Blogs and tweets can land you in compliance hell (February 2009)
Six new-media compliance tips
Is that an iPod plugged into your customer’s ears? Or a time bomb waiting to blow up your bank’s compliance record?
It all depends on what your bank has been up to, and how well your marketing and compliance functions control how the bank’s messages reach the public … and how well the bank controls independent-minded employees with a technical bent.
Does your bank “blog”? “Tweet” on Twitter? Present “podcasts”? Market by mobile phone? Post a page on Facebook or some other social networking site? Maybe, maybe not.
But your bank very likely communicates with customers by e-mail, e-newsletter, your own website, or ads on other sites.
Whether your bank is on the “tweeting” edge or perhaps a bit behind, your compliance staff certainly knows the many restrictions and requirements relating to traditional advertising communication channels. But even if your sales and marketing staff, and compliance staff, have to ask their kids or some of their younger employees about the latest ways to communicate, one thing you must realize: Banks can’t forget to consider the compliance requirements that apply.
Some are familiar favorites. For example, Regulation Z (truth-in-lending) and Regulation DD (truth-in-savings and overdraft protection) advertising rules apply to advertising in any form. Some are new and unique to the medium used, such as the CAN-SPAM Act, which specifically affects e-mail messages.
But these methods are only the beginning. When using these newer forms of communication, banks should also be alert to:
* Traditional advertising compliance rules
* Unfair and Deceptive Acts or Practices Act
* Telephone Consumer Protection Act
* Federal Communications Commission Fax Advertising Rule and Junk Fax Prevention Act
* E-SIGN Act
* State laws
* Securities and Exchange Commission anti-fraud provisions
Advertising and disclosure risks
Although not contemplated 40 years ago when the Truth in Lending Act was passed, an e-mailed message to customers offering a promotional loan rate or mention of a new loan program in an online newsletter or on the bank’s website falls within the scope of the advertising compliance requirements of Regulation Z.
Laws like Truth in Lending and Truth in Savings have been adapted to fit changing industry trends. Any messages that are intended to promote the bank and/or its products and services, directly or indirectly, are advertisements that are subject to compliance disclosure rules. The advertising compliance requirements apply even if the message is delivered electronically.
Under both Regulation Z and DD, advertisements that include certain triggering terms must also include additional terms in the advertisement. These regs also contain provisions that prohibit misleading or inaccurate advertisements. Fair lending laws and regulations (such as Regulation B) apply to the early communications with potential loan applicants as well as to the decision to grant credit and on what terms. Any message that tends to illegally discourage a person from applying for credit would violate the Equal Credit Opportunity Act and Regulation B.
Any time a bank puts forth a commercial message, in any medium, that is designed to attract public attention or patronage to a product or business (unless specifically exempt) the bank must include the official advertising statement of FDIC membership, “Member FDIC.” “Equal Housing Lender” logos are also required whenever a message covers or could cover residential real estate lending.
UDAP fits all sizes
In addition to the provisions in Regulation DD and Z that prohibit misleading and inaccurate advertising, there is the broad coverage of Section 5(a) of the Federal Trade Commission Act, commonly known as the Unfair or Deceptive Acts or Practices prohibition.
The UDAP provision of the FTC Act applies to all persons engaged in commerce, including banks. The federal financial regulators enforce UDAP as it applies to banks, savings associations, and credit unions.
An act or practice that does not violate any other specific law or regulation can nevertheless be a violation of the FTC Act if it meets the legal standard for an unfair or deceptive act or practice. An unfair act or practice is one that causes or is likely to cause substantial injury to consumers; cannot be reasonably avoided by consumers; and is not outweighed by countervailing benefits to consumers or to competition. A deceptive act or practice arises when there is a material representation, omission, or practice that misleads or is reasonably likely to mislead consumers. The regulators can (and do) apply the double whammy by citing an institution for violation of Regulation Z or DD, as well as a violation of UDAP.
Regulation Z does not contain any minimum type-size requirements for disclosures. However, the regulators can use their UDAP enforcement authority to determine that a disclosed term in advertising or customer disclosures is too small and unfair to consumers.
Note that clarifying information about advertised or disclosed terms that is far removed from the attractive terms described can also be deceptive, even if there is no specific regulatory provision addressing location of information.
The Electronic Signatures in Global and National Commerce Act (E-SIGN) has opened the door for businesses to provide disclosures to consumers electronically, avoiding some of the paper required. E-SIGN Act provisions have been incorporated into some of the consumer protection disclosure regulations, such as Regulation B, Z, M, E, and DD.
However, E-SIGN is broader in coverage than bank consumer protection regulations. It applies to consumer signatures and disclosures in general. As long as specified disclosures are provided relating to the electronic delivery, and the consumer has given consent, the E-SIGN Act gives businesses more flexibility in electronic communications.
Keep e-mails out of spam can
If a bank is considering using e-mail to advertise or communicate with potential or existing customers, it should first become familiar with the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (commonly known as the CAN-SPAM Act).
If you saw the word “pornography” in the title and immediately disregarded it as something that has nothing to do with banks, take another look. The CAN-SPAM Act, in part:
* Prohibits the use of false or misleading transmission information such as subject heading or who the message is from
* Requires a clear and conspicuous indication that the message is an advertisement
* Requires that the message include a functioning e-mail return address or other internet-based response mechanism
* Requires a clear and conspicuous notice of the receiver’s opportunity to decline to receive further commercial e-mail messages from the sender
* Requires the message to include a valid physical postal address of the sender
* Requires the sender to discontinue further commercial e-mail messages within ten business days after receiving a request from the recipient to opt-out
A CAN-SPAM implementing regulation was issued by FTC and became effective March 28, 2005. While the FTC does not have direct jurisdiction over banks, savings associations, and credit unions, the law also gives the federal regulatory agencies the authority to enforce the law against supervised institutions. The OCC, FRB, FDIC, OTS, and NCUA expect supervised institutions to comply with CAN-SPAM and FTC’s regulation. The agencies have issued interagency examination procedures addressing these requirements for examiners to use during consumer compliance examinations.
The kinds of e-mails covered under CAN-SPAM are those with the primary purpose of advertising or promoting a commercial product or service. It would not include an e-mail message that has transactional or relationship content. For example, an e-mail message to existing customers about changes to the customers’ checking accounts would not be a covered message. An e-mail message that contains both transactional/relationship and commercial content would still be subject to the law if the transactional/relationship portion of the content is buried at the bottom of the message.
Some states have moved into the e-mail protection game too. According to the National Conference of State Legislatures, 37 states (as of September 2008) have laws regulating unsolicited e-mail advertising. Except to the extent that a state law prohibits false or deceptive commercial e-mail messages, the federal CAN-SPAM Act preempts state law.
However, state attorneys general are authorized under CAN-SPAM to bring lawsuits against violators on behalf of individuals in their states. Federal preemption helps relieve the tangled web of different requirements that apply when an entity does business with customers in multiple state jurisdictions.
Another more security-focused concern for banks relating to the use of e-mails to advertise or market to customers or potential customers is the risk of phishing. Phishing is the fraudulent practice of attempting to obtain confidential customer information such as passwords and account numbers from individuals by masquerading as the individual’s financial institution or payment processor.
Many of us have received e-mails purporting to be from eBay, PayPal, or various banks (and even the IRS and the FDIC) claiming to need our identification information to clear up a “problem” with our account on their system. Criminals are hoping that some recipients will respond with the information so they can use it to access the accounts and steal identities. Many banks have alerted customers to this practice and have a policy of not using e-mail to communicate with customers in order to reduce the potential risk of customers falling for these scams.
Don’t call my mobile!
The CAN-SPAM Act also mandated that FCC adopt regulations to apply to unsolicited commercial messages sent to wireless devices. These rules also took effect in March 2005.
The FCC rules are similar to the FTC’s rules and do not cover transactional or relationship messages. Under the FCC rules, unsolicited commercial e-mail messages to wireless devices, such as cell phones, that are not “transactional or relationship” messages, are prohibited.
Regardless of the purpose of the call, it is a violation of law to call a cell phone using an automatic telephone dialing system or artificial or prerecorded voice, without the prior express consent of the called party.
New frontier: blogs, e-letters, podcasts
Are you blogging? Many banks are. A blog is an online diary of sorts. Sometimes it involves personal views or commentary. Sometimes it involves descriptions of events or information about a particular subject. Actually, a blog can be anything under the sun. Generally, blogs are interactive, like a conversation.
The objective of a bank blog may be to educate customers about financial topics, or provide the institution’s perspective on current events. Blogs could, however, morph into advertisements, intentionally or unintentionally. A blog-turned-advertisement is subject to all of the advertising compliance rules. The same is true of e-newsletters that banks either post on their web sites or e-mail to certain customers.
Banks should regularly monitor their blogs for posted comments. Some major examples are on the web for your review. The Federal Reserve Bank of Chicago warns commenters to its blog that the FRBC reserves the right to delete off-topic comments, profanity, and spam. So do the blog sites of Wells Fargo-Wachovia and Bank of America.
The SEC, recognizing the use of websites and blogs to provide investor information, issued guidance on Aug. 7, 2008, regarding the use of company websites under the Exchange Act and the applicability of the antifraud provisions of the federal securities laws. The agency’s guidance noted that companies are responsible for statements made by the companies, or on their behalf, on their websites or on third-party websites, and that the securities law antifraud provisions reach those statements.
Thus, blog conversations would be covered. The guidance further warns that any term or condition of a blog requiring users to agree not to make investment decisions based on the blog’s content, or disclaiming liability for damages arising from the use or inability to use the blog, would violate the anti-waiver provisions of federal securities laws.
Podcasting is another communication option banks have been using. Podcasts are audio or video digital media files that are downloaded to portable media players and personal computers. There is a wide variety of uses of podcasts in the banking industry. These range from financial management tips and economic news to solicitations of products and services.
Compliance advertising rules apply when any portion of the podcast serves to promote the bank and/or its products and services. It is important to keep in mind that podcasts can take on a life of their own. They can be downloaded and shared and end up in places that the bank never contemplated.
Reining in employees
Even a bank that does not officially include “new media” as part of its marketing plan may find itself caught in the snare of compliance calamities relating to underground advertising engineered by its enthusiastic employees.
Let’s say an employee or branch decides on its own to send an e-mail or fax to a list of individuals promoting the bank’s new product offering.
You can admire the initiative. But such “loose cannons” are subjecting the bank to risk for noncompliance with laws and regulations pertaining to such contacts. You can find bank advertising on social networking sites such as Facebook, where bank employees have placed information about their banks and the banks’ products and services on their “wall.” (Employees who can earn sales incentives can become very creative.)
Banks should educate all employees about their advertising and communications policies and limitations.