Credit Unions | FEBRUARY 27, 2014

On Compliance: Social Media Risk Management

Social media guidance clarifies old rules apply to new media

In December 2013, the Federal Financial Institutions Examination Council (FFIEC) finalized guidance on Social Media Risk Management (the “Guidance”). The FFIEC includes the National Credit Union Administration, and the State Liaison Committee has encouraged state regulators to adopt the Guidance. Thus, the Guidance applies to both state and federally chartered credit unions.

What is Social Media?

The Guidance defines social media broadly as a “form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.” Examples include Facebook, Google Plus, Twitter, blogs, consumer review websites such as Yelp, Flickr, YouTube, and LinkedIn.

No New Requirements?

The Guidance clearly states that “it does not impose any new requirements on financial institutions.” Rather, the FFIEC indicates the Guidance was issued to help financial institutions understand the applicability of existing requirements and supervisory expectations associated with using social media. In other words, the Guidance clarifies that existing regulatory requirements apply to social media just as they do to other media. For example, the same advertising disclosure rules that apply to a newspaper ad also apply to a Facebook ad. This clarification from the FFIEC – and, specifically, the lack of any exemptions for social media – increases the risks facing credit unions using social media.

Importance of Risk Management Program

Engaging with members in social media is not a free lunch. Credit unions face increased compliance, legal, operational and reputation risks. A key component to a credit union’s social media approach needs to be a comprehensive risk management program. The FFIEC’s guidance indicates a successful program includes:

  • A governance structure with clear roles and responsibilities and a directive from the Board or senior management on how social media contributes to the strategic goals of the credit union;
  • Established controls and ongoing assessment of risk in social media activities;
  • Policies and procedures regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations;
  • A due diligence process for selecting and managing third-party relationships;
  • An employee training program that incorporates the credit union’s policies and procedures for official, work-related use of social media;
  • An oversight process for monitoring information posted to social media sites;
  • Audit and compliance functions to ensure ongoing compliance with internal policies and applicable consumer protection laws and regulations; and
  • Parameters for providing appropriate reporting to the credit union’s Board or senior management that enables periodic evaluation of the effectiveness of the social media program.

In short, credit unions engaging members (and non-members) in social media need to understand, review and manage the risks related to that engagement.

Specific Risks – Advertising Disclosures

While an overall risk assessment is a necessity, so is establishing specific compliance and legal reviews of the credit union’s social media activity. For example, posting a Facebook update about the credit union’s mortgage rates or the credit union’s “refer a member” campaign could trigger advertising disclosure requirements. This can prove especially difficult for social media – such as Twitter – that include character limitations.

While the Guidance does not provide any exceptions for social media advertisements, credit unions can utilize existing flexibility for electronic advertisements by providing disclosures via an electronic link. As usual, the flexibility is not uniform and credit unions must review which disclosures can be provided through links and which ones must be included directly in the advertisement. To help manage the compliance and legal risks, credit unions should establish procedures to review social media advertisements to ensure they include all the required disclosures.

Specific Risks – Member Complaints

Social media provides a unique way for credit unions to engage with their members (and potential members). However, it also presents members with a unique way to engage with the credit union. Members are not shy about voicing their frustrations through social media and credit unions should have procedures in place to handle member complaints. For example, a member’s complaint on social media not only presents reputation risks but could also trigger the credit union’s error resolution requirements for a debit card or a mortgage loan or even be considered a direct dispute under the Fair Credit Reporting Act. Detailed member complaint procedures and appropriate employee training can help the credit union manage compliance and reputation risks simultaneously.


While the specific risks above are examples, a credit union needs to have a comprehensive risk management program to properly assess and manage social media risks. Further, the continued use of unfair, deceptive or abusive acts or practices (UDAAP) powers by regulators clearly demonstrates this need. As a credit union’s social media usage expands and evolves, its risk management procedures must be reviewed and analyzed as well. By doing so, the credit union will help ensure a valuable avenue to engage with existing and future members.