Coast to Coast: the State of Privacy and Compliance in 2023

By on April 20th, 2023 in Compliance, Industry Insights, Webinars

Disclaimer: The information provided in this blog post does not, and is not intended to, constitute legal advice. 

Protecting consumer privacy is not an unfamiliar concept in our industry and it’s something that should already be woven into our policies, procedures, and practices. With the rapid increase of state privacy laws across the United States, any company that collects, uses, transmits, or receives consumer data has to stay up-to-date on all related compliance issues.

In a previous webinar, Coast to Coast—the State of Privacy and Compliance in 2023, TrueAccord’s legal experts discussed the newest federal privacy laws and all the related compliance issues. Watch the full webinar on-demand now!

The passage of the FTC’s Safeguards Rule, amending the Gramm-Leach-Bliley Act (GLBA), has been a big topic in data security conversations across the financial services industry as businesses prepare to be in compliance on or before the extended effective date of June 9, 2023. Meanwhile, several states have been actively considering and passing new legislation requiring additional policies, controls, and practices not only in the data security space but also for data privacy and data breaches. It is important for Chief Information Security Officers, Privacy Officers, and Chief Compliance Officers to stay on top of this legislation. The same goes for Chief Executive Officers, since we have seen many federal and state actions naming the CEO in their individual capacity for failing to properly secure and protect data or to properly delegate these responsibilities to the appropriate persons within their organizations.

Please note this article is not legal advice. This is not an exhaustive list of all laws. You should consult a lawyer if you have questions about federal and state data security, privacy, or breach laws.

Data Breach Laws

All 50 states have data breach notification laws on the books. In 2022, 19 states considered enhancing their data breach laws.

Those states that passed revised data breach laws tightened up notification timelines, added definitions of what constitutes personal information, and expanded the notification requirements to include additional state agencies. For example, Arizona’s law HB 2146, amending Arizona Revised Statutes section 18-552, requires that notification be made not only to consumers but also to the Director of Arizona’s Department of Homeland Security. If the breach impacts more than one thousand people, then the law requires that notification also be given to the three largest nationwide credit reporting agencies, the attorney general, and now the Director of Arizona’s Department of Homeland Security.

While most states are shortening the time frame in which a consumer must be notified of a data breach to 45 days or less, some of these laws include exceptions or a short list of situations in which a delay in notification is permissible. For example, Indiana’s revised law, H.B. 1351, amending Indiana Code 24-4.9-3-3, limits a permissible delay in notification to three circumstances: (1) when the integrity of the computer system must be restored, (2) when the scope of the breach must be discovered, or (3) when the attorney general or a law enforcement agency asks to delay disclosure because disclosure will impede a criminal or civil investigation, or jeopardize national security.

Both Maryland (H.B. 962, amending Maryland Personal Information Protection Act and section 14-3501 of the Annotated Code of Maryland) and Pennsylvania (S.B. 696, amending the Pennsylvania Breach of Personal Information Notification Act) expanded the definition of “personal information” to include medical and health information, including a definition of “genetic information” in Maryland’s law.

Since the webinar, Utah Governor Spencer Cox signed into law Senate Bill 127 on March 23, 2023, which amends the state’s data breach notification statutes. The amendments go into effect May 2, 2023.*

Along with updates to states’ laws, federal regulators are also providing additional guidance. For example, the Office of the Comptroller of the Currency (OCC) recently released more information on when banks need to hear from their vendors about a data breach, including ransomware notifications.

Data Privacy Laws

In addition to creating and updating laws to help consumers in the event of a data breach, states have also been enacting laws dedicated to protecting consumer privacy. There are six states with comprehensive data privacy laws: California, Connecticut, Colorado, Iowa*, Virginia, and Utah. These laws give consumers various rights over their personal information, such as the right to know what information companies collect and use, a right to correct their information, a right to opt out of the sale of such information, and a right to request deletion.

In 2022, Congress introduced a federal privacy law, HR 8152, the American Data Privacy and Protection Act; however, it did not make it to the finish line despite having bipartisan support. It contained some preemption of state privacy and data protection laws, which would have been a relief to many companies navigating the existing patchwork of state laws.  As of January 2023, many states have introduced privacy-related bills and this is likely to continue throughout the years to come. 

California took the privacy law lead in passing the California Consumer Privacy Act of 2018 (CCPA), which went into effect in January of 2020 to protect the use and sharing of personal data. California recently expanded the CCPA with the California Privacy Rights Enforcement Act (CPRA), which took effect on January 1, 2023. The law created the new California Privacy Protection Agency and gave it the power, authority, and jurisdiction to implement and enforce the CPRA. Additionally, businesses must regularly submit their risk assessment on the processing of personal information to this new agency.

The four other states that followed suit have substantially similar laws with broad definitions of personal information. These laws typically apply to persons that conduct business in the state and process a set minimum of consumer data records (typically 25,000 or more) or to businesses that earn at least 50% of their revenue from the sale of consumer data.

These laws give consumers various rights, such as the right to access their personal data, correct inaccurate personal data, delete personal data, in certain circumstances, obtain a copy of the personal data they previously provided to a controller, opt out of the processing of their personal data if related to targeted advertising, sale of personal data or certain profiling activities, appeal a controller’s refusal to take action on a request, and submit a complaint to the attorney general if an appeal is denied. Interestingly, Colorado’s law makes clear that a consumer’s consent is not valid if obtained through the use of a “dark pattern.”

These laws do not give consumers a private right of action but are enforced by the state’s attorney general with civil monetary fines calculated per violation. These laws also contain exemptions for data already protected by other laws, such as HIPAA, FCRA, and GLBA.

Virginia’s law took effect January 1, 2023. Both the Connecticut and Colorado Data Privacy Acts will go into effect July 1, 2023. The Utah Consumer Privacy Act takes effect December 31, 2023. The Iowa privacy bill (SF 262) was signed into law by Gov. Kim Reynolds on Tuesday, March 28, 2023. The legislation is set to take effect Jan. 1, 2025.*

Best Practices for the Future of Data Security & Privacy 

Having good security practices in place is not only beneficial for both consumers and businesses, but is absolutely critical to stay compliant with all the new laws and amendments being introduced. 

So what are some of the best privacy and security practices to implement to protect customers and companies and to stay compliant?

  • Practice data minimization.
  • Know where personal information lives at all times by creating a data map of where the data goes and is stored throughout your systems, which includes knowing your vendors’ data security and privacy practices and controls.
  • Know who has access to personal information and routinely examine whether that access is necessary to complete that job function.
  • Be intentional with how data is organized and stored so it can be easily segmented and treated differently if need be (think network segmentation).
  • Have a public-facing Privacy Notice, and make sure it accurately reflects your practices for use, collection, deletion, and correction.
  • Conduct an annual data security and privacy risk assessment to continually reassess areas for improvement and where you may need additional controls.
  • Ensure contracts with parties from whom you receive and/or to whom you give personal information specifically address each party’s obligations and restrictions for how personal information is used, shared, disclosed, stored, and sold (if permitted).

Compliance with data privacy and data security requirements will continue to progress as new laws and regulations are passed. Best practices will continue to evolve as well, as we continue to learn more about the expectations from Federal and state legislators and regulators, and as companies navigate evolving threats and vulnerabilities.

Footnotes: 

*The Iowa privacy bill (SF 262) was signed into law by Gov. Kim Reynolds on March 28, 2023 after TrueAccord’s Coast to Coast webinar. 

*The data breach law for Utah was passed on March 23, 2023 after TrueAccord’s Coast to Coast webinar.

Compliance & Collections: 22 Essential Terms to Know

By on September 8th, 2022 in Compliance, Industry Insights

The world of regulatory compliance can be a complicated place, especially when it comes to debt collection. It can be tricky for non-security and compliance professionals. To help quickly get you up to speed on what auditors are referring to, we’ve put together a glossary, covering some of the most important compliance terms and acronyms.

  • Action Plan: A plan to identify and facilitate remediation steps of current operating practices. 
  • Audit: An unbiased and comprehensive examination of an organization’s compliance and adherence to regulatory guidelines. 
  • Benchmarking: The process of analyzing an organization’s performance data and comparing it against the industry standard. Used to see the effectiveness of a compliance program and if there are any areas that need improvement. 
  • Best Practices: When law and/or regulation is unclear, a “best practice” policy may be implemented to safeguard a business’s compliance.
  • Bona Fide Error Defense: An unintentional mistake or violation that occurred despite the maintenance of procedures reasonably adapted to avoid the mistake/violation. A debt collector may be able to assert a “Bona Fide Error Defense” in a lawsuit alleging violations of the federal Fair Debt Collection Practices Act (FDCPA). 
  • CCPA: The California Consumer Privacy Act (CCPA) gives consumers in California rights over the personal information that businesses collect and process about them.
  • CFPB: The Consumer Financial Protection Bureau (CFPB) is an agency of the United States government responsible for consumer protection in the financial sector.
  • Code of Ethics: A document or guide that is composed of an organization’s values, standards, commitments, and a set of principles.
  • Compliance: The state of adhering to established guidelines or specifications such as a policy, standard, specification, or law.
  • Compliance Management System: A series of integrated policies, processes, tools, internal controls, and functions designed to help an organization manage, monitor, and test compliance with applicable laws and regulations (e.g., federal, state, local/municipal). A fully functioning compliance management system is designed to continuously minimize risk, prevent consumer harm, and limit financial or reputational harm to the organization. It is an essential in the modern business world.
  • Compliance Risk: Captures the legal, financial, and reputational dangers for failing to act in compliance with laws and regulations.
  • Conflict of Interest: A conflict that happens in a decision-making situation in which an individual or organization is unable to remain impartial and where serving an interest would harm another.
  • Controls: Checks put in place to ensure compliance with a policy and procedure. A control could be automated or manual.
  • Dodd-Frank Act: Dodd-Frank Wall Street Reform and Consumer Protection Act is a US federal law that governs the financial industry by enforcing transparency and accountability with rules for consumer protection, such as its Unfair Deceptive Acts and Practices provision. 
  • FDCPA: The Fair Debt Collection Practices Act (FDCPA) is a consumer protection law passed by Congress in 1977 to eliminate abusive debt collection practices and insure that those debt collectors who refrain from using abusive debt collection practices are not competitively disadvantaged.
  • Fraud: The act of intentionally lying and cheating in order to obtain an unauthorized benefit. 
  • Governance: A formal framework made up of policy rules, processes, procedures and controls used to control risk and ensure accountability and transparency. 
  • Gray Area: A situation where the rules are not clear and can be open to interpretation.
  • Regulation F: A rule implemented by the Consumer Financial Protection Bureau (CFPB) providing rules governing activities covered by the Fair Debt Collection Practices Act (FDCPA). It seeks to clarify and expand on the FDCPA, including requiring collection agencies to provide additional information to consumers as part of the validation disclosure and clarifying rules for the use of digital communications.
  • Remediation: The process of recognizing a compliance issue or deficiency and implementing an action plan to correct the deficiency or enhance/strengthen an area of compliance. For remediation to be successful, the new or revised policies, processes, or controls must address the deficiency or issue and minimize risk.
  • Risk Assessment: The process of identifying and analyzing all potential risks that an organization can face in relation to its legal and regulatory obligations. The results of risk assessments are prioritized based on severity and then used to determine areas of focus for risk mitigation.
  • Safe Harbor: A provision in a statute or regulation that protects against legal or regulatory liability in situations where the safe harbor provision conditions are met.
  • Transparency: The act of being open and honest while disclosing as much information about policies, procedures, and activities as possible.

Now armed with your glossary of terms, get ready to investigate the world of compliance in collections further in our upcoming webinar. Join us Thursday, September 29th at 1pm ET for our interactive webinar, The Future of Collections & Compliance, hosted by TrueAccord Associate General Counsel Lauren Valenzuela and Director User Experience Shannon Brown.  

Reserve your space now for an interactive discussion on:

  • Cutting edge digital collection compliance
  • The role of the legal team in creating a digital collection strategy
  • How cutting edge compliance drives collection revenue
  • The future of digital compliance


TrueAccord Names Kelly Knepper-Stephens as Chief Compliance Officer and General Counsel

By on October 27th, 2021 in Company News, Compliance

Lenexa, KS – Oct. 27, 2021 – TrueAccord Corporation, a debt collection company offering AI-powered digital recovery solutions, is proud to announce the appointment of Kelly Knepper-Stephens as chief compliance officer and general counsel. TrueAccord started in 2013 as a digital-first collection agency built to fundamentally change collections into a recovery and reconciliation process. TrueAccord was the first to offer digital solutions to the sector and continuously proves itself to be a trailblazer in an industry still dominated by traditional call-and-collect agencies. Knepper-Stephens’ appointment further confirms the company’s consumer-focused mission by tapping into one of the industry’s most sought-after counsel and compliance leaders.

“Compliance is at the forefront of TrueAccord’s mission, and Kelly guided the development of our robust digital collection compliance systems,” said Mark Ravanesi, CEO of TrueAccord. “TrueAccord’s investment in compliance is a win-win all around: it protects TrueAccord, it protects our clients, and—most importantly—it allows us to do right by consumers.”

An expert in debt collection law, Knepper-Stephens joined TrueAccord in 2018 as vice president of legal and compliance, where she has focused on civil litigation, government regulation, and compliance. During her tenure, TrueAccord secured federal court victories showcasing TrueAccord’s legal compliance in two of the main FDCPA court decisions involving the use of email in debt collection: Greene v. TrueAccord and Zuniga v. TrueAccord.

“As demonstrated in Regulation F, TrueAccord is the industry leader in email compliance,” Knepper-Stephens said. “I’m excited to join the mission-driven executive leadership team as TrueAccord continues to lead best practices for digital collections and beyond—empowering consumers to resolve their accounts according to their preferences.”

Knepper-Stephens started her career in the collection space in 2011. Collections Advisor Magazine named her as one of the top 25 Women in Collections in 2016 and top 20 in 2018. She currently serves on the Board of Directors for RMAI, on the Steering Committee for the Consumer Relations Consortium, and as an ACA-certified instructor. She received her Juris Doctor degree from the George Washington University Law School and is currently barred in California, the District of Columbia, Illinois and Maryland.

A key benefit of TrueAccord is the scalability provided by the flexibility of code-based compliance, overseen by Knepper-Stephens and her team to ensure its programming is adjusted to new laws, regulations, and court decisions. The company’s patented machine-learning algorithm, HeartBeat, is augmented by its compliance checker software, mitigating risk by ensuring regulatory requirements are met before sending communications. 

Knepper-Stephens is a Receivables Management Association International (RMAI) certified receivables compliance professional and has earned the Credit & Collection Compliance Officer designation from the American Collectors Association (ACA). Prior to joining the industry, she worked as a Visiting Professor of Law at George Washington University Law School, teaching the Criminal Appellate Clinic, and as a San Diego Public Defender. Her long-standing dedication to helping others plays an integral part in her success.  

To learn more about TrueAccord’s mission and digital debt collection solutions, visit www.TrueAccord.com and follow @TrueAccord on Twitter and LinkedIn.

About TrueAccord

TrueAccord is the intelligent, digital-first collection and recovery company that leaders across industries trust to drive breakthrough results while delivering a superior consumer experience. TrueAccord pioneered the industry’s only adaptive intelligence: a patented machine learning engine, powered by engagement data from over 16 million consumer journeys, that dynamically personalizes every facet of the consumer experience – from channel to message to plan type and more – in real-time. Combined with code-based compliance and a self-serve digital experience, TrueAccord delivers liquidation and recovery rates 50-80% higher than industry benchmarks. The TrueAccord product suite includes Retain, an early-stage collection solution, and Recover, a full-service post-charge off recovery platform. 

TrueAccord discusses adapting to work-from-home

By on May 21st, 2020 in Company News, Industry Insights, Webinars

TrueAccord’s Director of Service Operations, Cassie Cox, and our General Counsel & Chief Compliance Officer, Tim Collins, hosted a webinar on May 13th, 2020 to talk through collections continuity in light of the COVID-19 crisis. The team discussed adjusting to regulatory changes, how to effectively manage a work-from-home approach in collections, and what the future of the industry may look like. 

How are federal and state regulations changing?

Federal-level regulatory updates

The pandemic has prompted the US federal government to examine how it can work to aid Americans in need. Following the CARES Act, the House has proposed a new, $3 trillion relief package, and we are likely to see other potential stimulus packages discussed as the Senate proposes its own stimulus plan. Major industry organizations like insideARM and ACA International are watching these unfold closely, as should we all.

The Consumer Financial Protection Bureau’s activity has not slowed during the pandemic, and they are on track to meet their examination goals this year. Remote auditing processes are in place and buzzing. They may not be in your offices, but the CFPB’s teams are still actively working to ensure the industry remains compliant.

State-level regulatory updates

Several states, including Massachusetts and New Jersey, are pursuing legislation that directly impacts the ability of collectors to reach consumers. Massachusetts’ Attorney General recently enacted an emergency law that outright banned collections efforts.

This was fought by the ACA, and the law was declared too broad and in violation of First Amendment rights, but the changing playing field does not end there. New Jersey has worked to pass similar legislation which has now been narrowed to primarily impact medical debt collection practices. 


As of this writing, forty-seven US states are either reopening or partially reopening by lifting shelter-in-place orders. Twenty of these state legislatures are now back in session and may begin to make other changes that collectors should keep an eye on. There will also likely be a heightened focus on state budgets and an increase in understanding how to bolster state economies. 

One major change that seems to be for the better is the newfound flexibility for collection agencies and other companies to allow employees to work from home. This behavior is being echoed by Rhode Island’s new “stay healthy” order which has started the reopening process but is strongly encouraging employees to work from home when possible. Collections is beginning to adapt to the changing need, and TrueAccord was able to adapt quickly.

How are collections operations changing?

Maintaining control and information security in a work-from-home environment

TrueAccord’s team began to prepare for potential risk to our operations in early March by reviewing and updating our practices, policies, and procedures to make sure all of our teams could effectively work from home. 

Here are some of the standards we established as we transitioned 80% of our agents to work from home full-time:

  1. Replicate an effective office space
    1. Agents must have a private area in their home and commit to working their shift uninterrupted.
    2. Agents must have a minimum internet speed of 50Mb/s in order to maintain high sound quality on calls.
  2. Enhance work from home agent information security
    1. Agents do not take payments over the phone. All payments are received via IVR or guided through our secure payment portal.
    2. Agents are not permitted to have cell phones near their workplace.
    3. Agents are monitored by their supervisors via webcam with at least two random checks throughout the day. 
    4. Calls are randomly monitored by supervisors to ensure continued commitment to exceptional customer service and quality.

These were only made possible by bringing on new technologies and building processes before we dove in headfirst. We also made sure that all of our agents fully understood these new practices in advance, and they signed off on the policies ahead of time. The 20% of our team members that are still in-office (at safe distances) continue to meet the same standards as the other agents. 


The remaining 20% either opted to not work from home due to a lack of interest or they were not permitted due to their homes not meeting security requirements (e.g. not having a private space, not having a fast enough internet speed, etc.). 

Managing agent performance standards remotely

Call centers are filled with high-energy individuals that are driven by their wins. Maintaining the same hum and energy of an office space without sharing the same space is difficult, and we’ve taken steps to keep our agents excited about their work.

Meet (virtually) face to face

A robust virtual management system has been put in place to keep building our team’s connectivity. The webcams we provided to our agents not only help with security monitoring but also increase our ability to build team morale. All of our agents are dialed into (and muted on) a Google Hangout or Zoom meeting throughout the day so that at any point they can turn and see their teammates working hard. 

This practice has also extended to our new management strategy. All of our contact center team meetings are required to be on camera so that we get face time with each other. These meetings include small group meetings, individual coaching sessions, and any other 1:1 meetings as well. 

Encourage conversation

Look for opportunities to create additional team touchpoints. Our current structure includes:

  • Weekly coaching sessions
  • Weekly team meetings
  • Random, weekly 15-minute huddles

We also have a wide range of Slack channels in place for sharing anything from anecdotes to best practices. In an office environment, it’s easy for folks to look over their shoulder and share tips and tricks, and those conversations drive positive change. Slack (and other work chat tools) also provide ways to circulate urgent updates with ease.

Keep the excitement up

We’ve increased our budget for intra-day tchotchkes, small giveaways, and rewards. Our in-office management style was largely visual: performance trend boards, goal setting boards, and team-based competitions were huge drivers for us. Now, we’re turning to setting up more contests. In this environment, a $10 gift card can get almost as much traction as a $50 card. It’s the thrill of the win, not necessarily the prize itself. Keep the energy up!

Monitor issues closely

The first two weeks of the work-from-home experiment were an amazing honeymoon period. There were three consecutive days of perfect attendance in our contact center. Typical efficiency metrics like production volume per hour and average handle time have remained consistent. Keeping the same levels of performance is another story entirely, and close performance management is critical to making work-from-home, well, work.

We continue to track month to date metrics and just as closely monitor individual daily performance. Though many of our agents had no issue moving to a home environment, just as with any contact center, the bottom 10% of our group semi-frequently underperforms. It’s more essential now to keep a careful eye on red flags and correct underlying issues immediately. 

The biggest concern was properly tracking things like call or work avoidance or time card manipulation. Thankfully, with all of our systems aligned and our supervisors actively checking on their teams, the only instance we found was caught immediately.

Terminating a remote employee

Unfortunately, this is a necessary part of any operations manager’s role. In a work-from-home world, we still want to make it as direct an experience as possible. The full investigation, conclusion, and termination conversation should all be conducted via video conference.

Beyond the human aspect of termination, there are data and security considerations that should be tested ahead of time. Your team should understand how and when data should be cleared from a remote employee’s computer, and systems should be in place for the employee to either drop off or otherwise return their gear. Remember to accommodate for the possibility of lost assets. Some folks, even under contract, may not return your stuff.

What is coming next?

Changes in the office

The COVID-19 pandemic prompted a lot of changes to the way companies operate in general. While it continues to unfold, we are likely to see more change. That said, “Right now, maintaining [business continuity] means not changing anything,” said Cox.

As shelter-in-place rules begin to lift, and we see some employees return to their offices, we will see physical changes:

  • New desk layouts
  • A possible return to cubicles or dividers and a shift away from open-plan offices
  • New air filtration standards for enclosed spaces

Changes in the industry

While the US economy recovers, we expect to see a massive wave of customers that are unable to pay their bills. Unemployment rates will continue to drive payments from slightly overdue to collections, and debt collection agencies and internal recovery teams are likely to struggle to meet the account volume. 

“Collections has long been driven by human capital,” said Collins in discussing the need for contact center agents. “Technology will have to step in and fill a new, higher demand.” He went on to add that alongside the increase in volume, we expect a change in collections mentality. In order to overcome the disparity between payment deadlines and consumers unable to meet them, there will be a rise in customizable payment plans, hardship plans, and digital, self-service tools.

Crises drive rapid evolution and change. Many business practices and technologies that were slowly gaining traction in a pre-COVID-19 world are now fast-tracked. Working from home is a must at the moment, and the collections industry has to embrace that. Moving forward, we’re likely to see new innovators that are reinventing an aging industry, and it’s time for collections to adapt. 

Greene v. TrueAccord further refines email best practices

By on May 19th, 2020 in Compliance

The Northern District of California has confirmed what the law makes clear: a debt collector may send the initial communication by email (except in New York).

In Greene v. TrueAccord, Case No. 19-cv-06651 (N.D. Cal. May 19, 2020), the Plaintiff claimed the initial email she received and opened violated the Fair Debt Collection Practices Act (FDCPA) and the Electronic Signatures in Global Commerce Act (E-SIGN) because she never consented to receive email from TrueAccord.

As the District Court made clear, consent is not a factor when an initial communication contains the validation notice in the body of the email. Only one week after final submissions on the motion to dismiss the Complaint, the District Court dismissed the case with prejudice, also finding that TrueAccord’s validation notice met the requirements of the law and that TrueAccord’s emails sent during the 30-day validation period did not overshadow the initial demand.

The case

Sending the initial communication and validation notice by email

A debt collector must provide a consumer with a notice about how to dispute an account.  The law states the notice must be given either in the initial communication or in writing within 5 days of that first communication.  The FDCPA does not state what methods a collector can use to provide the validation notice in the initial communication—it only indicates that a “communication” is conveying information about a debt through any medium.  Many debt collectors have hesitated to use email and other modern forms of communications that consumers prefer because these modes are not addressed in the FDCPA.  

In this case, Plaintiff argued that TrueAccord violated the FDCPA by sending the validation notice in an initial communication by email without the consumer’s consent.  Plaintiff argued that TrueAccord did not follow the E-SIGN Act, which outlines the requirements for obtaining consent to email a consumer documents that must be provided in writing.  

However, as the Court recognized, the E-SIGN Act applies to notices that must be provided in writing. Under the FDCPA, the validation notice is not required to be provided in writing if it is given in the initial communication. Since TrueAccord provided the validation notice in the body of the initial communication, E-SIGN does not apply. The Court ruled TrueAccord properly delivered the validation notice in the body of the initial email.

The Court, in finding that an initial communication can be made electronically, pointed to the fact that “a communication” is broadly defined and can be sent across any medium. Additionally, the Court pointed out that, despite amending the FDCPA in 2006, Congress has not made any effort to amend the statute to account for newer communication technologies that have developed. The Court also recognized that the CFPB’s proposed rulemaking permits a validation notice as part of an initial communication in the body of an email.

The Court explained that when using email to send the initial communication the notice must be reasonably conveyed to the consumer. This requires the notice to appear in the body of the email—not in an attachment where it could be “hidden from the eyes” of the consumer. 

The Court also agreed with the CFPB’s proposal on the fact that the subject line should contain the name of the creditor and one additional piece of information about the debt other than the amount. This ensures “the consumer’s attention is focused on the email . . . as many . . . make decisions to read, ignore, or delete emails on the basis of the subject line.” 

While TrueAccord’s subject line did not contain this information (it read “This needs your attention”), the Plaintiff received the email and opened it. While the Court noted that the subject line did not convey that the purpose of the email was to collect a debt, the Plaintiff still opened the email with the validation notice in the body. Therefore, Plaintiff had no standing to argue that the subject line misled her into not opening and receiving the notice, because she actually opened it.

Use of the term “send” instead of “mailed”

Plaintiff also argued that the validation notice in the body of the email was incorrect and misleading because the statute reads “a copy of such verification . . . will be mailed to the consumer.” Yet, the notice in TrueAccord’s email used the word “send” instead of the word “mailed.” 

When evaluating whether or not a collection communication violates the FDCPA, Courts use the “least sophisticated consumer standard.”  This standard is designed to protect all consumers in the spirit of the FDCPA, not just the consumer who filed a lawsuit.  

In looking at the challenged language under this least sophisticated consumer standard, the Court held that there is no requirement for a validation notice to track the language of the statute verbatim.  The Court stated that: 

“…the fact that TrueAccord’s notice departed from the statutory language could not plausibly have deceived or misled the least sophisticated consumer reading the notice.” 

Instead, the consumer would understand from the use of the word “send” that a copy of the verification could be physically mailed or electronically mailed; as the Court noted, electronic mailing of validation documents is permitted in compliance with the E-SIGN Act.

Subsequent email communications did not overshadow the validation notice

Plaintiff also claimed that multiple demands for payment during the thirty-day validation period violated the FDCPA because these emails overshadowed the initial communication containing the validation notice.  The FDCPA protects consumers from collection efforts and communications sent during the thirty-day validation period that overshadow the consumer’s right to dispute.  Typically, communications that demand immediate payment or offer deadlines prior to the expiration of the thirty days constitute overshadowing.

In dismissing Plaintiff’s theory, the Court found that the FDCPA does not put any limits on the number of times a debt collector can communicate with a consumer during the validation period. The Court noted that while it is possible that the number and timing of communications sent to a consumer could be relevant in an evaluation of whether the communications overshadow the notice, the number of communications in this case—seven within a 30-day period—is not excessive.

The Court also looked at the content of all these emails.  The emails clearly conveyed that TrueAccord would like a payment. They did not include:

  • Language requiring a payment
  • Language suggesting that a payment should be made prior to the expiration of the 30-day validation period

The Court noted there was no real expression of urgency and all emails had a prominent out of statute disclosure stating that, because of the age of the debt, the creditor will not sue Plaintiff or report it to a credit reporting agency.  By taking this “non-threatening content” of the communications in consideration with the number of emails sent, the Court did not find it plausible that the least sophisticated consumer could be misled or that the emails overshadowed the validation notice.

What lessons can we learn from this case?

Greene is only the second case ever to evaluate how to properly provide the validation notice by email.  It provides good guidance to follow:

  • Placing the notice in the body of the email, not behind a password or through a link with seven steps to download (like in Lavallee) and
  • Including the name of the creditor and one additional piece of information in the subject line. This step brings the consumer’s attention to the initial email as relating to the debt (this is also forthcoming in the CFPB rule).

Greene is also the first case ever to evaluate the content of email communications sent during the validation period. It provides good guidance to follow regarding appropriate tone, frequency, and payment requests. Of interest, the Court noted that TrueAccord included a “Dispute this Debt” link on all emails. The Court felt that its smaller font size and placement at the footer of the emails “buried” the link; but ultimately that fact:

“…did not mean that the original validation notice ha[d] been overshadowed, particularly given the specific facts before the Court.”  

The text appeared in the footer of all emails, along with our mailing address, phone number, office hours, and Privacy Policy.  

Email is a core part of an omnichannel, digital collection strategy, but it doesn’t evolve overnight. It’s important that you have the experience and infrastructure in place to send and deliver emails on a mass scale so that they’re delivered to the consumer’s inbox. Cases like this are shaping the future of digital debt collection practices and how consumers interact with their debts. 

Want to learn more about how TrueAccord remains at the forefront of regulatory change? Reach out to our team!

3 things to avoid with in-house collections teams

By on May 6th, 2020 in Compliance, Industry Insights

When more than one-quarter of American consumers have debts in collections, it’s easy to see the rising need for any company to have a collections strategy. Working to get a dedicated internal team up and running to collect effectively can be a resource-intensive project, especially for small businesses.

Creating the infrastructure for a collections team includes building extensive policies to protect your business from compliance violations, carefully training agents (or building incredibly complex digital infrastructure), and hiring collections and recovery experts to support these new efforts.

Once you have the logistics of your collections department sorted out, it’s time to start reaching out to your customers. Here are important things to avoid when you get started.

Wait to start collecting

“Too late” can come all too soon when it comes to recovering on aging accounts. A series of small payments or even a single large payment can cause issues for small businesses, but missed payments—especially in a recession—can pile up quickly for anyone. Avoid getting too far behind (and potentially sabotaging your growing email strategy) and get ahead of the problem.

While you gradually build an internal collections team, you can also consider partnering with a third-party debt collection agency. Having a partner on retainer can prepare you for working with a growing number of accounts as your business expands. These strategies aren’t mutually exclusive either, and you can gain greater insight into the performance of both teams by comparing their respective strategies and methods.

Reveal a debt to a third party

The Fair Debt Collection Practices Act (FDCPA) clearly states that it is illegal to expose an individual’s debt to third parties—including friends, family, neighbors, co-workers, and employers. The FDCPA was established in 1977, and it primarily focuses its regulation toward traditional call-and-collect debt collection agencies (with a team of collectors calling consumers on the phone). 

Though the FDCPA was primarily focused on call-and-collect technologies, its rules still apply to other communication channels. Collectors attempting to call consumers must be wary of leaving voicemail messages that directly state that they are calling to collect a debt due to the potential risk of someone else listening to it. The law regulates how your teams can (and cannot) use social media to get connected with consumers. 

Use confusing or unclear verbiage

Even if you are sending messages directly to a consumer’s inbox, you can potentially violate communication compliance regulations. In the case Lavallee vs. Med-1 Solutions, the court found that the defendant (Med-1 Solutions) did not provide the consumer with the required initial disclosures. The consumer received an email and had to click an unknown link and navigate a series of tasks before accessing information related to their debt. The email did not convey any information about the debt, and the court ruled that this series of steps meant that the email did not constitute a “communication” for the purpose of collections.

Any communication to a consumer from a debt collection agency must explicitly state who it is coming from and why (read more on the mini Miranda here), and masking that intent (either purposefully or not) can lead to more compliance troubles. While it is strongly recommended that you borrow metrics from marketing teams to enhance digital communications, be careful about taking too many cues from marketing language. All content sent by TrueAccord’s teams is processed through a legal review before it is ever sent to a consumer.

As a collector, your first step to reaching your collection goals is having a well-organized team to support your efforts. Collections and recoveries at major companies can account for hundreds of employees, but a new department won’t appear overnight. Remaining careful as you scale your team and their strategy can save you from potential lawsuits and ensure a positive consumer experience. 

Are you looking for a debt collection partner to help answer some questions? Talk to our team today to see how we can help build your digital collections strategy together.

One True Holding Company writes to the CFPB

By on March 24th, 2020 in Company News

The Consumer Financial Protection Bureau’s Notice of Proposed Rulemaking (NPRM) is set to help shape massive changes to the debt collection industry. In an effort to continue our mission to protect consumers from predatory and aggressive collections experiences, the co-founder of TrueAccord, Ohad Samet, recently drafted a letter to the CFPB’s Director Kathleen Kraninger.

In the midst of major economic uncertainty, we understand that we must be compassionate when many consumers are struggling financially. Offering consumers in debt flexibility by supporting and expanding the industry’s digital infrastructure enables us to extend self-service options to those that need it most and limit their exposure to collections efforts that are intrusive and harassing. 

Some states are considering freezing collections efforts, but we continue to believe in consumers’ ability to manage their finances for themselves. Access to online portals and self-service payment plan adjustments can help them manage their overdue accounts at their own pace, even in times of financial instability. A complete suspension of their ability to pay, if and when they can afford it, can make matters worse.

Passing the NPRM into law can help to restructure collections to protect consumers today. 

You can read our letter to Director Kraninger below:

Our letter to the Consumer Financial Protection Bureau

Dear Director Kraninger,

I am the CEO of One True Holding Company, a technology company providing business- and consumer-facing solutions in the debt collection space. Our subsidiary TrueAccord Corp. offers machine learning-based, digital- and mobile-first servicing for debt in collections and recoveries. Our subsidiary True Life Solutions offers consumers a SaaS platform that consumers can use to contact collectors and creditors digitally.

We service millions of consumers on a monthly basis, sending more than 18 million emails a month. As a technology startup at the forefront of debt collection efforts, we have both quantitative and qualitative views of the state of the economy and debt collection within it.

Times like these require swift action, and technology allows us to empower consumers while reacting to changing circumstances without having to re-train a large workforce. Since the crisis began, we have been able to seamlessly launch features allowing consumers to modify their payment plans on their own and set up longer and more flexible payment arrangements. We are launching tools for clients to offer automated digital relief programs. Consumers still interact often with the emails we send as they try to stay abreast of their finances and remain informed. 1

Our pandemic response page, offering tools and perspectives about finances in this time, sees more than 1,200 daily visits. Technology offers better service, a sense of empowerment and agency, and keeps our users informed through complicated circumstances. As a consumer-focused company, we carefully track our customer satisfaction (CSAT) scores, and those have remained high (at 68.45% for the month of March). Consumers appreciate our approach, as these reviews also show:

Consumer review from 3/19/20 

You were patient. All emails were kind even from the beginning of my debt. You motivated me to repay my debts and monitor my credit. You appreciated me and I felt the extraordinary customer service from the day I first took the loan. I am grateful and even during this pandemic [emphasis added] I felt my loyalty to complete my payment of this loan over any other bill. Thank you again!

Consumer review from 3/18/20

Settled in a manner that facilitated affordable payments on a schedule that fit my life. I wish all collection agencies were this caring and flexable [sic]. Hopefully, I’ll never have another collections account, but if I do, I pray it’s with this agency.

As a single father making minimum wage, finding money to pay bills that aren’t crucial to keeping my kids healthy and happy is a real struggle, and my credit score had taken the hit in the past. I am really, truly grateful this is one acct that gets crossed off my list. Thanks!

I write today to ask the CFPB to accelerate its NPRM and swiftly push the industry to rely predominantly on digital communications for the purpose of debt collection. We need to continue to communicate with consumers through their channel of choice, in a non-intrusive manner, allowing them to easily manage their finances while controlling who they want to interact with. We need to continue to allow them to access their accounts and make adjustments to fit their personal circumstances.

Through this last week consumers have continued to set up customized payment plans on a daily basis, at a rate comparable to pre-tax season behavior. These are consumers acting on their own, responding to our low-frequency digital contact efforts. Finances aren’t one-size-fits-all, and a digitally native collection service supports this variety even in these trying times.

Thank you for your consideration and leadership in these trying times. We are eager to share as much data and qualitative observations as possible to support your policy-making and continue this conversation with a focus on consumer protection, choice, and experience.

Citations

1. More than 20% open rate per each individual email broadcast as of 3/21, comparable with and exceeding eCommerce benchmarks

How to Ensure Your Safe Harbor Language is Actually Safe

By on October 24th, 2019 in Compliance

It has been nineteen years since the Seventh Circuit held that a debt collector must include a notice to consumers if the balance in a collection communication would change from day to day due to interest, fees, or other changes accruing on a debt.

However, we still see balance-related issues today under the Fair Debt Collection Practices Act as some debt collectors struggle to provide consumers with the amount of debt owed in a simple, clear manner.  

Since Miller, other courts agree that a consumer must be told if the balance will increase, adopting Miller’s safe harbor language. In September 2019, a court in the Eastern District of New York dismissed a case, finding the collection letter adequately set forth the amount owed because the letter included the safe harbor language.

In Paracha v. MRS BPO, the fact that the balance on a second letter (mailed six months after the first letter) increased by thousands of dollars did not make the original letter deceptive or inaccurate. This decision was made because the first letter advised the consumer, through the safe harbor language, that the balance may increase over time.

Using (and not using) the right language

Debt collectors must be careful with the safe harbor language and cannot simply add it to a communication when a balance on a collection letter will increase. The safe harbor language must be accurate for the particular account in question. The safe harbor language will only be safe to the extent that it states what may cause the balance to change. 

For example, according to Boucher v. Finance System of Green Bay, Inc., if the debt will increase due to interest—not due to fees or other charges—then the safe harbor language should only advise that the balance may increase from day to day due to interest and not mention fees or other charges. 

Additionally, debt collectors should not put the safe harbor language on an account where the balance will not increase. Doing so could create a false sense of urgency, and a consumer may think that they need to pay the balance immediately or it will increase when in fact it will not increase. Debt collectors are not required to tell a consumer that a balance will not increase. 

Courts have made clear that a debt collector has no obligation to state that the balance will not increase when the balance on a collection communication is static. But, even when a debt is static, a debt collection agency must choose their words carefully when describing the amount of the debt owed.

In Koehn v. Delta Outsource Group, Inc., a consumer sued a debt collector, arguing that the words “current balance” materially misled and confused the consumer into thinking that the balance would change from day to day. The Seventh Circuit found that the phrase was “common and innocuous” and not a violation of the FDCPA.

Itemizing debt

Debt collectors should be wary of itemizing a debt when the debt collector does not have the right to add interest and fees. The CFPB’s proposed rulemaking does include debt itemization; however, until the rule becomes final, cases like Virden v. Client Services, Inc., suggest that listing “zero dollars” for interest and fees could mislead a consumer into thinking that interest or fees may increase. This deception would, in fact, be in violation of the FDCPA. In Virden the agency included the following itemization:

Balance Due at Charge-Off: $1,658.91
Interest: $0.00
Other Charges: $0.00
Payments Made: $0.00
Current Balance: $1,658.91

The court found that the least sophisticated consumer could misinterpret the “$0.00” listed for interest and other charges and that one plausible misinterpretation could be that interest and other charges would begin to accrue if the debt was not paid. Since interest and other charges would not accrue on this debt, the court ruled that the information was deceptive.

Agencies need to be careful in choosing what words they use when describing the balance owed on a debt. In this context, less is more. Do not add itemizations when not required and only use safe harbor language tailored specifically to the account.

For more discussion of current balance issues, listen to the most recent episode of Two DEBTicated Attorneys.

Lavallee v. Med-1 Solutions Confirms Common Sense Email Principles

By on August 26th, 2019 in Compliance, Industry Insights

On August 8, 2019, the Seventh Circuit Court of Appeals (7th Cir.) released its long-awaited verdict in the case of Lavallee v. Med-1 Solutions, LLC, 17-3244 (7th Cir. Aug. 8, 2019). The court ruled that Med-1 Solutions, LLC did not properly provide the validation notice as required by the Fair Debt Collection Practices Act.

Additionally, the court held that the first email Med-1 Solutions, LLC sent did not constitute a debt collection communication. Despite the unsuccessful method by which Med-1 attempted to email the initial communication, it is possible to do so in a compliant manner consistent with the current interpretation of the FDCPA.

The court’s decision

The Court held that Med-1 Solutions, LLC did not properly deliver the validation notice to the consumer. Med-1 sent the Plaintiff an email, but the email did not contain the text of the validation notice.

Instead, the email contained a hyperlink to a page where the Plaintiff would have had to enter personal information, and then take four additional steps in order to open a PDF containing the full initial demand letter with the required validation notice language. 

The Court reasoned that Med-1’s email did not constitute a communication because the email did not have any content relating to a debt. The Seventh Circuit reasoned that the “email conveyed three pieces of information:

  • The sender’s name (Med-1 Solutions, LLC)
  • Its email address
  • The fact that it ‘has sent … a secure message.’ ”

The email did not convey any information about the debt so it did not constitute a communication.

The FDCPA requires debt collectors to provide the validation notice in the initial communication or within 5 days of the initial communication in writing. Since the email did not constitute an initial communication, the Court found the initial communication happened over the phone. Med-1 Solutions, LLC, however, did not provide the validation notice during that call or in writing within 5 days because the company believed that their email satisfied the requirement. 

How to provide a validation notice in initial communication via email

When sending an initial communication by email, the content in the body of that email must contain all the validation notice requirements (15 USC § 1692g). It should:

  • Identify current creditor
  • State the amount owed
  • Provide the validation statement explaining the customer’s dispute rights

With the right information provided in the initial communication, customers are more likely to recognize the account and trust that the email is from a legitimate debt collector. It should contain information on:

  • How to unsubscribe from future emails
  • Telephone contact information
  • The business’ hours of operation

Beyond that, it should comply with any other state, federal, or local obligations such as whether or not to provide a disclosure or other information. These are some of the principles embraced in the CFPB’s proposed debt collection rule. Had Med-1’s email contained this information in the body of the email, the result in the case would have been different.

Limited content emails 

The Seventh Circuit’s decision also highlights a concern with sending limited content communications via email. This case reinforces the importance of developing an email strategy and fully understanding deliverability requirements. This can ensure emails are delivered and not identified as spam and filtered away from a recipient’s view.

A full deliverability strategy may consider several factors including, but not limited to, ISP reputation, providing relevant content in the body of the email, and more technical aspects of email such as throttling, bounces, and bulking. These elements can greatly affect an email’s ability to reach its intended recipient and ultimately convey its message.

Med-1 Solutions, LLC did not have a prior relationship with the Plaintiff, who did not remember receiving the email and did not click on the hyperlink provided in the email. As the lower court noted in its decision, the Department of Homeland Security warns consumers against clicking on links received in emails from unknown senders. The Seventh Circuit decision showcases the ineffectiveness of using a limited content message to reach and engage a consumer.

TrueAccord and the future of digital debt collection

We work to create a digital environment that places customer experience at the forefront of our collections strategy. This means ensuring personalized content delivered through our machine learning technology, flexible payment options, and digital access for customers to manage their debts. We do all of this via software that guarantees compliance.

If you want to learn more about how our technology can change your strategy, reach out to our team here!