Why it matters

Seeking an exemption from Telephone Consumer Protection Act (TCPA) liability, the American Bankers Association (ABA) filed a petition with the Federal Communications Commission (FCC) to allow financial institutions to call or text customers on their mobile phones in the event of a data breach or fraudulent activity. The ABA’s two-pronged argument – the need to fulfill legal requirements as well as protect customers – could prove persuasive to the FCC, particularly in light of the Commission’s approval of an exemption for package delivery notifications earlier this year. If the Commission were to grant the group’s request, financial institutions could certainly breathe easier when sending fraud or breach notification messages without worrying about facing a potential TCPA consumer class action.

Detailed discussion

On behalf of its member banks, the ABA filed a petition with the FCC seeking an exemption under the TCPA for four categories of messages. Why the need for the request? The popularity of TCPA class action lawsuits, which offer plaintiffs uncapped statutory damages and often lead to multimillion-dollar settlements (like the $77 million deal Capital One Bank agreed to earlier this year).

While the ABA explained that research and experience have revealed that automated communications are best suited to the bank’s fraud alert and breach notification needs, the TCPA requires prior express consent for such messages sent to mobile phones. At least one court has agreed with a bank customer that although he provided his number to the bank for a particular reason, he did not specifically consent to receive fraud and identity theft alerts. Such rulings have left banks fearful of potential liability under the statute, the petition explained.

To alleviate concerns for its members, the ABA asked for an order pursuant to the Commission’s powers to grant exemptions under Section 227(b)(2)(C) that would permit financial institutions to send messages in four specific categories using an automatic telephone dialing system or an artificial or prerecorded voice without prior express consent by the recipient subject to any conditions the Commission might deem necessary.

The first category: messages required to protect consumers from fraud and identity theft, a huge – and growing – area of loss. Financial institutions monitor account activity and risk factors and use algorithms to detect potential fraud, the ABA explained. But “effective fraud prevention requires the earliest possible contact with the customer,” the group wrote. “The volume of these notifications, which average 300,000 to 400,000 messages per month for one ABA member alone, cannot be accomplished with acceptable speed and accuracy unless the process is automated.”

Banks are further required to verify a customer’s identity pursuant to the Fair Credit Reporting Act before authorizing the establishment of any new credit plan or extension of credit when a fraud alert has been placed on a file, the ABA added. “Financial institutions rely on the efficiency of autodialers and other automation techniques to contact these customers quickly,” the group wrote. “For those customers who can most efficiently be contacted at mobile telephone numbers, the inability to use automated calling methods is likely to delay the bank’s ability to contact the customer, resulting in embarrassment – or worse – for those customers.”

Data security breach notifications are another major communication issue for banks. The Gramm-Leach-Bliley Act, 47 states and the District of Columbia require financial institutions to establish response and customer notification programs following the unauthorized access of customers’ personal information. And banks protect their customers by alerting them to data breaches, even at third-party retailers, meaning they “deal in a high volume of data security breach notifications,” the ABA said, with a single financial institution responsible for 50,000 to 60,000 or more notifications per month.

Breach notifications must be timely and reliable, the group explained to the FCC, and should be exempt as the second category of messages provided to the recipient.

The third category, remediation messages, are notices to customers concerning measures they may take to prevent identity theft resulting from a breach, such as placing fraud alerts on credit reports or subscribing to credit monitoring services. Such messages are also sent in the wake of a breach to notify customers that they will be receiving new payment cards. “The volume and frequency of these remediation notices equal those of the original breach notification messages and present a similar case for exemption from TCPA prior express consent requirements,” the ABA said.

Finally, money transfer notifications are an increasingly popular method for customers to confirm that they have received or sent money to another account. Similar to the exemption the FCC granted for package delivery notifications earlier in the year, the money transfer notifications are often delivered to persons who do not have an ongoing relationship with the sending institution, the ABA wrote, and therefore have not consented to receive automated calls from that institution.

“Obtaining consent from recipients in these circumstances would be impractical and burdensome and would not serve consumers’ interests,” the group said, requesting that such notifications constitute the fourth category of the exemption.

The ABA said that it would abide by any reasonable conditions placed by the FCC on an exemption and pledged to work with wireless carriers and third-party service providers to ensure that recipients of notices are not charged for the messages. The group also proposed some conditions of its own, like identifying the name of the financial institution sending the message and including the sender’s contact information or reply instructions and promising that the messages subject to the exemption “will not contain any telemarketing, solicitation or advertisement.”

Financial institutions “will send no more automated messages than are required to complete the communications’ intended purpose,” the ABA wrote, but a single message may not always be sufficient to serve the purpose for which an organization might need to contact a consumer. For example, if a customer fails to respond to an identity theft or breach notification, the financial institution sends follow-up messages. Banks should be allowed to send a maximum of three messages per day, the ABA suggested, for each affected account and co-borrower or co-cardholder.

To read the ABA’s petition, click here.