We understand that a bank collecting its own debts would not be considered a “debt collector” under the Fair Debt Collection Practices Act (FDCPA), but what about third parties that collect debts for our bank, such as collection agencies or tow companies that repossess vehicles? Also, does a bank have any due diligence obligations under the FDCPA? Our contract with one of our collection agencies indicates that they must comply with all federal, state, and local laws and regulations. Is this sufficient under the FDCPA?

Yes, third party collection agencies and tow companies that you contract with to collect consumer debts and repossess automobiles for your bank would be considered “debt collectors” under the FDCPA. Additionally, we believe that you should conduct due diligence on all third-party debt collectors to manage associated risks. Such due diligence should go beyond requiring compliance with all applicable laws and regulations.

FDCPA Definition of “Debt Collectors”

Under the FDCPA, as implemented by Regulation F, a “debt collector” is “any person . . . in any business the principal purpose of which is the collection of debts, or who regularly collects . . . debts owed or due . . . to another.” While your bank would not be considered a “debt collector” when collecting its own debts — provided that it uses its own name when collecting such debts — a third-party debt collection agency hired by your bank to collect your bank’s debts would be considered a debt collector.

Additionally, for purposes of Regulation F’s requirements for nonjudicial repossessions (as well as nonjudicial actions to disable property), the definition of “debt collector” includes any person “in any business the principal purpose of which is the enforcement of security interests.” Consequently, a tow company that repossesses vehicles for your bank would also be considered a “debt collector” for certain purposes under Regulation F.

There are several exceptions to the definition of “debt collector,” but we do not believe those exceptions would apply to an unaffiliated collection agency or tow company collecting debts or repossessing automobiles on behalf of your bank.

Due Diligence for Debt Collection Agencies

An important point regarding your contractual requirement to comply with applicable laws and regulations is that banks “cannot outsource the responsibility for complying with laws and regulations” to a third party. Consequently, we do not believe it is sufficient to require compliance with all applicable laws and regulations in a contract, without monitoring for compliance. Additionally, your bank should address the regulatory expectations for pre- and post-contract due diligence found in interagency and OCC guidance, as described below.

While the FDCPA does not impose any due diligence requirements, the Interagency Guidance on Third-Party Relationships states that due diligence should include “assessing a third party’s ability to perform the activity as expected, adhere to a banking organization’s policies, comply with all applicable laws, regulations, and requirements, and operate in a safe and sound manner.” (This Interagency guidance has been proposed but not yet finalized, but it is based on the OCC’s existing third-party risk management guidance.)

The OCC, your primary federal regulator, has released Risk Management Guidance on consumer debt sales, which would include transactions in which the debt buyer collects the debts (or engages with another collection agent to do so). This OCC guidance recommends that before entering into a contract, banks should assess a potential debt buyer’s background, experience, past performance, and record of compliance with consumer protection laws and regulations — including the FDCPA, among several other laws.  

The OCC guidance also advises on several elements of your written contracts with debt buyers. Among other items, the OCC recommends that your contracts clearly delineate responsibility for consumer protection laws, require debt buyers “to comply with applicable laws and consumer protections,” and “include minimum-service-level agreements in debt-sale arrangements to promote fair and consistent treatment of customers,” among several other contractual considerations. 

Beyond contractual considerations, the OCC guidance also recommends monitoring the implementation of contracts after they are executed. This ongoing due diligence should include “(1) reviewing the debt-buyer’s annual financial statements to ensure ongoing financial strength, (2) remaining alert for any relevant adverse information about the debt-buyer’s principals, and (3) monitoring the bank’s complaints for any potential adverse treatment of consumers by the debt buyer,” among other items.

While your bank is not supervised by the CFPB, that agency’s Debt Collection Examination Procedures may be helpful as guidance specific to the use of third-party collection agencies. These procedures state that examiners should assess whether an entity using a debt collection service provider reviews the service providers’ policies, procedures, internal controls, and training materials, includes in its contracts with its service providers clear expectations about compliance with federal consumer financial laws, establishes internal controls and ongoing monitoring to determine the service provider’s compliance with federal consumer financial law, and takes prompt action to address any problems identified.

For resources related to our guidance, please see:

  • Regulation F, 12 CFR 1006.2(i)(1) (“Debt collector means any person who uses any instrumentality of interstate commerce or mail in any business the principal purpose of which is the collection of debts, or who regularly collects or attempts to collect, directly or indirectly, debts owed or due, or asserted to be owed or due, to another. Notwithstanding paragraph (i)(2)(vi) of this section, the term debt collector includes any creditor that, in the process of collecting its own debts, uses any name other than its own that would indicate that a third person is collecting or attempting to collect such debts. For purposes of § 1006.22(e), the term also includes any person who uses any instrumentality of interstate commerce or mail in any business the principal purpose of which is the enforcement of security interests.”)
  • Regulation F, 12 CFR 1006.22(e) (“A debt collector must not take or threaten to take any nonjudicial action to effect dispossession or disablement of property if:

(1) There is no present right to possession of the property claimed as collateral through an enforceable security interest;

(2) There is no present intention to take possession of the property; or

(3) The property is exempt by law from such dispossession or disablement.”)

(i) Any officer or employee of a creditor while the officer or employee is collecting debts for the creditor in the creditor’s name;

(ii) Any person while acting as a debt collector for another person if:

      (A) The person acting as a debt collector does so only for persons with whom the
      person acting as a debt collector is related by common ownership or affiliated by
      corporate control; and

      (B) The principal business of the person acting as a debt collector is not the
      collection of debts;

(iii) Any officer or employee of the United States or any State to the extent that collecting or attempting to collect any debt is in the performance of the officer’s or employee’s official duties;

(iv) Any person while serving or attempting to serve legal process on any other person in connection with the judicial enforcement of any debt;

(v) Any nonprofit organization that, at the request of consumers, performs bona fide consumer credit counseling and assists consumers in liquidating their debts by receiving payment from such consumers and distributing such amounts to creditors;

(vi) Any person collecting or attempting to collect any debt owed or due, or asserted to be owed or due to another, to the extent such debt collection activity:

      (A) Is incidental to a bona fide fiduciary obligation or a bona fide escrow
      arrangement;

      (B) Concerns a debt that such person originated;

      (C) Concerns a debt that was not in default at the time such person obtained it; or

      (D) Concerns a debt that such person obtained as a secured party in a
      commercial credit transaction involving the creditor; and

(vii) A private entity, to the extent such private entity is operating a bad check enforcement program that complies with section 818 of the Act.”)

  • FFIEC, Uniform Interagency Consumer Compliance Rating System, 81 Fed. Reg. 79473, 79478 (November 14, 2016) (“While an institution's management may make the business decision to outsource some or all of the operational aspects of a product or service, the institution cannot outsource the responsibility for complying with laws and regulations or managing the risks associated with third-party relationships.”)
  • Proposed Interagency Guidance on Third-Party Relationships: Risk Management, 86 Fed. Reg. 38182, 38189 (July 19, 2021) (“Conducting due diligence on third parties before selecting and entering into contracts or relationships is an important risk management activity. . . . Due diligence will include assessing a third party’s ability to perform the activity as expected, adhere to a banking organization’s policies, comply with all applicable laws, regulations, and requirements, and operate in a safe and sound manner.”)
  • Proposed Interagency Guidance on Third-Party Relationships: Risk Management, 86 Fed. Reg. 38182, 38184 (July 19, 2021) (“The proposed guidance is based on the OCC’s existing third-party risk management guidance from 2013 . . . .”)
  • OCC Bulletin 2014-37, Consumer Debt Sales: Risk Management Guidance (August 4, 2014) (“Banks should perform appropriate due diligence before entering into debt-sale arrangements with debt buyers. For example, banks should assess the potential debt buyers’ background, experience, and past performance, including consumer complaints about the debt buyers, and assess steps taken by debt buyers to investigate and resolve the complaints. . . . In addition, banks contemplating entering into a relationship with debt buyers should first assess the debt buyer’s record of compliance with consumer protection laws and regulations”)
  • OCC Bulletin 2014-37, Consumer Debt Sales: Risk Management Guidance (August 4, 2014) (“Debt-sale arrangements between banks and debt buyers should clearly specify each party’s duties and obligations regarding confidential customer information, and should include provisions requiring debt buyers to comply with applicable laws and consumer protections. . . . Regardless of the structure of the arrangements, the duties and obligations of the parties, particularly provisions for confidentiality and information security, should be clearly delineated in the contracts, as should responsibility for compliance with applicable consumer protection laws. . . . In addition, banks should include minimum-service-level agreements in debt-sale arrangements to promote fair and consistent treatment of customers, applicable whether debt buyers conduct the collection activities or employ other collection agents.”)
  • OCC Bulletin 2014-37, Consumer Debt Sales: Risk Management Guidance (August 4, 2014) (“Regardless of the structure of the arrangement, the bank’s appropriate oversight of the debt-sale arrangement is important to minimize the bank’s exposure to potential reputation damage and supervisory action. In addition to monitoring the implementation of the sales contract, particularly when the bank is engaged in a forward-flow arrangement with a debt buyer, the bank should consider, as applicable, (1) reviewing the debt-buyer’s annual financial statements to ensure ongoing financial strength, (2) remaining alert for any relevant adverse information about the debt-buyer’s principals, and (3) monitoring the bank’s complaints for any potential adverse treatment of consumers by the debt buyer.”)
  • CFPB, Examination Procedures — Debt Collection, page 6 (March 2022) (“Determine whether the entity uses any service providers in conducting its debt collection activities. If so: . . . Assess whether the entity:

i. Requests and reviews the service providers’ policies, procedures, internal controls, and training materials to ensure that the service providers conduct appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;

ii. Includes in its contracts with its service providers clear expectations about compliance with Federal consumer financial laws as well as appropriate and enforceable consequences for violating any compliance-related responsibilities;

iii. Establishes internal controls and ongoing monitoring to determine whether its service providers are complying with Federal consumer financial law; and

iv. Takes prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate. See CFPB Bulletin 2016-02 (October 31, 2016).”)