Published in Law360
The Federal Deposit Insurance Corporation recently released a list of administrative enforcement actions taken against banks and individuals in March of 2019. Notably, the list included the agency's first public enforcement decision and order against a bank for alleged violations of the Telephone Consumer Protection Act.1 While the TCPA and telemarketing violations have certainly been an area of focus over the past decade in consumer litigation and by the Federal Communications Commission and Federal Trade Commission, the FDIC's recent order signals that the primary banking regulators are also increasing regulatory scrutiny and enforcement of the TCPA.
Overview of the FDIC's Order
In the March 1, 2019, order, the FDIC assessed a sizeable $200,000 civil money penalty against Peoples Bank and Trust Company, Ryan, Oklahoma, for allegedly violating the TCPA and its implementing regulations, and Section 5 of the Federal Trade Commission Act, based on the bank's telemarketing practices.2 Specifically, the FDIC found that Peoples Bank and Trust Company violated the TCPA and its implementing regulations by continuously calling consumers at numbers listed on the National Do Not Call Registry or calling consumers who had requested to be placed on the bank's internal DNC list.3
As a result, the FDIC determined that the bank violated 47 U.S.C. 2274 and 47 C.F.R. 64.1200, which include, among other requirements:5 (1) a prohibition on initiating a telephone solicitation to a residential telephone subscriber who has registered his or her telephone number on the national "Do-Not-Call" registry;6 and (2) maintenance of company-specific do-not-call lists reflecting the names of customers with established business relationships who have requested to be excluded from telemarketing, and such requests must be honored for five years.7
The FDIC also determined that Peoples Bank and Trust Company violated Section 5 of the FTC Act through the use of telemarketers who misrepresented themselves to consumers as employees or affiliates of the federal government.8 Under Section 5 of the FTC Act, "unfair or deceptive acts or practices in or affecting commerce" are declared unlawful.9 The FDIC has set forth standards for unfairness10 and deception,11 and confirmed the prohibition on unfair or deceptive acts or practices applies to all persons engaged in commerce, including banks.
In assessing the $200,000 civil money penalty against Peoples Bank and Trust Company, the FDIC cited to its authority to issue penalties under 12 U.S.C. 1818(i)(2) of the Federal Deposit Insurance Act, which provides for multiple penalty tiers and permits the FDIC to assess penalties at various levels depending upon the severity of the misconduct at issue.12
In addition to consumer claims and oversight by the FTC and FCC, the FDIC's order suggests that the primary banking regulators are also taking a more active role in enforcing the TCPA. Importantly, an assessment of an institution's compliance with the TCPA is generally included as a component of the consumer compliance examination process by the primary banking regulators.13 This means that supervised institutions should proactively conduct risk assessments to identify potential TCPA risk areas within their programs and practices prior to their next examination, including whether the institution or a third-party vendor engages in any form of telephone or text solicitation.
Institutions must ensure that appropriate policies, procedures and internal controls are in place to support TCPA compliance and mitigate against any identified TCPA risk areas, including adherence to DNC requirements and the TCPA's prohibitions on calls and texts. These policies and procedures should be regularly monitored and updated, as interpretations of the TCPA's provisions and implementing regulations frequently change following court decisions and updates promulgated by the FCC.
Institutions must also ensure that employees and personnel receive appropriate training on TCPA compliance, and that only reputable third-party vendors whose practices comply with the TCPA are used to engage in telemarketing and direct-to-consumer activities.
In particular, prior to engaging in telemarketing calls or texts, institutions should ensure clear policies are in place for obtaining the requisite level of consent. Under the TCPA, before engaging in a communication that "includes or introduces an advertisement or constitutes telemarketing," an institution must have "prior express written consent of the called party."14
In contrast, transactional calls or texts, such as debt collection calls or calls made by loan servicers, require only prior express consent.15 Many institutions have policies and procedures in place to obtain the consent necessary to conduct transactional calls or texts with their customers. However, such consent may not be sufficient to meet the heightened requirements to conduct telemarketing calls or texts. It is thus critical that institutions carefully review their policies and procedures to ensure that the appropriate consent has been obtained to engage in the contemplated activities.
In a similar vein, institutions should ensure their policies and procedures include mechanisms to periodically scrub phone numbers. As customers may change their number, calls or texts to a number previously provided and consented to may later belong to a nonconsenting individual. Phone numbers should thus be regularly scrubbed to ensure that the consumer receiving the call or text is the same individual that provided the requisite consent.
It is also important for institutions to remember that a consumer may revoke consent "in any reasonable manner."16 Thus, an institution's TCPA policies and procedures should be sufficiently robust so that a live person speaking with a consumer will recognize a variety of potential "stop calling" phrases and note the phone number or the account. Similarly, text messaging platforms should be carefully selected and programmed to recognize a broad array of opt-out words.
Finally, given the particular interplay between the FTC act and the TCPA, institutions must ensure appropriate policies and procedures are in place for avoiding unfairness and deception during customer interactions, particularly with respect to the institution's telemarketing and communication practices. Because consumer complaints play a key role in the detection of possible violations, institutions should carefully monitor complaints for trends that could indicate potential UDAP or TCPA concerns in connection with an institution's calls or texts. Institutions should further engage in periodic reviews of internal compliance procedures, employee training and third-party vendors to further limit UDAP risk in connection with telemarketing.
The TCPA continues to be a source of heightened litigation risk to institutions and the FDIC's recent order makes clear that the TCPA also poses unique regulatory challenges. Therefore, it is essential that institutions carefully evaluate these risks and engage experienced counsel to mitigate against the risk of significant litigation recoveries and sizeable civil money penalties.