Seeking an exemption from Telephone Consumer Protection Act (TCPA) liability, the American Bankers Association (ABA) requested that the Federal Communications Commission (FCC) allow financial institutions the ability to call or text customers on their mobile phones in the event of a data breach or other account problem.
At the root of the problem: the intersection of the TCPA, which requires prior consent to send identity theft alerts, with other laws mandating that notice be sent when possible data breaches may have occurred. Clearly it is in the bank’s interest to limit fraud and identity theft by being able to communicate with customers as quickly as possible when suspicious behavior has been detected.
Such messages “serve consumers’ interests and can be conveyed most efficiently and reliably by automated calls to consumers’ telephones, which increasingly are wireless devices,” according to the petition. Research and experience have revealed that automated communications are best suited to achieve the necessary goals, the ABA wrote, as 98 percent of text messages are opened and read within three minutes of delivery. Complicating the issue is the rising reliance by many customers on only mobile phones. One ABA member bank reported that one quarter of its customers do not subscribe to landline telephone service.
Despite the ease of such communications, “the ongoing flood of TCPA class action lawsuits” has left banks fearing potential liability. For example, at least one court has agreed with a bank customer that although he provided his number to the bank for a particular reason, he did not specifically consent to receive fraud and identity theft alerts.
The ABA requested that the Commission grant an exemption under Section 227(b)(2)(C) that would permit financial institutions to send messages in four specific categories using an automatic telephone dialing system or an artificial or prerecorded voice without prior express consent, subject to any conditions the Commission might deem necessary.
The first category: messages required to protect consumers from fraud and identity theft, a huge – and growing – area of loss. Financial institutions monitor account activity and risk factors and use algorithms to detect potential fraud, the ABA explained. But “effective fraud prevention requires the earliest possible contact with the customer,” the group wrote. “The volume of these notifications, which average 300,000 to 400,000 messages per month for one ABA member alone, cannot be accomplished with acceptable speed and accuracy unless the process is automated.”
Banks are further required to verify a customer’s identity pursuant to the Fair Credit Reporting Act before authorizing the establishment of any new credit plan or extension of credit when a fraud alert has been placed on a file, the ABA added. “Financial institutions rely on the efficiency of autodialers and other automation techniques to contact these customers quickly,” the group wrote. “For those customers who can most efficiently be contacted at mobile telephone numbers, the inability to use automated calling methods is likely to delay the bank’s ability to contact the customer, resulting in embarrassment – or worse – for those customers.”
Data security breach notifications are another major communication issue for banks. The Gramm-Leach-Bliley Act as well as 47 states and the District of Columbia require financial institutions to establish response and customer notification programs following the unauthorized access of customers’ personal information. And banks protect their customers by alerting them to data breaches, even at third-party retailers. They “deal in a high volume of data security breach notifications,” as a single financial institution might be responsible for 50,000 to 60,000 or more notifications per month, according to the ABA.
Breach notifications must be timely and reliable, the group explained to the FCC, and should be exempt as the second category of messages provided to the recipient.
The second category, remediation messages, are notices to customers concerning measures they may take to prevent identity theft resulting from a breach. They include placing fraud alerts on credit reports or subscribing to credit monitoring services. Such messages are also sent in the wake of a breach to notify customers that they will be receiving new payment cards. “The volume and frequency of these remediation notices equal those of the original breach notification messages and present a similar case for exemption from TCPA prior express consent requirements,” the ABA said.
Finally, money transfer notifications are an increasingly popular method for customers to confirm that they have received or sent money to another account. Similar to the exemption the FCC granted for package delivery notifications earlier in the year, the money transfer notifications are often delivered to persons who do not have an ongoing relationship with the sending institution and therefore have not consented to receive automated calls from that institution.
“Obtaining consent from recipients in these circumstances would be impractical and burdensome and would not serve consumers’ interests,” the group said, requesting that such notifications constitute the fourth category of the exemption.
The ABA said it would abide by any reasonable conditions placed by the FCC on an exemption and would work with wireless carriers and third-party service providers to ensure that recipients of notices are not charged for the messages. The group also proposed some conditions of its own, like identifying the name of the financial institution sending the message and including the sender’s contact information or reply instructions and promising that the messages subject to the exemption “will not contain any telemarketing, solicitation or advertisement.”
Financial institutions “will send no more automated messages than are required to complete the communications’ intended purpose,” the ABA wrote, but a single message may not always be sufficient to serve the purpose for which an organization might need to contact a consumer. For example, if a customer fails to respond to an identity theft or breach notification, the financial institution sends follow-up messages. Banks should be allowed to send a maximum of three messages per day, the ABA suggested, for each affected account and co-borrower or co-cardholder.
To read the ABA’s petition, click here.
Why it matters: The ABA’s two-pronged argument – the need to fulfill legal mandates as well as protect customers – could prove persuasive to the FCC, particularly in light of the Commission’s approval of an exemption for package delivery notifications earlier this year, the first time the agency utilized its powers under Section 227(b)(2)(C). If the Commission were to grant the group’s request, financial institutions could certainly breathe easier when sending fraud or breach notification messages.