The Federal Deposit Insurance Corporation (“FDIC”) is seeking comment on proposed examination guidance for Third-Party Lending. [1] The proposed guidance, issued July 29, provides banks with safety, soundness and consumer compliance measures to be followed when lending through a business relationship with a third party. The proposed guidance will apply to all banks that engage in third-party lending, and will also affect all institutions that seek to originate loans with banks. The proposed guidance, while appearing technical, follows a pattern of federal regulators showing increased interest in holding financial institutions accountable for the acts of those with whom they do business, resulting in increased risk and increased compliance burdens on all involved.

Supplementing the FDIC’s existing Guidance for Managing Third-Party Risk [2], the proposed guidance defines Third-Party Lending broadly as any “lending arrangement that relies on a third party to perform a significant aspect of the lending process,” and is designed to capture the use of third parties in the following portions of the lending process:

  • marketing;
  • borrower solicitation;
  • credit underwriting;
  • loan pricing;
  • loan origination;
  • retail installment sales contract issuance;
  • customer service;
  • consumer disclosures;
  • regulatory compliance;
  • loan servicing; and
  • debt collection, and data collection, aggregation, or reporting.

The proposal places special attention on three types of third-party relationships: (1) banks originating loans for third parties; (2) banks originating loans through third-party lenders or jointly with third-party lenders; and (3) banks originating loans using platforms developed by third parties. Additionally, bank participation in practices such as indirect auto lending would likely receive heightened scrutiny under the proposed guidance.

The FDIC believes numerous risks may arise or be heightened from a bank’s use of third parties in the lending process and the proposed guidance focuses on the following risks:

  • Strategic (potential misalignment of incentives and goals)
  • Operational (key operational factors not under the direct supervision of the bank)
  • Transaction (volume of loan and multiple parties increase risk exposure)
  • Pipeline and liquidity (transactions failing to be consummated and funded as expected)
  • Model (potential regulatory compliance issues related to financial models used by third parties)
  • Credit risk (misalignment of incentives and concerns about loan quality)
  • Compliance (failure to observe applicable law or internal policy)
  • Consumer compliance (fair lending, debt collection, credit reporting, privacy, etc.)
  • Bank Secrecy Act/Anti-Money Laundering (potentially inadequate procedures at the third party level)

Examples of regulators’ existing interest in these areas include examination by banking regulators and enforcement actions by the Consumer Financial Protection Bureau for “disparate impact” violations under the Equal Credit Opportunity Act arising out of banks’ indirect auto lending operations, and regulators’ effective elimination of the market for refund anticipation loans by enforcement actions against banks involved in such loans.

A bank’s board of directors and senior management are ultimately responsible for managing the bank’s third-party lending arrangements as if such activities were handled within the bank. The proposed guidance expects banks to establish third-party lending risk management programs and policies prior to entering into significant third-party lending relationships. Such programs should be tailored based on the significance, complexity, risk profile, transaction volume and number of third-party lending relationships. The FDIC also wants banks to establish processes to evaluate and monitor specific third-party lending relationships. Examples of the potential programs and processes necessary under the proposal include:

  • Incorporation of third-party lending in the strategic planning process, establishment of clear risk tolerance limits, increasing staffing to ensure oversight capability, and developing back-up plans;
  • Implementation of procedures and policies relating to third-party lending activities developed by management and approved by the bank’s board;
  • Initial and ongoing risk assessment practices relating to third-party lending relationships coupled with comprehensive due diligence and oversight of each third party relationship; and
  • Review of the contract and structuring of third-party lending relationships.

FDIC Examiners will assess each bank’s third party lending relationships in conjunction with the proposed guidance. Banks with significant third-party lending relationships can expect increased supervisory attention, including a 12-month examination cycle with concurrent risk management and consumer protection examinations, off-site monitoring, targeted examinations of significant third-party lending arrangements and possible review of the third parties themselves. The proposed 12-month examination cycle would apply to all banks, and not just lower rated institutions. This would likely lead to more routine examinations and increased compliance costs for smaller community banks.

Comments are sought on the entire proposed guidance with particular emphasis on those areas outlined in the FDIC’s Financial Institution Letter number FIL-50-2016. Comments will be accepted until September 12, 2016. Comments should be sent to thirdpartylending@fdic.gov and will be posted on the FDIC’s website at https://www.fdic.gov/regulations/laws/publiccomments/.

__________________________________

[1] FDIC Seeking Comment on Proposed Guidance for Third-Party Lending, FIL‑50-2016 (July 29, 2016)  

[2] Guidance for Managing Third-Party Risk, FIL‑44-2008 (June 6, 2008)

 

 

Microsoft prevailed in its appeal to the Second Circuit from an order denying its motion to quash a warrant seeking a Microsoft user’s email stored on the company’s servers in Ireland.  The ruling sets important precedent limiting the extraterritorial reach of the federal government in seeking to compel disclosure of private company data under the Stored Communications Act (“SCA”).  Microsoft received high profile support in its appeal, with the likes of Apple, AT&T, Amazon, Verizon Communications, Cisco, and the country of Ireland joining as amici curiae.   

The ruling may also help bolster the credibility of the fledgling EU-U.S. Privacy Shield data transfer agreement, which has been criticized by European regulators for not adequately safeguarding EU personal data from U.S. government scrutiny.  Privacy Shield’s predecessor, Safe Harbor, was struck down by the European Court of Justice over similar concerns.  European regulators have so far signaled reluctant acceptance of Privacy Shield, but issues like automated data profiling continue to cause worries.  The ruling by the Second Circuit may help to allay some fears over the staying power of Privacy Shield.

The July 14 ruling by Judge Susan L. Carney of the United States Court of Appeals for the Second Circuit reversed the denial by the District Court for the Southern District of New York of Microsoft’s motion to quash, and vacated the court’s finding of civil contempt for Microsoft’s failure to comply with the warrant.  

Judge Carney’s ruling emphasized the SCA’s intended focus on safeguarding privacy in stored electronic communications.  “Contrary to the government’s contention, this section does more than merely protect against the disclosure of information by third parties.  By prohibiting the alteration or blocking of access to stored communications, this section also shelters the communications’ integrity.”  Importantly, Judge Carney held that a “warrant” issued under the SCA is subject to traditional territorial limitations and constitutional requirements, including the presumption against extraterritoriality, and is not akin to a subpoena.   

The warrant served on Microsoft was issued by a United States magistrate judge as part of a narcotics investigation into an unnamed individual.  The warrant directed Microsoft to seize and produce the contents of the individual’s Microsoft Outlook “@msn.com” email account.  The individual’s non-content information was stored on servers in the United States.  The individual’s content information, however, was stored on servers in Ireland, as Microsoft generally stores content at datacenters located near the physical location identified by the user.   

Microsoft complied with the warrant in part and produced the individual’s U.S.-based non-content information.  Microsoft refused to produce the customer content stored on its servers in Ireland, however, and moved to quash the warrant.  Microsoft’s motion subsequently was denied by the District Court, and the company was eventually held in civil contempt. 

In presenting its case, the federal government argued that similar to a subpoena, an SCA warrant requires the recipient to deliver records to the government regardless of where the records are located, so long as they are in the recipient’s custody and control.  Microsoft swayed the court in asserting that an SCA warrant is subject to the same territorial boundaries as a traditional warrant.  Judge Carney also noted that the federal government conceded that the warrant provisions of the SCA do not contemplate or permit extraterritorial application.  The court further pointed out that the SCA itself draws a distinction between “subpoena” and “warrant”, with the latter providing a greater degree of privacy protection.   

The federal government also contended that preventing SCA warrants from reaching data stored abroad would seriously impede law enforcement efforts, and that the current process for obtaining such information, using Mutual Legal Assistance Treaties (“MLATs”), is overly cumbersome.  Judge Carney dismissed this argument, noting that international comity and the text of the SCA supported limiting the scope of a warrant under the SCA.   

The Second Circuit’s ruling can be seen as a win for companies concerned about maintaining user privacy and curbing law enforcement’s reach into private user data.  The ruling limits law enforcement’s ability to compel host companies like Microsoft to produce private user data stored abroad.

 

Health care entities and their business associates with access to electronic Protected Health Information (ePHI) are subject to the HIPAA Privacy & Security Rules. New guidance was just released regarding the requirements of the HIPAA Security Rule in the event of a ransomware attack. Additional information regarding the requirements of the HIPAA Privacy & Security Rules is available in our earlier advisory entitled Another HIPAA Compliance Deadline Approaches.

Ransomware has become a major threat to electronic records systems worldwide. The US government reported recently that there have been 4,000 daily ransomware attacks so far in 2016! This represents a 300% increase over the number of attacks that occurred in 2015. Hospitals and other healthcare organizations have become popular targets for ransomware attackers. Nearly one half of all U.S. hospitals reported at least one ransomware attack during the past year. The healthcare industry is especially vulnerable because ransomware attacks can block access to Electronic Medical Records (EMR), which can result in patient care services being disrupted. Hospitals and other healthcare providers are updating their Continuity of Operations Plans to address prolonged loss of the EMR and rapid implementation of back-up electronic or paper systems.

The rise in ransomware attacks in the healthcare industry has also led to many questions about HIPAA compliance before, during and after an attack. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued guidance on July 11, 2016, to address some of these questions. OCR is responsible for HIPAA enforcement and responding to complaints alleging HIPAA violations. The way in which OCR views the interaction of HIPAA and ransomware is relevant for every healthcare organization and every HIPAA business associate. Here are some key take-aways from the OCR guidance:

  1. A ransomware attack constitutes a “security incident” under the HIPAA Security Rule, and once the ransomware is detected, the covered entity or business associate must implement its security incident response and reporting procedures. The high incidence of ransomware attacks on healthcare providers means that every provider should be conducting exercises to test its security incident and response procedures using ransomware-based scenarios.
  2. A ransomware attack will probably result in a reportable data breach as defined by HIPAA and HITECH (Health Information Technology for Economic and Clinical Health Act). The ransomware virus works by encrypting data within the EMR so that it cannot be accessed by users. The OCR guidance makes clear that when electronic Protected Health Information (ePHI) is encrypted as a result of a ransomware attack, a data breach has occurred. This is because the act of encryption means the ePHI was “acquired” by the attacker which is an unauthorized disclosure of the ePHI under HIPAA. Unless the covered entity or business associate can prove that there is a “low probability that the ePHI has been compromised” under the Breach Notification Rule, then the breach must be reported.
  3. Congress is calling for HHS to declare that every ransomware event is automatically a reportable breach, but the guidance does not go that far. The covered entity or business associate that is the victim of a ransomware attack can attempt to demonstrate that there is a low probability that ePHI has been compromised as a result of the attack so that no breach notification is required. The burden of proof is squarely on the covered entity or business associate to prove this. The documentation supporting this determination must be rock-solid, since it could be challenged later. The guidance requires the covered entity or business associate to act in good faith in making this determination and to retain the documentation supporting its determination.
  4. Even if the ePHI is encrypted within the EMR, the guidance makes clear that a ransomware attack might still be a reportable breach. There must be a fact-specific investigation about how the ePHI was being used at the moment of the ransomware attack in order to determine whether a reportable breach has occurred.

The threat of ransomware is not going away. New viruses are being developed and deployed every single day. Every healthcare organization must assume that it will be attacked by ransomware in the near future and prepare accordingly. This means updating your security incident response plan, educating employees about the ransomware threat, conducting realistic exercises simulating a ransomware attack to identify gaps in your organization’s response, and addressing those gaps quickly.

For additional information, please contact Troutman Sanders Partner and Healthcare Practice Leader, Steve Gravely, at steve.gravely@troutmansanders.com and Troutman Sanders Partner, Erin Whaley, at erin.whaley@troutmansanders.com.

On May 20, PayPal entered into an Assurance of Voluntary Compliance (AVC) with the Texas Attorney General over allegations that it failed to clearly explain how the personal information belonging to users of its Venmo mobile payment application would be used and with whom it would be shared.

The AVC stems from Texas Attorney General Ken Paxton’s investigation into potential violations of the Texas Deceptive Trade Practices Act by Venmo, a popular money transfer app and social network, acquired by PayPal in December 2013, that allows users to electronically pay others by using linked bank accounts or credit cards.

According to a press release issued by Paxton, his office’s Consumer Protection Division found a number of issues regarding the safety and security of the Venmo app.  Investigators allege that Venmo used consumers’ phone contacts without clearly disclosing how the contacts would be used, did not clearly disclose how consumers’ transactions and interactions with other users would be shared, and misrepresented that communications from Venmo were actually from particular Venmo users.

In order to resolve the regulators’ claims, PayPal has agreed to improve the disclosures that the Venmo app presents to consumers regarding privacy and security, and to work to ensure that consumers understand the safeguards available on the app, who will be able to view their transaction data, and who is sending them communications.

PayPal will also be required to make sure that the disclosures it makes about the app’s security features are “true and correct” and to “clearly and conspicuously” disclose the audience setting for any transaction at the time it is submitted as well as any optional security features an app user may take advantage of, according to the settlement.  Specifically, PayPal must stop accessing Venmo users’ contact lists without first clearly disclosing the type of information that will be accessed, the specific ways in which it will use the data, and how to use and disable the Autofriend feature within 90 days.

PayPal will pay $135,000 to the state of Texas and $40,000 for reimbursement of attorneys’ fees to the Texas Attorney General.

On February 3, the Consumer Financial Protection Bureau announced that it is taking steps to help consumers get better access to checking accounts.  The CFPB has “concerns that consumers are being sidelined by the lack of account options and by inaccurate information used to screen potential customers.”  Towards that end, the CFPB sent letters to 25 of the largest banks and credit unions to encourage them to offer low risk checking accounts to their customers, to improve screening inaccuracies, and to provide account options to assist in avoiding overdraft fees.  A copy of the letter can be found here. 

The agency claims that although nine out of ten American households have at least one checking account, nearly ten million American households do not have a checking or savings account.  As technology has improved and automated overdraft programs have been instituted, banks have placed greater emphasis on screening new applicants for accounts.  

One manner in which banks screen applicants is to use information provided by checking account reporting companies, which have databases of information on involuntary closures of consumer checking accounts, supplied by banks and credit unions.  In October 2014, the CFPB identified concerns about the information accuracy of these reports and consumers’ ability to dispute incorrect information.  The CFPB believes many consumers are denied access to checking accounts because of inaccurate information used during this screening process.  By improving reporting practices, it claims that more consumers will have access to the banking services they need.

“Consumers should not be sidelined out of the basic banking services they need because of the flaws and limitations in a murky system,” said CFPB Director Richard Cordray.  “People deserve to have more options for access to lower-risk deposit accounts that can better fit their needs.”

On January 21, U.S. District Judge Jorge L. Alonso dismissed a lawsuit against Facebook for lack of personal jurisdiction, holding that Facebook did not target its alleged biometric collection activities at Illinois residents.  Judge Alonso did not grant plaintiff Frederick Gullen leave to amend. 

The class action complaint, which was filed last August, alleged that Facebook illegally collected, stored, and used Gullen’s biometric information without his informed written consent, in violation of the Illinois Biometric Information Privacy Act (740 Ill. Comp. Stat. 14/1 et seq.).  This biometric information included “face templates,” or highly detailed geometric maps of individuals’ faces, which Facebook allegedly created “using sophisticated facial recognition technology that extracts and analyzes data from the points and contours of faces appearing in photos uploaded by their users.”  Although Gullen did not have a Facebook account, he claimed that he was tagged in a photo uploaded to Facebook by another user without his permission.  He claimed that Facebook subsequently scanned and analyzed his face, extracted his biometric identifiers, and used those identifiers to create a template of his face.  According to the complaint, millions of individuals, including Gullen, reside in Illinois and were subject to this conduct. 

Gullen argued that Facebook was subject to specific personal jurisdiction in Illinois because it registered to conduct business in Illinois, maintained a physical sales and advertising office in Illinois, and targeted its facial recognition technology to millions of its users who are residents of Illinois.   

Judge Alonso disagreed.  The court stated that Facebook’s sales, marketing, and other business activity in Illinois, unrelated to its alleged collection of biometric data from user photos, could not support specific personal jurisdiction.  The court held that Gullen’s other basis for specific jurisdiction, that Facebook targeted its technology to Illinois residents, was in conflict with the complaint’s other allegations.  Specifically, Judge Alonso emphasized the complaint’s allegation that Facebook automatically uses facial recognition technology on every user-uploaded photo, not just on photos uploaded in or by residents of Illinois.  Accordingly, the court concluded that Facebook’s collection of biometric data was not targeted at Illinois residents.

Therefore, the court held that Facebook’s only relevant contact with Illinois was its operation of an interactive website available to Illinois residents, and that this alone was insufficient to confer specific jurisdiction over Facebook.  The court analogized the operation of a social media site with Seventh Circuit case law regarding an online merchant’s operation of an interactive site.  According to Judge Alonso, under Seventh Circuit case law, the operation of such a site is insufficient to confer specific jurisdiction on a business in every state from which the site may be accessed.  

The court also rejected Gullen’s “intentional tort theory,” which would still require that Facebook’s conduct be expressly aimed at Illinois.

Commentators have since pointed out that a district judge in the 7th Circuit recently rejected a similar motion to dismiss brought in Norberg v. Shutterfly, No. 15-cv-5351 (N.D. Ill. Dec. 29, 2016).  The differentiating factor between the two cases is likely that the court found dispositive, on the face of the pleadings, that Shutterfly allegedly used the compiled biometric data to target Illinois residents for its various photo products.  On the other hand, Facebook’s collection of photographs was passive, and thus not actively directed at Illinois residents.

Lessons Learned and Best Practices in an Era of Heightened Government Scrutiny for the Industry

October 29-30, 2015 – The Carlton Hotel – New York City

We are pleased to announce that David N. Anthony, Partner at Troutman Sanders, will present “Protection of Consumer Financial Information Including Consumer Financial Privacy (FCRA and GLBA) Plus Data Security and Preventing Fraud/Identity Theft.” In addition, the Consumer Lending Regulatory Compliance Forum will provide sessions including:

  • In-house insights on the current consumer lending environment, compliance and enforcement challenges, and how to overcome them;
  • Speakers from federal and state agencies on the latest regulatory, supervision, investigation, and enforcement initiatives, and examination procedures for consumer lenders;
  • The ubiquitous presence of the CFPB, including rulemaking updates and everything you need to know about being compliant with the “Big Brother” of the consumer lending industry;
  • Nuances in state law regulatory compliance, including a focus on auto lending regulations, and federal preemption issues;
  • Deep dive into the consumer lending industry’s two biggest product lines — residential mortgages and student loans — including unique regulatory scrutiny, hot button topics, emerging trends, and more;
  • All about disclosures, including truth in lending (TILA) nuances for consumer lending products, plus benchmarking your compliance with the brand new TILA/RESPA integrated disclosure rule (TRID) for home mortgages;
  • Fair lending, including ensuring compliance with all applicable regulations (FHA, ECOA, HMDA, etc.), and factoring in the Supreme Court’s decision on the use of the “disparate impact” theory in fair lending;
  • The increasingly pervasive use of UDAAP, including remaining compliant with standards, and examination and enforcement updates;
  • Third-party relationship compliance and risk management, including enhancing oversight and control over vendors and service providers in an environment of heightened regulatory expectations;
  • Protection of consumer financial information, including consumer financial privacy (FCRA and GLBA) plus data security and preventing fraud/identity theft;
  • Proper debt collection practices, including avoiding exposure to FDCPA and TCPA violations; and
  • Controversial and emerging lending trends, including high interest/short term loans such as payday and auto title loans, and the rise of “peer to peer” or “online marketplace” lending.

For additional conference details, please visit: http://www.americanconference.com/2016/828/consumer-lending-regulatory-compliance-forum

On July 14, the U.S. District Court for the Eastern District of Missouri granted United Collection Bureau’s motion for summary judgment in an individual action brought under the Fair Debt Collection Practices Act.  Troutman Sanders served as counsel for UCB in this matter.  See Martin v. United Collection Bureau, Inc., No. 4:14cv804-JAR, 2015 U.S. Dist. LEXIS 91017 (E.D. Mo. July 14, 2015).  In this mixed-identity case, Plaintiff Joseph Martin alleged that UCB had placed on his credit report a medical collection account belonging to another individual with the same first and last name, a different middle name, and a similar Social Security number.  The complaint lodged claims under FDCPA Sections 1692e, 1692g, and 1692c(b) for alleged improper debt collection via reporting of the account on Martin’s credit report.

The facts showed, however, that UCB never reported the account as applicable to Plaintiff, never attempted to collect any debt from Plaintiff, and never had any communications with Plaintiff except to issue an Automated Universal Dataform to remove the misapplied tradeline in 2013 at Plaintiff’s request.  Moreover, UCB only reported information about the account to consumer reporting agencies once in 2009 and closed the account later that year.  Plaintiff only discovered the tradeline on his credit report when he allegedly applied for a bank loan in 2013.

The Court’s summary judgment ruling rejected Plaintiff’s arguments that his claims were not time-barred by the FDCPA’s one-year statute of limitations as set forth in 15 U.S.C. § 1692k(d).  Following the Eighth Circuit’s decision in Mattson v. U.S. West Communications, Inc., 967 F.2d 259 (8th Cir. 1992), the Court held that “all of the conduct that Plaintiff alleges violated the FDCPA, i.e., the initial reporting, failure to send a validation notice, and communication with the CRAs, occurred more than one year before he brought this action.  Thus Plaintiff’s FDCPA claims are barred by the one-year statute of limitations.”  Moreover, “[b]ecause the FDCPA’s statute of limitations is deemed jurisdictional in the Eighth Circuit” via Mattson, the Court found that “the limitation period is not subject to a general discovery rule and the Court does not address Plaintiff’s equitable tolling argument.”

Yet, despite the untimely nature of Plaintiff’s claims, the Court also held that his claims failed on the merits:

  • 15 U.S.C. § 1692e – According to the Court, Plaintiff never established a necessary element of his claim – that he was the object of collection activity or that UCB engaged in an act or omission prohibited by the FDCPA – and so UCB had no liability under § 1692e.
  • 15 U.S.C. § 1692c(b) – The court held that UCB’s communication with the CRAs in 2013 to delete the tradeline fell under the exception embodied in this section for communications done at the consumer’s request.  Thus, Plaintiff’s claim failed as a matter of law.
  • 15 U.S.C. § 1692g – The court held that credit reporting does not qualify as an initial communication with a consumer.  Therefore, Plaintiff’s claim pursuant to the validation-notice provision of the FDCPA failed as a matter of law as well.

Ultimately, the Martin decision is a significant win for debt collectors on the discrete issue of jurisdictional tolling in the Eighth Circuit, as well as a vindication of certain industry defenses against mixed-file allegations involving collection via credit reporting.

On Friday, July 10, the Federal Communications Commission enacted major changes and clarifications to the Telephone Consumer Protection Act of 1991 (“TCPA”). Approved on a contentious 3-2 vote by the FCC commissioners, the FCC released its Declaratory Ruling and Order (FCC 15-72) formally stating its interpretation of numerous provisions of the TCPA.

The TCPA is a federal statute that aims to increase consumer privacy protections by restricting telemarketing and the usage of automated telephone dialer systems (“ATDS”).

In a 147-page ruling, the FCC increased the scope of the TCPA in several areas. Any company that calls consumers at cell phone numbers should be concerned by the implications of the Order. Although the Order contains a few bright spots for businesses, most of the Order enhances restrictions on businesses and their use of dialer systems in the name of increased consumer protection. Significant parts of the FCC ruling are as follows:

  • Definition of an ATDS: Any dialing equipment that “has the capacity to store or produce, and dial random or sequential numbers” is considered an ATDS for TCPA enforcement purposes, even if calls are not made using autodialing functions but instead are placed in a “manual” mode that involves a human entering the numbers. A telephone system is an ATDS even if additional software components need to be added to make it function as such. The only limitation on this expansive “capacity” definition is that “there must be more than a theoretical potential that the equipment could be modified” into an automatic dialer. Although the Order stated that one of the primary goals of the Order was to provide clarity to businesses wishing to comply with the TCPA, the FCC expressly declined to provide specific guidance on what types of systems would be caught up by its definition, including smartphones. The only specific example given of a system that would not be captured by its definition was a rotary telephone. That the FCC referenced decades-old technology to find an acceptable example indicates how broadly the FCC’s Order intends to interpret the meaning of ATDS. The FCC repeatedly stated that the TCPA’s basic rule is that a calling party must have express consent of the called party to make an ATDS call to cell phones. It seems clear that the FCC was less interested in providing clarity in what types of systems trigger a consent requirement than it was in creating the broadest possible duty on calling parties to obtain consent from consumers before making calls.
  • Consent revocable at any time and by any means: Many calls using an ATDS are permitted under the TCPA if the calling party has prior express consent to make the call. Consent and potential revocation of consent often become key issues in TCPA lawsuits. The FCC’s Order clarified its stance on consent by expanding the manner in which consumers may revoke consent. A called/texted party may now revoke consent to be contacted “at any time and through any reasonable means” and callers “may not limit the manner in which revocation may occur.” This revocation is effective regardless of prior consent being obtained, and includes both oral and written revocation. The FCC took the position that businesses can mitigate the risk by creating adequate business records and processes to record and respect revocations.
  • “One-call exception” for reassigned numbers: The FCC clarified that “the TCPA requires the consent not of the intended recipient of a call, but of the current subscriber [or customary user of the phone.]” As such, if a phone number legitimately provided by a prior user is reassigned, potential TCPA violations loom when attempting to reach that prior user at the outdated number. The FCC provided a one-call exception for reassigned numbers, meaning any ATDS call after the first attempt to a reassigned number is a potential violation. According to the FCC, “callers who make calls without knowledge of reassignment and with a reasonable basis to believe that they have valid consent to make the call should be able to initiate one call after reassignment as an additional opportunity to gain actual or constructive knowledge of the reassignment and cease future calls to the new subscriber.” Although this change is couched as a protection for businesses, its efficacy may be limited. The FCC further stated that “[i]f this one additional call does not yield actual knowledge of reassignment, we deem the caller to have constructive knowledge of such.” Potential liability looms if a caller does not realize that a number has been reassigned, such as if the call goes unanswered or reaches a generic voicemail greeting.
  • Text messages equivalent to calls: The FCC reaffirmed its 2003 determination that text messages are treated the same as voice calls, and added that Internet-to-phone text messages are equivalent to phone-to-phone text messages under the TCPA.
  • Exempting specific financial and health care related messages: In limited situations, calls to address exigent circumstances, where the calls are “free to the called party,” are exempted from the TCPA’s consent requirement, such as notifications of fraud, identity theft, data breaches, and money transfers. However, such exemptions are limited to three calls/text messages in a three-day period from a single financial institution and come with conditions such as disclosure of the institution’s contact information, ability to opt out, and prohibition on telemarketing. Additionally, health care-related calls, including time-sensitive information such as appointment confirmations, prescription notifications, and lab results, are similarly exempted, limited to three calls/text messages per week, but non-exigent situations such as billing and account communications do not receive similar protection. However, the value of these exemptions appears to be limited, as the exemptions only apply to non-telemarketing calls placed to numbers provided by consumers. Calling parties already have permission under the TCPA to call numbers provided by consumers. The exemptions appear to be limited to avoiding liability for claims that a consumer revoked consent or where the number has been reassigned. The net effect may be to provide limited comfort for calling parties, but not to clear the way altogether for robust pro-consumer calling campaigns for high-value fraud alerts, health information, and so on.

The Order puts in writing the decision made by the FCC at its hearing on June 18, 2015, in response to 21 petitions or letters filed by various companies and trade associations. The Order was passed by a party-line vote, with all three Democratic commissioners in support and both Republican commissioners in opposition.

Emphatic dissents by Commissioners Ajit Pai and Michael O’Rielly noted the recent exponential growth of TCPA litigation and expanded potential for abuse by aggressive plaintiffs’ attorneys, the seemingly limitless ATDS definition, and the practical difficulties for businesses in documenting revoked consent and monitoring reassigned phone numbers. According to Commissioner Pai, the expanded definition of capacity turns the TCPA “into an unpredictable shotgun blast covering virtually all communications devices.”

Commissioner O’Rielly noted that, with approximately 100,000 cell phone numbers being reassigned to new users daily, companies acting in good faith will routinely be risking litigation simply by reaching out even to established customers. Additionally, broad language allowing revocation “at any time and through any reasonable means” appears to include all communications with any of a business’s employees, even those not in a position to relay such a request to a large organization, and opens the floodgates to countless “he said, she said” disputes. As such, Commissioner O’Rielly foretells that the Order will “lead to more litigation and burdens on legitimate businesses without actually protecting consumers from abusive robocalls made by bad actors.”

Troutman Sanders LLP has unique industry-leading expertise with the TCPA, with experience gained trying TCPA cases to verdict and advising Fortune 50 companies regarding their compliance strategy. We will continue to monitor regulatory and judicial interpretation of the TCPA following this ruling in order to identify and advise on potential risks.

Despite the rise in student loan balances over the past decade, a new TransUnion study found that student loan obligations have not inhibited younger consumers’ ability to access and repay other consumer credit categories, such as auto loans and mortgages, when compared to their peers without student loans.

According to TransUnion, this is contrary to the popular belief that growing student debt is hampering access to credit for young adults. Instead, this new study indicates consumers 18-29 years of age with a student loan in repayment generally are able to gain access to new loans and perform as well as or better than similarly aged consumers without student loans. Furthermore, the study results indicate that in only three to six years, student loan consumers in their 20s have been observed to surpass similarly aged consumers without a student loan in overall loan participation rates on mortgages, auto loans, and credit cards.

According to TransUnion data, the percentage of consumers 20-29 years old with a student loan has grown from 32% in 2005 to 52% at the end of 2014. In the last five years alone, student loan balances have increased from $589 billion in the first quarter of 2010 to $1.1 trillion in the first quarter of 2015.

According to Charlie Wise, co-author of the study and vice president in TransUnion’s Innovative Solutions Group, “Participation rates for mortgages, credit cards and auto loans dropped significantly between the 2005-2007 and 2012-2014 timeframes—and impacted both consumers repaying student loans and those in the control group to a similar degree. However, just as we observed in 2005, student loan borrowers in 2012 generally left school with lower loan participation rates than their control counterparts, likely due to difficulty in accessing credit while a student with little or no income.” Wise adds that “[o]ver the next two years, student loan borrowers were actually more credit active in opening new auto and credit cards, enabling them to close this gap. Further, we saw the rate of new mortgage originations nearly identical between the student loan and control groups, keeping the mortgage gap constant – the same thing we saw in the 2005 cohort.”

The release of this study coincides with the CFPB’s announcement that it is launching a public inquiry into student loan servicing practices and the re-launch of its Repay Student Debt web tool. The issues on which the Bureau is seeking information include industry practices that create repayment challenges, hurdles for distressed borrowers, and the economic incentives that may affect the quality of service.