is unfair if it causes or is likely to cause substantial consumer injury that is not outweighed by benefits and that consumers cannot reasonably avoid. It is deceptive if it misleads or is likely to mislead a reasonable consumer. It is abusive if it takes advantage of consumers’ lack of understanding or their inability to protect their own interests.

In practice, UDAAP applies to promotional posts that overstate benefits, obscure fees, make misleading comparisons, or omit material information that a consumer would need to make an informed decision. It is one of the most broadly applied regulations in CFPB examinations and one of the most common sources of enforcement actions related to digital marketing.

6. Community Reinvestment Act (CRA)

The CRA requires financial institutions to actively meet the credit needs of the communities they serve, including low- and moderate-income neighborhoods. On social media, CRA compliance manifests primarily through recordkeeping requirements: institutions must monitor, preserve, and respond to public comments and complaints received through social media channels, and maintain those records in their CRA public file. A comment on a Facebook post from a community member about a branch closure or lending practice is a public communication that may trigger CRA documentation obligations. For a detailed breakdown, see: Social Media Compliance for Banks: CRA Compliance

7. Bank Secrecy Act (BSA)

The BSA establishes recordkeeping and reporting requirements designed to prevent money laundering and financial crimes. While the BSA’s primary focus is on transaction monitoring and suspicious activity reporting, it extends to social media in the context of recordkeeping obligations. Communications made through social media channels — including direct messages, comments, and promotional content — may be subject to BSA recordkeeping requirements depending on their content and context. Institutions should ensure their social media archiving programs capture all relevant communications.

8. FTC Truth in Advertising

Federal Trade Commission advertising regulations apply to all financial institution marketing, including social media. This includes the requirement that all advertising claims be truthful, substantiated, and not misleading. For institutions that use influencers, ambassadors, or paid promoters to advertise on social media, FTC endorsement disclosure requirements apply — the material connection between the institution and the promoter must be clearly and conspicuously disclosed. Institutions cannot outsource compliance responsibility to the influencer; if non-compliant content is published on the institution’s behalf, the institution remains liable.

Additional Regulations That May Apply

Depending on the institution’s activities, several additional regulatory frameworks may apply to social media use:

  • CAN-SPAM Act: applies to commercial email marketing, including email campaigns promoted through or linked from social media.
  • Real Estate Settlement Procedures Act (RESPA): governs the marketing of settlement services related to mortgage transactions, including referral arrangements that may be promoted on social media.
  • Gramm-Leach-Bliley Act (GLBA): data privacy requirements that apply when social media activity involves the collection or use of customer financial information.
  • FDIC/NCUA Advertising Rule: requires prominent placement of the Member FDIC or Federally Insured by NCUA statement on posts promoting insured deposit products.

For guidance on FDIC/NCUA statement placement specifically, see: How to Correctly Add the Member FDIC Statement on Social Media

What This Means for Your Social Media Program

The breadth of regulation that applies to financial institution social media is the reason the FFIEC guidance emphasizes a formal, documented compliance program rather than ad hoc review.

No single staff member can hold all of these regulatory frameworks in mind simultaneously while reviewing a promotional post or responding to a customer comment. Compliance requires systems: written policies, approval workflows, employee training, monitoring processes, and documentation.

Institutions that treat social media as informal or unregulated consistently encounter examination findings. Those that have built structured programs with legal oversight find that social media becomes a manageable compliance function rather than a recurring source of regulatory risk.

The Social Media Law Firm has worked with banks and credit unions on social media compliance for over a decade. Our team conducts social media risk assessments, builds and updates compliance programs, reviews marketing content, and advises on the full range of regulatory obligations described above. If your institution needs a compliance review or program update, contact us for a free consultation.

Frequently Asked Questions

Does FFIEC guidance create new laws for banks on social media?

No. The FFIEC Social Media Guidance does not create new legal obligations. It clarifies how existing federal consumer protection and compliance laws apply to social media activity, and establishes supervisory expectations for what regulators want to see in terms of risk management programs and oversight.

The underlying regulations — TISA, TILA, ECOA, UDAAP, and others — already applied to bank marketing before social media existed. The guidance simply makes explicit that these obligations extend to digital channels.

Does every social media post by a bank need a legal disclaimer?

Not every post requires a formal legal disclaimer, but posts that promote specific financial products or services typically require disclosures.

Posts about deposit accounts must include TISA-required rate and fee disclosures. Posts promoting credit products must meet TILA requirements. Posts about housing-related financial products require Fair Housing Act disclosures. Community content, employee spotlights, and general brand posts typically do not trigger disclosure requirements — but the line between general brand content and product promotion can be blurry, and institutions should establish internal guidelines that address which content categories require legal review before posting.

Can a bank use social media influencers to promote its products?

Yes, but with significant compliance obligations. Influencer content published on behalf of a financial institution is subject to the same regulatory framework as institution-owned content — including TILA, TISA, UDAAP, and FTC disclosure requirements. Institutions cannot outsource compliance responsibility to the influencer.

Any influencer partnership should be governed by a written agreement that specifies compliance requirements, requires disclosure of the material connection, and subjects content to legal and compliance review before publication. Influencer content that violates advertising regulations creates liability for the institution, not just the influencer.

What happens if a bank’s social media post violates UDAAP?

UDAAP violations identified during examinations can result in formal enforcement actions, civil money penalties, required remediation, and mandatory program improvements. The CFPB has broad enforcement authority over UDAAP and has pursued actions against financial institutions for misleading digital marketing practices, including those conducted on social media. Even informal findings during examinations — short of formal enforcement — can require institutions to implement corrective measures and demonstrate improved compliance in subsequent reviews. The reputational consequences of a public UDAAP enforcement action can be significant for community banks and credit unions whose business depends on local trust.

How often should a bank review its social media compliance program?

At minimum annually, and whenever there is a material change in the institution’s social media activity, platforms used, or applicable regulations.

Common triggers for an interim review include launching on a new platform, beginning paid social media advertising, implementing influencer or ambassador partnerships, or receiving a compliance-related complaint through social media channels.

The FFIEC guidance emphasizes that compliance programs must be tailored to the institution’s specific risk profile and updated as that profile changes. A static compliance program that is not regularly reviewed and updated is itself an examination finding waiting to happen.


Author
Ethan Wall, Esq.
Founding Attorney, The Social Media Law Firm
Nationally Recognized Social Media Lawyer

Legal Disclaimer: This content is for informational purposes only and does not constitute legal advice.

