Breach Notification , Fraud Management & Cybercrime , Incident & Breach Response

FCC Allows Exemption for Fraud Alerts

But Experts Say New Rule Needs More Clarification
FCC Allows Exemption for Fraud Alerts

The Federal Communications Commission's new rule aimed at giving consumers the opportunity to opt out of receiving automated-dial or robocalls, as well as spam text messages, carves out a few very narrow exemptions for banking institutions and healthcare organizations.

See Also: 57 Tips to Secure Your Organization

Under the new rule, banks can place calls or send texts to consumers, without their prior consent, to alert them of potential fraud. And healthcare organizations can place calls or send texts, without consent, about important medication refills.

But the exemption only allows banks and healthcare providers to send these alerts once without prior consent. After that, if a consumer asks that the calls or text alerts stop, and a banking institution or doctor's office continues to place the automated calls or send the alerts, then the consumer has the right to seek legal action - a point of concern that needs to be clarified, one expert says.

Still, the American Bankers Association last week said it was pleased with the one-time exemption for banks, pointing out that ensuring consumers receive timely notifications about possible data breaches and fraud is critical.

In October 2014, the ABA asked the FCC to exempt time-sensitive informational calls and texts that banks often send to consumers about fraud or identity theft risks from communications restrictions noted in the Telephone Consumer Protection Act.

"Exempting data breach and fraud alerts from outdated regulatory restrictions on calls and texts to mobile devices is critical to effective fraud prevention," said ABA President and CEO Frank Keating. "Text messages and calls to mobile phones can reach people wherever they are, enabling customers and financial institutions to react promptly to stop fraudulent transactions and respond to data security breaches."

Al Pascual, director of fraud and security at Javelin Strategy & Research, says ensuring banks have the ability to verify transactions in near-real-time via text alerts is a "critical" tool for fraud-prevention.

"The more immediately fraud is detected, the lower the losses," he says. "It is good to see that the FCC is working to stem this unintended consequence [of the Telephone Consumer Protection Act]."

But other experts say the FCC's exemptions pose new concerns, some that should be especially troubling to banks.

One concern is that consumers can seek legal action against institutions that contact them more than once without prior consent; another is that fraudsters could more easily send spoofed alerts to consumers, since consumers don't have to opt-in for alerts in advance.

FCC's Exemption Needs More Clarification

On June 18, the FCC clarified how the Telephone Consumer Protection Act, which took effect in 1991, applies to communications made to mobile devices as well as landline phones.

The FCC points out in its clarification that the Telephone Communications Protection Act requires that consumers give prior consent before any non-emergency autodialed, prerecorded, or artificial voice calls can be made to their mobile numbers, as well as prerecorded telemarketing calls to residential landline numbers. But it makes an exception for certain communications from banking institutions and healthcare providers.

"Free calls or texts to alert consumers to possible fraud on their bank accounts or remind them of important medication refills, among other financial alerts or healthcare messages, are allowed without prior consent," the FCC states. "But other types of financial or healthcare calls, such as marketing or debt-collection calls, are not allowed under these limited and very specific exemptions."

However, the FCC also notes that consumers have the right to opt out at any time from receiving any of those alerts. Banks and healthcare providers are permitted to make one unsolicited communication without prior consent before consumers can opt out.

If consumers do opt out and continue to receive texts or phone calls from the bank or healthcare provider, then the consumer has the right to ask the mobile service provider to have the communications blocked. The consumer also can seek legal action against the entity that continues to place calls or send texts after the request to stop.

The opt-out clause is the concerning point for Christine Pratt, a senior credit analyst at the consultancy Aite.

"From a consumer standpoint, I think this clarification is very helpful, she says. "From the banks' standpoint, I think they are still going to face challenges ensuring that they can reach their customer."

That's because mobile numbers are easily transferred from one consumer to the next, Pratt says. "Mobile numbers are reassigned all the time," she says. "So if a number is transferred to someone else, and the bank is not notified, then the bank could be sued if the person they are texting or calling is not their customer."

Pratt says banking institutions need to ensure that they have protections built in by the FCC that would account for numbers that have been transferred to a consumer who is not a customer of the bank.

"If you send these messages and that number belongs to someone else, someone who is not a customer and therefore does not notify the bank to stop, that person can now legitimately file legal action against the bank," she says. "It's a problem."

Pratt says the FCC should clarify that consumers must notify their banking institutions if and when they change, drop or transfer mobile numbers.

And Jan Volzke, vice president of phone reputation services for contact information provider Whitepages, says he worries the FCC's one-time contact provision will offer an avenue for fraudsters to exploit.

"The ruling to allow banks and healthcare providers to alert consumers to possible fraud is a move in the right direction for consumer protection, as banking fraud and healthcare fraud are two of the most largely seen areas of phone and SMS [text] scams," he says. "But expanding robocalling [or auto-dialing] opportunities to these two industries introduces the opportunity for more fraudulent activities. Where previously consumers knew that all unsolicited contact from their bank or healthcare provider was suspicious, now it will be harder to tell real alerts from scams."

Volzke says mobile service providers and carriers need to ensure they have systems in place that can accurately evaluate the risk of alerts that are sent to consumers - another point the FCC should clarify, he adds.


About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.