By Tiffany M. Miller

Financial institutions are increasingly using social media to interact with customers. Social media, which includes all forms of interactive online communication, may be used by financial institutions to market products to customers, provide incentives, facilitate the account application process, invite feedback, and respond to complaints. However, because social media tends to be a less formal channel of communication, financial institutions that use it to interact with customers may be at increased risk of compliance violations.

In December 2013, the Federal Financial Institutions Examination Council issued guidance intended to highlight the applicability of existing requirements to the use of social media by financial institutions (Guidance). Using the Guidance, financial institutions must ensure that their risk management programs incorporate policies and procedures designed to identify and monitor the risks associated with social media. A compliant risk management program should include: (i) policies and procedures regarding the use and monitoring of social media and compliance with all applicable consumer protection laws; (ii) an employee training program that incorporates the institution’s policies for official, work-related use of social media; and (iii) an oversight process for monitoring information posted to proprietary social media sites administered by the financial institution.

Compliance with Applicable Law

While the Guidance does not impose any new requirements, it highlights that many current federal consumer protection and compliance laws are applicable to a financial institution’s social media activities. For example, any advertising conducted via social media should comply with the disclosure requirements of the Truth in Savings Act (Regulation DD) and the Truth in Lending Act (Regulation Z), as applicable. FDIC membership should also be disclosed when advertising any FDIC-insured product. Further, financial institutions should refrain from engaging in any act or practice through social media that may be deemed unfair, deceptive, or abusive. Finally, the privacy rules of the Gramm-Leach-Bliley Act (Regulation P) may be applicable to activity conducted via social media when, for example, a financial institution integrates social media components into online banking or takes applications via social media portals.

Employee Use of Social Media

Employees’ communications via social media may subject a financial institution to additional risk. Financial institutions should address these risks by providing training and establishing policies regarding employee participation in social media on behalf of the financial institution. For example, if the financial institution permits employees to communicate with customers regarding loan products through social media, the institution’s policies should include steps to ensure the customer is receiving all required loan disclosures. Notably, the Guidance does not impose any specific requirements for policies or procedures regarding employee personal use of social media.

Monitoring Social Media Comments

While the Guidance does not require financial institutions to monitor and respond to all comments posted on the Internet, a financial institution’s risk management program should include policies addressing the institution’s approach to monitoring and responding to customer complaints and questions posted on social media sites. Appropriate steps may include: (i) responding to comments received through social media sites run by or on behalf of the institution (and taking these comments into account when evaluating compliance with the Community Reinvestment Act), and (ii) establishing one or more specific channels for customers to use when submitting complaints or disputes directly to the institution for further investigation.

The Guidance is not intended to be a “one-size-fits-all” approach to risk management of social media activities. Rather, financial institutions must adopt a risk management program that is appropriate and tailored to the particular institution’s size, activities, and risk profile. For more information regarding tailoring a risk management program to address social media activities, please contact Tiffany Miller at

Davenport, Evans, Hurwitz & Smith, LLP, located in Sioux Falls, South Dakota, is one of the State’s largest law firms. The firm’s attorneys provide business and litigation counsel to individuals and corporate clients in a variety of practice areas. For more information about Davenport Evans, visit