On November 1, 2023, the Office of the Comptroller of the Currency (OCC) published a revised interagency examination procedure to address updates to the federal Telephone Consumer Protection Act (TCPA).
Although TCPA compliance is not a new requirement for financial institutions, these revised procedures suggest the OCC may be taking a more active role in TCPA enforcement amid a larger nationwide crackdown announced by the Federal Trade Commission.
Among the more notable changes, the OCC’s examination procedures incorporate the following TCPA revisions:
Automated Calls for Fraud
The revised procedures specifically provide financial institutions with carve-out exceptions for automated phone calls and texts sent to inform customers of potential account fraud, personal data breaches, or actions necessary to remedy harms caused by a security breach.
To comply, these messages must:
- Be sent only to the number provided by the customer;
- State the name and contact information of the financial institution;
- Not include telemarketing, solicitation, debt collection, or advertising content;
- Be concise, with a suggested length of one minute or less for a voice call and 160 characters or less for a text message;
- Be limited to three messages over a three-day period, per affected account, for each fraud or breach event; and
- Offer customers an easy and clear opportunity to opt-out of future messages, which must be honored immediately.
Utilizing the Reassigned Numbers Database
The revised procedures also include a Safe Harbor provision for entities that make it a common practice to subscribe to and cross reference the Reassigned Numbers Database before placing autodialed or prerecorded calls.
While financial institutions are not required to search the Reassigned Numbers Database, they are now incentivized to utilize the Database as a safeguard from potential TCPA liabilities.
For example, if a customer previously consented to receive automated calls from a financial center, but their phone number has since been reassigned to a different subscriber, the financial center may be liable under the TCPA for autodialing that same number and reaching the new, non-consenting subscriber.
The Safe Harbor provision eliminates this liability so long as the financial institution can demonstrate that it searched the phone number in the Reassigned Numbers Database and received a “no” response, indicating that the number was not permanently disconnected after consent by the first customer was given.
What This Means for Financial Institutions
Going forward, each financial institution should expect its federal regulator — even if that is not the OCC — to examine its policies and practices for communicating with its customers via automated phone calls and texts. This includes examination of the financial institution’s internal TCPA compliance policies, training, and incident-monitoring procedures.
If your financial institution offers mobile banking or partners with a consumer-facing fintech to provide banking services, a TCPA compliance program is a crucial form of risk mitigation.
Failure to have and maintain a robust TCPA compliance program can expose financial institutions to fines or, worse, a formal enforcement action.
Updating your institution’s TCPA compliance procedures and policies will prove to be a valuable investment as the OCC begins what may be a more active period in TCPA enforcement.
About Our Authors
Amy Hanna Keeney (CIPP/US) is the Adams and Reese Financial Services Regulatory and Compliance Team Leader. A Partner practicing in the Atlanta office, Amy assists banks, credit unions, and non-bank financial service providers launch and service new financial products, and helps them navigate the complex regulatory landscape for fintech services and products. Amy has an in-depth understanding of financial privacy rights and how those impact a financial institution or service provider's third-party risk management program.
Louis Ursini is the Adams and Reese Financial Services Practice Group Leader. A Partner practicing in the Tampa office, Louis is a financial services litigator with more than two decades representing national and regional retail banks, lenders, fintech providers, online payment processing servicers, investors, credit card issuers, mortgage servicers, and debt buying and collection professionals. Louis also acts as national coordinating counsel for large financial institutions.
Emory Powers is a member of the Adams and Reese Financial Services team. An Associate practicing in the Houston office, Emory serves businesses and financial institutions in litigation matters, including commercial and fiduciary disputes, and provides regulatory advice, taking a proactive approach to identify potential risks and protect clients' unique interests.
 More information on the Reassigned Numbers Database can be found at Reassigned Numbers Database | Federal Communications Commission (fcc.gov) and Reassigned Numbers Database | RND.
 The Reassigned Numbers Database may provide one of three responses to any query. A response of “no data” or “yes” means the Safe Harbor provision does not apply because the number searched has been permanently disconnected at some point after consent was given, or there is insufficient data to provide a response. A response of “no” means the Safe Harbor provision may apply because the number searched was not permanently disconnected after consent was given.