According to the Telephone Consumer Protection Act, it's illegal to robocall a mobile phone number without permission. The American Bankers Association wants to change that, arguing that robocalls will help fight identity theft and other kinds of fraud. Opponents say that's an overreach, one that will erode an important consumer protection.
"Gee, I can't talk right now. Why don't you give me your home number and I'll call you later."
That's how Jerry Seinfeld memorably got rid of telemarketers, but for most of us getting a robocall is no laughing matter. It can cost you money, and beyond that it's just annoying. In fact, since 2003, more than 223 million Americans have registered with the Federal Trade Commission's National Do Not Call Registry. It helps, but you may have noticed the calls keep coming in. There are services and apps that may help, and, of course, there's the TCPA.
The latter protection is the reason a group of more than 75 national and state organizations, via the National Consumer Law Center, sent an open letter last week to the FCC urging the commission to keep in place important consumer and privacy protections for mobile phone users and to deny the American Bankers Association's petition for exemptions to existing rules.
At first glance, the exemptions requested by the American Bankers Association look pretty reasonable. The ABA wants banks to have the ability to unleash the robots for data breach notifications and when fraud is suspected.
According to the letter sent out by the NCLC and its co-signers, "the proposed changes that the FCC is considering will open the floodgates for 'wrong number' calls to cell phones. This would not only be an improper interpretation of the TCPA, but it would gut essential privacy rights of cell phone users." While the ABA stated that the calls will not eat up mobile phone users' minutes, the NCLC letter contends "the banks have not yet demonstrated or explained how they could guarantee that these calls would not impact recipients' phone bills."
Why the Robocall?
Assume for the moment the above issues can be sorted out. There is no downside to immediate notification that your personal identifying information has been breached. Similarly, the other exemptions petitioned by the ABA include notification when an account has been compromised or fraud is suspected and when an institution wants to share information that may help remedy fraudulent activity.
In theory, the above notifications are a win for everyone. But we do not yet have a federal breach notification law, and even if the ABA modeled its notification policy on the most stringent existing state laws, there is no indication that the notification will be immediate--just that the notification will be accomplished by robot.
"Financial institutions have found that automated communications are best suited to achieve these goals," the ABA argued. It's a well-crafted sentence, but it's hard not to wonder if it may simply be putting a nice spin on a cost-cutting move for the institutions that the ABA represents. Robocalls are a lot cheaper than operators.
While it's a stretch to expect strong breach notification and cybersecurity laws any time soon given the current climate in Washington, that's precisely what would be needed to make the ABA petition worthwhile to the public.
The Right Way to Do This
It's worth considering what form these notifications would take, since the nature of those robocalls could either have the desired effect of alerting consumers to an issue, or the unintended consequence of opening people up to scams that will be built off the new mode of communication. My worry is that consumers will become used to getting these robocalls, and fraudsters will invade that new comfort zone. If the FCC were to allow the exemptions that the ABA has requested, I would like to see strict guidelines about the kinds of instructions that those calls can provide.
For a robocall system to work, it would not be enough for it to say, "Please call the number on the back of your XYZ card for further instructions." Many institutions subcontract to identity theft resolution companies that set up a dedicated phone number to handle client inquiries, but robocommunications are easily spoofed. What's to keep a fraudster from creating a number and harvesting information? It could be the right answer is to send clients to the compromised institution's website for further instructions. Regardless, because the creation of a new service will always bring with it new opportunities for scam artists, these issues will have to be carefully assessed and addressed.
Any additional fighting capacity in the war against identity-related crime is to be welcomed, but it is important to make sure that new initiatives have public interest in mind, as opposed to bottom-line considerations. Ideally, the bottom line and the best interests of consumers are aligned. In our less than perfect world, however, one needs to negotiate.