Dealing with FFIEC’s Social Media Guidance: Are Your Risk-Management Plans In Place?

By Justin K.L. Whitesides,
Farleigh Wada Witt

Social media is often viewed as a cost-effective marketing and communications tool for credit unions, but significant risks arise from failing to devote sufficient resources and attention to a credit union’s social media presence.

The Federal Financial Institutions Examination Council (FFIEC) recently issued supervisory guidance (which NCUA, CFPB, and likely state regulators will use) that outlines its expectations for adequately addressing social media risks, even for institutions that do not use social media.

Credit unions must implement the following risk management practices, as applicable:

  • A governance structure with clear roles and responsibilities, directing how the use of social media contributes to the institution’s strategic goals;
  • Policies and procedures regarding the use and monitoring of social media, including compliance with applicable consumer protection laws and regulations;
  • A risk management process for third-party relationships;
  • An employee training program;
  • An oversight process for monitoring information on social media sites;
  • Audit and compliance functions to ensure ongoing compliance; and
  • Parameters for providing appropriate reporting and evaluation of the social media program’s effectiveness.

The foundation for implementing these seven elements is a credit union’s social media policies and procedures, which should address the risks discussed below. Credit unions should develop social media policies and procedures as applicable (or improve existing policies and procedures) in light of the FFIEC Guidance, which became effective in December 2013.

Identifying the Risks – Two Key Considerations

The FFIEC expects credit unions to manage risks associated with all types of communications, “no matter the medium.” The two key considerations in assessing social media risk are:

  • The same legal and regulatory rules that apply to other types of communication (e.g. advertising compliance, fair lending, information security, defamation, etc.) also apply to social media; and
  • Social media users have tremendous power to rapidly broadcast information—good or bad—that can sink an institution’s reputation in a matter of hours.

Consider the following statistics from 2013:

  • Facebook has more than 1.15 billion total users, 23 percent of whom check their account more than five times a day;
  • 350 million photos are uploaded to Facebook every day;
  • 4.2 billion people use their mobile device to access social media sites;
  • Every second on Instagram, 8,000 users like a photo and 1,000 comments are posted; and
  • The fastest growing age demographics on Facebook and Twitter since 2012 are 45-54 and 55-64, with growth rates of 46 percent and 79 percent respectively.

The numbers are clear: communications spread to thousands (potentially millions) of users immediately, and those users are not just teenagers.

Addressing the Risks

An effective risk management program should identify, measure, monitor and control social media risks. The program should be tailored to the credit union’s size, activities and risk profile. While it is clear heavy social media users should have a detailed risk management program, even credit unions that do not use social media must develop procedures to address negative comments or complaints on social media.

The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources and marketing. Finally, credit unions should provide guidance and training for employees’ official use of social media.

The seven required risk management practices identified above should address the following key risks:

Reputation Risks and Complaints: Social media communication is instantaneous and far-reaching, like a phone conversation to, from and among thousands of people at once. Credit unions with a significant social media presence must be prepared to respond immediately when posts go viral in a negative way.

A bad post alone can cause significant damage; a failure to effectively address it compounds the negative image. For instance, a famous “fail” involved British Airways’ defensive response to a complaint on Twitter. The airline took more than eight hours to respond, stating that their Twitter feed is only open “from 9 to 5” and that they could not help for several reasons (which were not true). The response went viral: “How does a billion-dollar corp only have 9-to-5 social media support for a business that operates 24/7?” The complaint was a “Promoted Tweet,” meaning the consumer actually paid money to ensure his complaint was broadcast farther.

Credit unions must also be vigilant about fraudulent use of their brand, particularly phishing or spoofing attacks. Further, third-party risks can be significant, depending on the social media platform used. There are hundreds of social media sites and, as with any other service provided by a third party, a credit union must perform adequate due diligence to assess the risks and advantages of associating its brand with a particular platform.

Compliance and Legal Risks: There are no exceptions to existing regulations when an action is taken on social media. Fair lending, Truth-in-Savings, Truth-in-Lending, RESPA, CAN-SPAM and the Telephone Consumer Protection Act, among others, apply with equal force in advertising through social media.

Outside of advertising, the Fair Debt Collection Practices Act requires special vigilance over debt collectors (some are pushing the limits and clearly breaking the law through social media). If social media is used to facilitate electronic banking, the Electronic Funds Transfer Act (Reg. E) and Bank Secrecy Act also apply. A credit union must also follow all privacy rules, which are a particular concern if social media is integrated into the members’ online account experience or if a credit union takes applications through social media. Complaints received through social media may also trigger error and dispute resolution obligations under Reg. E, Reg. Z and the Fair Credit Reporting Act.

Operational Risks: The risk of loss resulting from inadequate or failed processes, people or systems is present in social media as an IT-related risk. The FFIEC encourages credit unions to review the FFIEC Information Technology Examination Handbook, particularly the booklets “Outsourcing Technology Services” and “Information Security,” in light of social media risks.

For example, social media can be vulnerable to account takeover and the distribution of malware. A credit union should ensure that it protects its systems and safeguards member information from malicious software. Additionally, credit unions’ incident response protocol regarding a security event, such as a data breach or account takeover, should include social media as appropriate. Thus, credit unions should include social media in existing IT risk assessment and management programs.

Bottom Line: Manage Potential Risks

Credit unions and other financial institutions are effectively using social media as a tool to generate new business and provide a dynamic environment to interact with members. As with any product channel, credit unions are expected to manage potential risks — to the credit union and to members — by ensuring that their risk management programs provide appropriate oversight and control to address the risk areas discussed within the FFIEC Guidance. If it has not already, your credit union should be looking at updating or adopting social media policies and procedures consistent with this Guidance. 

If nothing else, remember: If you would not do it offline, do not do it online.

Justin Whitesides, an attorney with Farleigh Wada Witt, counsels credit unions in Oregon, Washington and nationwide in providing electronic communications through websites, emails, text messages and social media in compliance with state and federal regulatory requirements. He can be reached at 503.228.6044 or

Questions about this story? Contact Gary M. Stein: 503.350.2216,
