Agency Offers Guidance on Social Media Compliance

FFIEC highlights potential legal, reputational, and operational risks.

March 24, 2014

In December 2013, the Federal Financial Institutions Examination Council (FFIEC) agencies released guidance on managing social media compliance risks.

The guidance doesn’t impose new requirements on financial institutions. Rather, it’s intended to “help institutions understand potential consumer compliance and legal risks, as well as related risks such as reputation and operational risks associated with the use of social media, along with expectations for managing those risks.”

For purposes of the guidance, “social media” is a form of interactive online communication in which users can generate and share content through text, images, audio and/or video.

Social media can take many forms, including but not limited to microblogging sites (e.g., Facebook and Twitter); forums, blogs, customer review websites, and bulletin boards (Yelp); photo and video sites (Flickr and YouTube); professional networking sites (LinkedIn); virtual worlds (Second Life); and social games (FarmVille).

Credit unions might use social media in a variety of ways including advertising and marketing, providing incentives, facilitating applications for new accounts, inviting feedback from the public, and engaging with existing and potential members—for example, by receiving and responding to complaints, or providing loan pricing.

The use of social media can impact a financial institution’s risk profile. So credit unions should have risk management programs in place that allow them to identify, measure, monitor, and control the risks related to social media. These risks include:

• Compliance and legal risks arising from the potential for violations of—or nonconformance with—laws, regulations, prescribed practices, internal policies and procedures, or ethical standards.

Further, the potential for defamation or libel risk exists where there is broad distribution of information exchanges. Failure to adequately address these risks can expose a credit union to enforcement actions and/or civil lawsuits.

• Reputation risks arising from negative public opinion. Activities that result in dissatisfied members and/or negative publicity could harm the reputation and standing of the credit union, even if the institution hasn’t violated any law. Privacy and transparency issues, as well as other consumer protection concerns, arise in social media.

That’s why any financial institution engaged in social media activities should be sensitive to, and properly manage, the reputation risks that arise from those activities.

• Operational risks resulting in losses from inadequate or failed processes, people, or systems. The root cause can be either internal or external events. Social media is one of several platforms vulnerable to account takeover and the distribution of malware.

A credit union should ensure the controls it implements to protect its systems and safeguard member information from malicious software adequately address social media usage. The incident response protocol regarding a security event, such as a data breach or account takeover, should include social media, as appropriate.

Employee communications can also subject the credit union to reputation and compliance risks. So credit unions should take steps to address these risks, such as establishing policies and training to address employee participation in social media representing the institution.
