Social Media Risk Management Process for Banks, Step 1: Governance

Posted by Mikki Ware on June 14, 2017


Before getting on social media, banks and financial services companies have to consider and weigh the risks. While the Federal Financial Institutions Examination Council (FFIEC) has no regulations specifically about social media use (the FFIEC considers it another form of electronic communication, so those rules apply in a broad sense), it did outline guidance for handling social media use. It’s important to note that regulators do not oppose financial institutions using social media.

“First, we're not imposing any new requirements on banks and credit unions. That's an important point to get out,” says Elizabeth Khalil, of the Federal Deposit Insurance Corp., which is part of the FFIEC. “This is guidance, not a regulation. We intend for this to be helpful, not to impose any new regulatory burdens. We're also not trying to discourage financial institutions from using social media. We recognize that social media can be a useful tool for financial institutions. It can allow them to reach a wider universe of consumers. It can let them spread their brand identity more widely. It can let them deepen their relationships with existing customers and so forth. There are definitely good reasons for financial institutions to use social media.”

With that in mind, the main guidance of the FFIEC is for banks to create a risk management program to handle social media participation. According to the FDIC, even companies that choose to opt out of social media must still have a plan in place to handle potentially negative comments happening on social media. In this series, we will discuss each step of a social media risk management program and outline best practices that have worked for other banks that are succeeding with social.


Step 1: Governance Structure

According to the FFIEC, financial institutions participating in social media need to have a clear governance structure that outlines roles and responsibilities, as well as establishes controls. In other words, there are a few questions to ask before jumping in:

  1. Who is the Super Admin? This person will most likely have access to the company social media sites, and have final say in what is posted. This is the person who will be on the front lines should a social media crisis occur. This person might be in the compliance department, marketing, or a combination of both.

  2. Who is the Admin? This person has all the permissions of the Super Admin except account ownership. They can self-moderate posts and approve or disapprove posts from other users.

  3. Who are the users? Probably the most important decision – which employees can post to social on behalf of the company? This will be different for each organization, depending on their overall business goals and strategy. You might, for example, enable your relationship managers (sales team, executives, any customer-facing role) to post. Or perhaps it’s confined to the marketing department. Anything goes here, as long as everyone is on the same page. Users can post on behalf of the company, but will have posts with restricted or blocked keywords sent to Admins for approval.

  4. Who are the guests? These are your titular employees – interns, temporary employees, contractors, or non-management. This is the riskier group, so they have very tight restrictions, and cannot post without the content being approved by an Admin.

After you figure out your governance structure, it should be clearly outlined in a company social media policy.

Other components of your policy should include:

  1. Response guidelines
  2. How to identify yourself as an official representative for the bank
  3. Acceptable content
  4. Monitoring of social media activity on company devices
  5. What social networks and websites are included in the company policy
  6. Consequences of violating the policy


A word of caution when it comes to what you can and cannot prohibit on social media: The National Labor Relations Board (NLRB) released a memo in 2012 outlining how far companies can go in restricting what employees are allowed to say on personal social media accounts. In general, no company may produce a “chilling effect” on employees who choose to discuss their jobs on private accounts with other employees or personal connections.

Once your governance structure is in place, it’s time to think about how to execute. Stay tuned for the second post in this series, Social Media Risk Management Process for Banks, Step 2: Processes. In the meantime, download our FFIEC FAQ for a quick reference on what is and is not required when using social media.

