Check Your Watch: It’s Time to Update Your Social Media Policy Again | Wolters Kluwer

    by Barbara Boccia, CRCM, MBA, JD

    Published May 23, 2018

    When was the last time you reviewed and updated your Social Media policy and procedures? Today, Facebook is firmly entrenched as a daily news source, Twitter has expanded its limits from 140 to 280 characters, and emojis now replace words. Now is the time to revisit your Social Media Program and think more about how your institution interacts with the public, as well as consider ways to identify, measure, monitor and mitigate associated risks.

    Looking Back 

    Back in the early 2000’s, social media was taking root by early adopters, and blossomed about the time of Facebook’s launch to the general public in 2006. Compliance had very little regulatory guidance at the time, as we scrambled to transfer principles from the paper world over to the electronic world.

    Financial Industry Regulatory Authority (FINRA) was the first regulator to issue guidance on social media. In 2010, FINRA issued Regulatory Notice 10-06, providing guidance for broker dealers and registered investment advisors on communications with the public via blogs and social media sites. General principles established the need for recordkeeping, and provided guidance relating to the suitability of content and supervision. FINRA followed up with additional clarifications and applicability to new technologies with Regulatory Notice 11-39 in 2011. While not all financial institutions (FIs) were subject to FINRA, given the silence of prudential regulators, many FIs adopted social media policies and procedures (“PnPs”) to some degree guided by these general guidelines, creating “best practices.”

    In 2013, the Federal Financial Institutions Examination Council (FFIEC) issued guidance which, while not imposing any specific requirements on FIs, did help FIs understand potential consumer compliance and legal risks. It also provided guidelines on conducting risk assessments, and on crafting and evaluating PnPs for social media and website communications. Additional guidance for social media and website communications has been issued by the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC) and the National Labor Relations Board (NLRB). (The FTC has a good online resource center for Advertising and Marketing that includes a section for Online Advertising and Marketing:

    Most recently, in April 2017, FINRA revisited this growing online presence with Regulatory Notice 17-18, which may once again influence “best practices” for the entire financial services industry. It takes on more complicated issues that have evolved, including the increasingly blurred lines between business and personal communications, the explosion of text messaging as a standard form of communication, the potential responsibility for content via hyperlinks, and customer testimonials.

    FINRA also provided an update on the prevalence of social media. It cited an October 2015 study from the Pew Research Center, indicating that 65% of adults use social networking sites as compared to 7%, just 10 years earlier. In April 2016, Facebook Messenger reported 900 million monthly active users, and WeChat reported in March 2016 that it had added nearly 200 million monthly active users in the previous year.

    It seems as if social media changes at the speed of light. Every time policies and procedures are set, technology advances and it is time to review the plan again. While every review is different, and guidance may change and evolve, the following “how to” guide should be helpful for updating your social media policies.

    Step One: Take Inventory 

    It is no easy task to take inventory of your institution’s social media channels and website footprint. Social media involves more than just your marketing department promoting or advertising products or services. It can be very granular, at the branch level, through loan officers or other E2C avenues (e.g., employee to consumer outreach) or C2E (e.g., consumer discussions, feedback, complaints to an employee)—and this engagement can be with existing or potential customers. This form of instantaneous, interactive consumer dialogue tends to be both informal and dynamic, and because it occurs in real time—in a less secure environment—it presents some unique challenges to financial institutions.

    Social media and other websites also frequently enable the use of “native advertising,” where advertising content matches the form and function of the platform on which it appears. This may make it difficult for a consumer to discern that this is actually advertising, so it could be misleading or deceptive without the FI realizing the potential for inadvertently creating a UDAAP (unfair, deceptive or abusive act or practice) issue.

    Institutions often engage third parties to assist in spreading their social media footprint, and those vendors may generate posts or replies to consumers. Social media presence might also be generated by social media sites without the FI’s knowledge. For example, LinkedIn might associate the institution’s brand and logo in communications that an employee otherwise perceives as personal or private. Facebook could generate a page by web-crawling for information purposes (compliments of Facebook) and tag it as an “unofficial” page. However, once “someone” at the FI validates the page, Facebook will replace the “unofficial” tag with a checkmark, meaning it is now an official page.

    Step Two: Define Your Social Media Risk Management Program

    While this blend of technology and personal interaction can create value for an institution, social media can also significantly impact an FI’s risk profile. The speed and spread of information can be extraordinary—in a matter of minutes, an FI’s brand and reputation, consumer confidence, and stock value could all plummet. Does your institution have a “what if” scenario in place to respond?

    The FFIEC guidance is intended to help FIs identify social media risk across every regulation, and encourages oversight and risk management by specialists from Compliance, Legal, Technology, Information Security, and Human Resources—all in addition to Marketing. This goes beyond simple training to avoid obvious risks such as RESPA kickback violations. This requires a top-down approach, with a governance structure set by the Board of Directors and senior management to direct clear roles and responsibilities for how social media should be used to align with strategic goals.

    Therefore, it is not surprising that some institutions go beyond wrapping social media risks within a generic “marketing” risk, or carrying just a single line item for “social media” on their Risk Assessment. A focused Social Media Risk Assessment will be specific in identifying who is posting, where, and what is being posted. This includes:

    • Identification of all potential risks impacted by social media, including but not limited to risks related to Complaint Management systems, Deposit and Lending products, Payment systems, BSA/AML programs, CRA programs, privacy issues, fraud, brand and identity concerns, third party management systems, operational risks, and related reputation concerns.
    • A situational analysis of social channels currently in use that may impact risks, documentation of activity, and methods for monitoring to identify where communication pops up across social media.
    • The identification of controls to mitigate risks, including detailed PnPs and training that set forth the institution’s “rules of engagement”—clearly helping employees understand what is, and is not, permitted; a review and approval process; and how to escalate issues and observations.
    • A Risk Management Plan tailored to the FI’s size, activities and risk profile. It should also provide for a defined record retention component, which can get complicated with an ever-changing online environment.
    • The institution’s Complaint Management and Third-Party Vendor Management programs should integrate issue identification and response controls to follow social media communications throughout the institution’s processes and social footprint.

    (Guidance can be found at

    Step Three: The Feedback Loop—Monitoring, Fraud and IT Security

    FFIEC specifically requests that FIs consider the use of monitoring tools and software that monitor not only for consumer complaints, but also for other mentions, including the fraudulent use of the institution’s brand. It is critical to set up your “listening channels”—and there are a wide variety of automated tools to help you, such as:

    • A dedicated email address to help sort through updates, and then identify a variety of automated solutions to cast a wide net tailored to your institution’s footprint;
    • Google Alerts to track where and when your institution’s name is mentioned;
    • LinkedIn Connections, Facebook and Twitter profile settings and services to notify you about mentions; and
    • Paid services such as Cision can be used to monitor when your FI is mentioned in the press. They can also be used to monitor key words or phrases that are important to your institution.

    Additionally, FIs may be exposed to or have access to a consumer’s Personally Identifying Information (PII) such as a full name, birthdate, and address/hometown as listed on the social media site. You should determine how this information is used by your FI, and be sure your Privacy Policy specifically provides guidance. The FINRA guidance also warns against using a hyperlink to a site that may contain false or misleading content, which could potentially raise UDAAP concerns as well.

    Considerations: Personal v. Business Communications 

    One of the increasing challenges in the area of communications is to understand the difference between an individual’s rights, and the employer’s interest in controlling “business activity.” Importantly, the National Labor Relations Board has issued memoranda intended to help employers avoid social media policies that are overly broad, vague, and thus unlawful.

    PnPs should include definitions that specifically define conduct and provide examples to help employees understand what conduct is appropriate and expected. For example, a policy that requires an employee’s posts to social media sites to be “accurate and not misleading,” or that requires employer approval before posting, could be interpreted as overbroad if it is not clarified or further defined by examples.

    Consider, do your PnPs specifically define acceptable forms of “outreach?” Is it acceptable to use text messaging for business messages, and what is required by your record retention policy? FINRA and the SEC developed a concept of “business as such.” The “business as such” requirement is based on the content of the communication, not the type of device or technology used to receive or send the communication. This concept helps an FI define to what extent an employee can mention one’s firm without having it be deemed as business communication. For example, to what degree can an employee share or promote a charity event that the institution is sponsoring, or a branding initiative?

    Compliance should work carefully with HR to craft these PnPs, and Legal should always be consulted, as this area continues to evolve, especially under the new administration. HR and Legal should provide guidance to ensure that PnPs do not adversely impact an employee’s ability to communicate with co-workers, third parties, the media or the government.

    Future Trends

    Social media has become a valuable extension of an FI’s brand and profile. The FINRA guidance contains predictions from media outlets that within the next five years, revenue earned from native advertising in online publications (such as periodicals and social media sites), will outstrip other forms of online display advertising. It is more important than ever to be aware of your brand’s growing footprint of posts and tweets.

    SIDEBAR: Defining Social Media

    Defining the realm of “social media” is a challenge for every institution, and a necessary first step as you revisit your PnPs—and then revise your program to keep up with the evolution of technology and methods of social communication.

    FFIEC acknowledges that social media is dynamic and constantly evolving, and it provides the following illustrative—but not exhaustive—guidance: “Social media” is a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video. Social media can take many forms, including, but not limited to:

    • Micro-blogging sites (e.g., Facebook, Google Plus, Tumblr, Twitter);
    • Forums, blogs, customer review web sites, and bulletin boards (e.g., Yelp, TripAdvisor, Pinterest);
    • Photo and video sites (e.g., Instagram, Snapchat, Flickr, YouTube);
    • Sites that enable professional networking (e.g., LinkedIn);
    • Virtual worlds (e.g., Second Life); and
    • Social games (e.g., Angry Birds, SimCity).

    For purposes of the FFIEC guidance, messages sent via email or text message, by themselves, do not constitute social media, although such communications may be subject to a number of laws and regulations discussed in the Guidance. Overall, the most critical definition of “social media” is to define it in terms of what is being done at your institution. If you are not sure, then it is critical to ask a lot of questions to get clarity. Your Social Media Program must continually evolve to keep up with the actual behaviors of your lines of business, marketing department and your employees.

    Barbara Boccia, CRCM, MBA, JD, is a senior director and manages the Advisory Services and Regulatory Relations team at Wolters Kluwer across a wide range of consulting engagements, including fair lending, CRA, HMDA and UDAAP. She brings more than 30 years of professional experience to strategic and technical regulatory compliance engagements relating to consumer protection regulations, including reviews of Compliance Management Systems (CMS), Compliance Risk Assessments (including fair lending and UDAAP), Complaint Management Programs, and Third Party Vendor Management programs. Her work includes helping clients with regulatory change management, preparing for exams, resolving regulatory enforcement actions, assisting with remediation efforts and Board training. She is a frequent speaker at industry events. She can be reached at