Within first direct, there is an understanding that social media is a channel we should be developing and engaging in, so in essence, that ‘internal sell’ is the easy bit.

The hard part, however, is overcoming the way people think about regulation and compliance, and having both the confidence and strategy to feel comfortable working within these confines.

Banking differs from other industries where brands can interact with consumers around products and services easily. Financial institutions have to ensure every piece of marketing and communications activity is in accordance with an abundance of group, industry body and relevant authority regulation.

As marketers, we hear the term “social media” linked with “regulation” more often than with “public relations”, “marketing” and “customer service”. Why? Because social media is extrinsic – it’s open, ultimately in the voices, mouths and hands of the public online.

This is a frightening thing for a bank that puts customer service and relationships based on trust at the forefront of its offering, whilst operating and safeguarding customer privacy entirely online. 

But we overcame all that, and here’s how.

Recognising the relevant regulatory frameworks


The Financial Services Authority takes a “media-neutral” approach to marketing communications in that the focus is on the content of the financial promotion, rather than the medium used to communicate it.

This means organisations must apply the same advertising compliance regulations to more two-way and informal communications such as Twitter and Facebook.

CAP Code

The Advertising Standards Authority takes a specific and stringent approach to social and digital media, with the CAP Code’s remit revised to cover digital marketing communications, effective from March 2011.

The new rules apply to marcomms directly connected with the supply or transfer of goods and services, the promotion of causes or ideas and non-paid-for, owned space online.

The latter applies to social media, and the code requires that organisations be able to substantiate and evidence claims, ensure communication is legal, transparent and truthful, and guarantee that widespread offence isn’t caused and specific rules aren’t broken.

Identifying the risks

Protecting customer data

We never collect any personally identifiable information from people entering and engaging in the “public” areas of our site (places that are accessible without a password) such as Facebook, Lab and Twitter; however, we do collect the traffic figures and location data.

For password-protected, customer-only sites such as Little Black Book, we collect personal information and make it clear how it will be used in accordance with the Data Protection Act 1998 and the Lending Code.

Not identifying customers as being customers

Along with not wanting to compromise the privacy of first direct customers, we can’t legally identify them on our social media channels.

However, we can state that if people ask us for help, we will respond and direct them accordingly.

We overcame reluctance, and continue to adapt to new regulation and customer privacy issues

This was in two fundamental ways:

Demonstrating and practising openness 

Being clear about the purpose of our own channels that either allow or facilitate dialogue.

This includes stipulating our Twitter stream is purely for media relations purposes and to provide information to journalists, making it clear our Facebook page is a ‘brand’ page and clearly advising ‘fans’ not to publish personal and/or financial information.

Also, by explicitly setting out the house rules on our forum Talking Point and by being open about our privacy policy, content storage and how we are a division of HSBC. 

Devising an internal BAU (Business As Usual) process 

This is to ensure all social media activity is embraced as part of our overall comms strategy.

To allow internal teams both to understand and implement this, we introduced a ‘risk matrix’ that presents a line of tolerance against varying degrees of ‘risk’ the activity might incur – it puts the risk of activity against the potential impact and clearly signposts the level of sign off needed to undertake any proposed activity.

For example, activity seen to have low risk would only require local sign-off.

Financial institutions using “regulation” as an excuse not to engage in social media are really using “regulation” as an excuse not to be proactive.

It all really comes down to the way financial marketers view regulation, in that rather than being a list of things ‘you can’t do’, it’s a framework for things you can.