The courts deciding issues under the Telephone Consumer Protection Act (TCPA) in 2018 did little to provide greater clarity on how callers can effectively avoid liability for telephone calls and text messages to consumers. Until the Federal Communications Commission (FCC) issues another TCPA Order in light some of these court decisions, Congress passes amendments to the law, and/or the U.S. Supreme Court addresses the conflicting decisions of the various appeals courts, compliance with the TCPA will depend on where you do business.
 
What is an “Automated Telephone Dialing System”?
 
Perhaps the area of greatest confusion and risk of liability lies with the issue of how an automated telephone dialing system (ATDS) is defined.
 
The FCC 2015 Order interpreted an ATDS to include equipment that has the potential ability to dial randomly or sequentially, including by the modification of equipment or adding software to provide these capabilities in the future.
 
A number of entities, including ACA International, requested judicial review of the 2015 Order. On March 16, 2018, the D.C. Circuit Court of Appeals in ACA International v. FCC rejected the FCC’s 2015 interpretation of an ATDS. The court ruled it is unreasonable to conclude a smartphone qualifies as an ATDS “because they have the inherent ‘capacity’ to gain ATDS functionality by downloading an app.” The focus, the court ruled, should be on “how much is required to enable the device to function as an autodialer.”
In response to this decision, the FCC sought the following comment on TCPA interpretations:

• What is an “automatic telephone dialing system”?
• What should “capacity” mean in light of the court’s ruling that smartphones are not included?
• How much effort should be required to enable the device to function as an ATDS? Flipping a switch?
• How “automatic” must dialing be for equipment to qualify as an ATDS?
• Does the word “automatic” envision non-manual dialing of telephone numbers?
• Must such a system dial numbers without human intervention?
• Must it dial thousands of numbers in a short period of time? If so, what is a “short period of time”?
• Can it be an ATDS if the equipment cannot itself dial random or sequential numbers?
• Does the prohibition apply if the call doesn’t use the automatic function?
• Does the “called party” refer to “the person the caller expected to reach”? Or does it refer to the party the caller reasonably expected to reach? Or does it refer to “the person actually reached, the wireless number’s present-day subscriber after reassignment”? Or does it refer to a “customary user” (such as a close relative on a subscriber’s family calling plan), rather than the subscriber him/herself”?
• How can a called party may revoke prior express consent to receive robocalls?
• What opt-out methods would be sufficiently clearly defined and easy to use such that “any effort to sidestep the available methods in favor of idiosyncratic or imaginative revocation requests might well be seen as unreasonable”?

Comment had ended on June 28, 2018, but the FCC reopened its comment call after the Ninth Circuit Court of Appeals expanded its interpretation of an ATDS in its Marks v. Crunch San Diego, LLC decision dated September 20, 2018. In this case, gym operator Crunch was alleged to have violated the TCPA by sending promotional text messages using an ATDS without consent.

The Ninth Circuit ruled the TCPA’s language was “ambiguous on its face” regarding whether the phrase “using a random or sequential number generator” modifies both “store” and “produce.” The court interpreted the TCPA to mean an ATDS is “not limited to devices with the capacity to call numbers produced by a ‘random or sequential number generator’ but also includes devices with the capacity to stored numbers and to dial store numbers automatically.” 

Note: The Ninth Circuit covers Arizona, California, Idaho, Nevada, Montana, Oregon and Washington.

As a result of the Marks decision, the FCC requested comment on the following questions:

• To the extent the statutory definition is ambiguous, how should the FCC exercise its discretion to interpret such ambiguities here?
• Does the interpretation of the Marks court mean that any device with the capacity to dial stored numbers automatically is an automatic telephone dialing system?
• What devices have the capacity to store numbers?
• Do smartphones have such capacity?
• What devices that can store numbers also have the capacity to automatically dial such numbers?
• Do smartphones have such capacity?
• In short, how should the FCC address these two court holdings?
• We also seek comment on any other issues addressed in the Marks decision that the FCC should consider in interpreting the definition of an “automatic telephone dialing system.”

 
This comment period ended on October 24, 2018.

On October 30th, the Ninth Circuit denied the defendant’s Petition for Rehearing En Banc. Crunch has 90 days to submit a Petition for Writ of Certiorari with the Supreme Court. Given the different appellate court rulings on the ATDS definition, it is highly likely this issue will go before the U.S. Supreme Court regardless of how the FCC rules.

For example, on June 26, 2018, the Third Circuit Court of Appeals in Dominguez v. Yahoo ruled in light of the D.C. Circuit’s ACA International decision, a plaintiff must prove a phone system has the present capacity (and not the potential capacity) to generate random and sequential telephone numbers and dial those numbers.

In Dominguez, the consumer received approximately 27,800 text messages in 17 months from Yahoo on his used smartphone alerting him to Yahoo emails he was receiving. Because the prior owner of the phone had enrolled the number in Yahoo’s text messaging notification system, Yahoo responded to his request to stop the messages that the service could only be stopped if the former owner of the phone disabled it himself. The court ruled Yahoo’s Email SMS Service did not have the present capacity to function as an ATDS. 

Note: The Third Circuit Court of Appeals covers Delaware, New Jersey, Pennsylvania and the Virgin Islands.  

On June 29, 2018, the Second Circuit Court of Appeals in King v. Time Warner Cable sided with the ACA International decision that the term “capacity” means a device’s present functions, and remanded the case back to the District Court to determine whether TWC’s systems had the ability to perform the functions of an ATDS when it made the calls to King. King, the plaintiff and a customer of Time Warner Cable (TWC), agreed to receiving telephone calls, including automated messages. King sued TWC after receiving over 150 automated voice message collection calls for another customer who had owned her cell phone number, even after requesting the calls cease.

Note: The Second Circuit Court of Appeals covers Connecticut, New York and Vermont.  

Who is the “Called Party”?
 
The ACA International Court affirmed the 2012 Seventh Circuit Court of Appeals decision in Soppet v. Enhanced Recovery Company, LLC that the “’called party’ means the person subscribing to the called number at the time the call is made.”
 
While neither King nor Dominguez were the intended parties called or texted, neither case addressed the meaning of the “called party” as an issue.
 
Revocation of Consent
 
In 2018, the courts treated the issue of consent revocation differently as well.
 
After receiving a number of calls with prior express consent, the plaintiff in McMillion v. Rash Curtis & Associates told the defendant: “I told you guys to stop called [sic] me, but you guys keep calling me…I asked you nicely to stop calling and that I didn’t have anything that you needed at the moment but if I do come across it I’ll definitely give you guys a call. But you guys are not supposed to be calling me.” The U.S. District Court for the Northern District of California on February 2, 2018 denied the defendant’s argument that revocation of consent must “clearly express his or her desire not to receive further calls,” and held in that service of a legal complaint operates as revocation as a matter of law.
 
However, the U.S. District Court for the Northern District of Ohio ruled on April 30, 2018 in Barton v. Credit One Financial that the plaintiff could not orally revoke consent when the contract specifically required a revocation in writing. The court held the plaintiff could not “unilaterally alter the terms of the agreement to claim that his oral revocation of consent was valid.”
 
The FCC’s 2015 Order provides a different standard. The order provides revocation must be reasonable, which is determined by the totality of the circumstances. Callers cannot may not designate a method of opting out in ways that make it difficult or impossible to revoke consent.
 
The D.C. District Court in ACA International held callers “have every incentive to avoid TCPA liability by making clearly-defined and easy-to-use opt-out methods.”
 
On March 28, 2018, the U.S. District Court for the District of New Jersey ruled in Rando v. Edible Arrangements that the Plaintiff’s efforts were not reasonable. Edible Arrangements instructed consumers to reply “STOP” to cease future text messages. The Plaintiff instead texted: (1) “Take my contact info off please”; (2) “I want to confirm that I have been removed off your contacts”; (3) “I asked to be removed from this service a few times. Stop the messages ; and (4) “Again I want to stop this service thank you.”   
 
On October 26, 2018, the Ninth Circuit ruled in Epps v. Earth Fare, Inc. that the plaintiff’s attempt to stop text messages from the defendant with texts such as “I would appreciate if we discontinue any further texts” and “Thank you but I would like the texts messages to stop can we make that happen” were not reasonable because it was communicated to just text “Stop.”

Congressional Action

Both the U.S. House of Representatives and the U.S. Senate have drafted legislation amending the TCPA. The “Stopping Bad Robocalls Act” (H.R. 6026 and S. 3078), would add a new definition of “robocall” in place of an ATDS. The new term would include devices that making calls using “numbers stored on a list” (in addition to dialing random or sequential numbers). The new definition clarifies robocalls do not include using equipment where “substantial additional human intervention” is required to place the call.
 
The bills would also require the FCC to establish a nationwide database of reassigned telephone numbers. Voice providers would have to ensure information is accurate and prevent calls from connecting where caller ID verification cannot be made. The bills would also extend the statute of limitations for FCC enforcement of TCPA violations from 1 year to 4 years.
 
It remains to be seen whether either bill will pass out of committee to a full vote.
 
Veronica Madsen
PLEASE NOTE: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC. © 2018
 

The Consumer Financial Protection Bureau has amended Regulation Pto implement changes to the Gramm-Leach-Bliley Act regarding the conditions under which financial institutions—including credit unions—need not provide annual privacy notice to consumers.

The final rule provides an exception to the requirement to provide an annual notice to “customers,” as defined in Regulation P §1016.3(i), herein referred to as “members.” To qualify for the annual privacy notice exception, the following two conditions must be met:

1. The credit union must not share nonpublic personal information about members, except as described in certain statutory exceptions that do not require an opt-out (i.e., §1016.13, §1016.14 and §1016.15); and
2. The credit union must not have changed its policies and practices with regard to disclosing nonpublic personal information from those the institution disclosed under §1016.6(a)(2) through (5) and (9) in the most recent privacy notice it sent. 

Credit unions that provide an opt-out on a voluntary basis for permitted sharing would still meet the exception. Additionally, any opt-out required under the Fair Credit Reporting Act that is contained in the privacy notice will have no bearing on the availability of the annual privacy notice exception.

However, credit unions that choose to take advantage of the annual notice exception must still provide any opt-out disclosures required under the FCRA, if applicable, though they are not required annually. Credit unions can provide these disclosures through other methods, for example, through their initial privacy notices in most circumstances. 
When the Exception No Longer AppliesUnder the final rule, when the exceptions are no longer met, an annual privacy notice must be provided. The timing of the required annual notice differs, depending on whether the change that causes the credit union to no longer qualify for the annual notice exception also triggers a requirement under Regulation P to deliver a revised notice. 

Section 1016.8 requires credit unions to provide revised notices to members before nonpublic personal information is shared with a nonaffiliated third party if their sharing would be different from what was described in the initial notice delivered. After delivering the revised notice, the credit union must also give the member a “reasonable opportunity” to opt out of any new information sharing beyond the Regulation P exceptions before the new sharing occurs. 

When an annual notice is required, it must be provided ‘‘at least once in any period of 12 consecutive months.’’ A credit union may define the 12-consecutive-month period but must apply it to the customer on a consistent basis. 

When the annual notice requirement is triggered, credit unions must deliver the annual notice within 100 days after the change that caused the exception to be lost.  The final rule provides an example for when a credit union must provide an annual notice after it no longer meets the exception.  

The example assumes that a credit union changes its policies or practices effective April 1 of year one and defines the 12-consecutive-month period as a calendar year. The regulation states the credit union must provide an annual notice by December 31 of year two if the credit union was required to provide a revised notice prior to the change and provided that revised notice on March 1 of year one in advance of the change. The credit union must provide an annual notice by July 9 of year one if the credit union was not required to provide a revised notice prior to the change. 

When the credit union once again meets the exception after having to provide annual notices, the annual notice would no longer be required. 
Alternative Delivery Method Effectively Eliminated Previously under Regulation P, credit unions using the alternative delivery method were required to mail annual notices to members who requested them by telephone. Credit unions were also required to include a clear and conspicuous statement of availability at least once a year on an account statement, coupon book, or a notice or disclosure the credit union issued under any provision of law. 

The final rule has eliminated the alternative delivery method for providing the annual privacy notice. Credit unions that meet the conditions to use the alternative delivery method will also meet the conditions of the annual privacy notice exception.

Credit unions that qualify for the new annual notice exception may still choose to post privacy notices on their websites, and/or deliver privacy notices to members upon request. Such activities will not affect the eligibility for the new exception. 

This final rule became effective on Sept. 17, 2018.

The Economic Growth, Regulatory Relief, and Consumer Protection Act (SB 2155), among other regulatory relief provisions, amended the 2015 Home Mortgage Disclosure Act to provide partial exemptions from the collection and reporting of the expanded 2015 HMDA data points. 
While the law lowers the number of institutions reporting sensitive financial information of mortgage loan applicants, it does not go far enough in that it does not address the issue of keeping certain HMDA data points from being made public. Given the ongoing data security concerns at the Consumer Financial Protection Bureau, the privacy issue must be addressed in a manner that goes much further than what the CFPB proposed in its July 5 statement. 
SB 2155 Amendments to 2015 HMDA Rule
In part, the 2015 HMDA rule added 25 new data points on the loan/application register for both closed-end and open-end lines of credit. This rule requires reporting of the new HMDA data points for mortgage-lending institutions that originated at least 25 closed-end mortgage loans or at least 500 open-end lines of credit in each of the two preceding calendar years (i.e., calendar years 2018 and 2019). 
SB 2155 amends the exemption threshold for both closed-end mortgage loans and open-end lines of credit to fewer than 500 such loans and lines of credit in the preceding calendar year. Note: The current CFPB HMDA summary provides the open-end lines of credit exemption will be reduced to 100 such lines of credit beginning on Jan. 1, 2020, unless the CFPB takes “further action.” SB 2155 appears to make this 500 open-end lines of credit exemption threshold permanent.  
Under SB 2155, for mortgage lenders meeting the closed-end mortgage loans or open-end lines of credit reporting exemption, the requirements of HMDA §304(b)(5) and (6) will not apply.
What this means is that mortgage lenders meeting the closed-end and open-end thresholds will not have to record and report the new HMDA data points, but must still record and report the original 21 HMDA data points on the LAR, which are as follows:

1. Rate Spread (only if above threshold) 
2. HOEPA Status 
3. Action Taken 
4. Action Taken Date 
5. Reasons for Denial (optional, up to 3 reasons) 
6. Income
7. Type of Purchaser 
8. Loan Type 
9. Loan Purpose 
10. Loan Amount
11. Property Type
12. Occupancy Type
13. Lien Status
14. Property Location (MSA or MD, State, County, Census Tract, and Census Tract Number) 
15. Application Date
16. Application/Loan Number 
17. Reporter ID
18. Preapproval Request
19. Sex
20. Ethnicity
21. Race

The exempted lenders will still use the updated LAR. However, the CFPB plans to release exemption codes later this summer for the fields the exempted lenders do not have to report. 
CFPB Proposal Regarding Privacy of HMDA Data
Also anticipated is the final HMDA rule proposed by the CFPB in September 2017 regarding the data that will be made available to the public beginning in 2019 for mortgage lenders that exceed the exemption thresholds provided by SB 2155. 

• Under the proposed rule, the following information data would not be made public:
• The universal loan identifier;
• The date the application was received or the date shown on the application form (whichever was reported);
• The date of the action taken on the application;
• The property address;
• The credit score(s);
• The Nationwide Multistate Licensing System & Registry identifier for the mortgage loan originator;
• The automated underwriting system result; and
• The free form text fields for the following (though the standard fields reported would be disclosed):
  • The applicant’s race and ethnicity;
  • The name and version of the credit scoring model;
  • The principal reason(s) for denial; and
  • The automated underwriting system name.

​The loan amount, age of the applicant, the applicant’s debt-to-income ratio and the property value each would be disclosed as a range or an interval. Loan amounts would be reported in intervals of $10,000 as opposed to the nearest $1,000.  
Data Security Concerns
More will need to be done to protect non-public personal information from being disseminated to the public, as there continue to be data security concerns at the CFPB.
For example, the October 2017 Audit of the CFPB’s Information Security Program conducted by the Office of Inspector General found the agency did not mandate the use of personal identity verification credentials for its privileged and non-privileged users, which “poses an increased risk of unauthorized access to the CFPB’s information systems.” Additionally, CFPB “has not ensured that background checks are completed for contractor personnel performing IT work.”  
The OIG’s January 2018 Audit of the CFPB’s Encryption of Data on Mobile Devices found “the CFPB has not been able to provide a full accounting of all laptops that have been assigned to users since the establishment of the agency.”   
In his April 11, testimony presenting the “2018 Semi-Annual Report of the Bureau of Consumer Financial Protection” to Congress, then CFPB Director Mick Mulvaney told lawmakers that the CFPB had suffered 240 data security "lapses" and another 800 "incidents.” Though none have been deemed a major security breach, concerns remain regarding whether the sensitive financials of mortgage loan applicants and home buyers should be transmitted, stored and shared.  
Until greater consumer protections are provided, we will have to settle for fewer institutions reporting this data.  
Veronica Madsen is CEO at ESTEE Compliance, LLC in the Detroit area. Note: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC. © 2018

Can a financial institution take a security interest in a consumer’s existing account through the use of a cross-collateralization clause when the consumer takes out a loan as a covered borrower under the Military Lending Act (MLA)? The answer to this question may depend on who you ask. Some will say “yes,” and others “no.”
 
The MLA was enacted in 2007, and expanded in 2015 (2015 MLA), to protect servicemembers and their dependents from lending-related abuses related to tax anticipation loans, vehicle title loans, payday loans, and consumer loans covered under Regulation Z.
 
Both iterations of the MLA permit creditors to take a security interests in funds deposited after the extension of credit in an account established in connection with the consumer credit transaction [See Section 232.8(e)(3) of the 2015 MLA].
 
The attorneys who say “yes” are relying on guidance provided by the Department of Defense (DoD) Interpretive Rule issued on August 26, 2016. These DoD interpretations, presented in a question and answer format, provide as follows:
 
18. Does the limitation in §232.8(e) on a creditor using a check or other method of access to a deposit, savings, or other financial account maintained by the covered borrower prohibit a creditor from exercising a statutory right to take a security interest in funds deposited within a covered borrower’s account?
 
Answer: No. Under certain circumstances federal or state statutes may grant creditors statutory liens on funds deposited within covered borrowers’ asset accounts. For example, under 12 U.S.C. 1757(11) federal credit unions may “enforce a lien upon the shares and dividends of any member, to the extent of any loan made to him and any dues or charges payable by him.” … Therefore, §232.8(e) does not impede a creditor from exercising a statutory right to take a security interest in funds deposited in an account at any time, provided that the security interest is not otherwise prohibited by applicable law and the creditor complies with the MLA regulation, including the limitation on the MAPR to 36 percent.
 
In a legal action with a covered borrower, it is certainly helpful to have the DoD on your side with regard to a claim the financial institution took an illegal security interest in accounts opened before an MLA was issued.
 
However, it must be noted that in the opening paragraphs of the Interpretive Rule, the DoD makes clear “this interpretive rule does not substantively change the regulation implementing the MLA, but rather merely states the Department’s preexisting interpretations of an existing regulation.” If the regulation is unchanged, does this Interpretive Rule really permit a security interest in an existing account?
 
If you believe it does, here is where the proverbial wheels begin to fall off the argument.
 
Section 232.7(a) of the 2015 MLA includes a preemption provision related to existing state of Federal laws. Specifically, Section 232.7(a) states the 2015 MLA will preempt a state or Federal law, rule or regulation to the extent any such law, rule or regulation provides protection to a covered borrower greater than those provided by the MLA. 
 
The DoD’s preexisting interpretation - not included in the MLA or the DoD’s implementing regulation – regarding a federal credit union’s statutory lien under the Federal Credit Union Act actually benefits the creditor, not the covered borrower.  Therefore, the MLA provisions will override any state or federal law, rule or regulation to the contrary.
 
Still not convinced taking a statutory lien in an existing account involving a covered borrower with an MLA loan is okay based on the DoD guidance? Ask yourself this question: Would the law or a contrary interpretation that does not have the force of law win the day in court when a servicemember sues your financial institution for taking a security interest in an account opened before an MLA loan was approved?
 
So what does your financial institution do with this if you haven’t changed the language of your loan agreements. The following options can be taken:
 

• Amend the language of your loan agreements to provide the statutory lien applies to accounts opened in connection with a covered borrower’s MLA loan;
• If you don’t want to incur the expense of making this change to your printed applications, amend your website loan applications to provide the language, and prepare an addendum to your loan agreement to ensure your borrowers understand a security interest can and may be taken in accounts opened in connection with an MLA loan (until new applications are printed); and/or
• Keep good records of your covered borrowers and ensure the statutory lien provisions related to existing accounts are not enforced.

 
Until the statutory language of the MLA that specifically exempts statutory liens from the security interest and preemption provisions is enacted, it may take a lawsuit to answer this question. It appears, in my opinion, that the DoD guidance does not provide sufficient comfort to support the argument that a security interest in existing accounts would survive a legal challenge.
 
Have a regulatory question? Email me at vmadsen@esteecompliance.com.

Veronica Madsen
 
PLEASE NOTE: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC. © 2018