Does the Social Media Policy need to be approved by the BOD annually?

Considering there is no specific requirement to have a social media policy, it is really up to the bank to determine how they would like to manage the process.

In the Social Media: Consumer Compliance Risk Management Guidance issued by the FFIEC in December 2013, under section III (Compliance Risk Management Expectations for Social Media), states, "A financial institutions should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media...."

It goes on to describe, "Components of a risk management program should include the following..." and lists 7 components expected to be in the social media risk management program - the second of those components is "Policies and procedures" and the final component is related to reporting - the reporting section states, "Parameters for providing appropriate reporting to the financial institution's board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives."

So, the guidance doesn't really give a specific approval frequency - just "periodic" - I would suggest the frequency of reporting would likely be based on your involvement in social media - but a minimum of annually is probably not a bad idea.

I hope this helps some.

Thanks,
Russ

Thank you!

First, it isn't a required policy but you have many, many more policies than are "required" by law. Second, the idea of periodic reaffirmations of your policies isn't to adopt changes, but a confirmation that that the current policy is the direction the board wants the bank to follow. So I recommend an annual review of all policies. It worked well in my community bank, but it isn't a one size fits all.