Financial Services Law

American Bankers Association Asks FCC for Exemption From TCPA Liability


Why it matters

Seeking an exemption from Telephone Consumer Protection Act (TCPA) liability, the American Bankers Association (ABA) filed a petition with the Federal Communications Commission (FCC) to allow financial institutions to call or text customers on their mobile phones in the event of a data breach or fraudulent activity. The ABA’s two-pronged argument – the need to fulfill legal requirements as well as protect customers – could prove persuasive to the FCC, particularly in light of the Commission’s approval of an exemption for package delivery notifications earlier this year. If the Commission were to grant the group’s request, financial institutions could certainly breathe easier when sending fraud or breach notification messages without worrying about facing a potential TCPA consumer class action.

Detailed discussion

On behalf of its member banks, the ABA filed a petition with the FCC seeking an exemption under the TCPA for four categories of messages. Why the need for the request? The popularity of TCPA class action lawsuits, which offer plaintiffs uncapped statutory damages and often lead to multimillion-dollar settlements (like the $77 million deal Capital One Bank agreed to earlier this year).

While the ABA explained that research and experience have revealed that automated communications are best suited to banks’ fraud alert and breach notification needs, the TCPA requires prior express consent for such messages sent to mobile phones. At least one court has agreed with a bank customer that although he provided his number to the bank for a particular reason, he did not specifically consent to receive fraud and identity theft alerts. Such rulings have left banks fearful of potential liability under the statute, the petition explained.

To alleviate concerns for its members, the ABA asked for an order pursuant to the Commission’s powers to grant exemptions under Section 227(b)(2)(C) that would permit financial institutions to send messages in four specific categories using an automatic telephone dialing system or an artificial or prerecorded voice without prior express consent by the recipient subject to any conditions the Commission might deem necessary.

The first category: messages required to protect consumers from fraud and identity theft, a huge – and growing – area of loss. Financial institutions monitor account activity and risk factors and use algorithms to detect potential fraud, the ABA explained. But “effective fraud prevention requires the earliest possible contact with the customer,” the group wrote. “The volume of these notifications, which average 300,000 to 400,000 messages per month for one ABA member alone, cannot be accomplished with acceptable speed and accuracy unless the process is automated.”

Banks are further required to verify a customer’s identity pursuant to the Fair Credit Reporting Act before authorizing the establishment of any new credit plan or extension of credit when a fraud alert has been placed on a file, the ABA added. “Financial institutions rely on the efficiency of autodialers and other automation techniques to contact these customers quickly,” the group wrote. “For those customers who can most efficiently be contacted at mobile telephone numbers, the inability to use automated calling methods is likely to delay the bank’s ability to contact the customer, resulting in embarrassment – or worse – for those customers.”

Data security breach notifications are another major communication issue for banks. The Gramm-Leach-Bliley Act, 47 states and the District of Columbia require financial institutions to establish response and customer notification programs following the unauthorized access of customers’ personal information. And banks protect their customers by alerting them to data breaches, even at third-party retailers, meaning they “deal in a high volume of data security breach notifications,” the ABA said, with a single financial institution responsible for 50,000 to 60,000 or more notifications per month.

Breach notifications must be timely and reliable, the group explained to the FCC, and should be exempt as the second category of messages provided to the recipient.

The third category, remediation messages, consists of notices to customers concerning measures they may take to prevent identity theft resulting from a breach, such as placing fraud alerts on credit reports or subscribing to credit monitoring services. Such messages are also sent in the wake of a breach to notify customers that they will be receiving new payment cards. “The volume and frequency of these remediation notices equal those of the original breach notification messages and present a similar case for exemption from TCPA prior express consent requirements,” the ABA said.

Finally, money transfer notifications are an increasingly popular method for customers to confirm that they have received or sent money to another account. Similar to the exemption the FCC granted for package delivery notifications earlier in the year, the money transfer notifications are often delivered to persons who do not have an ongoing relationship with the sending institution, the ABA wrote, and therefore have not consented to receive automated calls from that institution.

“Obtaining consent from recipients in these circumstances would be impractical and burdensome and would not serve consumers’ interests,” the group said, requesting that such notifications constitute the fourth category of the exemption.

The ABA said that it would abide by any reasonable conditions placed by the FCC on an exemption and pledged to work with wireless carriers and third-party service providers to ensure that recipients of notices are not charged for the messages. The group also proposed some conditions of its own, like identifying the name of the financial institution sending the message and including the sender’s contact information or reply instructions and promising that the messages subject to the exemption “will not contain any telemarketing, solicitation or advertisement.”

Financial institutions “will send no more automated messages than are required to complete the communications’ intended purpose,” the ABA wrote, but a single message may not always be sufficient to serve the purpose for which an organization might need to contact a consumer. For example, if a customer fails to respond to an identity theft or breach notification, the financial institution sends follow-up messages. Banks should be allowed to send a maximum of three messages per day, the ABA suggested, for each affected account and co-borrower or co-cardholder.

To read the ABA’s petition, click here.

Online Privacy Notice Rule Finalized by CFPB


Why it matters

A rule allowing financial institutions to post their annual privacy notices online (rather than having to mail them to customers individually) has been finalized by the Consumer Financial Protection Bureau (CFPB). While the CFPB estimates the change will save the industry $17 million, banks are not paper-free just yet. Financial institutions must still send a hard copy of the privacy policy if certain terms change or if a customer specifically requests a hard copy of the notice. The new alternative method for providing annual notices is available only if the financial institution does not include on its annual privacy notice an “opt out” under the Fair Credit Reporting Act (FCRA).

Detailed discussion

Under the Gramm-Leach-Bliley Act (GLBA), financial institutions are required to provide initial and annual notices to their customers regarding the institution’s privacy policy. In addition, if the institution shares nonpublic information about its consumer customers with third parties, both the GLBA and the FCRA require the bank to notify customers of that fact and, under some circumstances, provide an opportunity to opt out of the sharing.

Historically, the notice has been provided in an annual mailing.

Under the new rule, which largely tracks a proposal issued earlier this year, the CFPB established an alternative delivery method for annual privacy notices if certain requirements are met.

First, the institution’s data-sharing practices must not trigger opt-out rights, or any required opt-out notices must already have been provided; second, certain material information included in the privacy notice must not have changed since receipt of the prior notice; and finally, the financial institution must use the model form provided in Regulation P.

Additional requirements regarding availability of the notice include posting it “in a clear and conspicuous manner” on a page of the institution’s website without the need for a login or agreement to any conditions for access. To make customers aware that the annual privacy notice is available online, financial institutions “must insert a clear and conspicuous statement at least once per year on an account statement, coupon book, or a notice or disclosure the institution issues under any provision of law,” the CFPB said.

This statement must explain to customers that the annual privacy notice is available on the institution’s website, that a physical copy can be obtained by making a request (with phone number provided), and that the notice itself hasn’t changed. If a customer requests a hard copy by phone, it must be provided within 10 days.

When a financial institution changes its privacy notice or policy on information sharing triggering a customer opt-out right, then it must revert to the pre-rule delivery methods.

The CFPB characterized the final rule as a win-win for consumers and financial institutions, with consumers receiving 24/7 access to privacy policies, educating them about the various types of privacy policies and potentially limiting the amount of an institution’s data sharing with third parties to avoid having to send additional notices, while institutions benefit from reduced costs.

“Consumers need clear and accessible information about how their personal information is being used in the marketplace, but some of these requirements were redundant,” CFPB Director Richard Cordray said in a statement. “Posting privacy notices online will make it easier for consumers to access these important policies, while also making it cheaper for financial institutions to provide disclosures.”

To read the final rule, click here.

Pushing for Security, President Signs Executive Order on Chip-and-PIN Tech


Why it matters

In an effort to push retailers to adopt heightened security for credit and debit cards, President Barack Obama signed an executive order mandating chip-and-PIN technology for government cards. While the order applies only to government-issued cards and card terminals, the President took the opportunity to urge all stakeholders to “drive[] the economy towards more secure standards to safeguard consumer finances and reduce their chances of becoming victims of identity theft – America’s fastest growing crime.” As part of the signing ceremony, the President also announced that several major retailers – like Home Depot, Target, Walgreens, and Walmart – have agreed to use the technology as well. “These new systems will, at a minimum, meet the global security standard of more secure microchips to store card numbers instead of unencrypted magnetic strips, and secure PIN functionality, like the kind featured on most ATM cards,” according to the order. “The goal is not just to ensure the security of doing retail business with the government, but also, through this increased demand, to help drive the market towards swifter adoption of stronger security standards.”

Detailed discussion

President Obama visited the headquarters of the Consumer Financial Protection Bureau (CFPB) to sign the executive order. The order requires that by January 1, 2015, all retail payment card terminals at federal agencies be able to accept the chip-and-PIN technology; all federal government-issued cards should be equipped with the tech by the same date.

“Given that identity crimes, including credit, debit, and other payment card fraud, continue to be a risk to U.S. economic activity, and given the economic consequences of data breaches, the United States must take further action to enhance the security of data in the financial marketplace,” according to the order. “While the U.S. Government’s credit, debit, and other payment card programs already include protections against fraud, the Government must further strengthen the security of consumer data and encourage the adoption of enhanced safeguards nationwide in a manner that protects privacy and confidentiality while maintaining an efficient and innovative financial system.”

The order also states that it shall not “be construed to preclude agencies from adopting additional standards or upgrading to more effective technology and standards to improve the security of consumer financial transactions as technologies and threats evolve.”

The rash of high-profile data breaches – from Target to JPMorgan Chase – has led to a dispute between banks and retailers over which industry should shoulder the associated costs. But both the National Retail Federation and the American Bankers Association (ABA) issued statements in support of the order.

“We applaud the President for highlighting the challenges facing American companies and consumers,” said Frank Keating, president and CEO of the ABA. “This initiative is part of an ongoing effort to use innovative technologies to better secure the system. Criminals are always looking for ways to exploit the payment system, and we will continue to adapt security measures to meet evolving threats.”

Industry was cited as doing its part in the President’s efforts, with MasterCard promising to provide customers with free identity theft monitoring and resolution support, while Visa has plans for a national public service campaign to educate consumers and merchants about chip technology. American Express will launch a program in January providing support to small businesses upgrading their point-of-sale terminals, the President noted.

President Obama also addressed other cybersecurity issues. To aid the prevention of identity theft, he announced support for the Federal Trade Commission’s efforts to launch IdentityTheft.gov, a one-stop resource for victims intended to streamline the reporting and remediation process with credit bureaus. The order also directed businesses to engage in “expanded information sharing” to aid federal investigators.

The President again called upon Congress “with urgency” to enact national data breach notification legislation in lieu of the current patchwork of state laws as well as cybersecurity legislation “that will help the Government better protect Federal networks and … appropriately balance[] the need for greater information sharing and strong protection for privacy and civil liberties.”

To read the executive order, click here.

Beware of Civil Copycat Suits Following Agency Enforcement Actions


Why it matters

Over the years, companies and individuals that have been the subject of enforcement actions by the Federal Trade Commission, state attorneys general, or other agencies have often found themselves on the receiving end of a plaintiff attorney civil lawsuit in the wake of the regulatory action. Now the subject of a Consumer Financial Protection Bureau (CFPB) action has been named in a putative class action suit after settling charges with the CFPB. Companies and individuals should be aware that the trend of copycat civil suits has now spread to the CFPB. While it can be difficult to limit agency actions in a way to prevent such suits, it may be more fruitful to take steps to limit the ability of the civil plaintiff to obtain the results of the agency’s investigation through Freedom of Information Act requests or other means. Experienced enforcement counsel should be consulted from the start of any investigation or inquiry to reduce the potential for follow-on litigation to the extent possible.

Detailed discussion

In July 2013, the CFPB filed suit against Castle & Cooke Mortgage LLC and related individuals. The Utah federal court complaint alleged that the defendants “developed and implemented a scheme by which the Company would pay quarterly bonuses to loan officers in amounts that varied based on the interest rates of the loans they originated,” in violation of the Federal Reserve Board’s Loan Originator Compensation Rule.

The defendants reached a deal with the CFPB by the end of 2013. In addition to a $4 million civil penalty and $9.2 million in restitution, they agreed to end the unlawful compensation practices. Importantly, the consent order also provided that “[r]edress provided by the Company shall not limit consumers’ rights in any way.”

Taking that provision to heart, Utah resident Luis Cabrales filed a putative class action suit against Castle & Cooke in July. Alleging violations of the Truth in Lending Act (TILA), the Real Estate Settlement Procedures Act (RESPA), and California and Utah state laws, Cabrales said he purchased a home in 2012 and financed the purchase using a residential mortgage loan with Castle & Cooke.

“At the time plaintiff entered into the mortgage loan with [the defendants], plaintiff was unaware that [they] had implemented a secret, illegal bonus program,” the complaint alleged. The suit referenced the CFPB action and stated that Cabrales received a check from the CFPB in May for $795.02, his share from the restitution fund.

“Plaintiff is owed additional amounts as a result of [the defendants’] illegal practices,” according to the complaint, adding that his claims were tolled until the date he received his check from the CFPB.

Cabrales sought to represent both a statewide and a nationwide class of consumers who obtained a mortgage loan where the defendants paid a bonus based on the terms and conditions of the loan. Class members are entitled to actual and statutory damages, three times their loan origination and settlement charges pursuant to RESPA, injunctive relief and restitution, plus attorneys’ fees and costs, the suit contends.

The defendants responded with a partial motion to dismiss the complaint. Leaving the TILA claims for another day, the defendants told the California federal court that the plaintiff failed to state a valid claim under RESPA and could not recover under his state law claims based on equitable remedies and unjust enrichment.

Cabrales alleged that “Castle & Cooke improperly compensated its own loan officers for work that they actually performed,” the defendants wrote. “But plaintiff does not allege any facts showing that Castle & Cooke paid a referral fee to a third party, or that it split charges with persons who did no work. Therefore, he cannot state a RESPA claim.”

RESPA doesn’t prohibit overcharges, the defendants added.

As for the state law claims, both were premised upon the lack of an adequate remedy at law, Castle & Cooke said. Because the plaintiff asserted a legal claim for violation of TILA, he cannot contend he lacks an adequate remedy at law, the defendants said, requiring dismissal of the claims.

To read the complaint in Cabrales v. Castle & Cooke Mortgage, LLC, click here.

To read the defendant’s motion to dismiss, click here.

FINRA: Firms Should Not Restrict Whistleblower Rights


Why it matters

In a new regulatory notice, the Financial Industry Regulatory Authority (FINRA) reminded regulated firms not to prohibit the exercise of whistleblower rights in settlement agreements with employees and customers. Notice 14-40 cautioned firms that including confidentiality provisions “that prohibit or restrict a customer or any other person from communicating” with regulatory authorities about a possible securities law violation constitutes a violation of FINRA Rule 2010. The guidance does not preclude confidentiality provisions per se, but suggests that financial institutions include in the provision language that “expressly authorize[s]” employees or customers to communicate with authorities such as the Securities and Exchange Commission (SEC). Financial institutions should tweak potentially problematic language in settlement agreements and consider using FINRA’s sample language going forward to avoid rule violations and disciplinary action.

Detailed discussion

In 2004, FINRA issued Notice to Members 04-44, where the regulator warned firms about prohibiting or restricting customers or others from disclosing to regulators the terms of a settlement and the underlying facts of the dispute.

Ten years later, Regulatory Notice 14-40 reiterated the importance of complying with FINRA Rule 2010, the Standards of Commercial Honor and Principles of Trade, “which requires firms to observe high standards of commercial honor and just and equitable principles of trade in the conduct of their business” when drafting settlement agreements.

A customer or any other person “may, at any time, alert FINRA to potentially fraudulent or suspicious activities by a firm or its associated persons through FINRA’s Investor Complaint Center or communicate directly with SEC staff regarding a possible securities law violation,” the guidance stated.

Instead of drafting a confidentiality provision in a settlement agreement to prohibit or restrict an individual’s ability to communicate with a regulatory authority, firms should take the opposite approach, FINRA said.

“Confidentiality provisions in settlement agreements should be written to expressly authorize, without restriction or condition, a customer or other person to initiate direct communications with, or respond to any inquiry from, FINRA or other regulatory authorities,” according to Notice 14-40.

The regulator noted that confidentiality provisions in settlement agreements are not verboten, providing an example of acceptable language: “Any non-disclosure provision in this agreement does not prohibit or restrict you (or your attorney) from initiating communications directly with, or responding to any inquiry from, or providing testimony before, the SEC, FINRA, any other self-regulatory organization or any other state or federal regulatory authority, regarding this settlement or its underlying facts or circumstances.”

FINRA added that discovery stipulations should not be used to foreclose whistleblower rights, either.

During the arbitration discovery process, the parties generally exchange documents and information. FINRA’s Discovery Guide allows for confidentiality agreements between the parties, stating that “[i]f a party objects to document production on grounds of privacy or confidentiality, the arbitrators or one of the parties may suggest a stipulation between the parties that the documents in question will not be disclosed or used in any manner outside of the arbitration of the particular case, or the arbitrators may issue a confidentiality order.”

Such stipulations do not impact the disclosure of documents to regulators, FINRA noted, and a firm’s use of the confidentiality provisions in discovery agreements to prohibit or restrict an individual’s ability to communicate with regulators “may result in FINRA disciplinary proceedings for violation of FINRA Rule 2010.”
