A Guide to Surviving a Social Media Compliance Audit

More community banks and credit unions are embracing the marketing opportunities of social media. With increased activity comes an increased urgency for regulatory bodies to ensure that financial institutions are keeping themselves and their consumers safe. This means that every institution should be prepared to undergo a social media compliance audit.


We Lack a Single Comprehensive Guide


Depending on the scope of your institution's services, several different governmental agencies will regulate your social media presence.

While each of these agencies provides some guidance, the rapid evolution of channels, media types, and consumer expectations creates a gap of coverage between guidance and today's common social media practices.


Social Media Risks are Real


Social media risks exist whether your institution is advertising on social media or not:


Employees will be using social media.


An investment firm fails a social media compliance audit for failing to provide employee training.



Consumers will go online to talk about your brand.


An example of a consumer complaint that would pose risk to a community bank or credit union even if they were not on social media: a screenshot of a Yelp review for a credit union that was not responded to.



Malicious entities might try to spoof your brand and deceive your consumers.


A fake Twitter account for a bank shows why you need to have a listening strategy in your social media compliance audit: criminals engaging through a fake Twitter account.



For most of us, it is a matter of time before we have an issue as a result of one of these triggers.


What Do You Need for a Social Media Compliance Audit?


The documents you need will vary depending on the scope of your social media activities. Here is a list of documents and policies that most financial institutions should have:

Prepare by holding regular fire drills to practice how your institution will use the documents to resolve a social media emergency.

You should create these documents with a group of stakeholders; the marketing department, legal department, compliance, IT, and HR are a good starting point.


Learn More in this Video


To help understand more about social media and compliance, we interviewed Social Media and Compliance expert, Forbes contributor, and former FINRA advisor, Joanna Belbey.



Details on Recommended Documents


Employee Social Media Policy: A social media policy should cover an employee training program, training schedule, and rules of engagement. You should include Do's and Don'ts; this is mandated by the NLRB guidance. Here are some suggestions for creating your social media employee policy.

Documented Listening Strategy: At a minimum, your strategy should include listening for mentions of your brand across the most popular social media channels: Facebook, Twitter, Yelp, and Google+. Check out this post on listening to the web if you need help constructing your social media listening strategy.

Documented Content Strategy: A content strategy is the use of published materials to help solve your customers' problems and educate them about your products and services. Your documentation should include the goal of your strategy, what topics you will address, and the mediums you will use to distribute your content.

Social Media Playbook: Your playbook is where you should house the day-to-day operational instructions. It will house your social media brand guidelines, including your voice on different channels, how you respond to complaints, and your design style. You should also outline your content approval process and which metrics you will be tracking and reporting on. At Kasasa, we house our social media best practices and the results of internal experiments. It allows for continuity across personnel in addition to keeping a record of our activities for compliance.

Social Media IT Document: Employees pose significant risks for social engineering. Social media is a favorite channel for hackers who are looking to exploit vulnerabilities. As such, your IT department should document how it intends to manage and secure devices, audit any 3rd party tools you'll be using, and train employees against the risks of social engineering.

Social Media Crisis Response Grid: A crisis is an inevitability. Your only option is to anticipate and prepare for one. A social media crisis response grid is a tool to help assess the severity of a crisis and activate an appropriate response plan.

Social Media Risk Assessment: A risk assessment is a listing of every potential threat and an evaluation of its likelihood, its impact, and whether you have items in place to help mitigate the risk. If you need help, check out this guide to creating a social media risk assessment along with some other sample policies.

Social Media Privacy Policy: You have a responsibility to protect your consumers and the Social Media Privacy Policy is a way to help inform customers how to stay safe on your social media properties. It should make transparent your rules (no hate speech), recommendations (never share personal data), and how you use any digital data (remarketing). You can see an example of our two-tiered approach on our Facebook page's about section.

An Accessible Archive of Past Engagement: Most institutions use 3rd party tools to ease the burden of recording all social media engagement. However, most platforms give you an option to export your data upon request.
