Compliance and Social Media Q&A

By Sarah Oliver, CRCM

Have you heard about the bank compliance professional who actually supports social media—and thinks that banks should be in it? Confession: that person is me. I have been entrenched in each for well over a decade. And what I’ve found is, when it’s done right, bank engagement on social media can be not only fully compliant, but also fully effective.

Over the years, I’ve had to field the brunt of countless questions from my own bank and, later, from banking clients.

Here are some of the most common ones.

“Member FDIC.”

Question: Regulations require that, whenever a depository institution advertises FDIC-insured products, the institution must include the official advertising statement of FDIC membership. The statement must appear in any advertisement that promotes deposit products or promotes nonspecific banking products if the name of the depository institution is included in the ad. How can this be accomplished, and what about sponsorships, for instance, that only mention the bank’s name?

Answer: There is no one size fits all. I have seen banks add Member FDIC to every post, tweet, and share (and that’s okay). I have also seen banks embed Member FDIC into their profile picture so it’s always there, beside every post, tweet, or share. Another common practice is embedding Member FDIC (and the EHL Logo for that matter) in the background picture on the institution’s home page. That way, any post viewed from the institution’s page is guaranteed to have the disclosures. However, when posts or tweets are viewed in ‘feeds’ the viewer will not see those disclosures, so make certain that any post, tweet, or share that promotes the bank, its products, or services contains the words ‘Member FDIC.’ Yes, it will count against your 140 characters.

Employees’ social media activity.

Question: The FFIEC Guidance on Social Media Risk Management is very broad as to employee communications.  Are we required to do spot checks on our employees’ and directors’ personal social media sites?  If so, how are banks monitoring this?  Not everyone tags the bank in their mentions of us so I’m not sure how we would know. Is this just a risk we accept and hope that training/policy holds them accountable? 

Answer: It’s all about the training (apologies to Meghan Trainor). Employees should have a good grasp of what is acceptable and what is not. But be vigilant that your employee social media policy does not unlawfully inhibit employees’ rights—such as to discuss wages and conditions of employment. Since social is here to stay and brand image is vital to success, this may be an area worthy of having legal counsel review. It is a business decision to attempt to monitor employees’ personal accounts, but proceed with caution. For those employees who just want to brag on their bank, try giving them sharable content or access to a library of pre-approved content so they don’t get too creative and everyone wins. And don’t forget, record retention rules apply to social media too.

Posting the event pics.

Question: My bank often sponsors local events or joins other events in setting up a table/tent. If we take a picture that depicts clients, do we need to have each client sign our consent form?  What about taking pictures of crowds?  Can we post these without consent from every single belly-button?

Answer: First, let’s address the children.  I wouldn’t recommend posting organic pictures that contain children (unless they are yours).  Pictures of children pose a higher level of risk. Even with signed waivers or releases you may run into issues with federal and state children’s privacy laws and regulations.

As for the adults, reasonability—or what some call common sense—should come into play. Because banks are held to strict privacy laws and regulations, I would be cautious of posting pictures (including group or crowd photos) where it might not have been clear to the subject person that not only are they in a photo, but that it may be posted to public social media platforms. Since the beginning of time we’ve heard stories of someone not being where they said they were, and not with who they said they were with.

Consumers undoubtedly hold their banks to a higher standard of privacy than the local hardware or grocery store, for example. So, if it isn’t obvious, then obtain waivers or don’t post. In a recent podcast, Ethan Wall, president of The Social Media Law Firm, discusses this exact issue, as well as employee policies.

Unofficial and unauthorized social pages for banks.

Question: I heard Facebook takes its own initiatives to create accounts for businesses, including banks.  How are we supposed to be responsible for something like that?

Answer: While stories of unauthorized business pages abound, let’s first make a distinction between “unauthorized” and “unofficial.” Unofficial accounts may be automatically created through web crawling and data aggregation tools, whether controlled by Facebook or not. Some of this continues to be a mystery to me as well, although I have read that when someone checks themselves into a business location that does not have an official business page, an unofficial one is created, presumably for informational purposes only.

If you see “Unofficial Page” near the background image you are free to “claim” the page, with minimal due diligence. Whether or not you intend to actively use the page, it may be a good idea to claim the page before someone else does. Think of it as a placeholder, so to speak. If you find, however, that the page has already been claimed, verified, or authorized, go to the online Facebook Help Center for direction in reclaiming your page as an administrator. While not responsible for the World Wide Web, banks have a responsibility to be aware of what is being said, especially complaints, and to address issues as they occur. Google Alerts is a start. However, more and more banks are beginning to utilize wide ranges of third-party software or technology that can manage web mentions as well as social posts, and may even offer services such as record retention.

Social media risk assessments.

Question: Should we have a risk assessment for our social media practices?

Answer: Remember the kid in grade school who would remind the teacher she forgot to assign homework or asked if they could have more work? Sorry, but you are that kid. And the answer is yes.

Depending on the extent to which your institution uses social, related risk should be assessed, measured, and mitigated.  The format and process should be commensurate with the range of social (how many and which platforms) and the why of social (advertising, brand image, community involvement, or client care).  Board support and management involvement will also move the risk meter.  Depending on your social profile, you may decide to incorporate social risk into the enterprise-wide risk assessment or you may have a standalone risk assessment.

In any case, the risk assessment should address factors such as information security, account access, unauthorized content, loss of content, public relations, children’s privacy laws, and advertising laws, to name a few.


As with any new product or service, most of the work is often on the front end, and includes a commitment to policies, procedures, and training. While there are no shortcuts to going and growing social, once the program is up and running I’ve found it to be rewarding in many aspects, one of which is the interconnection of internal departments or lines of business that otherwise have gone solo. After all, social was originally fashioned to bring like-minded people together and form relationships, right?

Just don’t forget to invite your compliance officer to the sandbox.

Sarah Oliver is a consultant in the Financial Institutions Advisory Group of Saltmarsh, Cleaveland & Gund. Her primary areas of expertise include providing compliance reviews, assisting with special research matters and consulting on deposit and lending related regulations as well as social media approaches for financial institutions.