On July 10, 2015, the Federal Communication Commission (FCC) came out with new rules interpreting the Telephone Consumer Protective Act (TCPA).

The TCPA governs and in most circumstances precludes unsolicited calls and texts to wireless device (Cell phones) made by auto or “robo” dialers. You know the type: you answer the telephone, there is a pause for a few seconds and then a recording asking you to buy property in Florida etc.

The theory behind the Act is, in part, that such calls and texts are intrusive and annoying but, perhaps more importantly, can be expensive to the dialed party.  Under many cell phone plans, the dialed party pays for the time that it takes to hang up or the time is counted against free monthly minutes. And under some plans, unsolicited texts also cost or may reduce the amount of free data to which the person receiving the text is entitled.

The Act carries with a statutory penalty of up to $5000 per violation. Often claims of many recipients of unsolicited calls or texts under the Act are joined in class actions and the settlements of these actions have been for staggering amounts. Bank of America paid $32 million to settle 6 such class actions. Capitol One paid $75 million. Jiffy Lube paid $47 million.

For more information on the TCPA generally see:

http://www.frostbrowntodd.com/assets/htmldocuments/5-Burnside%20FBT.pdf

On July 10th, the FCC, among other things, dealt with the ability of banks and other financial institutions to notify customers using automatic dialer systems if and when there is a data breach involving personally identifiable information or the threat of fraud or identity. Previously, Banks opting to try to mitigate damage to themselves and customers in these situations may have violated the TCPA and have been subject to its penalty provisions. Such institutions thus exposed themselves to significant liability chilling these efforts. The FCC granted Banks and financial institutions an exemption from the Act subject to “strict conditions and limitations”.

More specifically, the American Banking Association (ABA) had specifically requested the exemption calls and messages sent by its members and other financial institutions providing notice of the following:

  • Transactions and events suggesting a risk of fraud or indentify theft
  • Possible breaches of customers personally identifiable information
  • Steps customers could take to prevent harm from such breaches

The ABA argued that in these situations, there is a need for prompt actions on the part of customers and sending messages to or calling cell phones is the most expeditious and effective means of communicating this information.

In response, the Commission first noted that these types of calls, even if not considered telemarketing, “does not lessen the cost to the recipients or lessen the invasion of privacy caused by the automated calls.” The Commission decided to exempt such calls because “these types of calls are intended to address exigent circumstances in which a quick,  timely communication with a consumer could prevent considerable consumer harms from occurring or in the case of remediation calls, could help quickly mitigate the extent if harm that will occur”.

But the FCC accepted the exemption request subject to a number of conditions. Some of these are as follows:

  • Calls made and messages can be sent only to the wireless number provided by the customer
  • The calls and messages must state date and contact information of the institution
  • The calls and messages must be “strictly limited “ to the purposes for which the exemption was given
  • The recipient must understand and be provided with opt out information
  • Any calls must be limited to one minute or less and messages to  160 characters
  • Banks  can initiate no more than 3 messages per event over a 3 day period

Most of these are straight forward although the last two are a bit more difficult to meet and are surprising given the Commissions statement as to the purpose of the exemption to begin with. Care must be exercised by any institutions to meet these limitations and be able to account for the number of contacts.

But the Commission’s final condition is perhaps the most problematic: The exemption applies:

….only if the calls and messages are not charged to the recipient, including not being counted against any plan limits that apply to the recipient (e.g. number of voice minutes, number of text messages) …

Given the plethora of different plans and cell service providers, one wonders whether this condition could ever be met. Indeed, it is not even clear at this point that the technology to do this even exists; if it does not, then the exemption is pretty much worthless.

So to some extent, the new rules provide banks and financial institutions with a dilemma. On the one hand, banks now have the ability to notify customers of a breach, identity theft or possible fraudulent transactions and thereby reduce the losses to its customers, merchants and retailers and themselves.  Indeed, banks may now have a duty to use this tool to mitigate these losses and the failure to do so could lead to claims against the institution. This is particularly true given the language of the FCC in its exemption grant that such calls and messages could prevent considerable harm. On the other hand, the use of these kinds of notices could subject the bank to claims that it violated the TCPA subjecting it to significant liability to recipients of the calls and messages especially if especially if the institution cannot guarantee that all conditions specified by the FCC are met.

At the very least, because the technology to satisfy the exemption conditions is apparently not yet readily available, banks and financial institutions may need to continue to monitor technologic developments to determine if and when the exemption conditions could be met. And to understand the risks of any such technology not working as intended, in order to make the appropriate decision about whether to issue a notice.

Perhaps the Supreme Court will offer a solution to these dilemmas when it decidesRobins v. Spokeo Inc., and determines whether statutory penalties, such as those imposed by the TCPA, provide the requisite standing to prosecute actions. If the penalties do not, then TCPA actions may quickly become extinct. See http://www.classcounselblog.com/class_action_SCOTUS_Robins_Critical_Standing_Issues.

In the meantime, banks and other financial institutions are advised to review carefully, and to do so on an ongoing basis, their procedures and the available technology to determine when and whether to give notice of data breaches, thefts and potential fraud via cell phone calls or texts.  Whether to do so may be very much driven by the facts of the situation, the perceived liabilities involved and the nature of the breach.  Expert advice should be sought in such circumstances.