Today's Trends in Credit Regulation

Using Social Media to Advertise Consumer Financial Services Products
By Elizabeth C. Yen

Social media (including websites such as LinkedIn or Facebook, as well as blogs and Twitter) are increasingly in the news these days. For example, Facebook recently completed a highly publicized initial public stock offering. MySpace and the Federal Trade Commission (FTC) recently announced a proposed consent agreement concerning the sharing of users’ personal information with advertisers.

Consequently, it shouldn’t be a great surprise that the use of social media to advertise consumer financial services products is receiving more regulatory attention and may soon become the focus of new regulatory guidance. For example, an FTC workshop held on May 30, 2012 about online advertising and privacy disclosures may eventually result in additional FTC guidance about social media advertising disclosures. In the meantime, the FTC has been reminding businesses that pay for online endorsements and testimonials about the need to disclose such payments, and also reminding businesses that post favorable product endorsements on websites about the required disclosure of material connections or affiliations between the endorser and the manufacturer or seller, due to 16 CFR Part 255 – as revised in the fall of 2009, this FTC endorsement and testimonial guidance includes updated examples of using blogs and other social media to advertise consumer products.

The FTC has also been paying increased attention recently to advertising by car dealers on, and whether those advertisements include required disclosures and disclaimers in legible print for a reasonable period of time. Recently announced FTC settlements with various car dealers based in several different states appear to have arisen in significant part because of advertisements deemed by the FTC to be inaccurate and deceptive with regard to prospective buyers’ “under water” (negative equity) trade-in vehicles.

The technical ease with which employees may post and modify advertisements on, Facebook, and other websites should create heightened attention internally to marketing compliance issues. For example, employees may not always appreciate that special advertising provisions in Regulations M and Z applicable to certain radio and television advertisements do not apply to Internet advertising.

As another example of recent increased regulatory attention to social media marketing, the National Association of Insurance Commissioners (NAIC) has a social media working group that has been preparing a white paper about how insurance companies and insurance agents use social media to promote insurance products and provide customers and prospective customers with insurance-related information. (See here.)

The NAIC white paper notes that, although state insurance regulators might consider certain uses of social media to be advertising (thereby triggering advertising-related compliance and recordkeeping requirements), as a practical matter, it may be difficult for many state regulators to monitor their regulated entities’ use of social media websites because of state policies that often block state employees’ access to third party social media web pages from state-issued computers.

Similar issues exist in the non-insurance consumer financial services sectors. For example, employees of state banking departments could experience difficulty monitoring their regulated entities’ Internet marketing activities, especially such activities on social media websites. Compliance personnel working for regulated entities may face similar internal constraints on their ability to access their own employers’ and colleagues’ LinkedIn and Facebook pages.

If independent, unaffiliated agents (such as licensed insurance producers or securities brokers) are able to use social media to market third party insurance or other consumer financial services products, under circumstances where such marketing is difficult to monitor and control, this may create serious risk of regulatory noncompliance as well as reputation risk for the party whose products are marketed in this manner. The NAIC white paper indicates that “[a] not-insignificant number of insurance companies, concerned about the novelty of the medium, the lack of explicit regulatory and legal guidance and very real practical and technical issues, have either banned the use of social media outright or taken an approach of benign disregard relative to the use of social media in connection with their insurance business.”

The practical difficulties that some regulators or compliance auditors might experience in accessing and monitoring a company’s use of social media should not create a false sense of security or comfort. For example, examiners may ask for copies of all marketing materials (including electronic marketing) as part of a compliance examination. As one such example, the Consumer Financial Protection Bureau’s UDAAP (unfair, deceptive, or abusive acts or practices) examination procedures manual specifically instructs examiners to obtain copies of “promotional material in all forms of media (including print, radio, television, telephone, Internet, or social media advertising)” as part of the process of identifying potential areas of UDAAP concern. More generally, CFPB examiners are required to review publicly available information, including “[n]ewspaper articles, web postings, or blogs that raise examination related issues,” when developing the risk focus and scope of any compliance examination. The CFPB Supervision and Examination Manual notes that the Dodd-Frank Act specifically requires the CFPB to “use, to the fullest extent possible, information … reported publicly” when exercising its supervisory authority. (See, e.g., 12 USC Sections 5515(b)(3)(B) and 5516(b)(1)(B).)

Employees charged with marketing compliance oversight should periodically verify that online marketing practices remain consistent with the organization’s hard copy and traditional mass media marketing compliance procedures and requirements. Ideally, all marketing (regardless of the medium) should articulate the same consistent message with the same consistent disclosures and disclaimers, and should also be consistent with the contractual terms and conditions associated with the services and products that are offered to members of the general public.

Social media marketing practices should also be consistent with an organization’s e-mail and other customer communication policies and procedures. For example, federal bank regulators may review and evaluate an institution’s consumer complaint response practices, by looking at how an institution responds to consumer complaints and inquiries, including complaints and inquiries received via e-mail and other electronic means. The CFPB’s UDAAP examination procedures manual notes that a bank customer has several different avenues for filing complaints, including “the institution itself, the Better Business Bureau, State Attorneys General, the FTC’s Consumer Sentinel, the CFPB Consumer Response Center, other Federal and State agencies, or on-line consumer complaint boards such as or” Social media websites could be another potential forum for consumer complaints. CFPB examiners are supposed to “determine whether an institution itself receives, monitors, and responds to complaints filed against subsidiaries, affiliates, and third parties.” A regulated entity may receive a more favorable consumer complaint management rating if it “tracks all types of complaints,” “actively monitors complaints to identify issues that may require changes in products, procedures, and/or training,” and resolves consumer complaints “without requiring the direction or involvement of executives, regulators, or third parties (such as the Better Business Bureau), or the prospect of litigation or enforcement actions.”

The FDIC has also noted that questions and complaints fielded by a bank’s customer service representatives and tellers “could be a red flag to management that marketing or disclosures are not as clear and conspicuous as they should be.” (See here.) The FDIC also recommends that businesses designate one “individual or group within the organization” through whom (or which) any information intended to be “posted on the company website or through third party blogs and social media outlets should flow” for prior approval. (See here.)

The FDIC has also reminded businesses that they must protect customer confidentiality and pay attention to other privacy-related issues when creating appropriate social media posting policies and procedures for employees. No confidential, sensitive, private, or otherwise protected information should be posted or commented on, since “due to the viral nature of social media, it becomes almost impossible to recall or contain” after information has been posted. (See here.)

The FDIC has also flagged banks’ social media usage as an emerging information technology (IT) hot topic, and has cautioned banks about increased risk of viruses, “cyber attacks” and other IT threats, as well as increased risk to banks’ reputations as a result of social media. (See, e.g., here and here.)

Pending the issuance of more specific regulatory guidance, the FDIC recommends “appropriate risk management” by its regulated financial institutions in the use of social media. (See, e.g., here.) This is good advice for the consumer financial services industry generally, including non-FDIC regulated entities.

Elizabeth C. Yen is a partner in the Connecticut office of Hudson Cook, LLP. Elizabeth can be reached at 203-776-1911 or by email at

Article Archive

2019   2018   2017   2016   2015   2014   2013   2012   2011   2010   2009