Adding Collection Fees to Delinquent Accounts

Can a creditor add “collection fees” (not including interest or service fees) onto delinquent consumer accounts?

Ultimately, the answer depends on the laws of the debtor’s state. Some states allow it, and some don’t. Almost all of states that do allow the additional fees require that the terms be included in the creditor/debtor agreement. Some states have express limits on the amount of fees that may be recovered. In addition, under the FDCPA, the amount of the collection fee must be “reasonable,” which means the fee should “bear a relationship” to the actual costs of collection.

The Addition of a Collection Fee is not an “Unfair Practice,” Per Se, under FDCPA

Section 808(1) of the FDCPA allows the addition of collection fees when “such amount is expressly authorized by the agreement creating the debt or permitted by law.” 15 U.S.C. §1691f(1). According to its now de-published “informal staff opinions” from the 1980s and various state court decisions, the amount of the collection fee should be “reasonable” and should probably “bare a relationship” to the actual costs of collection. [See Ptazka v. Viterbo College (W.D. Wis. 1996) 917 F. Supp. 654; and Kojetin v. C U Recovery Inc. (8th Cir. 2000) 212 F. 3d 1318.]

In short, the FTC is abstaining from weighing-in on the amount of collection fees that may be recovered, and instead, it defers to state law on the issue. Its official position can be found in the most current FTC Staff Commentary to section 808(1), which states, “if state law permits collection of reasonable fees, the reasonableness (and consequential legality) of these fees is determined by state law.” (FTC STAFF Commentary, 53 F.R. at 50108.)

Collection Fees are Allowed by Some States if Included in the Debtor Contract

As far as state law goes, if the fees are allowed, the safe bet is to pay attention to state limitations on amount and expressly provided for the fees in the agreement between the creditor and debtor. The following is an attempt to distill the federal and state laws to come up with some (hopefully) simpler guidelines for answering this convoluted question for each particular state (state-by-state rules included at the end):

1. If the state law expressly prohibits it, then the answer is “NO.”

Under this rule, you CANNOT add collection fees to accounts located in: Washington D.C.; Guam (unless debt is over $25K); Hawaii (except for contracts by University of Hawaii, or unless lawsuit filed); Idaho; Louisiana; Missouri (unless consumer debts is over $1,000); North Carolina; North Dakota; Oklahoma (for consumer loans); Puerto Rico; South Carolina; Tennessee; Washington (for consumer loans); West Virginia (except for student loans); Wisconsin and Wyoming.

2. If the state law is silent AND the contract does not expressly provide for it, then, again, the answer is “NO.” Put another way, if the contract expressly provides for the charge AND the charge is not expressly prohibited by state law, then the answer is, “YES.”

Under this rule, collection fees are allowed for accounts in the following states so long as they are INCLUDED IN THE DEBTOR CONTRACT: Alabama; Alaska; Arkansas; Florida; Indiana; Kentucky; Maryland; Mississippi; Montana; New Jersey; New Mexico, Ohio; South Dakota; and Virginia. Other than the FDCPA outside limit of “reasonableness,” there is no express guidance on the amount of collection fees chargeable to debtor in these states.

3. If the state law expressly permits it, then the answer is “YES” so long as the laws of the state are followed. (As you will see, this rule overlaps with rule (2) above, because each state listed below also requires the fee terms to be included in the debtor contract. However, the legal distinction between the two rules is that in (2), the contractual requirement comes from the FDCPA and in (3) it comes from the individual state laws.)

Under this rule, collection fees as also allowed in the following states under the following express circumstances: Arizona (if established in debtor contract); California (if established in debtor contract); Connecticut (if established in debtor contract and limited to 15% of the amount actually collected on the debt); Colorado (if established in debtor contract); Delaware (if established in debtor contract and limited to amount actually incurred by creditor); Georgia (if established in debtor contract); Illinois (if established in debtor contract and amount is not “unreasonable”); Iowa (if established in debtor contract and “reasonably related to actions taken by the debt collector”); Kansas (if established in the contract and limited to 15% [however, statute does not distinguish between principal amount and amount actually collected]); Maine (if established in debtor contract); Massachusetts (if established in debtor contract); Michigan (if established in debtor contract); Minnesota (if established in debtor contract and bearing a “relationship to the actual costs of collecting on the account”); and Missouri (allowed only on consumer debts greater than $1,000).

4. In in both (2) and (3) above, the AMOUNT of fees sought cannot be “unreasonable,” and according to the limited case law, this probably means that there should be a relationship between the costs charged to the debtor and the cost actually incurred by the creditor for collection. In addition, some states have express limits as to the amount of collection fees allowed.

Under this rule, the creditor needs to make sure that the amount of collection fees stated in the creditor contract “bear a relationship” to the actual fees charged by the collector (i.e., 30% of the amount collected.) This is a tricky concept, because merchants will likely want to add the collection cost up-front to the principal balance.

Therefore, creditors should be aware that the following states expressly prohibit this, by allowing only for the addition of only ACTUAL COLLECTION COSTS to the debt: Connecticut (limited to 15% of the amount actually collected); Delaware (collection costs recoverable only to the extent they are actually incurred); Idaho (limited to 50% of amount actually collected); Kansas (limited to 15% – however, does not distinguish between actual and principal amounts); Nevada (collection fee must be either added to principal balance by the creditor before assignment to collection, or added to the principal by the collector and described as such in the first written communication with the debtor); Utah (collection fee cannot exceed the lesser of (a) the actual cost paid to debt collector; or (b) 40% of the principal amount owed); Washington (only allowed on commercial debts and amount cannot exceed 35% of the claim); West Virginia (only allowed on student loans with West Virginia and cannot exceed 33.33% of principal amount).

Alternatively and by default, in states where the law does not make the distinction between actual costs and reasonable costs, in theory, the creditor can add an up-front fixed collection fee based on a percentage of the principal balance so long as this number is not disproportionate with what the collector actually charges on the account.

When contracting in these states, the creditor should explicitly state how the fee will be determined (avoiding using the term “actual cost,” because that infers that the fee will be calculated based on the amount actually recovered, not the amount of the principal.) Some states have invalidated fees that were based on a percentage of the principal on the grounds that the debtor contract at-issue called only for “actual costs of collection.”

Overview of State-by-State Rules

Alabama – Totally silent. The amount is limited only by “unconscionable” standard.

Alaska – Totally silent. The amount is limited only by “unconscionable” standard.

Arizona – A collection fee is allowed if established in the contract. [Ariz. Admin. Code R20-4-1509.] The amount must be “justly due from and legally chargeable against the debtor.” [Ariz. Rev. Stat. Ann. §32-1051(4).

Arkansas –Collection fee that an agency can charge a creditor is limited to: (a) no more than 50% of the total amount actually collected on all accounts for one client; (b) no more than 50% of the total amount actually collected on any one account; and/or (c) a “minimum charge” of more than $1. [Ark. Code Ann. § 17-24-309(a).]

California – No express limits on collection fees, but must be included in contract. [Cal. Civ. Code § 1788.14(b).] The amount is limited only by “unconscionable” standard.

Connecticut – Collection fee limited to 15% of the amount actually collected on the debt. [Conn. Gen. Stat. Ann. §36a-805(a)(13).] Must be included in agreement creating the debt. [Conn. Agencies Regs. §36a-809-3(g)(1).]

Colorado – Collection fee must be included in the agreement. [Corlo. Rev. Stat. Ann. §12-14-108(1)(a).] A collection fee cannot be charged unless the check is assigned for collection to another collection agency not owned in whole or in part by the payee collection agency. [Color. Rev. Stat. Ann. § 12-14-108(1)(a).]

Delaware – Collection fee must be covered in the agreement. Collection costs (including charges by a collection agency) may be recovered to the extent they are actually incurred. [5 Del. Code Regs. §2203 section 3.1.4.]

District of Columbia – Collection fees expressly prohibited. [Act 19-189 (D.C. 2011) amending D.C. Code Ann. §§28-3814(g)(3)(4).]

Florida– Totally silent. The amount is limited only by “unconscionable” standard.

Georgia – Collection fee must be included in the contract. [Ga. Comp. R. & Regs. R. 120-1-14-.23(h).

Guam – Collection fees not permitted for debts under $25,000. [14 Guam Code Ann. §§2414 and 2401.] No express limits on collection fees for debts over $25,000.

Hawaii – Collection fees not allowed unless a lawsuit is filed and the collection commission (fees) are remitted to an attorney. However, collection commissions are allowed if authorized under a contract with the University of Hawaii. [Haw. Rev. Stat. Ann. §443B-9.]

Idaho – Collection fees not allowed to be charged to debtor. Collection fee that an agency can charge a creditor is limited to no more than 50% of the amount actually collected. [Idaho Code §26-2229A(4).]

Illinois – Collection fee must be included in the contract. Contingency fee allowed so long as it is not unreasonable. [225 Ill. Comp. Stat. 425/9(a)(29).]

Indiana– Totally silent. The amount should be limited by “unconscionable” standard.

Iowa – Collection fee is allowed if fee is “reasonably related to the actions taken by the debt collector” and the fee is expressly authorized by the agreement. [Iowa Code Ann. §537.7103(5)(c)-(d).]

Kansas – Collection fee is allowed if authorized by the agreement and the amount may not exceed 15% . But the fee may not include “costs that were incurred by a salaried employee of the creditor or its assignee.” [Kan. Stat. Ann § 16a-2-507.]

Kentucky– Totally silent. The amount should be limited by “unconscionable” standard.

Louisiana- Collection fees expressly prohibited. [La. Rev. Stat. Ann. § 9:3534.]

Maine- Collection fee must be included in the contract. Me. Rev. Stat. Ann tit. 32 §11013(2)(B)(2).

Maryland– Totally silent. The amount should be limited by “unconscionable” standard.

Massachusetts – Collection fee must be included in the contract. Mass. Regs. Code tit. 209 §18.17(1).

Michigan – Collection fee must be included in the contract. Mich. Comp. Laws. Ann. §339.915a(e).

Minnesota – Collection fee may be imposed on a consumer, but the charge should be authorized and itemized in the original consumer agreement and bear a relationship to the actual costs of collecting on the account. Kojetin v. C.U Recovery, Inc. (8th Cir. 2000) 212 F. 3d 1318. Also, there should be a retainer agreement between collector and creditor, specifying what collection charges will be imposed and who will be responsible for charging these. Minn. State § 332.37(19).

Mississippi – Totally silent. The amount is limited only by “unconscionable” standard.

Missouri – Collection fees expressly prohibited for credit of $1,000, or less intended to be used for personal, family or household purposes. Mo. Ann. Stat. §408.096. Law is silent as to debts over $1,000 and commercial debts of any value.

Montana– Totally silent. The amount should be limited by “unconscionable” standard.

Nebraska – Collection fee must be authorized by loan agreement. Neb. Rev. Stat. Ann. § 45-1047(2)(k).

Nevada – Collection fee must be included in the agreement. It must be added to the principal of the debt by the creditor before receipt of the item of collection (Or?) added to the principal of the debt by the collector and described as such in the first written communication with the debtor. Nev. Rev. Stat. 649.375(2).

New Hampshire – Collection fee must be included in the contract. N.H. Rev. Stat. Ann. §358-C:3 (VIII)(X).

New Jersey – A “bank” may charge and collect a collection agency’s fee if the agreement so provides. N.J. Stat. Ann. §17:3B-40. Silent as to non-banks ability to add collection fees.

New Mexico – A gross receipts tax (must be paid to the state as a charge for doing business there) may be charged to the debtor by a collection agency (between 5.125% and 8.6875%). There are no statutes addressing collection fees. N.M. Stat. Ann. §61-18A-28.1.

New York State – Collection fees must be justly due and chargeable against the debtor. N.Y. Gen. Bus. Law §601(2).

New York City – Collection fees must be expressly authorized by the agreement. New York City, N.Y., Rules, Tit. 6. §5-77(e)(1).

North Carolina – Collection fees expressly prohibited. N.C. Gen. Stat. §58-70-115(2).

North Dakota – Collection fees expressly prohibited. N.D. Admin. Code §13-04-02-09(3), (4).

Ohio– Totally silent. The amount should be limited by “unconscionable” standard.

Oklahoma – Collection fees expressly prohibited for consumer loans. Okla.Stat.tit. 14A § 3-405.

Oregon – Collection fees must be included in the contract. Or. Rev. State. §646.629(2)(n).

Pennsylvania – Collection fees must be included in the contract. 19 Pa. Cons. Ann. § 7311 (b.1)

Puerto Rico – Expressly prohibited. 10 P.R. Laws Ann. § 981p(12).

Rhode Island – Collection fees must be included in the contract. R.I. Gen. Laws § 19-14.9-8(i).

South Carolina – Expressly prohibited. S.C. Code Ann. §37-2-414.

South Dakota – Totally silent. The amount should be limited by “unconscionable” standard.

Tennessee – Prohibited. Tenn. Code Ann. §62-20-115(b)(2).

Texas – Collection fee must be included in the contract. Tex. Fin. Code Ann. §392.303(a)(2).

Utah – Creditor can require debtor to pay collection fee if collection agency hired by creditor is “registered” in Utah and collection fee is included in agreement between creditor and debtor. The collection fee may be imposed at the time of assignment of the debt to collection agency. The fee cannot exceed whatever amount is less: (a) the actual amount the creditor is required to pay a third party debt collector; or (b) 40% of the principal amount owed to the creditor. Utah Code Ann. §12-1-11.

Vermont – Collection fee must be included in the agreement. Vt. Code R. 06 031 044 Rule CF 104.05(b), (c).

Virginia – Totally silent as to collection fees. The amount is limited only by “unconscionable” standard.

Washington – Collection costs are only allowed for commercial claims, and the amount of the fee must not exceed 35% of the claim. Wash. Rev. Code Ann. §19.1.250(21).

West Virginia – Expressly prohibited, except for delinquent educational loans by institution in West Virginia, if terms are in the contract and the fee does not exceed 33.33 % of the principal amount. W. VA Code Ann. §46A-2-128(c)-(d).

Wisconsin – Expressly prohibited. Wis. Admin. Code § DFI-Nkg 74.11(1)-(2).

Wyoming – Expressly prohibited. Wyo. Rules and Regs. Ch. 3 §3.

What are FERPA and FISMA?

FERPA

The Family Educational Rights and Privacy Act “FERPA” became a federal law under the Buckley Amendment in 1974. The purpose of the Act is to protect the privacy of student educational records. The FERPA requirements apply to all schools that receive funds under an applicable program of the U.S. Department of Education. Covered entities are required to provide written notices about privacy rights and policies/practices to parents and students, obtain written permission from students over the age of 18 before disclosing information from their student records (except for certain limited circumstances) and provide opt-out opportunities with regard to the disclosure of non-private student-directory-type information.

Under the Act, there is an exception for the disclosure of private information without prior written consent when disclosure is necessary for “enforcement of the terms and conditions of financial aid.”
See 34 CFR 99.31 (4)(i)(D)

The requirements of FERPA are similar enough to Gramm-Leach-Bliley Act “GLBA” such that colleges and universities that comply with FERPA are exempt from having to comply with the “Privacy Rule” (but not “Safeguards Rule”) portion of GLBA. In 2000, the FTC published a final rule that found while colleges and universities were considered financial institutions under the GLBA, because they are subject to such stringent privacy requirements under FERPA, if the entity is in compliance with FERPA, then it is deemed to also be compliant with GLBA. However, the college and university must still comply with the “Safeguards Rule” portion of GLBA.

Third-party collectors do not need to becom certified in FERPA, because the Act only applies to educational institutions, and there is a clear exception for disclosure with regard to the “enforcement” of student loans. In addition, based on the FTC logic, above, if an agency complies with GLBA, at least with regard to the Privacy Rule, then FERPA requirements will likely overlap.

With that said, there are certain universities do require that their own employees become FERPA “certified.” One example of this is the University of Massachusetts, which has a free PowerPoint and PDF on becoming FERPA certified posted on its website. While the certification is specific to that particular university’s procedures, it is still informative because it shows how FERPA requirements apply to the day-to-day operations of educational entities.
See http://www.oit.umass.edu/support/spire/about-ferpa-certification

FISMA

The Federal Information Security Management Act “FISMA” was enacted as part of the E-Government Act of 2002. It requires federal agencies (and government contractors/service providers) to implement an “information security program” in order to protect government information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction and to provide integrity, confidentiality and availability. (Note that under President Obama’s 2010, Health Care and Education Reconciliation Act, private banks and lenders may still service federal student loans, but they are no longer allowed to make student loans with federal money.)

The National Institution of Standards and Technology “NIST” is in charge of managing FISMA and walking the government agencies through an accreditation process called, NIST SP 800-37.
See http://csrc.nist.gov/groups/SMA/fisma/index.html

Agency program officials, Chief Information Officers “CIO’s” and Inspectors General “IGS” must conduct annual reviews of the agency’s program and report the results of the Office of Management and Budget “OMB,” which has oversight responsibilities. The OMB also prepares an annual report to Congress on the agency’s compliance with the Act.

Third-party debt collectors have to be compliant with FISMA in order to service government loans. While the Act does not necessarily require that service providers become “certified” in NIST SP 800-37, official certification is offered by different independent auditing companies. As an example, in August 2012, the Regional Adjustment Bureau, Inc., which collects on student loans for guaranty agencies and universities, announced via InsideArm that it had obtained FISMA certification from Crimson Security.
See: http://www.insidearm.com/daily/debt-collection-news/debt-collection/student-loan-collector-becomes-fisma-certified/

(But note the snarky comment posted at the end of the article, which says, “Congratulations! Other than the fact that there is no such thing as the Federal Information “Systems” Management Act and there is no such thing as “FISMA Certified.” Under the NIST Risk Management Framework, compliance to FISMA is constituted in achieving an Authority To Operate.”) So, without officially confirming the veracity of this comment, it is probably most accurate to say that a non-goverment service provider can be FISMA “compliant” without achieving an official “certification.”

A PRIMER ON ARM REGULATION

A PRIMER ON ARM REGULATION

There are many state and federal laws that regulate the day-to-day operations of ARM employees. More in-depth and on-going trainings should be provided depending on the specific work functions involved. The following is meant merely as an introductory overview of some of the regulatory agencies and laws that ARM employees may encounter on a regular basis:

CONSUMER FINANCIAL PROTECTION BUREAU

The CONSUMER FINANCIAL PROTECTION BUREAU “CFPB,” is a federal agency, which was created by the Dodd-Frank Wall Street Reform and Consumer Protection Act. The Act was passed during the 111^th United States Congress, and signed into law by PRESIDENT, BARACK OBAMA on July 21, 2010.

Passed as a response to the late-2000s recession, the Act has brought the most significant changes to financial regulation in the United States since the regulatory reform that followed the GREAT DEPRESSION OF THE 1930’S.

The Act has made changes in the American financial regulatory environment that affect all federal financial regulatory agencies and almost every part of the nation’s FINANCIAL SERVICES INDUSTRY.

The CFPB holds primary responsibility for regulating CONSUMER PROTECTION with regard to financial products and services in the United States.  As part of its mission to regulate consumer protection, the CFPB will be collecting and tracking consumer complaints submitted through its website, consumerfinance.gov.

A company’s policies and practices may be subject to review or EXAMINATION by the CFPB  to assess compliance (and detect violations) regarding numerous FEDERAL CONSUMER PROTECTION LAWS.

FEDERAL TRADE COMMISSION

The FEDERAL TRADE COMMISSION “FTC” is another independent U.S. Government agency, which was established in 1914 by PRESIDENT WOODROW WILSON’S Federal Trade Commission Act. The current mission of the FTC is to “prevent business practices that are anticompetitive, deceptive or unfair to consumers; to enhance informed consumer choice and public understanding of the competitive process; and to accomplish this without unduly burdening legitimate business activity.”

The FTC has its own BUREAU OF CONSUMER PROTECTION which is separate and distinct from the Consumer Financial Protection Bureau “CFPB.” The FTC’s Consumer Bureau has seven different divisions, each specializing in the enforcement of different kinds of consumer protection laws. For example, the FINANCIAL SERVICES DIVISION enforces the Fair Debt Collections Practices Act (below), while the PRIVACY AND IDENTITY PROTECTION DIVISION enforces the Fair Credit Reporting Act (also below).  

FEDERAL COMMUNICATIONS COMMISSION

The FEDERAL COMMUNICATIONS COMMISSION “FCC” is another U.S. Government agency established by the 1934 Communications Act, passed by Congress and signed in to law by PRESIDENT FRANKLIN D. ROOSEVELT in order to regulate telecommunications. Over the years, the FCC has focused on regulating commerce as it relates to different media, including wire, radio and telephone communications. The Act has undergone numerous over-halls (in 1991, 1996 and 1999) in order to keep up with the evolution of technology, specifically internet and wireless communications.

Today, the FCC is responsible for implementing the Telephone Consumer Protection Act “TCPA” (see below), which requires among other things, that creditors obtain a consumer’s prior express consent before placing telephone calls to the consumer’s cell phone.

FAIR DEBT COLLECTIONS PRACTICES ACT

The FAIR DEBT COLLECTIONS PRACTICES ACT “FDCPA” is a CONSUMER PROTECTION statute meant to promote FAIR DEBT COLLECTION. The Act seeks to eliminate unfair, deceptive and abusive practices and provide consumers with an avenue for disputing and obtaining validation of debt information in order to ensure the information’s accuracy. EXAMPLES of specific FDCPA rules that must be followed include:

DISCLOSING THE CALLER’S IDENTITY – Callers must provide meaningful disclosure of their identity in all calls.

THE TIME AND PLACE OF COMMUNICATION – Callers are prohibited from making calls at unusual times or times known to be inconvenient to the consumer. 

AVOIDING HARASSING, OPPRESSIVE OR ABUSIVE COMMUNICATIONS – Callers are prohibited from engaging in harassing, oppressive or abusive conduct. 

AVOIDING FALSE, DECEPTIVE AND MISLEADING COMMUNICATIONS – Callers are prohibited from using any false, deceptive or misleading representations in connection with the collection of any debt.

LIMITS ON COMMUNICATIONS WITH THIRD PARTIES – Callers may not reveal the existence of a consumer’s debt to anyone other than the consumer without the consumer’s prior consent.

LIMITS ON THE USE OF TECHNOLOGY – Callers may not use technology (cell phones, call ID, Text Messages, etc.) in a way that runs afoul of the FDCPA.

FAIR CREDIT REPORTING ACT

The FAIR CREDIT REPORTING ACT “FCRA” is another CONSUMER PROTECTION statute, which puts certain requirements on CONSUMER REPORTING AGENCIES, USERS OF CONSUMER REPORTS and FURNISHERS OF INFORMATION to consumer reporting agencies.

In general, a CREDIT REPORT USER must have a PERMISSIBLE PURPOSE to use the report. Consumer Reporting Agencies and Furnishers also have the duty to provide accurate information and to correct any inaccurate or incomplete information. In addition, there are numerous requirements for responding to disputes, address discrepancies and claims of identity theft. 

TELEPHONE CONSUMER PROTECTION ACT OF 1991

THE TELEPHONE CONSUMER PROTECTION ACT OF 1991 ”TCPA” was passed by the United States Congress and signed into law by PRESIDENT GEORGE H. BUSH in 1991. The TCPA amended the Communications Act of 1934 to restrict telemarketing and the use of AUTOMATIC DIALING SYSTEMS, artificial or prerecorded voice messages, fax machines and text messages.  Unless PRIOR CONSENT is obtained, the TCPA restricts solicitor calls to cell phones, or between the hours of 8:00 a.m. and 9:00 p.m., local time. The TCPA prevents “artificial recordings” made to residences, and it also requires that identifying information and contact information be provided by the caller.

THE RED FLAG RULES & FACTA

On December 18, 2010, PRESIDENT BARACK OBAMA signed into law the RED FLAGS CLARIFICATION ACT OF 2010, which requires certain businesses and organizations to implement a written IDENTITY THEFT PREVENTION PROGRAM. The idea behind a Red Flags Program is to detect the warning signs — or “red flags” — of identity theft. With regard to ARM companies, the Red Flags focus will likely be on responding to bona fide claims of identity theft in order to protect the rights of the consumer and/or victim. 

The RED FLAGS RULE is part of the Fair Credit Reporting Act “FCRA”(see above),  so it is enforced by the Privacy and Identity Theft Protection Division of FTC’s Bureau of Consumer Protection.  In 2003, George W. Bush signed into law an amendment to the FCRA, called the FAIR AND ACCURATE CREDIT TRANSACTIONS ACT “FACTA,” which was designed to provide even greater consumer protection in the areas of identity theft and consumer credit reporting.

Specifically, FACTA allows consumers to request and obtain a FREE ANNUAL CREDIT REPORT from consumer credit reporting companies. FACTA also aims to help reduce identity theft, by giving individuals the ability to place ALERTS on their credit histories if identity theft is suspected, or if deploying overseas in the military. In addition, FACTA places numerous restrictions on financial institutions with regard to credit reporting, as well as the communication and disposal of consumer information.

PCI DSS

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) – The PCI DSS was introduced in 2004 by the major credit card issuers as a unified standard for protecting cardholder and sensitive authentication data.

CARDHOLDER DATA is any PERSONALLY IDENTIFIABLE INFORMATION “PII” associated with the cardholder, such as the primary account number, expiration date and card holder name.  SENSITIVE AUTHENTICATION DATA is the CVV or CVC (card verification values) and the Track 1 and Track 2 data (magnetic stripe).

The PCI DSS has specific security requirements for the storing, processing and transmitting of PII and authentication data, which are intended to optimize the security of payment card transactions and prevent the misuse of cardholder data.

The PCI Data Security Requirements apply to all merchants and service providers that store, process or transmit any cardholder data. All organization with access to cardholder information must meet the data security standards. Companies may utilize outside auditing to become PCI DSS certified. However, all companies that store, process or transit cardholder data must comply with PCI DSS Standards.

HIPAA & HITECH

THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT “HIPAA” was enacted by the U.S. Congress and signed into law by President Bill Clinton in 1996. The idea behind the Act was to improve the EFFICIENCY AND EFFECTIVENESS OF THE NATION’S HEALTHCARE SYSTEM by encouraging the widespread use of ELECTRONIC DATA in the U.S. healthcare system. The Act protects health insurance coverage for workers and their families when they change or lose their jobs.  HIPAA also addresses the SECURITY AND PRIVACY OF HEALTH DATA.  The HIPAA Privacy Rule regulates the use and disclosure of PROTECTED HEALTH INFORMATION “PHI.” PHI is any information which concerns health status, provision of health care, or payment for healthcare that can be linked to an individual. Generally, PHI may be disclosed to facilitate payment or if authorization is obtained from the individual. However, when a covered entity discloses PHI, it must make a reasonable effort to disclose only the MINIMUM NECESSARY INFORMATION to achieve its purpose. 

In 2009, THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT “HITECH” was passed as part of the AMERICAN RECOVERY AND REINVESTMENT ACT in order to address the regulation of health information technology. In addition to encouraging the use of electronic health records among medical providers, HITECH also seeks to further increase privacy and security protections by extending HIPAA requirements to additional businesses not previously covered under the original Act.

GRAMM-LEACH BLILEY ACT

THE GRAMM-LEACH BLILEY ACT “GLBA,” regulates the DISCLOSURE AND USE OF NONPUBLIC PERSONAL INFORMATION, and it is considered a PRIVACY LAW. The creation of the Act in 1999 was significant, because for the first time since the Great Depression, it allowed the creation of CONGLOMERATE CORPORATIONS by permitting one entity to combine banking, securities and insurance services under a single house of brands (ex. Citigroup, Time Warner, Phillip Morris).  Many critics of the Act believe that it directly helped cause the 2007 subprime mortgage crisis by clearing the way for companies that were too big and intertwined to fail.  Under the GLBA, businesses defined as “financial institutions” must comply with the Financial Privacy Rule and the Safeguards Rule with regard to using, disclosing and protecting a consumer’s nonpublic personal information.

Ninth Circuit Clarifies “Prior Express Consent” under TCPA for Cell Phone Calls

Ninth Circuit Clarifies “Prior Express Consent” under TCPA for Cell Phone Calls

In the case of Meyer v. Portfolio Recovery Associates, LLC (9th Cir. Oct. 12, 2012) 696 F. 3d 943, the 9th Circuit U.S. Court of Appeals recently decided to amend an opinion issued in October 2012, in which it arguably fumbled the definition of “prior express consent” with regard to calls made (1) to cell-phones; (2) using “predictive” auto-dialers; and (3) with numbers obtained through skip-tracing. Critics of the October 2012, ruling had argued that the decision created an impossible standard for collectors to obtain “prior express consent” for placing collection calls to cell phones. The decision was also potentially inconsistent with the FCC’s 2008 ruling on the same issue.

In 2011, Plaintiff Jesse Meyer filed the underlying complaint and putative class-action against Portfolio Recovery Associates “PRA” alleging, among other things, that PRA had violated the Telephone Consumer Protection Act “TCPA” by using an automated dialer to call cell phones without obtaining prior express consent.

On September 14, 2011, the district court granted plaintiff’s request for a preliminary injunction (and provisional class certification) to estop defendant, PRA from placing calls to cell phones from numbers obtained via skip-tracing using its Avaya Proactive Contact Dialer. PRA appealed the injunction on several grounds.

On October 12, 2012, the 9th Circuit issued an opinion denying PRA’s appeal and affirming the preliminary injunction and class certification order. This decision, which was criticized by some in the ARM industry as highly “ambiguous, troublesome and frightening” held:

“Pursuant to the FCC ruling, prior express consent is deemed granted only if the wireless telephone number was provided by the consumer to the creditor, and only if it was provided at the time of the transaction that resulted in the debt at issue. Thus, consumers who provided their cellular telephone numbers to creditors after the time of the original transaction are not deemed to have consented to be contacted at those numbers for purposes of the TCPA.”

The Court’s ruling suggested that prior express consent had to be given by the debtor at the time the debtor incurred the debt (at the credit application stage), which many believe is an impossible business reality.

Ultimately, the 9th Circuit seemed to agree, because on December 28, 2012, it issued an order amending its October opinion by replacing the two sentences above with the following language:
“Pursuant to the FCC ruling, prior express consent is consent to call a particular telephone number in connection with a particular debt that is given before the call in question is placed.”

What does this means for TCPA compliance?

Under the amended decision in Meyer, the definition of “prior express consent” essentially reverted back to what it was before the October 2012, decision:

(1) Creditors/debt collectors must still obtain prior express consent to use auto-dialers and pre-recorded messages on cell phone numbers, i.e., auto-dialers/pre-recorded messages should not be used for numbers obtained solely through skip-tracing;

(2) Prior express consent can be obtained from the debtor at any time before the call is placed. However, the industry-wide recommendation is to obtain consent in writing, especially for cell phone numbers; and

(3) Prior express consent is still limited to the specific phone numbers the debtor voluntarily provides with respect to a particular debt, i.e., debt collectors may not use mobile numbers voluntarily provided in connection with one debt to fulfill consent requirements for another debt, even if the debt involves the same creditor.