Wednesday, December 30, 2015

Filing Bankruptcy Does Not Revoke Consent under the TCPA

While the FCC recently opined that consumers can revoke their consent to receive calls via an ATDS in any manner that clearly expresses a desire not to receive further messages, a district court in Illinois has set some parameters on revocation. In Cholly v. Uptain Group, Inc., 2015 U.S. Dist. LEXIS 171415, C.A. No. 15 C 5030 (N.D. Ill. Dec. 22, 2015), the consumer alleged, among other things, that the defendant placed calls to her cellular telephone to collect a debt with a prerecorded or artificial voice. The calls were made after the consumer filed a voluntary petition for bankruptcy under Chapter 7. The consumer contended that notice of the automatic stay received by the caller effectively revoked her consent to receive calls on her cell phone. The court disagreed, noting that "the FCC's order provides that the consumer, not a third party, may revoke any prior consent that was given to the caller." Cholly at *7 (emphasis supplied).

Tuesday, December 29, 2015

Lessons to be Learned from the Hanna Saga

After a year and a half, the CFPB suit against debt collection law firm Frederick J. Hanna & Associates has come to a close. A consent order resolving the suit has been submitted to the court, which will lay the groundwork for future CFPB actions against debt collection law firms. The suit, which was brought in July 2014, alleged that Hanna violated both the FDCPA and Dodd Frank’s unfair and deceptive provisions. The CFPB contended it had jurisdiction over the law firm because the CFPB’s regulatory authority extends to persons engaged in the collection of debt related to any consumer financial products or services.
Essentially, the CFPB focused on two facets of Hanna’s practice. First, the CFPB alleged that because Hanna relied upon staff and automated practices to generate thousands of lawsuits, its attorneys were not meaningfully involved in the suits they filed. The CFPB took issue with the fact that Hanna filed form complaints drafted by staff where the only significant changes were to the name of the consumer and the amount owed, and relied upon its staff to ascertain dates of last payment, to determine whether or not there was sufficient documentation to proceed to suit, and to draft the lawsuits. Put more crassly, the CFPB contended that Hanna should have spent more time on each and every lawsuit it filed. Second, the CFPB alleged that Hanna should have known that the persons executing affidavits on behalf of their clients did not have the requisite knowledge to affirm the validity of the debts.
The Consent Order requires that Hanna and its principals pay a civil penalty of $3.1 million dollars and sets forth specific remedial policies and procedures that Hanna must adopt, including setting forth specific documentation which must be in place before Hanna may file suit and making Hanna responsible for the accuracy of affidavits executed by its clients.  
The Hanna saga should grab the attention of law firms engaged in consumer debt collection and provides some key lessons and warnings:
Collection law firms are not exempt from the provisions of the FDCPA or Dodd Frank. While that fact came as no surprise under the FDCPA, many in the industry, including myself, do not believe that the CFPB has the authority to regulate the practice of law. Unfortunately, the District Court disagreed and held that the Dodd Frank exemption for lawyers did not apply and that Dodd Frank provided a “carve out” for attorneys engaged in debt collection activity, including the filing of suit.  
Collection law firms may be held accountable for the sins of their clients. As noted above, the CFPB complaint against Hanna involved a two-prong attack and took issue with the filing of affidavits executed by Hanna’s clients, which the CFPB contended were unfair and deceptive and not based upon the personal knowledge of the affiant. The CFPB notes in its press release that the Hanna Consent Order “is part of the Bureau’s work to address illegal debt collection practices across the consumer financial marketplace, including companies who sell, buy, and collect debt” and notes the consent orders previously entered into with JPMorgan Chase, Portfolio Recovery Associates, and Encore Capital Group. The Consent Order specifically requires Hanna to vet the affidavits it submits to ensure that:
  • The persons submitting the affidavits have personal knowledge of the validity, truth, or accuracy of the character, amount, or legal status of the underlying debt;
  • The affidavits are notarized by persons who are in the presence of the affiant when the affiant signs the affidavit;
  • The affidavits are accurate and that the documentation attached to the affidavits relates to the specific Customer sued;
  • The affidavits do not misrepresent the affiant’s review of the account documentation; and
  • The affidavits do not misrepresent that the affiant personally reviewed the affidavit when that is not the case.
The terms of the Consent Order set forth the CFPB’s expectation that collection law firms are responsible for ensuring their clients’ affidavit practices do not include robo signing and that they are familiar with their client’s practices and policies for executing affidavits.
The CFPB has a Heightened Expectation of the Meaning of “Meaningful Involvement”. The Consent Order makes clear that the CFPB expects consumer debt collection lawyers to place less reliance upon their staff. The consent order requires that Hanna: 
  • Have the following documents in hand prior to engaging in collection efforts:
    • Account documentation which includes documentation the creditor provided to the consumer about the debt, a complete transactional history of the debt created by the creditor or its servicer or a copy of the judgment. The Consent Order sets forth the expectation that the account documentation include, at a minimum, the consumer’s name, the last four digits of the account number associated with the debt at charge off, the claimed amount, and any contractual terms and conditions applicable to the debt;
    • In addition, where the collection efforts are on behalf of a debt buyer, a chronological listing of all prior owners of the debt, the date of each transfer of ownership, and a certified or otherwise authenticated copy of each bill of sale; such documentation must contain a specific reference to the particular debt being collected; and
    • Any one of the following:
      • A document signed by the consumer evidencing the opening of the account; or
      • Original account-level documentation reflecting the purchase, payment, or other actual use of the account by the Consumer.
  • Document their meaningful involvement by:
    • Documenting the attorney’s review of the electronic record of each account prior to filing suit;
    • Documenting the attorney’s review of the account documentation including the consumer’s name, last four digits of the account number, the claimed amount and contract terms;
    • Documenting the attorney’s confirmation that the statute of limitations has not run;
    • Documenting the attorney’s confirmation that the debt has not been discharged in bankruptcy or is not the subject of a pending bankruptcy; and
    • Documenting the attorney’s confirmation of the consumer’s correct identity and current address to ensure the correct venue for suit.
Debt collection law firms should assess risk in light of the CFPB consent order. The consent order sets forth the CFPB’s expectations as to what constitutes meaningful involvement and should provide parties with some guidance as to the same moving forward. All firms are encouraged to review their policies and procedures in light of the Consent Order.

Thursday, December 17, 2015

Lessons to be Learned from the Wyndham Hotels Data Breach

The FTC entered into a Consent Order last week with Wyndham Hotels and Resorts resolving the FTC’s allegations that Wyndham did not do enough to protect its customers’ credit card data from three data breaches that occurred in 2008 and 2009. The Consent Order comes on the heels of the Third Circuit’s opinion in the case, in which the court held that the FTC has authority to hold companies accountable for failing to safeguard consumer data. See Federal Trade Commission v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. 2015).

Specifically, the Complaint alleges that:

  • Wyndham allowed its hotels to store payment card information in clear readable text;
  • Wyndham allowed the use of easily guessed passwords to access the property management systems;
  • Wyndham failed to use readily available security measures such as firewalls to limit access between the hotels’ property management systems, corporate network and the internet;
  • Wyndham did not ensure that its hotels implemented adequate information security policies and procedures;
  • Wyndham failed to adequately restrict access of third party vendors to its network and servers;
  • Wyndham failed to employ reasonable measures to detect and prevent unauthorized access to its computer network or to conduct security investigations;
  • Wyndham did not follow proper incident response procedures.  Wyndham did not monitor its network for malware used in the prior intrusions.  As a result, the hackers in each of the three breaches used similar methods to gain access to credit card information.

Specifically, the FTC’s complaint alleges that on three separate occasions in 2008 and 2009 hackers gained access to Wyndham’s network and property management systems and obtained unencrypted information for over 619,000 consumers.  The complaint alleges that Wyndham participated in deceptive and unfair acts or practices related to their data security because it was not proactive in its response after the first data breach specifically by not addressing the weaknesses of its system that led to the initial attack.  As a result, hackers were able to successfully use similar methods in each of the two subsequent attacks.  The Consent Order, which will remain in effect for twenty years, requires Wyndham, among other things:

  • To establish and implement a comprehensive written information security program that is reasonably designed to protect the security, confidentiality, and integrity of its customers’ credit card data;
  • To annually obtain written assessments of its compliance with certain agreed upon data security standards; and
  • To maintain records of its efforts, including audits, policies, and assessments which may be accessed by the FTC upon request.

Businesses which store nonpublic personal information should take note of the FTC Consent Order and take the following lessons to heart:

  • Businesses must develop a Written Information Security Program (“WISP”) which identifies reasonably foreseeable internal and external risks to the security and confidentiality of customer information that could lead to the unauthorized disclosures of personal private information;
  • Businesses must continually assess the sufficiency of the institution’s safeguards and operational risks including detecting, preventing and responding to attacks against the institution’s systems;
  • Businesses must evaluate and adjust the WISP in light of relevant circumstances and changes in the company’s environment, business offerings and operations, as well as the results of security testing and monitoring and any cybersecurity breaches which may occur;
  • The FTC has established through the Wyndham litigation that it has authority to bring claims against businesses for cybersecurity intrusions under Section 5 of the FTC Act’s unfair and deceptive umbrella;
  • Businesses are on notice of the FTC’s interpretation of what cybersecurity practices are required by Section 5 of the FTC Act; and
  • Businesses should carefully monitor FTC Consent Orders regarding data breaches and use those consent orders to better model their practices.
Additionally, businesses which store nonpublic personal information should familiarize themselves with state statutes which govern cybersecurity attacks in the event one occurs.  The majority of states have adopted state breach statutes setting forth the notice requirements to consumers, credit reporting agencies and law enforcement in the event a breach occurs.

Sunday, December 13, 2015

When is a Message a Communication "With" a Third Party? The Debate Rages On

Since the Foti decision in 2006, the debate has raged on as to when and how a message may be left without violating the FDCPA. See Foti v. NCO Fin. Sys., Inc., 424 F. Supp. 2d 643 (S.D.N.Y. 2006); Zortman v. Christensen & Assocs., Inc., 870 F. Supp. 2d 694 (D. Minn. 2014). An Oregon District Court recently joined the fray and the opinion emphasizes that the decision is often specific to the facts. See Peak v. Professional Credit Service, C.A. No. 6:14-cv-01856-AA, 2015 U.S. Dist. LEXIS 162149 (D. Ore. Dec. 2, 2015).

In Peak, the consumer alleged that the collection agency violated the FDCPA when it left two messages for her on her cell phone which were overheard by third parties.  Prior to the calls in question, Ms. Peak had entered into a payment arrangement with the collection agency.  During the course of payments, the agency contacted Ms. Peak to confirm her debit card payment information and at the same time, confirmed that the number at which it called her was the best number to reach her.  Key to this decision, Ms. Peak was contacted while she was in her car and therefore, the collection agency was aware that the number was a cell number.  Unbeknownst to the collection agency, however, Ms. Peak’s live-in boyfriend had cancelled his cell phone coverage and was using Ms. Peak’s phone when it was available and had access to her voice mail messages.  The very next day, the collection agency attempted to reach Ms. Peak on her cell number and reached her voice mail. The voice mail message stated:

Hi, you’ve reached Kat.  I’m not available to come to the phone right now but if you’ll leave your name and number I’ll definitely give you a call back.  Have an absolutely wonderful day.

In response the agency left the following message:

Hi, this is Katie and I have an important message from Professional Credit Service.  This is a call from a debt collector.  Please call 866-254-2993.

Ms. Peak’s boyfriend, while checking the voicemail messages later, heard the message.  About a month later, the collection agency called Ms. Peak again and left the identical message.  This time, Ms. Peak chose to listen to the message through the speaker function of her cell phone in the employee break room at her place of employment (which ironically, was another collection agency) and the message was heard by her employer.  Ms. Peak filed suit alleging the collection agency violated Section 1692c(b) of the FDCPA asserting that the overheard messages were unauthorized communications with third parties. 

Section 1692c(b) provides:

Except as provided in section 1692b…without prior consent of the consumer given directly to the debt collector, or the express permission of a court of competent jurisdiction, or as reasonably necessary to effectuate a postjudgment judicial remedy, a debt collector may not communicate, in connection with the collection of any debt, with any person other than the consumer, his attorney, a consumer reporting agency if otherwise permitted by the law, the creditor, the attorney of the creditor, or the attorney of the debt collector.

The court concluded that while the messages qualified as “communications” under the FDCPA, they were not communications “with” a third party. In doing so, the court applied a negligence standard, holding that “a communication is only ‘with’ a third party under section 1692c(b) if the debt collector knows or should reasonably anticipate the communication will be heard or seen by a third party.” Peak at *14. “No matter how careful a debt collector is, there is always some risk a third party will intercept the communication… Congress intended the FDCPA to cause debt collectors to be very careful in the way they communicate with consumers, but it did not intend the statute to completely shut down all avenues of communication and force debt collectors to file a lawsuit in order to recover the amount owed…Moreover…a true strict liability standard would invite abuse…A negligence standard strikes the right balance because it holds debt collectors liable for failure to take reasonable measures to avoid disclosure to third parties, but does not require them to avoid such disclosure at all costs.” Peak at *15-16.

Reviewing the facts of the case, the court determined it was not reasonably foreseeable that the phone messages would be overheard by Ms. Peak’s boyfriend or employer. Key to the court’s conclusion was the fact that the calls were made to a cell phone and the cell phone’s outgoing message only identified her as the owner of the phone. “The cell phone/land line distinction is important because a caller may reasonably assume messages left on a cell phone’s voicemail system will not be accidentally overheard, as they must be accessed through the cell phone itself. By contrast, if any person is in the vicinity of a land line answering machine, that person may overhear a message as it is being left.” Id. at *16-17.


Wednesday, December 9, 2015

FTC Sends Warning to Creditors Collecting Their Own Debts: Winter is Coming

Creditors collecting their own debts have often sought solace in the fact that they were not covered by the FDCPA; however, over the past few years that solace has been called into question by the CFPB and now the FTC. In a blog post entitled “Think Your Company’s Not Covered by the FDCPA? You May Want to Think Again”, the FTC yesterday warned creditors to carefully consider whether they are covered by the FDCPA and, more importantly, warned that whether or not they are covered by the FDCPA, they are not immune from debt collection violations. The warning was timely as I spent most of yesterday morning with a bank client discussing the same issue. So why should banks and other first party creditors be concerned?

The FTC Act and Dodd Frank generally prohibit deceptive and unfair practices, and both the FTC and CFPB have used this umbrella to punish creditors for unfair and deceptive debt collection issues even where they were not covered by the FDCPA. For instance, the draconian CFPB Consent Order with JP Morgan Chase, which was entered in July, was premised in part on Dodd Frank’s general prohibition on unfair, deceptive or abusive acts because the bank did not fall under the FDCPA. The FTC’s blog post makes no bones about the Commission’s intent to continue using the FTC Act’s general prohibition in the absence of FDCPA coverage, stating that “even if the FDCPA doesn’t apply, your collection activities are still covered by Section 5 of the FTC Act’s general prohibition against deceptive or unfair practices….[T]he FTC has taken action under Section 5 when first-party creditors engage in other practices expressly prohibited by the FDCPA – for example, revealing the existence of a debt to anyone other than the debtor.”

The CFPB Has Left Little Doubt that Impending Regulation F Will Encompass Creditors Collecting on Their Own Behalf. To borrow a phrase from Jon Snow on Game of Thrones, “winter is coming” for the debt collection world, even for those of us who consider it already here. The CFPB will likely issue proposed regulations concerning debt collection in the first half of 2016 and those regulations are anticipated to address first party collections, as well as third party collections. The Bureau’s recent enforcement actions, as well as other publications, make clear its position that anyone collecting consumer debt, whether first or third party, cannot do so in an unfair or deceptive manner, and all debt collectors will likely be encompassed in Regulation F.

In 2013, the Bureau issued Compliance Bulletin 2013-07 which clearly laid out its position: “[a]lthough the FDCPA definition of “debt collector” does not include some persons who collect consumer debt, all covered persons and service providers must refrain from committing UDAAPs in violation of the Dodd-Frank Act.” Specifically, the CFPB identified several practices that they are particularly concerned with, including:

  • Collecting or assessing a debt and/or any additional amounts in connection with a debt (including interest, fees, and charges) not expressly authorized by the agreement creating the debt or permitted by law.
  • Failing to post payments timely or properly or to credit a consumer’s account with payments that the consumer submitted on time and then charging late fees to that consumer.
  • Falsely representing the character, amount, or legal status of the debt.
  • Misrepresenting that a debt collection communication is from an attorney or a government source.
  • Misrepresenting whether information about a payment or nonpayment would be furnished to a credit reporting agency.
  • Misrepresenting to consumers that their debts would be waived or forgiven if they accepted a settlement offer, when the company does not, in fact, forgive or waive the debt.
  • Threatening any action that is not intended or the covered person or service provider does not have the authorization to pursue.
  • False threats of lawsuits, arrest, prosecution, or imprisonment for non-payment of a debt.

The CFPB concluded by stating that “[o]riginal creditors and other covered persons and service providers involved in collecting debt related to any consumer financial product or service are subject to the prohibition against UDAAPs in the Dodd-Frank Act.  The CFPB will continue to review closely the practices of those engaged in the collection of consumer debts for potential UDAAPs, including the practices described above.”

The FDCPA does not provide a blanket exception for creditors collecting on their own behalf. As the FTC blog aptly notes, the definition of debt collector under the FDCPA may include creditors collecting on their own behalf under several limited scenarios. First, the FTC points out that “if a creditor collects its own debt but uses a different name that suggests that it’s a third party debt collector…then the company is now a debt collector subject to the FDCPA”. The FTC also points to a second scenario – when a creditor is collecting a debt on its own behalf which was in default at the time it was obtained by such person. What is troubling, however, is that the FTC misses the second crucial element of the definition of a debt collector - specifically, that the creditor’s principal business purpose must be debt collection. The FTC blog suggests by implication that banks that acquire loans may be subject to the FDCPA; however, the majority of courts that have examined that issue have ruled to the contrary.

The Bottom Line? Creditors who collect debt on their own behalf need to examine their policies, procedures and compliance management systems to ensure their collection efforts are consistent with the FDCPA whether or not they are “debt collectors” under the Act. Both the FTC and CFPB have made clear their intention to enforce unfair and deceptive debt collection practices under the FTC Act and Dodd Frank when the FDCPA is unavailable. Additionally, it is likely that any debt collection regulation proposed by the CFPB will include creditors collecting on their own behalf. Winter is coming – creditors should be prepared.

Thursday, December 3, 2015

Eighth Circuit Rejects FDCPA Claim Based Upon Attorney Affidavit

The Eighth Circuit recently rejected an FDCPA claim alleging that a law firm violated the Act by swearing to an affidavit without personal knowledge of the facts.  The case, Janson v. Davis, arises from the law firm’s collection suit for unpaid rents.  Janson v. Davis, 2015 U.S. App. LEXIS 19894 (8th Cir. Nov. 17, 2015).  As was the law firm’s customary practice, the attorney filing the suit executed and attached to the complaint an affidavit setting forth the past due balance, as well as the monthly rental rate.  In the subsequent FDCPA suit against the law firm, the consumer alleged that the affidavit was not based upon the attorney’s personal knowledge of the facts and that by swearing to the truth of the affidavit without having personal knowledge of the facts, the law firm violated Sections 1692e and 1692f of the FDCPA. 

On appeal from the district court’s dismissal of the suit, the appellate court pointed out that the suit did not allege that the contents of the affidavit were false. Moreover, the court homed in on the fact that the complaint did not allege that the consumer or the court were misled by the affidavit in any meaningful way. The court therefore concluded that there was no violation of the FDCPA and that even a technical falsehood without more would not give rise to a violation of the Act. “[C]ourts [may only] link “false to misleading,” meaning “[i]f a statement would not mislead the unsophisticated consumer, it does not violate the FDCPA – even if it is false in some technical sense.” Janson at *6, quoting O’Rourke v. Palisades Acquisition XVI, LLC, 635 F.3d 938, 945 (7th Cir. 2011) (Tinder, J., concurring).

The court’s opinion brings the Eighth Circuit into alignment with the Second and Seventh Circuits and emphasizes that, at least in those circuits, the element of whether the court or unsophisticated consumer were misled is key.

Wednesday, December 2, 2015

Second Circuit Decision Creates a Moving Target for Statute of Limitations Calculations

Under the FDCPA, a plaintiff must bring its claims within one year from the date the violation occurs. A recent decision by the Second Circuit demonstrates that the date the violation occurs can be a moving target depending upon the nature of the violation and the actions of the debt collector. In Benzemann v. Citibank, the plaintiff’s bank account was mistakenly frozen. The restraining notice that gave rise to the freeze was issued on December 6, 2011 but the actual freeze on the account didn’t occur until December 14, 2011. The plaintiff’s suit was filed on December 14, 2012 and the law firm moved to dismiss, contending that the actions giving rise to the suit – i.e., their issuance of the restraining order – occurred more than a year prior to the filing of the suit. The district court agreed and dismissed the FDCPA claims against the law firm.

On appeal, however, the Second Circuit raised concerns with the “anomaly” created when the FDCPA claim accrues at one time for the purpose of calculating when the statute of limitations begins to run (in this case, when the restraining notice was issued), but at another time for the purpose of bringing suit (when the injury occurred or, in this case, when the account was frozen). The Second Circuit noted that a “cause of action accrues when the conduct that invades the rights of another has caused injury.” Benzemann v. Citibank, 2015 U.S. App. LEXIS 19875, *7 (2nd Cir. Nov. 16, 2015). In concluding that the statute of limitations could not begin to run until the injury occurred, the court noted that it saw “no indication in the text of Section 1692k(d) that Congress intended for the FDCPA’s statute of limitations to begin to run before an FDCPA plaintiff could file suit”, finding it “implausible that the Congress that passed the FDCPA intended to create such an anomalous result.” Id. at *8-9. The court therefore concluded that under the facts presented, the statute of limitations did not begin to run until the account was frozen.

So what about the FDCPA case brought based upon a letter violation? When does it occur? Under the logic of the Second Circuit’s decision it shouldn’t accrue until the letter is received. However, at least two other circuits (the 8th and 11th) have held that in the context of FDCPA claims premised on unlawful debt collection notices, the FDCPA violation occurs when the notice was mailed versus received. “Those courts reasoned that tying the statute of limitations to the date of mailing was necessary because (1) mailing is the debt collector’s last opportunity to comply with the FDCPA and (2) the date of the mailing is easy to determine and ascertainable by each party, yielding a rule that is easy to apply.” Id. at *12. The Second Circuit explained away those rulings by distinguishing the fact that the date of mailing is easy to determine in those cases while the date of receipt is not. The Second Circuit concluded that the reasoning in those decisions was simply not applicable under the facts presented by Benzemann.

Tuesday, December 1, 2015

Guest Post: Tilting at Windmills – Part II

By: Mark J. Dobosz

December 1, 2015


Last week I wrote about the use of data by the CFPB and the value of ensuring that it stands the test of true scientific research on which to base findings.
I commented that “[w]orking with a regulatory body is meant to be a collaborative process where all sides can trust in the third-party data and research used to develop a level-playing field for consumers and creditors. That is very difficult to accomplish when one-side provides data that is reflective of both quixotism and idealism.”
An article yesterday in JDSupra Business News, Does This Year’s Nobel Prize in Economics Suggest Any Lessons Regarding the Regulation of the Consumer Finance Industry?, appears to support that position.
Professor Angus Deaton, who recently won the 2015 Nobel Memorial Prize in Economic Science, has work which “holds relevant lessons with respect to the regulation of the consumer financial services industry.”
Article author Vikram Kumar points to the following from Professor Deaton’s work:
“To the extent the CFPB and other federal and state governmental agencies are propounding scientific justifications for new regulations affecting the consumer financial services industry, the quality of the data underlying such scientific theories is of fundamental importance. As Professor Deaton’s research has shown, data regarding consumer behavior may be incomplete or inaccurate due to design failures affecting the data-gathering process. When such a study is conducted by a political entity, rather than an independent expert, issues of research methodology arguably should be front and center.”
Federal regulatory agencies should take note of other experts in the field when gathering data – rely on the experts as third-party independent resources who can provide “independent” data.

About the Author: Mark Dobosz currently serves as the Executive Director for NARCA – The National Creditors Bar Association. Mark is one of NARCA’s speakers on many of the creditors rights issues impacting NARCA members. The National Creditors Bar Association (NARCA) is a trade association dedicated to creditors rights attorneys. NARCA's values are: Professional, Ethical, Responsible.