It May be Time to Update that Social Media Policy: FFIEC Releases Social Media Guidance

Intellectual Property   |   March 31, 2014

On December 11, 2013, the Federal Financial Institutions Examination Council (FFIEC) released final supervisory guidance entitled "Social Media: Consumer Compliance Risk Management Guidance" (the Guidance). The Guidance became effective upon its release. The FFIEC is an interagency body for the following five federal regulatory agencies: Office of the Comptroller of the Currency (OCC); the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation (FDIC); the National Credit Union Administration (NCUA); and the Consumer Financial Protection Bureau (CFPB) (collectively, Agencies). The FFIEC is empowered to prescribe uniform principles and standards for the examination of financial institutions and to make recommendations to promote uniformity in their supervision. The Agencies will use the Guidance in their supervision of institutions, and the FFIEC’s State Liaison Committee will encourage state regulators to adopt the Guidance.

The Guidance states that it does not impose any new requirements on financial institutions, but is designed as a guide to help financial institutions understand the applicability of existing requirements and supervisory expectations associated with social media use. The Guidance defines "social media" as any form of interactive online communication in which users can generate and share content through text, images, audio, and/or video. It notes that messages sent via traditional email or text message, standing alone, do not constitute social media, but messages sent through social media channels are considered social media.

The Guidance states that financial institutions should have a risk management program in place allowing them to identify, measure, monitor, and control the risks related to social media. The scope of the institution’s program should be commensurate with the breadth of its involvement in social media. The program should include a governance structure, policies and procedures for social media use, a risk management process for selecting and monitoring third-party relationships in connection with social media, an employee training program, an oversight policy for monitoring information posted on proprietary social media sites, audit and compliance functions, and parameters for reporting to the board of directors or senior management to enable their periodic evaluations of the program.

The Guidance identifies three broad categories of social media risk (compliance and legal risk, reputational risk, and operational risk) and sets forth guidelines for managing each. With respect to compliance and legal risk, the Guidance establishes guidelines broken down by specific laws and regulations relating to deposit and lending products; payment systems; Bank Secrecy Act/Anti-Money Laundering; Community Reinvestment Act (CRA); and privacy. Financial institutions are likely to find the compliance and legal risk section the most detailed, relevant, and instructive of the three broad categories. The described reputational risks overlap somewhat with the compliance and legal risks category, and also include guidance for managing social media risk associated with fraud and brand identity, consumer complaints, and employee use of social media. The operational risk guidance is brief and refers to previously issued guidance.

©2023 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP.
