Friday, November 25, 2016

E-Sign and Enforcing Electronic Signatures

We recognize the requirements of E-Sign. One subject of discussion has been its role in contractually binding our financial institution in mortgage loan originations, especially in the area of consumer disclosures. How valid are electronic signatures? Can electronic signatures be used to enforce contracts?

The Electronic Signatures in Global and National Commerce Act (E-Sign) was designed to allow greater flexibility to implement electronically signed transactions. Its requirements have been used more and more since E-Sign’s inception in 2000. E-Sign specifies that an electronic record or transaction may not be rendered invalid solely on the basis of its electronic or digital nature, but it makes no guarantees about the overall enforceability of such electronic contracts.

An electronic record is only enforceable if it meets the criteria specified in relevant contract laws as well as the language of E-Sign. It is worth noting that E-Sign applies to interstate or government interactions. With respect to in-state transactions, these are bound either by the Uniform Electronic Transactions Act (UETA) or by the governing state's relevant e-Signature laws – which, in some states, are actually more strict than E-Sign or UETA.

For an electronically signed document to be enforceable in court, it must meet certain requirements for legal contracts in addition to the electronic signature guidelines specified in the appropriate laws (such as E-Sign and UETA). According to E-Sign, an electronic signature is "an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."

In contract law, signatures serve the following general purposes:
  1. Evidence: Authenticates agreement by identifying the signer with a mark attributable to the signer that is capable of authentication.
  2. Ceremony: Act of signing calls attention to the legal significance of the act, preventing inconsiderate engagements.
  3. Approval: Express approval or authorization per terms of agreement. 

To elaborate on authentication: broadly, authentication is defined as evidence that a given record, contract, or form is a genuine, unaltered written representation of an agreement approved by two or more parties, whether in paper or electronic form.

An authentic document contains no evidence of fraud or tampering, such that it may be reasonably concluded that the parties in agreement did indeed assent to the enclosed terms. Assent is evidenced by an attributable, authenticated signature. To be authenticable, the transaction must contain enough information uniquely attributable to the user that fraud, forgery, or validity can be reasonably proven.

For an electronic transaction to withstand scrutiny in court, it must meet the definitions and criteria stated above; that is, it must be capable of authentication and non-repudiation, call attention to the document's legal significance (viz., creation of the electronic signature), and demonstrate approval of the terms of the agreement.

Some electronic signature technologies sufficiently meet these criteria and some do not. Therefore, it is very important for businesses and government agencies to choose their electronic signature technology carefully or risk making agreements that cannot be enforced.

If interested in a review of your electronic signature technology, please contact us. We have subject matter experts who can review the technological and regulatory compliance requirements of E-Sign.

Jonathan Foxx
Managing Director
Lenders Compliance Group

Thursday, November 17, 2016

UDAAP Violations in Consumer Debt Collection

Our compliance group recently passed around the E-Book on Advertising Compliance, written by Jonathan Foxx. In Part II, there is a section on UDAAP. We are particularly interested in UDAAP because we are updating our policies to include new language for UDAAP conduct in debt collection. Mr. Foxx’s outline was terrific in showing the range of UDAAP issues involving Advertising Compliance, but we wonder if he would provide some examples of how debt collection is impacted by UDAAP guidelines. So, what examples of conduct related to the collection of consumer debt could constitute UDAAP violations?

Thank you for the kind words about the E-Book, entitled Advertising Compliance: Getting Ready for the Banking Examination, which compiled two of my published White Papers. I have written extensively on this subject, but the E-Book has been found useful for individuals seeking a path to understanding this very complicated area of regulatory compliance.

There are many examples of Unfair, Deceptive, or Abusive Acts or Practices (“UDAAP”) violations in the context of debt collection, but any list is not going to be comprehensive. Also, please note that the obligation to avoid UDAAPs is in addition to any obligations that may arise under the Fair Debt Collection Practices Act (“FDCPA”).

First, what is an unfair act or practice? There are generally three components: (1) it causes or is likely to cause substantial injury to consumers; (2) the injury is not reasonably avoidable by consumers; and (3) the injury is not outweighed by countervailing benefits to consumers or to competition. [Dodd-Frank Act §§ 1031, 1036, 12 U.S.C. §§ 5531, 5536]

Second, what is a deceptive act or practice? This consists of three components: (1) it misleads or is likely to mislead the consumer; (2) the consumer’s interpretation is reasonable under the circumstances; and (3) the misleading act or practice is material. [Section 5 of the FTC Act. See CFPB Exam Manual at UDAAP 5]

Third, what is an abusive act or practice? This is more nuanced than the foregoing elements, but there are two primary factors: (1) the act or practice materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or (2) takes unreasonable advantage of (a) a consumer’s lack of understanding of the material risks, costs, or conditions of the product or service, (b) a consumer’s inability to protect his or her interests in selecting or using a consumer financial product or service, or (c) a consumer’s reasonable reliance on an institution to act in his or her interests. [Dodd-Frank Act § 1031(d), 12 U.S.C. § 5531(d). See also CFPB Exam Manual at UDAAP 9. See Stipulated Final Judgment and Order, Conclusions of Law ¶ 12, 9:13-cv-80548 and Compl. ¶¶ 55-63, CFPB v. Am. Debt Settlement Solutions, Inc., 9:13-cv-80548 (S.D. Fla. May 30, 2013)]

Given the above-outlined features of UDAAP, the following non-exhaustive list of examples of conduct related to the collection of consumer debt could constitute UDAAPs:
  • Collecting or assessing a debt and/or any additional amounts in connection with a debt (including interest, fees, and charges) not expressly authorized by the agreement creating the debt or permitted by law.
  • Failing to post payments timely or properly or to credit a consumer’s account with payments that the consumer submitted on time and then charging late fees to that consumer.
  • Taking possession of property without the legal right to do so.
  • Revealing the consumer’s debt, without the consumer’s consent, to the consumer’s employer and/or co-workers.
  • Falsely representing the character, amount, or legal status of the debt.
  • Misrepresenting that a debt collection communication is from an attorney.
  • Misrepresenting that a communication is from a government source or that the source of the communication is affiliated with the government.
  • Misrepresenting whether information about a payment or non-payment would be furnished to a credit reporting agency.
  • Misrepresenting to consumers that their debts would be waived or forgiven if they accepted a settlement offer, when the company does not, in fact, forgive or waive the debt.
  • Threatening any action that is not intended or that the institution or service provider does not have the authorization to pursue, including false threats of lawsuits, arrest, prosecution, or imprisonment for non-payment of a debt. [CFPB Bulletin 2013-07]

Facts and circumstances will dictate the presence of a UDAAP violation; however, these examples are but a few of the many potential UDAAP acts or practices involving consumer debt collection.

Jonathan Foxx
Managing Director
Lenders Compliance Group

Thursday, November 10, 2016

Elements of a Disaster Recovery Plan

Our compliance department has been tasked with developing a disaster recovery plan. Banking departments of several states are expecting us to ratify such a plan. However, we are not sure about what goes into this plan. What are the essential elements of a disaster recovery plan?

Although there is some variation to the features of a disaster recovery plan, we have found that there are constituent elements that are typical of this document. Sometimes “disaster recovery” is also referred to as “business continuity.” At the most rudimentary level, this plan sets forth the procedures to be followed in the event of an emergency or other disruption of a financial institution’s normal business activities. The goal is to be able to continue or to resume any operations as soon as possible with minimal disturbance to internal and external parties and certainly to recover any documentation and data required to be maintained by applicable laws and regulations.

In our development of disaster recovery plans for our clients as well as the review of their existing policies and procedures involving such aspects as information security, cybersecurity, and other features of information technology, we have found that there are several salient elements of a disaster recovery plan. I will provide them here, with the caution that the list is not meant to be comprehensive, and, to be sure, other elements may be appropriate based on an institution’s size, risk profile, and complexity.

Essential Elements of a Disaster Recovery Plan
  1. Identify documents, data, facilities, infrastructure, personnel and competencies essential to the continued operations of the financial institution.
  2. Identify supervisory personnel who are in the chain-of-command for implementing each aspect of the disaster recovery plan and the emergency contacts required to be notified. These individuals must be given authorization to make key decisions in carrying out the plan’s requirements.
  3. Devise a plan to communicate with the following persons in the event of an emergency or other disruption: (a) Board of Directors; (b) Senior Management; (c) employees; (d) consumers; (e) affiliates; (f) media; (g) investors; (h) regulatory authorities; (i) data, communications and infrastructure providers and other vendors; and, (j) disaster recovery specialists and other persons involved in recovering documentation and data. 
  4. Ratify procedures for, and maintenance of, back-up facilities, systems, infrastructure, alternative staffing and other resources to achieve the timely recovery of data and documentation and to resume operations as soon as reasonably possible. We recommend that the resuming of operations be expected to occur within the next business day.
  5. Maintain back-up facilities, systems, infrastructure and alternative staffing arrangements in one or more areas that are geographically separate from the financial institution’s primary facilities, systems, infrastructure and personnel.
  6. Back up or copy, with sufficient frequency, documents and data considered essential to operations or to fulfill regulatory obligations, and store information off-site in either hard-copy or electronic format.
  7. Identify potential business interruptions encountered by third parties that are necessary to the financial institution’s continued operations and devise a plan to minimize the impact of such disruptions.
  8. Ensure that copies of the disaster recovery plan are placed at all accessible off-site locations, such as branches.
  9. Train, and periodically drill, affected employees and support systems on applicable components of the disaster recovery plan.
  10. Review and revise the disaster recovery plan at least annually or upon any material change to the financial institution. Any deficiencies or corrective actions must be documented.
  11. Test the plan at least annually by qualified, independent internal personnel or a qualified third party service capable of performing a risk assessment. The testing date should be documented, such documentation describing the nature and scope of the testing, any deficiencies found, any corrective actions taken, and the dates on which corrective actions were taken. I strongly recommend testing a disaster recovery plan at least once every three years by a qualified third party service.
  12. Keep detailed records of all activity involving the implementation of the disaster recovery plan and maintain such information in a form that may be made available promptly, upon request, to representatives of regulatory and enforcement authorities, Federal agencies, prudential regulators, and state banking departments.

Jonathan Foxx
Managing Director
Lenders Compliance Group

Thursday, November 3, 2016

Types of Lead Generation

We are thinking about obtaining leads from an online lead generation service. In the process of reviewing our marketing campaign, it seems pretty clear that there are different types of lead generators. What are the different types of lead generators? What are some pitfalls? Also, what is a lead?

For the most part, the Federal Trade Commission (“FTC”) has broad jurisdiction over lead generators. The FTC has used its authority to bring enforcement actions against unscrupulous actors in the lead generation industry. Examples abound, such as where the FTC successfully sued lead generators that lured consumers with promises of extremely low fixed rate mortgages or free refinancing, but then sold consumers’ information to entities that did not actually offer these deals, or where it sued payday loan lead generators that sold consumers’ sensitive bank account information to non-lenders who simply debited charges directly from consumers’ accounts without authorization.

I have written extensively on lead generation generally and lead generation companies in particular, such as my article titled, “The Lead Generation Company: Managing the Risks,” which can be found in our Articles library. This article is a good place to start your reading on lead generation companies, especially in light of the significant regulatory risks posed by them.

Lead generation is the process of identifying and cultivating individual consumers who are potentially interested in purchasing a product or service. The goal of lead generation services is to connect lead purchasing companies with the profiled consumers so that the lead purchaser can convert “leads” into sales. The FTC has defined a lead broadly as any consumer who has indicated interest – directly or indirectly – in buying a product or service by taking some action.

Leads cover the gamut of consumer profile information. For instance, they may consist of little more than a consumer’s name and contact information. But they can contain information that has been derived by soliciting much more detailed and sensitive consumer information, like Social Security Numbers and bank account numbers; in other words, not just information in the public record.

The lead generation world is very state-of-the-art these days. Consider that consumers increasingly research and shop for products and services online, which means that lead generation has become more sophisticated, rapid, and data-intensive.

Leads are collected from many sources. Often, leads are collected by a publisher or affiliate. This entity is encountered by the consumer through the consumer’s use of consumer-facing marketers in the lead generation ecosystem that promote products or services online. These conduits encourage consumers to submit additional information about themselves to learn more and connect with merchants or advertisers that can sell them the products or services being sought by the consumer. Many publisher websites contain marketing claims and a web form requesting consumer information. Some publishers expressly identify the merchant to which they sell consumer leads, but others do not and only make generic marketing claims.

In our reviews of client marketing strategies, we have seen where small publishers simply collect consumer information and pass it on to larger, more sophisticated actors in the lead ecosystem. We have also found that some publishers oversee networks of sub-publishers or sub-affiliates that feed them leads, often contracting with the latter to create marketing websites and web forms.

There are many types of lead sources and lead generation methods. I will mention the salient types.

Leads Transmitted to Aggregators: These are intermediaries that take in leads collected by multiple website publishers and prepare them for sale to their clients, which may be end users or even other aggregators. Generally, the aggregator identifies the leads that would be most valuable or relevant to its clients and packages the leads accordingly. Unless an aggregator chooses to operate its own websites or engage in consumer-facing marketing, its role may be largely invisible to consumers who fill out online forms.

Leads Sold to End-Buyer Merchants: These are leads sold to end-buyer merchants or advertisers that can sell consumers the products and services they are seeking. By using these leads, merchants will frequently contact consumers directly in order to pitch services and provide additional marketing materials about a potential transaction.

Leads Verified or Supplemented with Additional Information: These leads stem from a pruning process, whereby merchants and others in the lead generation ecosystem seek more data about leads. Reasons for seeking additional information include further verification of the accuracy and validity of the information consumers provide in web forms, supplementation of consumer leads with additional data for a fuller picture of a consumer, or the scoring of leads based on their potential qualifications or value. The pruning process could include even contacting consumers directly, for instance, by calling them over the telephone. Some merchants, aggregators, and publishers seek supplemental information from third-party data brokers, firms that unfortunately often act without transparency and accountability.

Finally, lead generators may sell “remnant leads” that can target consumers unlawfully. These are leads where the lead purchaser has no legitimate need for the consumer’s sensitive data. The FTC has brought enforcement actions based on the prevalence of remnant leads. Even lead generators are very cautious in how they sell remnant leads. Depending on the circumstances, they could be liable under the FTC Act if the purchaser has no legitimate need for the information, especially since privacy policies on many publisher websites provide few restrictions on the use or sale of the consumer information collected by the lead generator.

If you plan to use a lead generation company, I strongly advise that you vet it as a service provider, using the kind of due diligence review resources offered by our affiliate Vendors Compliance Group. Whatever you decide in developing your marketing campaign, keep in mind that the FTC has demonstrated significant concern about lead generators’ collection and sharing of consumer information, given that such information increases the risk of misuse and harm to consumers.

Jonathan Foxx
Managing Director
Lenders Compliance Group