Alston & Bird Consumer Finance Blog

Federal Trade Commission (FTC)

CFPB and FTC Amicus Brief Signals Stance on “Pay-to-Pay” Fees under FDCPA

What Happened?

On February 27, the Consumer Finance Protection Bureau (CFPB) and the Federal Trade Commission (FTC) filed an amicus brief in the 11th Circuit case Glover and Booze v. Ocwen Loan Servicing, LLC arguing that certain convenience fees charged by mortgage servicer debt collectors are prohibited by the Fair Debt Collection Practices Act (FDCPA).  This brief comes on the heels of an amicus brief Alston & Bird LLP filed on behalf of the Mortgage Bankers Association (MBA).  In its brief, the MBA urged the 11th Circuit to uphold the legality of the fees at issue.

While litigation surrounding convenience fees has spiked in recent years, there is no consensus on whether convenience fees violate the FDCPA.  Federal courts split on the issue, as there is little guidance at the circuit court level, and the issue before the 11th Circuit is one of first impression.  Consequently, the 11th Circuit’s ruling could significantly impact what fees a debt collector is permitted to charge, both within that circuit and nationwide.

Why is it Important?

Convenience fees or what the agencies refer to as “pay-to-pay” fees are the fees charged by servicers to borrowers for the use of expedited payment methods like paying online or over the phone.  Borrowers have free alternative payment methods available (e.g., mailing a check) but choose to pay for the convenience of a faster payment method.

Section 1692f(1) of the FDCPA provides that a “debt collector may not use unfair or unconscionable means to collect or attempt to collect any debt,” including the “collection of any amount (including any interest, fee, charge, or expense incidental to the principal obligation) unless such amount is expressly authorized by the agreement creating the debt or permitted by law.”  The CFPB and FTC argues that Section 1692f(1)’s prohibition extends to the collection of pay-to-pay fees by debt collectors unless such fees are expressly authorized by the agreement creating the debt or affirmatively authorized by law.

First, the agencies contend that pay-to-pay fees fit squarely with the provision’s prohibition on collecting “any amount” in connection with a debt and that charging this fee constitutes a “collection” under the FDCPA.  Specifically, the agencies attempt to counter Ocwen’s argument that the fees in question are not “amounts” covered by Section 1692f(1) because the provision is limited to amounts “incidental to” the underlying debt. They argue that fees need not be “incidental to” the debt in order to fall within the scope of Section 1692f(1). In making this point, the agencies claim the term “including” as used is the provision’s parenthetical suggests that the list of examples is not an exhaustive list of all the “amounts” covered by the provision.  Further, the agencies attempt to counter Ocwen’s argument that a “collection” under the FDCPA refers only to the demand for payment of an amount owed (i.e., a debt). They argue that Ocwen’s understanding of “collects” is contrary to the plain meaning of the word; rather, the scope of Section 1692f(1) is much broader and encompasses collection of any amount , not just those which are owed.

Next, focusing on the FDCPA’s exception for fees “permitted by law,” the agencies contend that a fee is not permitted by law if it is authorized by a valid contract (that implicitly authorizes the fee as a matter of state common law). The agencies suggest if such fees could be authorized by any valid agreement, the first category of collectable fees defined by Section 1692(f)(1)—those “expressly authorized by the agreement creating the debt”—would be superfluous. Lastly, the Agencies argue neither the Electronic Funds Transfer Act nor the Truth in Lending Act – the two federal laws Ocwen relies on in its argument – affirmatively authorizes pay-to-pay fees.

What Do You Need to Do?

Stay tuned. The 11th Circuit has jurisdiction over federal cases originating in Alabama, Florida, and Georgia. Its ruling is likely to have a significant impact on whether debt collectors may charge convenience fees to borrowers in those states, and it could be cited as persuasive precedent in courts nationwide.

FTC Approves New Data Breach Notification Requirement for Non-Banking Financial Institutions

On October 27, 2023, the FTC approved an amendment to the Safeguards Rule (the “Amendment”) requiring that non-banking financial institutions notify the FTC in the event of a defined “Notification Event” where customer information of 500 or more individuals was subject to unauthorized acquisition.  The Amendment becomes effective 180 days after publication in the Federal Register.  Importantly, the amendment requires notification only to the Commission – which will post the information publicly – and not to the potentially impacted individuals.

Financial institutions subject to the Safeguards Rule are those not otherwise subject to enforcement by another financial regulator under Section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6805 (“GLBA”). The Safeguards Rule within the FTC’s jurisdiction include mortgage brokers, “payday” lenders, auto dealers, non-bank lenders, credit counselors and other financial advisors and collection agencies, among others.  The FTC made clear that one primary reason for adopting these new breach notification requirements is so the FTC could monitor emerging data security threats affecting non-banking financial institutions and facilitate prompt investigations following major security breaches – yet another clear indication the FTC intends to continue focusing on cybersecurity and breach notification procedures.

Notification to the FTC

Under the Amendment, notification to the FTC is required upon a “Notification Event,” which is defined as the acquisition of unencrypted customer information without authorization that involves at least 500 consumers. As a new twist, the Amendment specifies that unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information, unless the financial institution has evidence that the unauthorized party only accessed, but did not acquire the information.  The presumption of unauthorized acquisition based on unauthorized access is consistent with the FTC’s Health Breach Notification Rule and HIPAA, but not state data breach notification laws or the GLBA’s Interagency Guidelines Establishing Information Security Standards (“Interagency Guidelines”).

As mentioned above, individual notification requirements for non-banking financial institutions will continue to be governed by state data breach notification statutes and are not otherwise included in the Amendment. The inclusion of a federal regulatory notification requirement and not an individual notification requirement in the Amendment is a key departure from other federal financial regulators, as articulated in the Interagency Guidelines which applies to banking financial institutions, and the SEC’s proposed rules that would require individual and regulatory reporting by registered investment advisers and broker-dealers.

Expansive Definition of Triggering Customer Information

Again departing from pre-existing notification triggers of “sensitive customer information” in the Interagency Guidelines or “personal information” under state data breach reporting laws, the FTC’s rule requires notification to the Commission if “customer information” is subject to unauthorized acquisition. “Customer information” is defined as “non-public personal information,” (see 16 C.F.R. 314.2(d)) which is further defined to be “personally identifiable financial information” (see 16 C.F.R. 314.2(n)).

Under the FTC’s rule, “personally identifiable financial information” is broadly defined to be (i) information provided by a consumer to obtain a service or product from the reporting entity; (ii) information obtained about a consumer resulting from any transaction involving a financial product or service from the non-banking financial institution; or (iii) information the non-banking financial institution obtains about a consumer in connection with providing a financial product or service to the consumer. Unlike the Interagency Guidelines which defines “sensitive customer information” as a specific subset of data elements (“customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account”) (see 12 CFR Appendix F to Part 225 (III)(A)(1)), the FTC’s definition of “personally identifiable financial information” is much broader.

For example, “personally identifiable financial information” could include information a consumer provides on a loan or credit card application, account balance information, overdraft history, the fact that an individual has been one of your customers, and any information collected through a cookie. As a result of this broad definition, notification obligations may be triggered for a wider variety of data events, as compared to data breach notifications for banking financial institutions under the Interagency Guidelines or state data breach notification laws. As a result, non-banking financial institutions should consider reviewing and revising their incident response procedures so that they can be prepared to conduct a separate analysis of FTC notification requirements under the Amendment, as distinct from state law notification requirements.

No Risk of Harm Provision

Although the FTC considered whether to include a “risk of harm” standard for notifying the Commission, it ultimately decided against including one to avoid any ambiguity or the potential for non-banking financial institutions to underestimate the likelihood of misuse. However, numerous state data breach reporting statutes contain risk of harm provisions that excuse notice to individuals and/or state regulators where the unauthorized acquisition and/or access of personal information is unlikely to cause substantial harm (such as fraud or identify theft) to the individual.  This divergence between FTC notifications and state law has set the stage for the possibility that a reporting non-banking financial institution could be required to report to the FTC, but not to potentially affected individuals and/or state attorneys general pursuant to state law.

Timing and Content for Notice to FTC

Non-banking financial institutions must notify the Commission as soon as possible, and no later than 30 days after discovery of the Notification Event. Discovery of the event is deemed to be the “first day on which such event is known…to any person other than the person committing the breach, who is [the reporting entity’s] employee, officer, or other agent.” The FTC’s timeline is similar to the timeline dictated for notifying state Attorney Generals under most state data breach notification laws (either explicitly or implicitly), but a key difference from the Interagency Guidelines, which requires notification to the bank’s primary federal regulator as soon as possible.

The notification must be submitted electronically on a form located on the FTC’s website (, and include the following information, which will be available to the public: (i) the name and contact information of the reporting financial institution, (ii) a description of the types of information involved in the Notification Event, (iii) the date or date range of the Notification Event (if available), (iv) the number of consumers affected or potentially affected; (v) a general description of the Notification Event; and (vi) whether law enforcement official (including the official’s contact information) has provided a written determination that notifying the pu of the breach would impede a criminal investigation or cause damage to national security.  Making this type of information regarding a data security incident available to the public is not part of any current U.S. regulatory notification structure.

Law Enforcement Delays Public Disclosure by FTC, Not FTC Reporting

A law enforcement delay may preclude public posting of the Notification Event by the FTC for up to 30 days but does not excuse timely notification to the FTC.  A law enforcement official may seek another 60 days’ extension, which the Commission may grant if it determines that public disclosure of the Notification Event “continues to impede a criminal investigation or cause damage to national security.”

CSBS Releases Cybersecurity Programs to Help Nonbank Financial Services Institutions Improve Cybersecurity Posture

A&B ABstract

On August 9, 2022, the Conference of State Bank Supervisors (CSBS) released two cybersecurity tools for nonbank financial services institutions to help them prepare for state cybersecurity examinations and, ultimately, improve cybersecurity maturity and protect financial institution infrastructure. These tools are designed to address key aspects of the Uniform Rating System for Information Technology; namely, Audit, Management, Development and Acquisition, and Support and Delivery. The CSBS also outlined the key documents that state examiners are likely request during examinations to help ensure nonbank financial services institutions are prepared to respond to examination questions.

CSBS Cybersecurity Tools

Developed by a multi-state team of cybersecurity examination experts, the Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program (the “Programs”) are a set of cybersecurity questions used by state examiners to assess the ability of nonbank financial services companies to comply with applicable cybersecurity and data protection requirements. While these Programs are optional resources, the CSBS encourages nonbank financial services institutions to leverage these Programs as prescriptive guidance in implementing and maintaining a compliant cybersecurity program.

The Baseline Nonbank Cybersecurity Exam Program is intended for small nonbank financial services institutions, whereas the Enhanced version is used by state examiners evaluating larger more complex nonbank financial services institutions (the distinction between which institutions fall under the Baseline vs the Enhanced Program are not specified). Both Programs cover four overarching areas of the Uniform Rating System for Information Technology (URSIT) – (1) Audit, (2) Management, (3) Development and Acquisition, and (4) Support and Delivery. Specifically, the examination covers a wide range of topics, such as executive oversight of the cybersecurity program, details on the institution’s network security, vendor management, cyber insurance, malware protection controls, patch management procedures, asset inventory, business continuity management and incident response plan.  The examination questions, where relevant, cite to the FTC Safeguards Rule, as amended (16 CFR § 314) which became effective January 10, 2022 (with the exception of a limited number of sections that are not enforceable until December 9, 2022).

The CSBS also provides a Document Request List, outlining key artifacts that state examiners may request (and have requested during past examinations) to help support the institutions’ response to the examination questions. Key artifacts include core policies and procedures, written information security programs, risk assessment(s), materials presented to the board/senior management discussing cybersecurity, vulnerability assessments, and patch deployment confirmation.

These Programs, according to CSBS’s Senior Vice President of Nonbank Supervision, Chuck Cross, are intended to streamline supervisory clarity and create a more resilient financial system. These Programs are a part of CSBS’ larger initiative to equip the industry with the necessary tools to protect the critical infrastructure of financial institutions; for example, it previously provided nonbanks with a Ransomware Self-Assessment Tool and a Cybersecurity 101 Guide for executives.


Through the Programs, CSBS has provided nonbank financial services institutions the ability to more adequately prepare for regulatory examinations by outlining core questions and artifacts. However, the cybersecurity regulations applicable to financial institutions continue to evolve, both on the federal and state level, requiring additional resources and expertise. It is also unclear how widely adopted these Programs will be by state regulators, particularly state regulators that have developed their own comprehensive cybersecurity examination questions (such as the New York Department of Financial Services), and there will likely continue to be differences across state regulatory examinations.

We will continue monitoring the guidance issued by CSBS and other financial industry participants and regulators with respect to the evolving cybersecurity compliance landscape.

Joint Trade Associations Reject the CFPB’s “Discrimination-Unfairness” Theory

In a June 28 letter to Director Chopra and accompanying White Paper and press release, the ABA, CBA, ICBA, and the U.S. Chamber of Commerce have called on the Consumer Financial Protection Bureau (CFPB or Bureau) to rescind recent revisions made to its UDAAP examination manual that had effectuated the CFPB’s controversial theory that alleged discriminatory conduct occurring outside the offering or provision of credit could be addressed using “unfairness” authority. The White Paper characterized the primary legal flaws in the CFPB’s action as follows:

  • The CFPB’s conflation of unfairness and discrimination ignores the text, structure, and legislative history of the Dodd-Frank Act. For example, the Dodd-Frank Act discusses “unfairness” and “discrimination” as two separate concepts and defines “unfairness” without mentioning discrimination. The Act’s legislative history refers to the Bureau’s antidiscrimination authority in the context of ECOA and HMDA, while referring to the Bureau’s UDAAP authority separately.
  • The CFPB’s view of “unfairness” is inconsistent with decades of understanding and usage of that term in the Federal Trade Commission Act and with the enactment of ECOA. Congress gave the CFPB the same “unfairness” authority that it gave to the Federal Trade Commission in 1938, which has never included discrimination. It makes no sense that Congress would have enacted ECOA in 1974 to address discrimination in credit transactions if it had already prohibited discrimination through the FTC’s unfairness authority. For the same reason, Congress could not have intended in 1938 for unfairness to “fill gaps” in civil rights laws that did not exist.
  • The CFPB’s view is contrary to Supreme Court precedent regarding disparate impact liability. The CFPB’s actions and statements indicate it conflates unfairness with disparate impact, or unintentional discrimination. The Supreme Court has recognized disparate impact as a theory of liability only when Congress uses certain “results-oriented” language in antidiscrimination laws, e.g., the Fair Housing Act. The Dodd Frank Act neither contains the requisite language, nor is it an antidiscrimination law.
  • The CFPB’s action is subject to review by courts because it constitutes final agency action – a legislative rule – that is invalid, both substantively and procedurally. The CFPB’s action carries the force and effect of law and imposes new substantive duties on supervised institutions. However, the Bureau did not follow Administrative Procedure Act requirements for notice-and-comment rulemaking. Additionally, the CFPB’s interpretation is not in accordance with law and exceeds the CFPB’s statutory authority. The CFPB’s action should be held unlawful and set aside.
  • The CFPB’s action is subject to Congressional disapproval under the Congressional Review Act. A Member of Congress can request a GAO opinion on whether the CFPB’s actions are a rule, which can ultimately trigger Congressional review using the procedures established in the Congressional Review Act.

The White Paper concludes:

“Such sweeping changes that alter the legal duties of so many are the proper province of Congress, not of independent regulatory agencies, and the CFPB cannot ignore the requirements of the Administrative Procedures Act and Congressional Review Act. The CFPB may well wish to ‘fill gaps’ it perceives in federal antidiscrimination law. But Congress has simply not authorized the CFPB to fill those gaps. If the CFPB believes it requires additional authority to address alleged discriminatory conduct, it must obtain that authority from Congress, not take the law into its own hands. The associations and our members stand ready to work with Congress and the CFPB to ensure the just administration of the law.”


The position taken in the White Paper that the CFPB’s actions were contrary to law may be an indication that the trade groups intend to mount an APA legal challenge. Alternatively, the arguments made could in theory form a defense to any CFPB supervisory or enforcement action premised upon its new “discrimination-unfairness” theory. Financial institutions subject to CFPB examination would be well-advised to consider the arguments raised by the groups.

The Hunstein Case: Upending Servicing and Debt Collection?

A&B Abstract:

The U.S. Court of Appeals for the Eleventh Circuit, covering Alabama, Florida, and Georgia, recently decided in Hunstein v. Preferred Collection and Management, Inc., that a debt collector’s communication with its third-party vendor violated section 1692c(b) of the Fair Debt Collection Practices Act (“FDCPA”), which prohibits a debt collector for communicating, in connection with the collection of any debt, with an unauthorized third party.

The FDCPA and Regulation F

 In 1977, Congress enacted the FDCPA to eliminate abusive debt collection practices by debt collectors.  Section 1692c(b) of the FDCPA generally provides that, except with respect to seeking location information:

without the prior consent of the consumer given directly to the debt collector, or the express permission of a court of competent jurisdiction, or as reasonably necessary to effectuate a postjudgment judicial remedy, a debt collector may not communicate, in connection with the collection of any debt, with any person other than the consumer, his attorney, a consumer reporting agency if otherwise permitted by law, the creditor, the attorney of the creditor, or the attorney of the debt collector.

The FDCPA defines “communication” to mean “the conveying of information regarding a debt directly or indirectly to any person through any medium.”

For decades the FDCPA was enforced by the Federal Trade Commission (“FTC”).  However, prior to the Dodd-Frank Act, no federal regulator had rulemaking authority under the FDCPA.  The Dodd-Frank Act empowered the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) with rulemaking authority with respect to the collection of debts by debt collectors, as defined by the FDCPA.  Prior to finalizing Regulation F, the CFPB conducted market outreach to better understand how debt collectors attempt to collect on accounts.  In July 2016, the CFPB published a study of third-party debt collection operations (“Operations Study”) that recognized debt collection firms’ reliance on vendors (such as print mail services, predictive dialers, voice analytics, payment processes and data servers).  In fact, the CFPB noted that most respondents use an outside vendor for sending written communications.

On November 30, 2020, amended Regulation F,  implementing the FDCPA, was published in the Federal Register with an effective date of November 30, 2021 (which has subsequently been delayed to January 29, 2022).  Regulation F does not specifically address the use of third-party vendors, such as print mail services, although the Operations Study was cited in the preamble to Regulation F.

With regard to civil liability, section 1692k of the FDCPA states that “[n]o provision of this section imposing any liability shall apply to any act done or omitted in good faith in conformity with any advisory opinion of the Bureau, notwithstanding that after such act or omission has occurred, such opinion is amended, rescinded, or determined by judicial or other authority to be invalid for any reason.”

The Hunstein Case

Despite the CFPB’s implicit recognition of debt collectors’ use of print and other vendors,  a recent court decision suggests that use of certain vendors could violate the FDCPA’s prohibition on third-party communications.  In Hunstein, the U.S. Court of Appeals for the Eleventh Circuit reversed the district court’s judgment, holding that (1) a violation of section 1692c(b) of the FDCPA confers Article III standing; and (2) a debt collector’s transmittal of a consumer’s personal information to its dunning vendor constituted a communication “in connection with the collection of any debt” within the meaning of section 1692c(b).

The facts in this case are not unusual, and reflect the typical interactions between a debt collector and their third-party vendors. Specifically, the debt collector, Preferred Collection and Management Services Inc. (“Preferred”), electronically transmitted information concerning Hunstein’s debt (his name and his status as a debtor, the entity to which he owed the debt, the outstanding balance, the fact that his debt resulted from his son’s medical treatment, and his son’s name) to its third-party vendor. In turn, the vendor used that information to create, print, and mail a dunning letter to Hunstein.  As a result, Hunstein sued alleging that by sending his personal information to the third-party vendor, Preferred had violated section 1692c(b). The district court dismissed Hunstein’s action for failure to state a claim, holding that Hunstein had not sufficiently alleged that Preferred’s transmittal to its third-party vendor violated section 1692c(b), because it was not a communication “in connection with the collection of any debt.”  Hunstein appealed to the Eleventh Circuit. On appeal, the Eleventh Circuit addressed both the issues of Article III standing and whether Preferred’s communication was “in connection with the collection of any debt.”

The court first considered the threshold issue of whether a violation of section 1692c(b) confers Article III standing. Specifically, the court focused on whether Hunstein had suffered an injury in fact, which requires an invasion of a legally protected interest that is both concrete and particularized and actual or imminent, not conjectural or hypothetical. The court indicated that the “standing question here implicates the concreteness sub-element.”  The court explained that a plaintiff can satisfy the concreteness requirement in one of three ways. A plaintiff can meet this requirement by (1) alleging a tangible harm (e.g., physical injury, financial loss, and emotional distress), (2) alleging a risk of real harm, or (3) identifying a statutory violation that gives rise to an “intangible-but-nonetheless-concrete injury.”  The court ultimately concluded that Hunstein had met the concreteness requirement “[b]ecause (1) § 1692c(b) bears a close relationship to a harm that American courts have long recognized as cognizable and (2) Congress’s judgment indicates that violations of §1692c(b) constitute a concrete injury.”

After concluding that Hunstein had standing to sue, the court considered whether Preferred’s transmittal to its third-party vendor was a “communication in connection with the collection of any debt.” At the outset, the court noted that the parties were in agreement that Preferred was a “debt collector,” that Hunstein was a “consumer,” and that the debt at issue was a “consumer debt,” as contemplated under the FDCPA. Moreover, the parties agreed that Preferred’s transmittal of Hunstein’s information to the third-party vendor constituted a “communication” within the meaning of the FDCPA. Thus, the only question remaining before the court was whether Preferred’s communication was “in connection with the collection of any debt.” The court began its analysis by reviewing the plain meaning of the phrase “in connection with” and the word “connection,” and determined that “in connection with” and “connection” are generally defined to mean “with reference to or concerning” and “relationship or association,” respectively.  Based on these definitions, and the facts at issue, the court found it “inescapable that Preferred’s communication to [its third-party vendor] as least ‘concerned,’ was ‘with reference to,’ and bore a ‘relationship or association’ to its collection of Hunstein’s debt.”  Accordingly, the court held that Hunstein had alleged a communication “in connection with the collection of any debt” as that phrase is commonly understood.

The court next considered, and rejected, Preferred’s three arguments that its communication was not “in connection with the collection of any debt.” First, the court found Preferred’s reliance on prior Eleventh Circuit decisions interpreting the phrase “in connection with the collection of any debt,” as used under section 1692e, to be misplaced. The court explained that in those line of cases, the court had focused on the language of the underlying communications that were at issue. However, the court found that the district court’s conclusion that the phrase “in connection with the collection of any debt” necessarily entails a demand for payment “defies the language and structure of § 1692c(b) for two separate but related reasons—neither of which applies to § 1692e.” First, the court explained that the “demand-for-payment interpretation would render superfluous the exceptions spelled out in §§ 1692c(b) and 1692b.” The court noted that under section 1692c(b), “[c]ommunications with four of the six excepted parties—a consumer reporting agency, the creditor, the attorney of the creditor, and the attorney of the debt collector—would never include a demand for payment,” and that the “same is true of the parties covered by § 1692b and, by textual cross-reference, excluded from § 1692c(b)’s coverage.” Accordingly, the court held that the phrase “in connection with the collection of any debt” in section 1692c(b) must mean something more than a mere demand for payment, so as not to render “Congress’s enumerated exceptions…redundant.”

The court also rejected Preferred’s argument that the court adopt a holistic, multi-factoring balancing test that was adopted by the Sixth Circuit in its unpublished opinion in Goodson v. Bank of Am., N.A., 600 Fed. Appx. 422 (6th Cir. 2015), for two reasons: (1) “Goodson and the cases that have relied on it concern § 1692e—not § 1692c(b),” and (2) sections 1692c(b) and 1692e differ both “linguistically, in that the former includes a series of exceptions that an atextual reading risks rendering meaningless, while the latter does not, and…operationally, in that they ordinarily involve different parties.” Moreover, the court found that “in the context of § 1692c(b), the phrase ‘in connection with the collection of any debt’ has a discernible ordinary meaning that obviates the need for resort to extratextual ‘factors.’”

Finally, the court rejected Preferred’s “industry practice” argument—namely that there is widespread use of mail vendors and a relative dearth of FDCPA suits against them—holding that simply because “this is (or may be) the first case in which a debtor has sued a debt collector for disclosing his personal information to a mail vendor hardly proves that such disclosures are lawful.”

In holding that Preferred’s communication with its third-party vendor constituted a communication “in connection with the collection of any debt,” the court acknowledged that its “interpretation of § 1692c(b) runs the risk of upsetting the status quo in the debt-collection industry…[and that its] reading of § 1692c(b) may well require debt collectors (at least in the short term) to in-source many of the services that they had previously outsourced, potentially at great cost.” Moreover, the court recognized that “those costs may not purchase much in the way of ‘real’ consumer privacy.” Nevertheless, the court noted that its “obligation is to interpret the law as written, whether or not we think the resulting consequences are particularly sensible or desirable.”


The court’s textual reading of the statute fails to account for the technological changes to the industry since the FDCPA was enacted in 1977.

The CFPB has the authority to take a more pragmatic view, either through its advisory opinion program or formal rulemaking to recognize the important role of vendors while also putting in proper guardrails to protect consumers’ privacy.  Such a view would be consistent with the FTC’s treatment of this issue.  The FTC previously indicated that a debt collector could contact an employee of a telephone or telegraph company in order to contact the consumer, without violating the prohibition on communication to third parties, if the only information given is that necessary to enable the collector to transmit the message to, or make the contact with, the consumer. Presumably, a debt collector would have to transmit much the same information for purposes of communicating with the debtor through a letter vendor.

Congress also has the authority to modernize the FDCPA.  The House of Representatives recently passed a comprehensive debt collection bill (H.R. 2547, the Comprehensive Debt Collection Improvement Act, sponsored by Chairwoman Waters). While this bill currently doesn’t address the issue in Hunstein, that could be remedied in the Senate.

The consumer finance industry will be closely watching the Hunstein case as it works through the appeal process, as well as how other courts, Congress, CFPB and other regulators react.