January 2022 OBA Legal Briefs

  • The FDCPA Regulation—Part 2
  • The CFPB’s Reg E FAQ—Part 1

Don’t Ignore the FDCPA Regulation (Part 2)

By John Burnett

Part 1 of our update on the CFPB’s Regulation F (12 CFR Part 1006), “Fair Debt Collection Practices Act,” appears in our November 2021 Legal Briefs.

False, deceptive, or misleading representations or means

To remain compliant with section 1006.18 of the regulation, debt collectors cannot use any false, deceptive, or misleading representation or means in connection with their collection of any debt.

The regulation provides examples of the things that a compliant debt collector cannot do in paragraphs (b) through (d) of this section.

False, deceptive or misleading representations: Debt collectors must not falsely represent or imply that—

  • they are vouched for, bonded by, or affiliated with federal or state government including through the use of a badge, uniform, or facsimile of a badge or uniform
  • they operate or are employed by a consumer reporting agency (credit bureau)
  • they are attorneys or that any communication is from an attorney
  • the consumer committed any credit or other conduct, in order to disgrace the consumer
  • a sale, referral, or other transfer of any interest in a debt causes or will cause the consumer to:
    • lose any claim or defense to payment of the debt, or
    • become subject to any practice banned by the regulation
  • accounts have been turned over to innocent persons for value
  • documents are legal process
  • documents are not legal process forms or do not required action by the consumer

Debt collectors also must not falsely represent the character, amount, or legal status of any debt, or falsely represent any services rendered, or compensation that may be lawfully received, by the debt collector for the collection of a debt.

Many, many complaints to the CFPB included collectors who had incorrect information about the amount of the debt, and in some cases the debts had already been paid off or settled and no amount was owed. The consumers had to prove to the collector that an aged bill had been paid and this can take a lot of time and effort and the “official loan records” which the collector should have, are really what’s needed. Did the creditor accept payments after a loan was sold?  Did a settled amount not get properly written off? These are issues the consumer can’t easily fix and the collector is not interested in doing because they are interested in collecting money, as perhaps their income depends on how much they bring in. But the collector must know what’s owed.

Debt collectors mustn’t represent or imply that nonpayment of a debt will result in a person’s arrest or imprisonment, or the seizure, garnishment, attachment or sale of a person’s property or wages, unless such action is lawful, and the debt collector or creditor intends to take such action.

False, deceptive, or misleading collection means:

  • Threatening to take any action that cannot legally be taken or that is not intended to be taken (such as threatening to sue when you don’t or won’t sue to collect the debt)
  • Communicating or threatening to communicate to any person credit information that the debt collector knows or should know is false, including the failure to communicate that a disputed debt is disputed.
  • Using or distributing any written communication that simulates or that the debt collector falsely represents to be a document authorized, issued, or approved by any court, official, or agency of the U.S. or any state, or that creates a false impression about its source, authorization, or approval.
  • Using any business, company or organization name other than the true name of the debt collector’s business, company or organization.

False representations or deceptive means. Use of any false representation or deceptive means to collect or attempt to collect a debt or to obtain information concerning a customer is forbidden by the regulation. This is a catch-all that can cover any deceptive tactic that isn’t specifically listed.

For example, in a social media context, it would be a false representation or implication for a debt collector to request to be added as one of a consumer’s contacts or “friends” on a social media platform marketed for social or professional networking purposes if they do not disclose their identity as a debt collector in the request.

Or assume that a debt collector communicates privately with a friend or coworker of a consumer on a social media platform, for the purpose of getting location information about the consumer. The debt collector must identify himself or herself individually by name when communicating for the purpose of acquiring location information. To avoid violating that requirement, the debt collector must communicate using a profile that accurately identifies the debt collector’s individual name. (There is a limited exception for the consistent use of assumed names. See “Use of assumed names” below.) The debt collector also must comply with the other applicable requirements for obtaining location information (e.g., with respect to stating that the debt collector is confirming or correcting location information concerning the consumer and, only if expressly requested, identifying the name of the debt collector’s employer), for communicating with third parties and for communicating through social media.

Initial communication with debtor: A collector must disclose in their initial communication with a consumer that the debt collector is attempting to collect a debt and that any information obtained will be used for that purpose. If the debt collector’s initial communication with the consumer is oral, the debt collector must repeat the disclosure that they are attempting to collect a debt in its initial written communication with the consumer.

In each subsequent communication with the consumer, the debt collector must disclose that the communication is from a debt collector. These disclosures must be in the same language or languages used for the rest of the communication.

Use of assumed names. A debt collector’s employees can use assumed names when communicating or attempting to communicate with a person, but only if the employee uses the assumed name consistently and the debt collector can readily identify any employee using an assumed name.

Unfair or unconscionable means

Debt collectors cannot use unfair or unconscionable means to collect or attempt to collect any debt, including any of the following conduct:

Collection of unauthorized amounts, such as interest, fees, charges or expenses not expressly authorized by the loan note or other agreement creating the debt or permitted by law. Many collectors were in the habit of collecting more than legally permitted, on the theory that excess funds collected could always be returned.

Acceptance or use of postdate payment instruments, such as a check or other instrument post-dated more than five days, unless the consumer is notified in writing of the debt collector’s intent to deposit the check or instrument no more than 10 nor less than 3 days (excluding weekends and legal public holidays) before making the deposit.

Solicitation of post-dated checks or other payment instruments for the purpose of threatening or instituting criminal prosecution (“Give me a post-dated check and I won’t have you arrested.”)

Depositing (or threatening to) any post-dated check before its date (“You gave me four post-dated checks. I will run them all if you don’t come up with a cash payment!”)

Causing charges resulting from concealment of purpose. That’s a fancy way of saying a debt collector can’t pose as a friend or family member to make a collect telephone call to get a consumer to answer the telephone. The word “telegram” is included in this paragraph of the rule just in case someone figures out how to send a collect telegram. There are still ways to make collect phone calls, and they can be expensive for the person who accepts such a call.

Taking or threatening to take any nonjudicial action to effect dispossession or disablement of property if the creditor or debt collector has no current right to take possession of or to disable the property or has no present intention to take possession of it, or the property is exempted by law from dispossession or disablement.

Restrictions on use of certain media. Debt collectors are not allowed to:

  1. Communicate with a consumer about a debt by postcard
  2. Use any language or symbol other than the debt collector’s address, on any envelope when communicating with a consumer by mail (the debt collector’s business name may appear on the envelope if it does not show that the debt collector is in the business of debt collection).
  3. Communicate or attempt to communicate with a consumer by email sent to an email address the debt collector knows is provided to the consumer by the consumer’s employer, unless the consumer has directly given the debt collector prior consent to use that address, or the consumer has sent the debt collector an email from that address and has not subsequently rescinded the expressed or implied consent to use of the address.
  4. Communicate (or attempt to) with a person about collection of a debt through a social media platform if the communication or attempt can be viewed by the public or the person’s social media contacts.

Time-barred debts

Every state has statutes of limitations that prescribe the time limit for bringing a legal action to collect a debt. In some cases, these time limits can vary by the type of debt.

A time-barred debt is one for which the applicable statute of limitations has run or expired.

Under the FDCPA regulation, a debt collector is not allowed to bring or threaten to bring a legal action against a consumer to collect a time-barred debt.

Other prohibitions and requirements

There are miscellaneous other requirements in the regulation that prohibit certain actions and mandate others.

  • 1006.30—Other prohibited practices.
  • 1006.34—Notice for validation of debts.
  • 1006.38—Disputes and requests for original-creditor information.
  • 1006.42—Sending required disclosures.
  • 1006.100—Record retention

Why is this important for bankers?

The Fair Debt Collection Practices Act itself and the FDCPA regulation (Regulation F) are replete with prohibitions against actions that are deemed Unfair, Deceptive, or Abusive, the first three words abbreviated in UDAAP. If a bank were found to engage regularly in the unfair, deceptive, or abusive actions banned in this regulation, it would not be unreasonable for a regulator to bring an enforcement action against the bank under the UDAP provisions of the FTC Act or for the Bureau to bring an action against a large bank for violations of the UDAAP provisions of the Consumer Protection Act of 2010.

The more immediate concern, however, is that a bank that hires an outside debt collection firm has responsibility to verify that firm’s and its collectors’ compliance with the FDCPA and the regulation.

The CFPB’s Reg E FAQ – Part 1

By Andy Zavoina

In one episode of the TV sitcom Big Bang Theory, Leonard asked Sheldon, “What you would be if you were attached to another object by an incline plane wrapped helically around an axis?” And Sheldon answered appropriately, “Screwed.” When I teach Reg E, I typically say more than once that “Reg E is not fair to banks, and it is not meant to be. Reg E is a consumer protection regulation.” But the Electronic Fund Transfers FAQs issued in December 2021 by the Consumer Financial Protection Bureau have taken these protections up a notch. Using its interpretive authority without requesting input from the industry or public, The CFPB has made banks liable for more transactions than in the past, at least based on the common interpretations of the past.

This guidance is in the form of FAQs which the CFPB considers a Compliance Aid. Compliance Aids were introduced in February 2020. Refer to the Federal Register / Vol. 85, No. 17, January 27, 2020, page 4579. The CFPB stated it is not intended that Compliance Aids will bind banks and other entities to new rules. Unlike actual regulations and official interpretations, Compliance Aids are not “rules” under the Administrative Procedures Act.  Instead, Compliance Aids present the requirements of existing rules and statutes in a manner that is useful for those who must comply with the rules as well as the public and others interested in the topics. Compliance Aids can include practical suggestions for how to properly comply with these rules. An FAQ Compliance Aid from the CFPB is simply an explanation of how it connects the dots and interprets an existing rule. It is not new, but it is how those currently in the driver’s seat at the CFPB understand the rule. Again, above all, Reg E, which implements the Electronic Fund Transfer Act, is intended to protect consumers, and the CFPB will read and interpret it from that perspective. It is not intended to be fair to the banks or others.

Now, let’s preview the Reg E FAQs. This December 13, 2021, issuance is an update of the original FAQs on Reg E the CFPB issued on June 4, 2021. It is not all new content. There are four major categories and questions and answers under each.

  • “Coverage: Transactions” is the first section and it contains five new questions and answers. This general topic lays the foundation for interpretations that follow.
  • The second section, “Coverage: Financial Institutions” has four new questions and answers. This section is intended to add clarity as to who the banks and other entities such as “Person to Person” (P2P) vendors are. By defining the roles of these players, we are better able to define the responsibilities of each based on the transactions and relationships between the players.
  • Section three is “Error Resolution,” and it is a general topic. There are four questions and answers, of which two are new to the topic and two were issued in June 2021.
  • The fourth and final section is “Error Resolution: Unauthorized EFTs.” It includes six restated questions and answers from June 2021 and five new ones specific to the topic at hand as Reg E drills into some liability issues particular to P2P payments.

Section two on Coverage is perhaps one of the more controversial. As I read the FAQs the last question is where I annotated “gotcha” in the column. As far back as March 2021 one banker on the BOL threads referred to a conversation with an attorney at the CFPB who opined banks could not displace error resolution responsibilities and liabilities to a P2P third-party vendor as they were believing they could under § 1005.14. And nine months later we received this in print.

Under § 1005.14 a person that provides an electronic fund transfer service to a consumer (think P2P providers like Zell, Venmo, CashApp, etc.) but does not hold the consumer’s account, is subject to the error resolution requirements if the person meets a two-pronged test:

  1. The person issues a debit card (or other access device) that the consumer can use to access the consumer’s account held by a bank, and
  2. The person has no agreement with the account-holding institution regarding such access.

P2P providers often have an agreement directly with a bank to provide services to that bank’s customers. In that case the bank still has Reg E error resolution responsibilities. But when that company is acting on its own it assumes these responsibilities. At least that is how many bankers interpreted the rules.

Under that common understanding, most P2P providers issue logon credentials for access in an app or to a web site such as with a smartphone and this constitutes an access device. Therefore § 1005.14 applies when 1) the service provider offers EFT services and 2) the provider does not have an agreement with the bank who holds the account in question.  So, when a bank consumer customer loans their smartphone to someone who then without authority uses the P2P app to transfer money, the bank simply executed the debit order and sent the funds through the P2P provider to a destination not known by the bank. The P2P provider issued an access device, does not hold the deposit account, and has no agreement to execute such orders with the bank. Section 1005.14 has been used by many banks because of this understanding to refer the harmed consumer to the P2P provider they selected on their own, for satisfaction of a claim.

A. Coverage: Transactions

1. What transactions are covered by the Electronic Fund Transfer Act and Regulation E?

This is new to the FAQ, but the answer provided is not. It is straight out of Reg E, but it must be understood as it is a foundation for most of what follows. Per § 1005.3(a) the answer reminds us this is all about electronic fund transfer requests to a financial institution (FI) to debit or credit a consumer’s account. It applies to checking, savings and other consumer asset accounts, held directly or indirectly by a FI and established primarily for personal, family or household use.

The rules apply to any transfer of funds that is initiated through an electronic terminal, telephone, computer, or magnetic tape for the purpose of ordering, instructing, or authorizing a FI to debit or credit a consumer’s account, 1005.3(b)(1). Here the CFPB states inclusively that Reg E applies to any P2P or mobile payment transaction that meets the definition of EFT, including debit card, ACH, prepaid account and other EFTs to or from a consumer account. So, an EFT to or from a P2P vendor is an EFT to your consumer customer’s account.

2. Can person-to-person or “P2P” payments be EFTs under Regulation E?

This reinforces what was just presented as the short CFPB answer is “Yes.” The specific answer is that in general, yes, so long as the P2P payment meets the definition of an EFT, it is under Reg E.

3. Is a P2P payment that uses the consumer’s debit card to transfer funds considered an EFT?

Short answer, “Yes.” This allows the tying of a debit card to the P2P account and clearly includes such transfers.

4. Is a credit-push P2P payment that transfers funds out out of a consumer’s deposit, prepaid, or mobile account considered an EFT? (The FAQ uses “out” twice.)

Short answer is again, “Yes.” It ties back to the definition of an EFT and this meets that definition while associating the transfer as out of a consumer deposit. It further explains that a credit-push P2P transfer is considered an EFT even if the payment was initiated by a third party that fraudulently obtained access to the consumer’s account. An example is by using login credentials stolen in a data breach or obtained through fraudulent inducement. The credit-push P2P transfer would be considered an unauthorized EFT. The consumer neither did it, authorized it nor benefitted from the EFT and the credentials were obtained fraudulently. Remember, too, that if the access device as defined under 1005.2(a)(1) was not an accepted device, the consumer’s liability under 1005.6(a)-(b) may be eliminated and become the responsibility of the bank.

5.  Is a P2P debit card “pass-through” payment considered an EFT?

Another “Yes” plus the explanation that a “pass-through” payment transfers funds from the consumer’s account held by an external FI to another person’s account held by an external FI.Now the FAQ introduces a third-party P2P vendor. It tells us a “pass-through” payment is initiated through a FI that does not hold a consumer’s account, such as a non-bank P2P provider. It restates the foundational question and answer 1 above, that Reg E applies to any EFT that authorizes a debit or credit from a consumer’s account. Therefore, debit card “pass through” payments are EFTs.

B. Coverage: Financial Institutions

In this section the FAQ better defines who the financial institution players are to assist in defining liability and responsibility.

1. What is a financial institution under EFTA and Regulation E?

 Simply put it includes banks, savings associations, credit unions, and:

any other person that directly or indirectly holds an account belonging to a consumer, or

any other person that issues an access device and agrees with a consumer to provide electronic fund transfer (EFT) services.

This includes providers of P2P payment and bill payment services if they directly or indirectly hold an account belonging to a consumer, or if they issue an access device and agree with a consumer to provide EFT services.

So far so good, except that more of the answer clarifies how the P2P provider may become liable itself (it states essentially the two-pronged test under 1005.14), and then how that liability can revert to the FI based on another agreement. It states, “In narrow circumstances, a financial institution can also be considered a “service provider” under Regulation E. A financial institution who provides EFT services to a consumer but does not hold the consumer’s account is a service provider under Regulation E if the financial institution: (1) issues an access device that the consumer can use to access the account and (2) no agreement exists between the access device-issuing financial institution and the account-holding financial institution.  12 CFR 1005.14(a).  The automated clearing house (ACH) rules alone do not generally constitute an agreement for purposes of whether a financial institution meets the definition of “service provider” under Regulation E. However, an ACH agreement combined with another agreement to process payment transfers – such as an ACH agreement under which members specifically agree to honor each other’s debit cards – is an “agreement,” and thus section 1005.14 does not apply. Comment 14(a)-2.” So, the ACH agreement, plus another agreement such as acceptance of each other’s debit cards is sufficient to eliminate the § 1005.14 exception.

In the past many have interpreted that second agreement as one being between the P2P provider and the bank such as when the bank is endorsing and using Zelle. That would eliminate that § 1005.14 exception, but the CFPB tells us that both accepting each other’s debit cards, as an example, constitutes that agreement regardless of specific terms as to liability.

2. Can non-bank P2P payment providers be considered financial institutions under Regulation E?

The CFPB says, “Yes” as expected and refers to what is defined as a FI. It goes on to explain that the FI has certain responsibilities, as it states that even, “non-account-holding providers of P2P payment or bill payment services are considered covered financial institutions under Regulation E if the provider issues an access device and agrees with a consumer to provide EFT services. 12 CFR 1005.2(i).  For example, a P2P provider may enter into an agreement with a consumer for a mobile wallet that the consumer can use to initiate debit card transactions from their external bank account to another person’s external bank account.

Any entity defined as a financial institution under Regulation E has error resolution obligations in the event that a consumer notifies the financial institution of an error, with limited exceptions.”

3. If a non-bank P2P payment provider initiates a debit card “pass-through” payment from the consumer’s account held by a depository institution to a different person’s account at another institution, is the non-bank P2P payment provider considered a financial institution under Regulation E?

Response from the CFBP is “generally yes.” It references the definitions of what is an FI and states that “an entity, including a non-bank P2P payment provider, enters into an agreement with a consumer to provide EFT services and issues an access device, and initiates a debit card “pass-through” payment, then that entity would be covered as a financial institution under Regulation E.  Any entity defined as a financial institution under Regulation E has error resolution obligations in the event that a consumer notifies the financial institution of an error. So, we still can read that when there is liability for unauthorized EFTs, the FI will hold liability. But at this point we commonly have the bank, which is an FI, and a P2P provider, which can be an FI. The key to liability is that the bank is liable unless 1005.14 and the two-pronged test can come into play.

4.  If a consumer uses a non-bank P2P payment provider to initiate a debit card “pass-through” payment from the consumer’s account held by a depository institution, is the depository institution considered a financial institution under Regulation E, even though the transfer was initiated through the non-bank P2P payment provider?

The answer is Yes, and this has the definitive “Gotcha.” The bank holding the deposit account has full Reg E error resolution responsibilities as there is a narrow circumstance that redirect those responsibilities when 1005.14 applies. This exception is not applicable when there is an ACH agreement combined with another agreement to process payment transfers – such as an ACH agreement under which members specifically agree to honor each other’s debit cards. This constitutes an “agreement,” and 1005.14 does not apply. Comment 14(a)-2.

Conclusively, the FAQ states, where an EFT is initiated through a non-bank P2P payment provider using a consumer’s debit card information, the P2P provider and the account-holding financial institution are parties to an agreement to honor each other’s debit cards – the debit card network rules – and the service provider provision in 12 CFR 1005.14 does not apply.  The account-holding financial institution has full error resolution responsibilities.

5.  I know many bankers will state that the card acceptance issue is not an agreement per se with the P2P provider and liability is not addressed, plus the P2P provider controls the daily limits that are here said to be the bank’s liability. That is all true but again, the CFPB is protecting the consumer and looking at the raw definitions. Until the industry can come to terms on the specifics to an “agreement,” banks will have the responsibility in most P2P disputes. Remember too, that a bank may not reduce any consumer rights afforded by the EFTA and Reg E. It may have other agreements with vendors, but the consumer’s rights may not be diminished.

The final two sections of the Reg E FAQs and recommended actions will be covered in next month’s Legal Briefs.