The Federal Deposit Insurance Corporation (FDIC) recently released a list of administrative enforcement actions taken against banks and individuals in March of 2019. Notably, the list included the agency's first public enforcement decision and order against a bank for alleged violations of the Telephone Consumer Protection Act (TCPA).[1] While the TCPA and telemarketing violations have certainly been an area of focus over the past decade in consumer litigation and by the Federal Communications Commission (FCC) and Federal Trade Commission (FTC), the FDIC's recent order signals that the primary banking regulators are also increasing regulatory scrutiny and enforcement of the TCPA.
Overview of the FDIC's Order
In the March 1, 2019 order, the FDIC assessed a sizeable $200,000 civil money penalty against Peoples Bank and Trust Company, Ryan, Oklahoma, for allegedly violating the TCPA and its implementing regulations, and Section 5 of the Federal Trade Commission Act (FTC Act), based on the bank's telemarketing practices.[2] Specifically, the FDIC found that Peoples Bank and Trust Company violated the TCPA and its implementing regulations by continuously calling consumers at numbers listed on the National Do Not Call (DNC) Registry or calling consumers who had requested to be placed on the bank's internal DNC list.[3] As a result, the FDIC determined that the bank violated 47 U.S.C. § 227[4] and 47 C.F.R. § 64.1200, which include, among other requirements:[5] (i) a prohibition on initiating a telephone solicitation to a residential telephone subscriber who has registered his or her telephone number on the national "Do-Not-Call" registry;[6] and (ii) maintenance of company-specific do-not-call lists reflecting the names of customers with established business relationships who have requested to be excluded from telemarketing, and such requests must be honored for five years.[7]
The FDIC also determined that Peoples Bank and Trust Company violated Section 5 of the FTC Act through the use of telemarketers who misrepresented themselves to consumers as employees or affiliates of the federal government.[8] Under Section 5 of the FTC Act, "unfair or deceptive acts or practices in or affecting commerce" (UDAPs) are declared unlawful.[9] The FDIC has set forth standards for unfairness[10] and deception,[11] and confirmed the prohibition on unfair or deceptive acts or practices applies to all persons engaged in commerce, including banks.
In assessing the $200,000 civil money penalty against Peoples Bank and Trust Company, the FDIC cited to its authority to issue penalties under 12 U.S.C. § 1818(i)(2) of the Federal Deposit Insurance Act, which provides for multiple penalty tiers and permits the FDIC to assess penalties at various levels depending upon the severity of the misconduct at issue.[12]
In addition to consumer claims and oversight by the FTC and FCC, the FDIC's order suggests that the primary banking regulators are also taking a more active role in enforcing the TCPA. Importantly, an assessment of an institution's compliance with the TCPA is generally included as a component of the consumer compliance examination process by the primary banking regulators.[13] This means that supervised institutions should proactively conduct risk assessments to identify potential TCPA risk areas within their programs and practices prior to their next examination, including whether the institution or a third-party vendor engages in any form of telephone or text solicitation.
Institutions must ensure that appropriate policies, procedures, and internal controls are in place to support TCPA compliance and mitigate against any identified TCPA risk areas, including adherence to DNC requirements and the TCPA's prohibitions on calls and texts. These policies and procedures should be regularly monitored and updated, as interpretations of the TCPA's provisions and implementing regulations frequently change following court decisions and updates promulgated by the FCC. Institutions must also ensure that employees and personnel receive appropriate training on TCPA compliance, and that only reputable third-party vendors whose practices comply with the TCPA are used to engage in telemarketing and direct-to-consumer activities.
Additionally, given the particular interplay between the FTC Act and the TCPA, institutions must ensure appropriate policies and procedures are in place for avoiding unfairness and deception during customer interactions, particularly with respect to the institution's telemarketing and communication practices. Because consumer complaints play a key role in the detection of possible violations, institutions should carefully monitor complaints for trends that could indicate potential UDAP or TCPA concerns in connection with an institution's calls or texts. Institutions should further engage in periodic reviews of the adequacy of their oversight and controls over internal compliance procedures, employee training, and third-party vendors to further limit UDAP risk in connection with telemarketing.
The TCPA continues to be a source of heightened litigation risk to institutions, and the FDIC's recent order makes clear that it also poses unique regulatory challenges. It is thus essential that institutions carefully evaluate these risks and engage consultants that are experienced with the unique litigation and regulatory challenges to mitigate against the risk of not only significant litigation recoveries, but also sizeable civil money penalties. In our experience, we have often found deficiencies in processes for TCPA compliance, including policies that are general in nature; procedures that do not reflect actual practices; calls that are not scripted, monitored or recorded; loan officers and other staff that are not specifically trained on the TCPA; and that the TCPA is not tested by third-party compliance firms. We have reviewed policies, as well as procedures, for TCPA compliance. We would be happy to review such documentation and then estimate costs for revisions.