On Oct. 25, 2022, the Director of the Consumer Financial Protection Bureau (CFPB), Rohit Chopra, announced at a fintech conference that the CFPB “will launch the process to activate a dormant authority under Section 1033 of the Consumer Financial Protection Act . . . [to] provide for personal financial data rights for Americans . . .”

As background, § 1033[1] of the Consumer Financial Protection Act, a/k/a, the Dodd-Frank Act, generally allows a consumer access to transactional information that a business holds related to products or services that were provided to the consumer.

Specifically, § 1033(a) provides:

“Subject to rules prescribed by the Bureau, a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data. The information shall be made available in an electronic form usable by consumers.”

Of course, the rulemaking process under § 1033 was actually “launched” six years ago when the CFPB issued a Request for Information, which was followed by an Advance Notice of Proposed Rulemaking in 2020 that received 100 comments.

SMALL BUSINESS REGULATORY ENFORCEMENT ACT (SBREFA) PROCESS

Director Chopra’s announcement was aligned with the Spring 2022 Unified Agenda that indicated the CFPB would issue a Small Business Regulatory Enforcement Fairness Act Outline (“Outline”) in November 2022.  In fact, the CFPB ended up slightly ahead of schedule, issuing the Outline on Oct. 27.

The purpose of the Outline is “to assess the impact on small entities that would be directly affected by the proposals under consideration prior to issuing a proposed rule regarding section 1033.”  The CFPB will convene a Small Business Review Panel to request and receive feedback from small entity representatives, and others may submit comments by Jan. 25, 2023.

SBREFA OUTLINE

The Outline consists of 149 questions on these topics:

• Coverage of data providers subject to the proposals under consideration
• Recipients of information
• The types of information a covered data provider would be required to make available
• How and when information would need to be made available
• Third party obligations
• Record retention obligations
• Implementation period
• Potential impacts on small entities

COVERAGE OF DATA PROVIDERS

The CFPB is proposing rules that would require a defined subset[2] of covered persons[3] that are data providers[4] to make consumer financial information available to a consumer or an authorized third party.[5],[6],[7],[8]

The CFPB is beginning with these covered persons, in part, “because they both implicate payments and transaction data,” noting, however, that it “intends to evaluate how to proceed with regard to other data providers in the future.”

Initially, as proposed, the rules would apply to this subset of covered persons:

1. Financial institutions with consumer “accounts” as defined in Regulation E,[9] such as banks, credit unions and other entities holding consumer asset accounts; and

2. “Card issuers” as defined in Regulation Z.[10]

Regarding entities that meet the Regulation E definition, the CFPB identifies:

• Banks and credit unions that directly or indirectly hold a consumer asset account (including a prepaid account);

• Other persons that directly or indirectly hold an asset account belonging to a consumer (including a prepaid account); and

• Persons that issue an access device and agree with a consumer to provide electronic fund transfer (EFT) services (including mobile wallets and other electronic payment products).

Regarding entities that meet the Regulation Z definition, the CFPB identifies:

• Issuers of a credit card account under an open-end (not home-secured) consumer credit plan (as defined in Regulation Z § 1026.2(a)(15)(ii)), i.e., a credit card account under an open-end (not home-secured) consumer credit plan is any open-end credit account that is accessed by a credit card; and

• Issuers that do not hold consumer credit card accounts, but that issue credit cards, such as by issuing digital credential storage wallets, notwithstanding that those transactions rely on consumer credit card accounts held at another entity.

The CFPB is also considering exempting some data providers from a requirement to make data available via data portals based on thresholds, such as asset size of activity level.

RECIPIENTS OF INFORMATION

The CFPB is proposing that “a covered data provider would satisfy its obligation to make information available directly to a consumer by making the information available to the consumer who requested the information or all the consumers on a jointly held account.”  This section includes a discussion of third-party authorization requirements.

TYPES OF INFORMATION MADE AVAILABLE

The CFPB proposes covered data providers would make available the following types of information:

1. Periodic statement information for settled transactions and deposits, such as generally appear for asset and credit card accounts;

2. Information regarding prior transactions and deposits that have not yet settled, such as transaction histories commonly made available through online management portals;

3. Other information about prior transactions not typically shown on periodic statements or portals, such as data from payment networks;

4. Online banking transactions that the consumer has set up but that have not yet occurred, such as with bill pay services;

5. Account identity information, but balancing it with concerns about fraud, privacy, and security; and

6. Other information, such as:

• Consumer reports from consumer reporting agencies, such as credit bureaus, obtained and used by the covered data provider in deciding whether to provide an account or other financial product or service to a consumer;
• Fees that the covered data provider assesses in connection with its covered accounts;
• Bonuses, rewards, discounts, or other incentives that the covered data provider issues to consumers; and
• Information about security breaches that exposed a consumer’s identity or financial information.

HOW AND WHEN INFORMATION WOULD BE MADE AVAILABLE

Regarding direct access to information by consumers, the CFPB proposes that “a covered data provider would be required to make available information if it has enough information to reasonably authenticate the consumer’s identity and reasonably identify the information requested.”  Also, with proper authentication, that “covered data providers would be required to allow consumers to export the information covered by the proposals under consideration in both human and machine-readable formats.” 

The CFPB seeks input regarding consumer identity authentication, fees, included data elements, and data formats.

Related proposals regarding third-party access include:

Third-party portals that do not require an authorized third party to possess or retain consumer credentials;

Requirements to promote the availability, security, and accuracy of information made available to authorized third parties, including establishment of a general framework under which industry-set standards and guidelines can further develop;

• Third-party portal requirements related to factors affecting the quality, timeliness, and usability of the information;

• Required policies and procedures or performance standards to ensure that the transmission of information through the covered data provider’s third-party access portal does not introduce inaccuracies;

• Requirements to make information available to a third party only upon receipt of a third party’s authority to access information on behalf of a consumer, information sufficient to identify the scope of the information requested, and information sufficient to authenticate the third party’s identity; and

• Requirements and restrictions regarding the provision of information to third parties that is known to be inaccurate.

THIRD PARTY OBLIGATIONS

Here, the CFPB’s proposals relate to the obligations of third parties, including:

• Prohibiting the collection, use, or retention of consumer information beyond what is reasonably necessary to provide the product or service the consumer has requested;

• Limitations on duration and frequency of information access;

• Limitations on third parties’ secondary use of consumer-authorized information;

• Deletion of consumer information that is no longer reasonably necessary to provide the consumer’s requested product or service, or upon the consumer’s revocation of the third-party’s authorization;

• Compliance with the Safeguards Rule or Safeguards Guidelines, or development and implementation of security programs based on the third party’s size and complexity and the nature of the data;

• Requiring policies and procedures to ensure the accuracy of information collected and used;

• Requiring periodic reminders to consumers on how to revoke authorization; and

• Requiring a mechanism to request information about the extent and purposes of the authorized third party’s access.

RECORD RETENTION OBLIGATIONS

The CFPB is seeking feedback on its proposal for “record retention requirements for covered data providers and authorized third parties to demonstrate compliance with certain requirements of the rule.”

IMPLEMENTATION PERIOD

The CFPB is seeking “input on an appropriate implementation period for complying with a final rule,” and how the timeframe may need to take into consideration smaller entities’ ability to operationalize the requirements.

POTENTIAL IMPACTS ON SMALL ENTITIES

A major part of this section is devoted to quantifying the number of small entities that may be affected by the proposals. The CFPB provides estimates for the following:

Small Depository Firms

• Commercial Banking and Savings Institutions
• Credit Unions

Small Nondepository Firms

• Software Publishers
• Data Processing, Hosting, and Related Services
• Sales Financing
• Consumer Lending
• Real Estate Credit
• Financial Transactions Processing, Reserve, and Clearinghouse Activities
• Other Activities Related to Credit Intermediation
• Investment Banking and Securities Dealing
• Securities Brokerage
• Commodities Contracts Brokerage
• Payroll Services
• Custom Computer Programming Services
• Credit Bureaus

IMPRESSION

The concepts and proposals in the Outline are similar to the consumer rights contained in the data privacy laws passed in California, Virginia, Colorado, Utah, and Connecticut, with one major difference: there is no exemption for data or entities subject to the Gramm-Leach-Bliley Act.  Thus, businesses that fit the definition of a covered data provider and have previously relied in whole or in part on those GLBA exemptions should monitor this rulemaking closely and consider the new compliance challenges it will pose.

—————–

[1]  12 U.S.C. § 5533.

[2] “Covered data provider means a financial institution, as defined in Regulation E (EFTA), or a card issuer, as defined in Regulation Z (TILA), who is a data provider.”  Outline, p. 66

[3] “The term ‘covered person’ means: (A) any person that engages in offering or providing a consumer financial product or service; and (B) any affiliate of a person described in subparagraph (A) if such affiliate acts as a service provider to such person.”  12 U.S.C. § 5481(6).

[4] A “data provider” means a covered person, as defined under the Dodd-Frank Act (12 U.S.C. 5481(6)), with control or possession of consumer financial information. Outline, p. 66.

[5] “Third party refers, generally, to data recipients or data aggregators.” Outline, p. 68.

[6] “Data recipient means a third party that uses consumer-authorized information access to provide (1) products or services to the authorizing consumer or (2) services used by entities that provide products or services to the authorizing consumer.” Outline, p. 66.

[7] “Data aggregator (or aggregator) means an entity that supports data recipients and data providers in enabling consumer-authorized information access.” Outline, p. 66.

[8] “Authorized third party means a third party who has followed the procedures for authorization described in part III.B.2.” Outline, p. 66.

[9] “’Account’ means a demand deposit (checking), savings, or other consumer asset account (other than an occasional or incidental credit balance in a credit plan) held directly or indirectly by a financial institution and established primarily for personal, family, or household purposes.” 12 C.F.R. § 1005.2(b)(1).

[10] “Card issuer means a person that issues a credit card or that person’s agent with respect to the card.” 12 C.F.R. § 1026.2(a)(7).

In Wakefield v. ViSalus, Inc., the Ninth Circuit considered whether a jury verdict of $925,200,000 for cumulative statutory damages under the Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”) was constitutional in light of its harsh severity.  After a three-day trial, the jury delivered a verdict against ViSalus, finding that it sent over 1.8 million prerecorded calls to class members without prior express consent, in violation of the TCPA.   As the TCPA sets the minimum statutory damages at $500 per call, the total damage award against ViSalus was a staggering $925,220,000.

On appeal, the Ninth Circuit vacated and remanded the district court’s denial of ViSalus’s post-trial motion challenging the constitutionality of the statutory damages award under the Due Process Clause of the Fifth Amendment to permit reassessment of that question.  Turning to Supreme Court precedent from over a century ago, the Ninth Circuit reasoned that in certain extreme circumstances, a statutory damages award violates due process if it is so severe and oppressive as to be wholly disproportionate to the offense and obviously unreasonable.  The Court of Appeals held that this constitutional due process test should apply to aggregated statutory damages awards even where the statutory per-violation award is constitutional, which has been the case in individual TCPA actions. 

Providing a roadmap for district courts, the Ninth Circuit cited the factors it considered over three decades ago in Six Mexican Workers v. Arizona Citrus Growers, 904 F.2d 1301 (9th Cir. 1990), to determine whether an aggregated statutory damages award is disproportionately punitive:

• The amount of award to each plaintiff,
• The total award,
• The nature and persistence of the violations,
• The extent of the defendant’s culpability,
• Damage awards in similar cases,
• The substantive or technical nature of the violations, and
• The circumstances of each case.

Wakefield demonstrates that due process considerations are increasingly receiving traction from the Courts of Appeals.  In Parker v. Time Warner Entm’t Co., 331 F.3d 13, 22 (2nd Cir. 2003), the Second Circuit addressed this issue but only as a hypothetical in the context of a prospective aggregate statutory damages award under the Cable Communications Policy Act.  More recently, the Eighth Circuit, in Golan v. FreeEats.com, Inc., 930 F.3d 950 (8th Cir. 2009), affirmed a district court’s reduction of a $1.6 billion aggregate statutory damages award under the Due Process Clause. 

In light of this increasing trend, Wakefield may have powerful implications for putative class actions based on statutes, which permit large aggregate awards, in particular the TCPA.  A few of those implications are set forth below. 

New Challenge to Class Certification

If aggregate statutory damages have a potential to become unconstitutional, a class action cannot be viewed as a superior vehicle to litigating individual claims if the class members cannot get the full amount of statutory damages. 

Restructuring Settlement Leverage

Hypothetical aggregated jury statutory damage awards often drive outrageous settlement demands and results in less room for negotiation post class certification.  The risk of a challenge to an unfairly punitive damages award provides new settlement leverage. 

Traction for Constitutionality Defenses

Companies have been raising affirmative defenses that damages on a class wide basis are unconstitutional for years.  However, those companies have found little success until the Wakefield ruling.  This case may signal that affirmative defenses contesting constitutionality have some teeth.

Reconsideration of Statutory Damages By Congress

The TCPA, which provides statutory damages of $500 to $1,500 per call was enacted in 1991—a much less automated time.  In Wakefield, the Ninth Circuit recognized that “modern technology permits hundreds of thousands of automated calls and triggers minimum statutory damages with the push of a button.”  Wakefield at 34.  The Ninth Circuit implicitly suggests that Congress may want to revisit the damages it assigned to more antique statutes. 

CHICAGO, Ill. — More than one in three (37%) collections firms are now using text/SMS messaging — a modest increase from last year when 31% were utilizing this communications channel with consumers. A different story emerges when broken out by large firms (100k or more accounts) and small firms (fewer than 100k accounts).  While more than half (56%) of large firms now utilize text/SMS messaging, only 17% of small firms have adopted the channel.

The findings were revealed today in the fourth annual industry report by TransUnion and Aite-Novarica, “Charting the Course and Steering Towards Success: The Collections Industry in 2022,” The report examines overall collections industry trends, challenges and opportunities and is informed by a survey of 140 third-party debt collection professionals conducted in Q2 and Q3 2022.

The report found that large firms continue to invest in solutions that create efficiencies within their compliance efforts for the Consumer Financial Protection Bureau’s Regulation F requirements. Meanwhile, small firms, likely constrained by budgets, are lagging this trend.

“The slow adoption of texting and SMS messaging was somewhat surprising, given the limitations Reg F placed on outbound calling and American consumers’ clear preference for text as a communications channel,” said Jason Klotch, vice president of third-party collections in TransUnion’s diversified markets business. “In general, the success of companies in this space will be dependent upon their adoption of digital solutions that create efficiencies and cost savings.”

Despite slower momentum in adoption of digital solutions, the industry appears to recognize the importance of utilizing new solutions and approaches. Overall, 34% of companies plan to add text/SMS messaging—among other tools—to their communications channels within the next two years. Again, this looks different when broken out by firm sizes. Larger firms appear poised to accommodate consumers’ preferences for communications channels, as well as their desire for on-demand, self-service capabilities.

Machine-learning on the horizon

Further down the list of priorities are machine-learning technologies. Currently, 31% of large firms are using an in-house or outsourced machine-learning solution, while 45% are considering one or the other. This tool will likely grow in popularity as the supply of data scientists improves, the technology is further developed, and regulation surrounding its use is shored up.

The primary reasons companies want these solutions are the ability to predict the communication channel most likely to get a consumer’s response; evaluate an account’s past activities to prescribe a next course of action; and to answer inbounds and take the consumer as far as possible.

“Right now less than a quarter of the collections industry is using some type of machine-learning solution, which makes sense because it’s a considerable investment,” said Klotch. “However, given this technology’s ability to help firms maximize efficiency and increase revenue, we’ll likely see it become an essential tool in the near future.”

A changing workforce

In line with this focus on new technology and solutions, collections firms indicate resources will shift accordingly. The survey found 55% agree or strongly agree that they plan to invest in agentless contact strategies, such as chatbots and text messaging. Relatedly, 53% agree or strongly agree that consolidation and technology innovation will lead to fewer jobs in the collections industry over the next year.

While the cause is not clear, nearly 80% of respondents agreed or strongly agreed that hiring is much harder than it was two years ago. A small silver lining: slightly less (67%) agreed or strongly agreed that retention is much harder than it was two years ago.

“This report really demonstrates a sea change as the industry evolves to meet regulators’ demands and consumers’ preferences. Larger firms will be able to more broadly leverage emerging technologies that reduce their reliance on direct contact by collections agents, while smaller firms will need to judiciously choose solutions that best augment their strengths for right-party contacts,” concluded Klotch.

About the report

Insights on the challenges, trends, and innovations occurring in the third-party collections industry are informed by a quantitative survey of 140 third-party debt collection professionals conducted late Q2 and early Q3 2022. Survey results are representative of the market at a 95% confidence interval with an 8-point margin of error. Any differences noted between survey respondents, such as breakouts by company size, collection footprint, or changes in year-over-year survey results, are significant at an 85% confidence interval. This is the fourth annual survey of the third-party collections industry conducted by TransUnion and Aite-Novarica Group. The full report is available here.

About Aite-Novarica Group

Aite-Novarica Group is an advisory firm providing mission-critical insights on technology, regulations, strategy, and operations to hundreds of banks, insurers, payments providers, and investment firms—as well as the technology and service providers that support them. Comprising former senior technology, strategy, and operations executives as well as experienced researchers and consultants, our experts provide actionable advice to our client base, leveraging deep insights developed via our extensive network of clients and other industry contacts. Visit us on the web and connect with us on Twitter and LinkedIn.

About TransUnion (NYSE: TRU)

TransUnion is a global information and insights company that makes trust possible in the modern economy. We do this by providing an actionable picture of each person so they can be reliably represented in the marketplace. As a result, businesses and consumers can transact with confidence and achieve great things. We call this Information for Good®.

A leading presence in more than 30 countries across five continents, TransUnion provides solutions that help create economic opportunity, great experiences and personal empowerment for hundreds of millions of people.

http://www.transunion.com/business

Good news! At least as of now…

So back in 2021, Jay Edelman was granted leave of court to file a complaint alleging an extremely dangerous argument that text message “chatbot” constitutes a prerecorded voice. Risher v. Adecco, No. 19-CV-05602-RS, 2021 WL 9182421 (N.D. Cal. Sept. 17, 2021)

Why is this extremely dangerous? Well, if they were to succeed then every text message, even if ATDS was not utilized, would be subject to the TCPA.

[article_ad]

This would open the floodgates for a massive number of lawsuits, but so far, the courts have been consistent with shooting this argument down. See Mina v. Red Robin International, Inc., Case No. 20-cv-00612-RM-KLM (August 18, 2022, D. Col.); see also Soliman v. Subway Franchisee Advert. Fund Tr., Ltd., No. 3:19-CV-592 (JAM), 2022 WL 2802347 (D. Conn. July 18, 2022); Eggleston v. Reward Zone USA LLC, 2:20-cv-01027-SVW-KS, 2022 U.S. Dist. LEXIS 20928 (C.D. Cal. January 28, 2022).

The Northern District of California followed suit here in Risher ruling that text messages are not “voices”—meaning that a text message cannot violate the provision of that TCPA prohibiting unsolicited calls made using an “artificial or prerecorded voice.” No. 19-CV-05602-RS, 2022 WL 17082667 (N.D. Cal. Nov. 18, 2022).

Mr. Risher’s argument here was that, yes, these texts did not have a “voice” as in audible spoken words, but the “chatbot” used was meant to “create the impression of an interactive human ‘voice.’”

The Court disagreed with Mr. Risher’s “metaphorical voice” argument here. They held simply that text messages are not considered “voices.” This is consistent with other courts finding that the language of the TCPA should be given its ordinary meaning.

This view of the interpretation is strengthened by the use of the word “prerecorded.” As to record is “to convert sound or visual scenes into permanent form.”

The Court dismissed this claim for relief without leave to amend.

The Northern District was a lot more generous here—going so far as to call the argument “not frivolous”—than the Central District was in Eggleston which was the first in the nation to rule text messages are not prerecorded voices. In Eggleston, this argument was called “beyond the bounds of common sense.”

So at least for now, we have consistency in various jurisdictions, and it stands that text messages do not fall under the provision prohibiting unsolicited calls using an “artificial or prerecorded voice.”

However, heed the Czar’s warning: “They’ll keep filing until they find the right combination of facts in the right court with the right opposing counsel.”

What remains of the Risher class action lawsuit is a single claim for violation of the National DNC Registry provision of the TCPA. Risher is claiming Adecco violated the TCPA by sending text messages inquiring about his interest in a potential employment opportunity. Now, Mr. Risher admittedly submitted his information back to Adecco back in 2008 when he was actually seeking employment. These allegedly illegal messages were sent 11 years after this in 2019. So, it will be interesting to see what ultimately happens here since prior consent may have been given in 2008.

Find the Court’s Order here. 

PALM SPRINGS, Calif. — The fifth annual Women in Consumer Finance (WCF) conference is officially underway. The event sold out a month in advance with over 400 women from across financial services signing up for the three-day experience. It is the largest attendance the conference has drawn to date. Attendees will participate in unique networking opportunities, build authentic connections, and develop business and leadership skills while in Palm Springs.

One of the most prominent event sponsors recently told us: “WCF has become the most impactful conference in our industry, ‘hands down.’ I hear from my team that it is incredibly difficult to pull off what you do. The feedback is so overwhelmingly and resoundingly powerful because they come back connected with people on a personal level. I hear similar feedback from others in the industry, and it shows in how quickly the event sold out.”

Stephanie Eidelman, CEO of The iA Institute and Co-founder & Chair of Women in Consumer Finance, added, “This is cherished feedback because it comes from a (male) champion who isn’t even eligible to attend the event. It means that our attendees really do benefit in the way we hope they will, and they carry that value – and that message – back to their organizations.”

Women in Consumer Fiance will be back in Palm Springs for 2023. The event will take place from December 4-6 and is expected to sell out again. 

About Women in Consumer Finance

Women in Consumer Finance is a community of women dedicated to building others up and sharing experiences that impact us all. The connections and bonds that are created through WCF are unique and hard to come by in day-to-day working scenarios. We provide inspiration, a guiding hand, and a support system women can leverage to recharge their careers and deliver value to their employers. 

WCF is not about compliance, best practices, or even finance. It’s about women, our common professional challenges, and how to tell our own career story – no matter where we are on our professional journey. Learn more about getting involved with Women in Consumer Finance here.

2022 Conference Sponsors

By partnering with WCF for 2022, conference sponsors demonstrated a commitment to inclusivity and advancing women’s careers. Representatives from each organization are attending the event.

On November 21, 2022, the Federal Communications Commission (FCC) issued a Declaratory Ruling and Order finding that companies must obtain consent before sending a “ringless voicemail” to a consumer’s phone because it constitutes a “call” made using an artificial or prerecorded voice and is subject to the provisions of the Telephone Consumer Protection Act (TCPA). “Ringless voicemails” are messages sent directly to voicemail inboxes without first triggering a call ringtone. The FCC found the calls should be regulated under the artificial or prerecorded voice prong of the statute, mooting any inquiry as to whether the “ringless voicemails” are sent with an automatic telephone dialing system.

Chairwoman Jessica Rosenworcel explained the reasoning behind the decision in her statement, “It [] doesn’t seem right that a call can make its way to your voicemail inbox without you having any way to stop it. On top of that, ringless voicemail can lead to the same kind of fraud that flourishes with scam robocalls. That’s why today the [FCC] is making it crystal clear that ringless voicemail is subject to the [TCPA] and our rules prohibiting callers from sending this kind of junk without consumers first giving their permission to be contacted this way.”

The Declaratory Ruling and Order is in response to a petition from All About the Message, LLC to declare that ringless voicemail is not subject to the TCPA and, therefore, does not require consumer consent. The company argued its ringless voicemail message is not a “call” because its proprietary software creates a landline-to-landline session directly to the telephone company’s voicemail server without charge to the subscriber or appearing as a received call on a bill. When the FCC sought comment on the petition, it received over 8,000 comments and replies, almost all in opposition.

The FCC concluded, “Congress intended the TCPA to protect consumers from the nuisance and invasion of privacy caused by such artificial or prerecorded voice messages. To complete a ‘ringless robocall,’ the originator of the call must direct the call to the voicemail associated with the wireless phone number. … [W]e find that the inclusion of additional information along with the wireless telephone number to route the call does not remove a consumer’s rights under the TCPA because ‘the effect on the recipient is identical.’ To do so would elevate form over function and is inconsistent with both the text and purpose of the TCPA.”