Final FFIEC Guidance - "Social Media: Consumer Compliance Risk Management Guidance"


On December 17, 2013, the Federal Financial Institutions Examination Council (the “FFIEC”) issued the Social Media: Consumer Compliance Risk Management Guidance for financial institutions. The Guidance does not impose any new obligations but “is intended to help financial institutions understand and successfully manage risks in this area.”

The final Guidance is substantially similar to the proposed guidance [1] issued on January 23, 2013, but clarifies and highlights certain provisions, including:

1. The Guidance does not impose a “one-size-fits-all” approach; rather, each financial institution is expected to assess and manage its own risks, which may vary due to the institution's size, complexity, activities, and business relationships.

2. The Guidance outlines seven components that should be included in a risk management program addressing social media activity by or on behalf of a financial institution.

3. The Guidance is not intended to pertain to e-mails and text messages, except for those sent through social media.

4. The Guidance is not intended to govern employee personal use of social media, but financial institutions should address risks posed by employee communications, such as providing training to address official employee communications sent on behalf of the financial institution.

5. Before engaging with a third party to provide social media services, a financial institution should conduct appropriate risk evaluation and due diligence on that social media vendor.

6. A financial institution need not monitor all Internet communications about the institution. Rather, the institution would do well to monitor its own sites. It may also be appropriate to (a) establish a specific channel that customers must use to submit complaints or disputes directly to the institution, and (b) monitor certain third-party forums to review and address comments or complaints. In fact, a financial institution that decides not to establish an official social media presence should nevertheless evaluate how to monitor or respond to comments on social media.

If you have any questions about this topic, please contact one of the following members of our Social Media or Financial Regulatory Practice Groups.

[1] For a summary of the proposed guidance, please see

