Develop an Effective Social Media Policy

Manage the risks when your CU tweets, blogs, or chats.

February 14, 2011

Welcome to the 21st Century. In the past 40 years the credit union movement has embraced technology to allow members access to ATMs, the automated clearinghouse network, and both online and mobile banking. And the advent of social media sites such as MySpace, LinkedIn, Facebook, and Twitter has opened new avenues for marketing and communication.

Social media uses Web-based technologies that allow you to access sites for information and social interaction. The social media phenomenon has given individuals and businesses the ability to reach both small and large audiences, and showcase expertise, influence opinion, and bond groups of like-minded individuals.

How big is it? There are, for example, more than 500 million active Facebook users.

Before you get started

Before launching any type of social media program, determine whether it fits your strategic plan and philosophy. Consider:

  • The size and complexity of your credit union;
  • The potential risks;
  • Whether you have sufficient staff resources to manage the program; and
  • A cost-benefit analysis.

Four areas of potential risk for social media use by credit unions include:

1. Legal risk. Possibilities include compliance problems, defamation lawsuits, copyright infringement, employment discrimination, and an easier way for attorneys to assemble class-action lawsuits.

2. Reputational risk. Poorly worded statements or a single typo can result in months, even years, of negative public opinion in cyberspace—and posted complaints can generate a bad image.

3. Regulatory risk. Since the advent of websites, anything published online that’s visible to the general public may be considered advertising subject to compliance mandates—just one of a host of potential regulatory pitfalls.

4. Security risk. Incoming and outgoing communications increase the risk of system intruders.

Numerous federal laws and regulations can affect the contents of your social media information and member interactions. For example:

  • NCUA's security, advertising, and privacy rules;
  • Truth in Savings Act (NCUA’s Part 707);
  • Truth in Lending Act (Regulation Z);
  • Children’s Online Privacy and Protection Act (COPPA);
  • Electronic Funds Transfer Act (Reg E);
  • Expedited Funds Availability Act (Reg CC);
  • Fair lending laws (Equal Credit Opportunity Act, Fair Housing Act)
  • Electronic signatures (E-Sign Act).

This brief list shows why it’s important to have adequate staff to manage and monitor your program. Staff also must periodically review with the board whether your social media policy is sufficient. And there may be other federal laws and state rules to be aware of as you launch into this brave, new world.

Credit unions also must maintain sufficient security controls and regularly monitor them. Conduct regular website reviews, information technology risk assessments, and system-intrusion testing.


  • The importance and sensitivity of information that will appear on the site;
  • The likelihood of outside break-ins and insider misuse;
  • Risks posed by electronic connections with business partners; and
  • Possible liability if things go wrong.

Next: A social media policy

A social media policy

You’ve finished your due diligence and are ready for the next step: board approval.

The best way to show you’re committed to maintaining a quality and compliant social media program is to adopt a social media policy. But you’ll really want two policies (or one overall policy with two major subparts): one addressing issues surrounding the credit union-sponsored site and a second addressing your employees’ use of social media.

Thorough policies can be a deterrent to conflicts, misunderstandings, and litigation. Even if you choose not to use social media, consider adopting a policy to address potential issues that might arise from staff who do.

Consider these components of a social media policy:


The complexity and technology-related nature of social media will undoubtedly require specific definitions of terms your policy uses.

Designated contact

Designate a specific individual (name the position, not the person) as the “social media contact.”

This person’s duties should include (but aren’t limited to):

  • Managing social media tools and channels;
  • Responding to questions internally and externally about the social media site;
  • Addressing problems/providing direction for staff if a user becomes threatening, abusive, or harassing; and
  • Suggesting changes in the credit union’s social media policy when warranted.

This position also may be charged with two duties:

1. Working with other staff to make sure opportunities aren’t overlooked in marketing credit union services; and

2. Training staff to ensure they understand how to use the credit union’s social media program.


Senior management might or might not be the “public face” of your credit union’s social media program. But the policy should designate who will decide what positions at your credit union will have authority to contribute content—who can blog, tweet, or chat on your credit union’s behalf.

While some policies may include examples of appropriate and inappropriate content, selecting the correct professional staff who “speak for your credit union” should allay such concerns.

The policy (as well as the social media site) might want to include a statement that your credit union doesn’t endorse nor is responsible for any comments and/or viewpoints on social media or networking sites made by its employees unless they’re authorized representatives.

Your policy should state that your credit union will take the necessary steps to make sure the content complies with applicable laws and regulations. Management must determine who’s responsible for compliance.

For instance, marketing staff might not know that certain words or phrases trigger Truth in Lending advertising rules or require posting certain government logos. The designated “social media contact” might or might not be the appropriate person responsible for compliance, depending on the person’s expertise.

Disaster planning

The credit union policy may want to address how you will use social media in conjunction with your business continuity plan.

The policy also can address how the site will be used to quell fears and communicate accurate information regarding rumors, such as those that may arise when the credit union faces challenging economic conditions.


The policy should address technology safeguards, generally outlining such items as program administration responsibilities, regular system monitoring and testing, and dual controls for overseeing and auditing the program.

Content ownership

Include a statement in the policy that the credit union owns all authorized social media and networking content. This includes restrictions on terminated or separated employees from taking, saving, or sending any credit union content distributed via social media while they were employed with the credit union.

Employees’ use of social media

This section of your policy should address employees’ participation in social media and networking sites, including:

  • Restricting use of credit union resources (i.e., computer, phone) for such activities.
  • Prohibiting employees from using social media and networking as a forum to discuss the credit union, including any mention of confidential information and sensitive topics involving the credit union.

You might want to specifically indicate that employees aren’t supposed to list your credit union’s name or include its logo on social media and networking sites they participate in, or ascribe personal viewpoints to those of your credit union.

  • Advising employees that other users might know they’re employed by the credit union, so employees should make it clear that their social-media participation is in a personal capacity. For instance, communication should be written in the first person to make it clear the person isn't speaking on behalf of your credit union.
  • Stating that using social media that interferes with job responsibilities and work commitments, misrepresents the credit union’s position, or criticizes the credit union’s management practices could be grounds for discipline or termination. You might want to elaborate on the steps you’ll take.

After developing your credit union’s social media policy, an often overlooked but essential step is to make sure your credit union’s policy gets into the hands of every employee.

Because online activities inconsistent with your credit unions’ standards of conduct could result in liability for employees and your credit union, consider having employees sign a form that acknowledges they’ve received and read the policy.

And then get tweeting, blogging, and chatting! 

STEVE GIBBS is assistant vice president, shared compliance resources, for the Texas Credit Union League. Contact him at 800-442-5762, ext. 6637.