sumer’s Personally Identifying Information (PII) such as a full
name, birthdate, and address/hometown as listed on the social
media site. You should determine how this information is used
guidance. The FINRA guidance also warns against using a hyperlink to a site that may contain false or misleading content, which
could potentially raise UDAAP concerns as well.
Considerations: Personal v.
One of the increasing challenges in the area of communications is
to understand the difference between an individual’s rights and
the employer’s interest in controlling “business activity.” Importantly, the National Labor Relations Board has issued memoranda
intended to help employers avoid social media policies that are
overly broad, vague, and thus unlawful.
PnPs should include specific definitions and examples to help
employees understand what conduct is appropriate
and expected. For example, a policy that requires an employee’s
posts to social media sites to be “accurate and not misleading,” or
that requires employer approval before posting, could be interpreted
as overbroad if it is not clarified or further defined by examples.
Consider: do your PnPs specifically define acceptable forms
of “outreach”? Is it acceptable to use text messaging for business
messages, and what is required by your record retention policy?
FINRA and the SEC developed a concept of “business as such.”
The “business as such” requirement is based on the content of
the communication, not the type of device or technology used
to receive or send the communication. This concept helps an FI
define to what extent an employee can mention one’s firm without
having it be deemed as business communication. For example, to
what degree can an employee share or promote a charity event
that the institution is sponsoring, or a branding initiative?
Compliance should work carefully with HR to craft these PnPs,
and Legal should always be consulted, as this area continues to
evolve, especially under the new administration. HR and Legal
should provide guidance to ensure that PnPs do not adversely
impact an employee’s ability to communicate with co-workers,
third parties, the media or the government.
Social media has become a valuable extension of an FI’s brand and
profile. The FINRA guidance contains predictions from media
outlets that within the next five years, revenue earned from native advertising in online publications (such as periodicals and
social media sites) will outstrip other forms of online display
advertising. It is more important than ever to be aware of your
brand’s growing footprint of posts and tweets.
ABOUT THE AUTHOR
BARBARA BOCCIA, CRCM, MBA, JD, is a senior director and
manages the Advisory Services and Regulatory Relations team
at Wolters Kluwer across a wide range of consulting engagements,
including fair lending, CRA, HMDA and UDAAP. She brings
more than 30 years of professional experience to strategic and
technical regulatory compliance engagements relating to consumer
protection regulations, including reviews of Compliance
Management Systems (CMS), Compliance Risk Assessments
(including fair lending and UDAAP), Complaint Management
Programs, and Third Party Vendor Management programs. Her
work includes helping clients with regulatory change management,
preparing for exams, resolving regulatory enforcement
actions, assisting with remediation efforts and Board training.
She is a frequent speaker at industry events. She can be reached
Defining Social Media
Defining the realm of “social media” is a
challenge for every institution, and a necessary
first step as you revisit your PnPs—and then
revise your program to keep up with the
evolution of technology and methods of social
FFIEC acknowledges that social media is
dynamic and constantly evolving, and it provides
the following illustrative—but not exhaustive—
guidance: “Social media” is a form of interactive
online communication in which users can
generate and share content through text, images,
audio, and/or video. Social media can take many
forms, including, but not limited to:
■ Micro-blogging sites (e.g., Facebook, Google Plus,
■ Forums, blogs, customer review web sites, and
bulletin boards (e.g., Yelp, TripAdvisor, Pinterest);
■ Photo and video sites (e.g., Instagram, Snapchat,
Flickr, YouTube);
■ Sites that enable professional networking (e.g.,
■ Virtual worlds (e.g., Second Life); and
■ Social games (e.g., Angry Birds, SimCity).
For purposes of the FFIEC guidance, messages
sent via email or text message, by themselves,
do not constitute social media, although such
communications may be subject to a number of
laws and regulations discussed in the Guidance.
Overall, the most critical step is to define “social
media” in terms of what is being
done at your institution. If you are not sure, then
it is critical to ask a lot of questions to get clarity.
Your Social Media Program must continually
evolve to keep up with the actual behaviors of
your lines of business, marketing department
and your employees.