On August 11, the CFPB published a circular confirming that covered persons and service providers under the Consumer Financial Protection Act (CFPA) may violate the CFPA’s prohibition against unfair acts or practices when they fail to adequately safeguard consumer information.

Pursuant to the Gramm-Leach-Bliley Act, the FTC and federal banking agencies have promulgated rules and interagency guidelines requiring financial institutions to establish appropriate administrative, technical, and physical safeguards to protect the security and confidentiality of customer information. Such safeguards include restricted access to customer information, encryption of information, and periodic reports on the information security program to the board of directors, among other requirements. In the circular, the CFPB stated that failure to comply with these specific requirements may be an unfair act or practice under the CFPA in certain circumstances.

The CFPA defines an unfair act or practice as an act or practice: (1) that causes or is likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers, (3) where the substantial injury is not outweighed by countervailing benefits to consumers or competition. The CFPB explained that inadequate data security measures can cause substantial injury, such as significant harm to a few consumers who become the victims of targeted identity theft or harm to potentially millions of consumers in the event of large customer-base-wide data breaches. The agency stressed that actual injury is not required to meet the substantial injury prong, as a significant risk of harm is also sufficient. This means that even practices that are merely likely to cause substantial injury, such as inadequate data security measures that have not yet resulted in a data breach, can still satisfy this prong of unfairness.

With respect to the second prong of unfairness, the CFPB explained that consumers are unable to reasonably avoid the harms caused by a firm’s data security failures as they typically do not know whether appropriate security measures are properly implemented, do not control an entity’s security measures, and lack practical means to reasonably avoid harms resulting from data security failures. As for the final prong, the CFPB noted that where companies forgo reasonable cost-efficient measures to protect consumer data, the agency expects the risk of substantial injury to consumers to outweigh any purported countervailing benefits to consumers or competition.

The circular also highlighted a number of data security-related cases brought by the FTC, wherein the agency alleged violations of its analogous prohibition against unfair practices under the FTC Act in connection with inadequate authentication practices, poor password management, failure to remediate known software security vulnerabilities, and other deficient data security practices.

The CFPB provided the following examples of conduct that increase the risk of triggering liability under the CFPA:

• Not requiring multi-factor authentication for employees or not offering multi-factor authentication as an option for consumers accessing systems and accounts, or failing to implement a reasonably secure equivalent.

• Not having adequate password management policies and practices. This includes failing to have processes in place to monitor for breaches at other entities where employees may be re-using logins and passwords, and using default enterprise logins or passwords.

• Not routinely updating systems, software, and code or failing to update them when notified of a critical vulnerability. This includes using versions of software no longer actively maintained by vendors and not keeping track of which systems depend on what software to ensure that software is up to date. The CFPB highlighted its complaint against Equifax over the consumer reporting agency’s 2017 data breach. The CFPB alleged that Equifax violated the CFPA’s prohibition on unfair acts or practices by, among other things, failing to patch a known vulnerability for more than four months, which resulted in hackers gaining access to Equifax’s system and obtaining the personal information of millions of consumers.

The CFPB stressed that the circular does not suggest that particular security practices are specifically required under the CFPA. Nevertheless, financial companies and their service providers should review their information security programs and take care to implement common data security measures—such as multi-factor authentication, adequate password management, and timely software updates—to help minimize the risk of an unfairness violation.

Really interesting one for the servicers and collectors out there.

Similar to the TCPA’s marketing vs. informational messaging divide, there continues to be a divide between collection vs. informational messaging in the FDCPA context.

In Hurtser v. Specialized Loan Servicing, Case No: 4:21-cv-00318 (E.D. Mo. Aug. 5, 2022) the Court considered whether the following voicemail constituted debt collection:

This message is from Specialized Loan Servicing. During this time of the recently announced national emergency relating to COVID-19, we are contacting you to remind you of alternative methods to receive information about your account, or to make payments. You may make payments via our website at http://www.sls.net or calling our Payment IVR service at (800) [xxx]-[xxxx] You can receive account information via our website at http://www.sls.net or through our automated phone system at (800) [xxx]-[xxxx]. Thank you.

[article_ad]

If it did, then SLS was in a heap of trouble because the messages does not comply with various FDCPA requirements. However, the Court concluded the voicemail–which was sent to all customers and not just those in default–did not constitute debt collection:

Based on the record before the Court, no reasonable jury could find that an animating purpose of SLS’s voicemail message was to induce payment. Nothing in SLS’s informational message is specific to Plaintiff’s debt; in fact, there is no mention of his debt. No part of the message requests or demands payment from Plaintiff. It does not threaten consequences for nonpayment. Thus, SLS’s voicemail message was not a “communication in connection with the collection of a debt” as required to establish liability under the FDCPA. 

Really interesting case.

Now I note this one easily could have gone the other way. The SLS representative testified that he hoped customers would respond to this VM by making payments–and that would include customers in default. But it does show that Courts will be somewhat understanding of messages sent to inform customers of changed payment options.

Of note for the TCPA world, the Plaintiff had originally sued under the TCPA but switched his focus to the FDCPA when consent was discovered. Something to keep in mind. Many times a Plaintiff will come for the TCPA–bigger scarier damages–but stay for FDCPA claims if/when the TCPA component evaporates.

Also, remember an “all customers” blast using a prerecorded call is a DANGEROUS thing folks. If numbers in the campaign had changed hands you can be sued for wrong number calls under the TCPA, regardless of whether or not the calls were for marketing purposes or not. Be sure to scrub the new RND database anytime your “last good” date is more than 90 days in the past–and you should consider scrubbing as soon as 30 days.

SLS was fortunate that the Plaintiff in this case was not a wrong number call recipient. Case could have been much worse.

Always happy to chat.

The order can be found here.

On August 4, Consumer Financial Protection Bureau (CFPB or Bureau) Director Rohit Chopra spoke at the Philadelphia Federal Reserve Bank’s Sixth Annual Fintech Conference, arguing that enforcement actions rather than financial literacy efforts were necessary to prevent consumer abuse.

Chopra said that while there is value in educating consumers to spot risks and find trustworthy advice, financial products are inherently challenging to understand. “Disclosures are not going to be what’s fixing it,” Chopra said. “What is often going to fix it is to eradicate unlawful actors who really prey on people.”

Chopra was even more pointed in his July 14 prepared remarks for the Financial Literacy and Education Commission where he claimed that “financial education can be harmful.”

Chopra’s statements reflects a marked change from Chopra’s predecessor’s, former Director Kathleen Kraninger, approach to consumer protection. Kraninger listed education as the “first tool” in the CFPB’s toolbox in preventing consumer harm. In a 2019 speech at the Bipartisan Policy Center, Kraninger stated that the Bureau could not and should not try to “be everywhere, with everyone, at every transaction” and so would look to empower consumers to help themselves and make good financial choices.

Chopra, meanwhile, cast doubt on the effectiveness of that approach on August 4. “The experiment has not had much success,” Chopra said. “One, I think in some cases financial education has made people worse off because they become overconfident.”

The CFPB’s increased emphasis on enforcement led to an uptick in fair lending enforcement in 2021, and that trend has continued with increased enforcement in areas, such as loan servicing, credit reporting, student loans and small business lending.

Troutman Pepper will continue to monitor important developments involving the CFPB and enforcement actions and will provide further updates as they become available.

OGDEN, UT – Payment communication software company PDCflow and call center software company PIMSWARE have teamed up to deliver secure capture payment technology. 

Through an integration with PDCflow’s Flow Technology, PIMSWARE users can now send texts and emails or call via dialer and collect secure signatures and payments from consumers – all within a single system.

“Partnering with PDCflow has provided a great value-add to our customers by allowing a fast and seamless way to securely take payments within the PIMSWARE platform,” says Rachel Johnson, Business Development, PIMSWARE.

With secure payment capture, agents can take payments over the phone without seeing or hearing sensitive card information. Card numbers are entered by the consumer via the dial pad on their phone, and payment automatically reflects in the PIMSWARE collection system. 

Through this integration: 

• All account information is merged, making it available in one place – no need to log into one tool to dial the consumer, then another to request signatures and securely process a payment.

• Companies can offer a secure, compliant way for agents to take payments in a work from home setting.

• Call centers can reduce fraud and limit PCI scope by eliminating receipt and storage of sensitive information.

• Simplify reconciliation between payments processed by PDCflow and transactions entered into the PIMSWARE system with real-time, side-by-side comparison of payments posted. 

Streamlining the process of sending documents and getting signatures and secure payments from consumers turns promised payments into actual payments, reduces chargebacks, and increases consumer satisfaction.   

About PDCflow

PDCflow is a payment software that empowers organizations to engage consumers through digital communication and digital payment channels. With patented FLOW Technology, the software gives businesses flexibility and control over the secure delivery and capture of business transactions, including payments, signatures, photos and documents through digital channels.

Flexible and customizable APIs allow platforms to easily integrate, giving their users the ability to accept payments through multiple channels and electronic communication methods while keeping their software out of PCI scope. Integrators save on the cost and time of PCI compliance while still having control over their user experience.

Programming and customer operations for PDCflow’s national client base have been completed in-house in Ogden, Utah, since the company’s founding in 2003. Find out more about PDCflow at https://www.pdcflow.com/.

About PIMSWARE

PIMSWARE is a software development company that provides solutions to organizations that manage large volumes of data, online fulfillment, debt collection, and call center operations.

With a focus on the debt receivables industry, their mission is to provide turnkey solutions that meet needs of organizations across various industries.

The PIMSWARE suite of products includes:

• Debt collection system
• Predictive auto dialer
• Call metrics
• Stratification tool
• Ring-less voicemail
• Nearshore call center services

Are lenders being too cautious when it comes to using texting / SMS for debt collection? Several third-party agencies with deep SMS experience say yes.

Texting with consumers who are dealing with delinquent or charged off accounts can result in a major lift in engagement and overall performance. Nevertheless, the collections & recovery industry has been slow to add texting to their digital debt collection strategy because of some serious concerns about compliance – despite the arrival of new Regulation F guidance covering texting.

Some of those concerns, however, are based on compliance myths about texting with consumers. And those myths may be holding lender back from using SMS as much as they could. Let’s debunk three of those myths.

Myth #1: Texting Consumers Increases Consumer Complaints

Frankly, this is just not true.

Third-party agencies using texting to contact consumers report that they receive more complaints about calls than texts by an order of magnitude, and consumers largely see texts as much less invasive than calls. One of those experts attributed this to texts giving the consumer the ability to opt out without having to speak to a person. As long as you have a solid process by which to process opt outs (for example, allowing the consumer to text “stop” to opt out), texting is a less-invasive, high-reward way to reach consumers about their delinquent or charged off accounts.

Pro-tip: avoid requiring the consumer to click a link to opt out. Most consumers view links as potential scams and may be reluctant to click.

Myth #2: Under Regulation F, Consent is Absolutely Required

This one is a bit more complicated.

[article_ad]

Creditors and lenders get consent to communicate via text up front when the account originates, but it’s up for debate whether that consent passes to third party agencies. Whether consent passes to third parties is a question for collections & recovery attorneys to consider, but there is an argument that allows us to mostly disregard that concern.

Operational experts from the third-party agencies who are on the cutting edge of innovation in the space have the opinion that Regulation F doesn’t expressly require an opt-in or consent from the consumer to send text messages. Regulation F does, however, explicitly require an opt out.

Discussing this option with your agency partners is key to getting a robust texting program in place, and while risk appetite may vary, it’s clear that consumers prefer texting to phone calls, so it’s certainly a worthy discussion.

Myth #3: There’s a Safe Harbor in Reg F, and You Must Abide by it

Regulation F presents a safe harbor for email and text communication which involves verifying the consumer’s information in one of the ways laid out in the rule prior to engaging in outbound texting.

But that safe harbor is not the law, and it doesn’t protect the creditor, only the agency.

Third-party disclosure is a real risk when engaging in text communication with consumers, but creditors should be focused on understanding how their agency partners prevent third-party disclosure without managing to the safe harbor, but instead managing to the FDCPA and Regulation F.

Pro-tip for creditors: Understanding your risk from the beginning is key. Work with your agency partners to create a robust digital collection strategy by getting all of the necessary teams involved from the beginning of the process, especially your legal and complaint departments and your TCPA experts.

———–

Are you interested in Digital Collections and Recovery Strategy Best Practices? If so, you can find the (free!) iA Strategy and Tech Short Guide Digital Collections and Recovery Strategy Best Practices in 2022. You can find resources like this as well as the latest trends in collections and recovery strategy, digital debt collection, vendor management, and compliance in the iA Strategy and Tech newsletter. To get these insights delivered directly to your inbox, sign up here.