CFPB Regulation F FDCPA new rules

Nov 08, 2021

Key takeaways

cyber virus under microscope

New updates to CFPB Regulation F represent the first significant changes to the FDCPA since it was established in 1977.

cyber virus under microscope

The changes strengthen consumer protections by clarifying rules within the context of new technology and establishing additional disclosures for consumers.

cyber virus under microscope

Creditors and servicers should review their internal collection practices, and those that work with third-party debt collectors and debt buyers should review their third-party compliance efforts.

Anti-money laundering Cybersecurity consulting

Regulation F has implemented the Fair Debt Collection Practices Act (FDCPA) since its enactment in 1977. The FDCPA prohibits debt collectors from engaging in harassment or abuse, making false or misleading representations, or engaging in unfair practices in debt collection, by restricting debt collectors' communications with consumers and other parties and requiring disclosures to consumers concerning the debts they owe.

In October 2020 the CFPB proposed revisions to Regulation F to further address communications and prohibitions in connection with debt collection. In December 2020 it amended Regulation F to clarify rules around collectors’ initial contact with consumers and provide a model collections notice; prohibit legal actions for time-barred debt; and establish requirements for furnishing consumer debt information to consumer reporting agencies. All revisions are slated to take effect Nov. 30, 2021.

The updates are the first significant changes to the FDCPA since its enactment in 1977. The CFPB’s final rules strengthen consumer protections established under the act by, among other things, clarifying application of the rules in the context of newer communication technologies and providing for additional disclosures to consumers.

Highlights of the final rules include:

  • Definition of certain terms used in the regulation, including “limited-content message”—a voicemail message that a debt collector may leave for a consumer that is not a communication under the FDCPA and therefore not subject to certain requirements or restrictions. To meet the limited-content message definition, a voicemail message must include only specific information, with limited exceptions.
  • Clarification that a consumer need not use specific words to assert that a time or place is inconvenient for debt collection communications.
  • Identification of newer communication technologies, such as emails and text messages, that may be used in debt collection, with certain limitations to ensure consumer protections. The final rules require that email or text messages provide consumers a reasonable and simple method of opting out of such communications.
  • Restrictions against repeated or continuous telephone calls, limiting a debt collector to no more than seven calls to a consumer within a seven-day period or within seven days of a single call. The final rule also lists factors that may rebut the presumption of compliance or of a violation.
  • Description of how a collector must handle consumer disputes, including duplicative disputes, as well as requests for original creditor information.
  • Specific provisions for record retention; prohibitions on the sale, transfer or placement of certain debts; and communications with personal representatives for deceased consumers.
  • Information debt collectors must send consumers at the outset of collection activities, such as itemization of the debt and a plain-language disclosure detailing how a consumer may respond to a collection attempt, including how to dispute the debt. Additionally, the disclosure must include a “tear-off” that consumers can send back to the debt collector in response to the collection attempt.
  • Prohibition against filing or threatening to file suit on time-barred debts.
  • Restriction against a debt collector furnishing information about a debt to a consumer reporting agency unless the collector has communicated the debt to the consumer via telephone, letter or electronic message.
  • Model disclosure forms for use by debt collectors.

Creditors and servicers—including but not limited to banks, credit unions, automobile and private student loan lenders, mortgage servicers and credit card issuers—that engage with third-party debt collectors and debt buyers should be aware of the new rules, and conduct a thorough review of their third party’s compliance efforts as part of their vendor management program. Since its inception, the CFPB has received thousands of complaints related to debt collection—many involving practices addressed in the finalized rules—and has brought numerous cases and public enforcements against third-party debt collectors. Since 2020, there have been seven public enforcement actions related to FDCPA violations, with civil penalties of $204,000 to $15 million in addition to required consumer redress.

Lastly, creditors and servicers should review their internal collection practices to determine whether any may create or constitute an unfair, deceptive or abusive act or practice (UDAAP) under section 1031 of the Dodd-Frank Act. Although the FDCPA specifically governs third-party collection activities, CFPB Bulletin 2013-07 makes clear that certain provisions of the FDCPA could apply to all persons and service providers protected from UDAAPs under the Dodd-Frank Act.

Related insights

Subscribe to Risk Bulletin

Our cybersecurity, risk and fraud professionals provide regular insights and regulatory compliance updates to help your organization manage risk.