Can you provide any guidance on drafting a social media policy?

A bank’s social media policy, at a minimum, should address two areas of risk: (1) the bank’s use of social media for advertising purposes and (2) bank employees’ use of social media for personal purposes that could affect the bank. Both are more fully described below. Also, an important starting point for drafting a social media policy is the Social Media Guidance from the Federal Financial Institutions Examination Council (FFIEC), which was released in December 2013. The FFIEC Guidance states that financial institutions should have “policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media,” and it details the compliance and reputation risks that your policies and procedures should address. See Page 76299 of the Guidance.

Also, the IBA offers on-demand webinars that deal with the compliance risks of social media.

Bank’s use of social media

Most experts advise that you treat new social media pages as you would treat any new banking product or marketing campaign. The process of launching new social media pages should involve conducting a risk assessment, updating your policies and procedures (including record retention policies), training employees, and monitoring employees and any third parties involved with your social media pages.

Many compliance requirements apply to your social media pages, because they are considered advertising for the bank. See FFIEC Guidance, “Compliance and Legal Risks.” Note that while the Truth in Savings Act regulations exempt some electronic advertising from the advertising disclosure requirements, that exemption does not apply to internet advertisements. Official Interpretations, 12 CFR 1030, Section 8(e)(1)(i), Comment 1. And, the Truth in Lending Act does not exempt internet advertising from its disclosure requirements. See 12 CFR 1026.16, 12 CFR 1026.24.

Below is a mere sampling of the many regulations that apply to your institution’s social media activities:

  • Truth in Savings Act/Regulation DD advertising rules, 12 CFR 1030.8:
  • Similar to the Regulation DD requirements described above, social media posts with triggering terms related to loans must “clearly refer” users to a location where they can find the additional required information. 12 CFR 1026.16(c)(1)(ii) (open-end credit); 12 CFR 1026.24(e)(1)(ii) (closed-end credit).
  • Because the rates stated in advertising dwelling-secured credit must be “reasonably current,” electronic advertisements must display rates that were in effect within thirty days before a social media post is viewable by the public. Official Interpretations, 12 CFR 1026, Paragraph 16(d), Comment 6(ii) (open-end credit); Paragraph 24(f), Comment 6(ii) (closed-end credit). This requirement may necessitate the removal of social media posts with outdated interest rates.
  • The FFIEC Guidance (under Fair Lending Laws) warns financial institutions about violations of Regulation B’s advertising requirements, timelines for responding to applications, adverse action requirements, and more.
  • In addition, the FFIEC warns about the restrictions on using social media to collect or use demographic information about customers or potential customers. Third-party social media sites often “data mine” demographic information, so financial institutions must be careful to not request, collect, or use consumer information in violation of ECOA or FHA.
  • Also, the FFIEC includes a reminder to display the “Equal Housing Opportunity” logo on social media pages, if the financial institution is engaged in residential mortgage lending.
  • The FFIEC Guidance points out that institutions subject to the CRA should include comments received through social media in their public files, which must include any written comments that specifically relate to an institution’s performance in meeting community credit needs. See FFIEC Guidance, Community Reinvestment Act.
  • Children’s Online Privacy Protection Act (COPPA) (16 CFR 312)
  • COPPA imposes obligations on commercial websites that collect data, with active knowledge, from children under 13. Institutions using third-party social media sites may rely on their verifications of user ages, but should still monitor their communications in case a child posts information on the institution’s site. Institutions maintaining their own social media site should establish careful policies to restrict access to users under 13 to comply with COPPA. See FFIEC Guidance, Children’s Online Privacy Protection Act.

Also, keep in mind any record retention and destruction requirements (including your internal policies and procedures) will apply to any posts and tweets. You also may be responsible for keeping secure any personally-identifiable information that customers post on your pages. See FFIEC Guidance, Fraud and Brand Identity.

Employees’ use of social media

The FFIEC’s Guidance clearly indicates that bank employees who use social media may open institutions up to compliance risk as well as reputational risk. See FFIEC Guidance, Employee Use of Social Media Sites. To ensure compliance with all applicable laws, your human resources policies or handbooks should cover employees’ use of social media. In addition, our organization has held many regulatory panels at various conferences and events, and the regulators on those panels have often repeated that all banks must monitor social media for “unofficial” pages set up by your employees (or former employees). Specifically, a regular panelist from the Illinois Department of Financial and Professional Regulation (IDFPR) often points out instances in which bank management has been surprised to learn that an employee set up a bank Facebook or Twitter page without the bank’s knowledge or oversight. Often, these employee-created social media pages do not comply with all the regulations described above.

If your employees will be updating your institution’s social media pages (in an official, bank-sanctioned capacity), we recommend that your policy include some oversight and monitoring of these activities. As stated in the FFIEC Guidance, you should “provide guidance and training for employee official use of social media,” and the FFIEC describes each step in creating a risk management program. See FFIEC Guidance, under Compliance Risk Management Expectations for Social Media. For example, one rule to note is in the FTC rules on endorsements and testimonials, which require employees who post on social media about their employer’s products or services to “clearly and conspicuously disclose” their relationship with their employer. 16 CFR 255.5; FTC Guides Concerning Use of Endorsements and Testimonials in Advertising. In general, employees should be careful not to post anything that could be considered deceptive or misleading. See FFIEC Guidance, Unfair, Deceptive, or Abusive Acts or Practices.

One issue that the FFIEC Guidance does not address is the protection of certain employee social media activities under the National Labor Relations Act (NLRA). The NLRA protects employees’ rights to engage in “concerted activities,” particularly employee communications that discuss the “terms and conditions of their employment.” 29 USC 157; 29 USC 158; NLRB v. City Disposal Sys., Inc., 465 U.S. 822, 830 (1984). NLRA-protected communications include the use of social media to discuss the terms and conditions of employment. The National Labor Relations Board (NLRB) has released a Fact Sheet and three case summaries that describe its holdings on various employer policies that allegedly violated NLRA requirements:

  • Operations Management Memo, OM 12-31 — Report on Social Media Cases (January 24, 2012) (press release)
  • Operations Management Memo, OM 11-74 — Report on Social Media Cases (August 18, 2011) (press release)