Back To Top

FFIEC Guidance on Social Media

Greetings! It’s been a while since I’ve had a chance to churn out a blog.  I plan to correct that right now.

The deTECH team spends most of our time doing IT Audit and assurance work for Financial Institutions (FI). And although the goal of deTECH is broader than FI’s, sometimes we need to let you, our terrific readers, know about relevant stuff—like FFIEC’s Docket No. FFIEC-2013-001. Boring name. Interesting implications. And for those of you outside of banking, we love you too.  Just know that often, a regulation or recommendation that happens inside the banking world ends up affecting other industries.  Plus, examiners are doing this to protect you, the consumer. So don’t check out just yet.

If you haven’t heard, all the cool kids are doing “Social Media” on the internet. Always the quintessential cool kid, the FFIEC has proposed guidance on FIs’ use of Social Media.  More specifically, the guidance addresses the risk management of using social media.  This post isn’t designed to be a comprehensive overview, but rather 1) to make sure FI’s know that guidance is forthcoming and 2) give you an opportunity to comment, as requested by the FFIEC.  No, they haven’t established a Facebook page for you to submit your comments.

FFIEC defines social media as,

A form of interactive online communication in which users can generate and share content through text, images, audio, and/or video. Social media can take many forms including, but not limited to, micro-blogging sites; forums, blogs; customer review websites and bulletin boards; photo and video sites; sites that enable professional networking; virtual worlds; and social games. Social media can be distinguished from other online media in that the communication tends to be more interactive.

They also list some specific sites,

·         Facebook

·         Google+

·         MySpace

·         Twitter

·         Yelp

·         Flicker

·         YouTube

·         LinkedIn

·         Second Life

·         FarmVille


I chuckle at the thought of an auditor or examiner reviewing your Facebook Farm or Second Life account. But I digress. The Guidance outlines how FI’s are expected to manage social media risk, and all the basics of risk management are here: Governance with clear roles and responsibilities; Policies and Procedures (and we can assume risk assessments); Due diligence for selecting third party service provider relationships in connection with social media; employee training; audit and compliance to ensure procedures are aligned with policies; reporting and periodic evaluation by the Board or senior management.


The compliance piece of the social media risk may prove the most voluminous and cumbersome to navigate. This is really important if your FI is in the business of opening accounts through some form of social media.   When implementing a social media program, you’ll have to make sure all of the applicable laws and regulations are met, including, but not limited to, Truth in Savings/Truth in Lending, Fair Housing Act, RESPA, FDCPA, etc. Not to mention customer information protection requirements like GLBA.  Consider a less sophisticated user using your bank’s Facebook page to request a transfer or activity on their account.


You may be thinking that your bank doesn’t participate in social media. The reality is, whether your bank does or does not, it does.  If you search LinkedIn or Facebook for your bank’s name, it will appear, your logo will be there, and maybe even contact information is included. A risk exists that someone other than an officer of your bank can take ownership and make changes to that site.

Perhaps the most visible area to consider is the fast two way communication between customer and bank using social media. Or even the communication between customer (or perhaps former customer) and potential customers. An uncontrolled message can quickly grow and create a myriad of unintended consequences.  The overarching goal of the FFIEC’s guidance, from what I gather, is that the Bank must control the message delivered through social media, and respond to any customer complaints and comments.

Uses of Social Media

The most common uses of social media I’ve seen include Facebook pages to promote new products, highlight community activities by bank employees, and provide contact and location information. Another use is creating a YouTube channel and post promotional or instruction videos.  I’m a fan of the thorough training program from Target. The Guidance touches on employees’ use of social media as well, basically saying the FI should establish its own policies on dealing with it.

In the end, social media appears to be staying put. Like we did with the internet, we can embrace social media or banish it until our customers start asking for it.  It’s going to evolve and change and provide benefits and risks. Regardless, it looks like the examiners will want to know your stance and risk management strategy for social media.