
Have you ever felt like there isn’t enough being done to enforce the Do Not Call List? Between spoofed robo-dialing and other unwanted calls, picking up your home phone barely feels worth the effort. It’s the audio equivalent of a mailbox full of advertising flyers.

The good news is at least one agency is taking action to enforce telemarketing regulations. The bad news for one community bank is that it’s the FDIC.

In March, the FDIC took its first-ever public enforcement action for violating the Telephone Consumer Protection Act (TCPA), including a $200,000 civil money penalty. The FDIC says the $41 million-asset Oklahoma Bank “continuously” called consumers who were on the National Do Not Call Registry or who asked to be put on the bank’s internal Do Not Call List. Enforcing this rule is usually the purview of the Federal Communications Commission (FCC) and Federal Trade Commission (FTC).

Worse yet, the bank was also alleged to have committed a UDAP violation, violating Section 5 of the Federal Trade Commission Act by misrepresenting itself as employees or affiliates of the federal government.

How Did This Happen?

Calling someone who doesn’t want to be called and lying about who you are is always bad business. It’s also illegal.

I have a lot of questions about how this happened. The enforcement action is short on details.

Third-party vendor or employee error?

Were the alleged illegal actions taken by bank employees or by a third party contracted to do business on behalf of the bank? Either way, there should have been controls in place to ensure that consumer law was followed.

A third-party vendor should assure compliance with consumer and other laws and regulations in the vendor contract. It should provide documentation of policies, procedures, training, and audits. The bank then needs to review these documents and engage in continuous monitoring and due diligence.

Similarly, the bank should have internal policies and procedures, training, approved scripts, and other controls to ensure employees have the knowledge and accountability to follow all applicable laws and regulations. Ongoing monitoring is a must.


How did the FDIC hear of this issue?

Was the information passed on by the FTC, which encourages consumers to file complaints? Or did the FDIC come across the issue when reviewing consumer complaints filed directly with the bank? If that’s the case, why didn’t the bank discover this problem through its own internal review of consumer complaints? Complaints need to be properly logged and promptly addressed.

Does the large fine stem from the TCPA violation or the UDAP violation?

The world may never know, but we do know that $200,000 is a big sum for a $41 million-asset bank. Then again, the answer to this question almost doesn’t matter. When a financial institution violates a law, there are consequences. An FI needs controls and monitoring in place to be sure that it isn’t breaking any of them.

Was this a failure of compliance, vendor management, risk management, or something else?

Every FI breaks down responsibilities differently, so we have no way of knowing. Avoiding these kinds of problems requires collaborative effort across all these areas so it’s known who is responsible for what activities. It also ensures information sharing that allows an FI to leverage each area’s knowledge to inform the actions and decisions of the others.

It’s certain that at least one area failed to adequately oversee telemarketing. A centralized approach to risk management that addresses all forms of risk, including compliance and vendor management, could have helped prevent this civil money penalty.

Does your FI have proper oversight and controls to ensure both vendors and employees are adhering to telemarketing laws and regulations? It may very well cost you if it turns out you don’t.
