What Happens When a Company's Written Policies Differ from its Practices? (The Debt Collection Drill Videocast)

Poorly drafted policies and procedures consistently serve as the basis for unfavorable court decisions against financial institutions and debt buyers. Further, investment in updating policies and procedures is key to reduce exposure to consumer and regulatory claims. In this 15 minute video, Moss & Barnett attorneys Brad Armstrong and Mike Etmund provide specific examples of policies and procedures that comply with the law.


Speaker 1 (00:04):

Welcome to The Debt Collection Drill, the video cast featuring Moss & Barnett shareholders John Rossman and Mike Ponson providing sage tips for collection and compliance.

Brad Armstrong (00:18):

Welcome to another episode of The Debt Collection Drill. My name is Brad Armstrong. I'm an attorney with Moss & Barnett. I'm here with my colleague Mike Etmund. Today we're going to chat about policies and procedures and privacy legislation.

Mike Etmund (00:31):

Thank you, Brad. I look forward to it.

Brad Armstrong (00:33):

So getting started with policies and procedures, the first thing we typically think about when we talk about reasonable policies and procedures is the bona fide error defense under the FDCPA, which basically says that a debt collector cannot be held viable in an action if it can show by a preponderance of the evidence that the violation was not intentional and it occurred notwithstanding the maintenance of policies and procedures that reasonably adapted to avoid the error asserted by the plaintiff. Now, courts generally hold that debt collectors don't need to have policies and procedures designed to avoid every conceivable risk. They just have to be reasonable. And most importantly, they have to actually be adapted to allow the debt collector to avoid the violation that's alleged in the complaint.


So we'll chat about a few items, one of which is a recent Seventh Circuit decision that provides some good contrast between policies and procedures that are adapted to avoid the error that was alleged in the complaint and policies and procedures that weren't. But to get started, we're going to talk about what the failure to invest in some of these policies and procedures can do in terms of regulatory liability. Then we'll chat about that Seventh Circuit decision. And finally, we'll talk about a few things that debt collectors and collection agencies can do to improve their policies and procedures in an effort to avoid exposure to regulatory claims and civil liability going forward. And hopefully everybody will agree that investing in these policies and procedures now is worthwhile and the damages you can avoid in the future are going to be offset by whatever you invest now.

Mike Etmund (02:33):

So Brad, what types of penalties can happen if the agencies don't invest in these policies and procedures?

Brad Armstrong (02:41):

Well, that's a good question. So our first topic discusses just that, which is a recent CFPB consent order involving Hyundai. It wasn't an FDCPA, as I understand it, mostly FCRA issues. But essentially the CFPB said that Hyundai's failure to appropriately assign ownership of risk and processes that gave rise to some of the violations that the CFPB alleged was part of the basis for this $19 million fine. The CFPB consent order also noted that Hyundai had underinvested in technology and monitoring, which led to ineffective processes and systems that kind of gave rise to some of the errors.

Mike Etmund (03:29):

What has happened if a regulator has found that there's a violation?

Brad Armstrong (03:34):

The recent Hyundai consent order is a great example, the I guess complaint that the CFPB had lodged against Hyundai related to the accuracy of information that they'd furnished to consumer reporting agencies, and I guess their efforts to correct it. But in the consent order, it highlighted in a few items that relate to policies and procedures that are, I think, important for debt collectors and collection agencies to key onto. One, the consent order said that Hyundai had failed to appropriately assign ownership of furnishing related processes within the company and prioritize identified consumer reporting related risks. That's an item that policies and procedures can be created to address. The other item in the consent order was the CFPB had alleged that Hyundai had underinvested in technology and monitoring, which led to the use of ineffective manual processes and systems that had been previously identified to have logic errors and related to furnishing consumer information, consumer reporting agencies.


What I think is important there is these are items that the CFPB noted in the consent order. That suggests to me that had Hyundai had policies and procedures to avoid some of these shortcomings, maybe the fine would've been less than $19 million. Maybe they wouldn't even had any fine at all. And it's similar in consumer litigation. Investing in policies and procedures now can help you avoid six figure, seven figure damages awards. The Seventh Circuit recently issued a decision, it actually consolidated two district court cases, where the debt collector in each case had supposedly violated the FDCPA by failing to apprise a consumer reporting agency that a debt was disputed after the debt collector had received a fax from the plaintiff or the plaintiff's attorney indicating that the debt was disputed. And in both cases, the District Court granted summary judgment in favor of the debt collector and the plaintiff appealed those decisions to the Seventh Circuit Court of Appeals.


And if you're curious, the case is UMB Med-1 Solutions, and the other consolidated case was Webster versus Receivables Performance. So basically in both cases, the debt collector received a fax one way or another that indicated that a debtor disputed that. And both debt collectors prevailed based on the bona fide error defense in the District Court. The Seventh Circuit agreed with one of the district courts and disagreed with the other. So the Seventh Circuit held that one of the debt collectors had policies and procedures sufficient qualify for the bona fide error defense and the other didn't.


What the Seventh Circuit did note in connection with the debt collector who did have policies and procedures sufficient to qualify for the bona fide error defense is noted that the debt collector had two written policies that explained step by step how receptionists should properly direct legal faxes and concluded that these were the kind of mechanical steps that the bona fide error defense required. Given that the debt collector had all those things in place, and notwithstanding the fact that this error occurred that, the receptionist I believe sent the facts to the wrong department after receiving the facts, Seventh Circuit held the debt collector qualified for the bona fide error defense.


In contrast, in Webster, the debt collector received the facts, didn't notify the CRA that the debt was disputed, and the reason it didn't notify or mark the debt as disputed was because it stopped using the fax number that it had received the fax at. Essentially the fax number was used on NMLS, but the debt collector had removed it from their website in an effort to kind of that fax number out of the universe where consumers might see it. But it didn't remove the fax number from everything. It didn't take the facts out of commission. So they found the number on NMLS, sent the dispute there. Debt collector ignored faxes that went to that number, and the court held that.


The debt collector's dispute handing policies and procedures didn't cover the alleged violation because the debt collector didn't have policies and procedures for faxes. It had all the policies and procedures for if we receive or dispute and we mark the files disputed. And if we talk to a consumer reporting agency, we notify them with a dispute, but it didn't have any policies and procedures that said, We're going to check every fax number that we've put out in the public domain for disputes. And as a result, the Seventh Circuit said, "No, we disagree with the district court. The debt collector's not entitled to summary judgment based on the bona fide error," defense and kicked it back to the district court. It's a great example of a single issue and two debt collectors that both had policies and procedures for dispute handling, but one of them addressed the particular issue of the case, which was the handling of fax disputes and the other that didn't.


And to wrap it up, a couple of things that that collectors can do to help reduce exposure to both regulatory and civil claims related to policies and procedures. The first thing is read the CFPB examination manual. It's a roadmap for how the CFPB is going to look at you if they audit you or investigate you and what they expect to see. So if you can review that examination and craft policies and procedures to address the issues raised in the manual, you're going to save a lot of headaches if the CFPB is ever knocking at your door.


Next thing you can do, read through your policies and procedures. Make sure that they align with what you're actually doing and that they're updated to current laws. Make sure Regulation F is addressed. Make sure if policy and procedure says that you do this, that you're actually doing it. That way, if anybody's ever deposed or a regulator comes in and makes a personal appearance in your office, your written policies and procedures are going to align with your conduct.

Mike Etmund (10:31):

So Brad, I'm aware that a number of agencies have procedures that they just commonly use every day. How important is it that those procedures be in writing?

Brad Armstrong (10:42):

Well, it's pretty important. It's not absolutely essential. There are certainly decisions out there, FDCPA decisions where debt collectors have attested to the existing policies and procedures, and that's been deemed sufficient, but I certainly recommend putting them in writing. That's all I have in policies and procedures.


Next, will my colleague Michael chat about privacy legislation?

Mike Etmund (11:05):

Thank you, Brad. So in the last few years, data privacy has become definitely a hot topic issue. In 2018, the European Union implemented the general data practices or protection regulation, GDPR, and that's led a lot of people to be wondering, well, why isn't the United States incorporated or enacted some federal legislation on data privacy rights? In the absence of that, certain states and a number of states have begun enacting their own data privacy laws to protect personal information.


Perhaps the most well known and most recent was in January of 2020 when the California Consumer Consumer Privacy Act took effect. Since that time, a number of other states have enacted their own data privacy laws. Virginia, Colorado, Utah, Connecticut all have recently enacted laws that will take effect at some time in 2023, as well as California past a so called updated legislation. Now the California Privacy Rights Act, which takes effect in January of 2023. That will essentially replace the CCPA in that regard. It really supplements and correct certain parts of the CCPA that were perhaps lacking or clarifies other issues, but will again, really take over as the leading template, at least in the United States for data privacy laws.


In terms of how it affects a certain business or a collection agency in particular, the first thing to do would be to review the definitions of each of these laws and determine are they even applicable to you. For example, the Colorado Act only focuses on entities that during a calendar year controls or processes data of a hundred thousand or more residents of that state or consumers as it's defined in that act or derives revenue from selling personal data and processes or controls the personal data of 25,000 or more residents. So again, that might be beyond the scope of many agencies, whether or not they conduct business in Colorado or not. That just means that a policy may need to be drafted for if, for example, an agency gets a request from a resident of California versus a resident of Connecticut or a resident of Colorado. So just different policies, different procedures in place depending on where the request originated.


One other part is that still none of these states have really incorporated a private cause of action for these privacy laws. Most of them are all enforceable by the attorney general or a state district attorney, but generally no private cause of action. California does have the exception if there's an actual data breach issue, but that's really about it. The other states haven't gotten that far yet.


That wraps up our discussion of the privacy notices. We hope you found that beneficial. That also brings us to the conclusion of this episode of The Debt Collection Drill. Thank you for joining us.