Risks should be assessed before marketing via e-mail
by Andy Zavoina, BOL Guru
E-mail marketing is inexpensive and, if done correctly, can be an effective tool for selling products and services. As with almost
everything else, however, there are compliance aspects to sending e-mail communications.
Those compliance responsibilities begin with a new federal law commonly referred to by its acronym, “CAN SPAM.” The “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003” was signed into law in December 2003. It was effective Jan. 1, 2004. There is no warm-up period or phase-in.
Michael Goodman, staff attorney for the Federal Trade Commission (FTC), has stated they will target spammers immediately.
The initial cases will be those scamming customers and taking dollars via deceptive means. Those spammers not inflicting
economic harm will be further down the list.
While these issues do need to be addressed now, what is required of you will vary depending on how involved you are in
sending applicable messages. Certainly there should be no financial institutions on this first tier of projected enforcement.
While your first thought may be that CAN SPAM doesn’t apply to you, the definitions are integral and may change your mind.
“Spam,” as it is defined, may very well encompass the e-mail you send to your customers and customers-to-be. It reaches far
beyond the Viagra and weight loss advertisements we typically associate with “real spam.”
Key definitions you must be familiar with (italicized text is from the Act) include:
“Commercial electronic mail message” means any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.
It is important to note that “primary purpose” is not a defined term yet, but should be included in the pending regulation.
The term “commercial electronic mail message” does not include a transactional or relationship message.
This could be a notice of change in terms, a purchase receipt and the like. It is not the kind of relationship exclusion often
seen in marketing regulations, where anything is okay for 18 months if you have an existing relationship; it is a more limited exclusion.
By relationship, it means, in general terms, a recent transaction or information on an existing account. If you append sales information
to a relationship message, the yet undefined term “primary purpose” will increase in importance: if the primary purpose of your
message is seen to be promotion of a commercial product or service rather than a transactional or relationship
message, it would not be exempt.
Whether your message is clearly transactional or clearly a commercial electronic mail message will depend on how clearly you differentiate
its content.
And, “electronic mail message” means a message sent to a unique electronic mail address. The address is a string of characters, consisting of a unique user name or mailbox (commonly referred to as the “local part”) and a reference to an Internet domain (commonly referred to as the “domain part”), whether or not displayed.
So, to be a commercial electronic mail message, it first has to have a defined electronic mail address and be an electronic mail
message. For example, the address John.Doe@abc.com would be a qualified one. Messages sent in your Internet banking product
may well be exempt from this description and may be a new means selected by you for communicating with your customers.
The bottom line is that many types of messages promoting a product will be subject to CAN SPAM. And this is not a "consumer-oriented" law, either. It applies whether the messages are sent to a consumer or any other legal "person."
This anti-spam law will not be a silver bullet, and no one believes that was its intent. It cannot eliminate spam. In fact, one criticism is that it legalizes spam:
it now provides rules that, when followed, make a message defensible as completely legal. And spammers moving out of the
United States will be outside the reach of this law.
As a federal law, CAN SPAM specifically pre-empts 38 state laws which had similar intentions. In some cases, those were more
burdensome, and conforming to each would have been difficult at best. Now you have only one law to follow. Some attributes of CAN
SPAM pertaining to messages include:
The requirement to clearly identify unsolicited e-mail as an advertisement. While some state rules required "adv" or "advert" in the subject line, this law does not require that.
The requirement to include clear and conspicuous opt-out instructions within the message.
The requirement to include the sender's physical postal address within the message.
The prohibition against "header information" or a subject line containing false, misleading or inaccurate information.
The FTC will have the lead role in producing the regulation and implementing this law. Enhancements may be made to best define
what a transactional message is. They will determine if the current rule of processing an opt-out request within 10 business days is
sufficient, too long or too short. Banking regulators will still have enforcement authority over their respective financial institutions. The regulators have not yet produced guidance for examinations. As they work with the FTC to develop the regulations, the hope is that there will be unified audit procedures.
The Federal Communications Commission also will have authority over spam as it relates to wireless transmissions. Comment periods will be announced as proposed regulations are developed. Because of the flexibility allowed in the Act, the regulations may clarify some
issues and internal bank policy and procedures may require amendments as a result.
While you likely do not consider your bank to be a hard-core spammer, the absence of a policy, procedures and controls may leave
your bank open to criticism and exposed to potential losses.
You should develop an action plan to evaluate where your financial institution is and what it sends:
Who sends what e-mail? This inquiry goes beyond the obvious messages sent by marketing and drills down to the branch managers, commercial lenders and new accounts clerks who are "incentivised" and may occasionally contact some of their better customers about special programs and rates. It should include a review of electronic newsletters and may include rate sheets when sent as advertisements. Divide out what is allowed as "transactional," using the appropriate definitions.
You should have a specific e-mail policy and procedures, or you may address the subject within the context of an
Internet Acceptable Use Policy. Either way, specific sections should address this issue and prevent applicable messages from
being sent if they do not conform to the rules.
All e-mail users should be trained on what is and is not permissible. If employees are not trained and this practice has been acceptable in the past, how are they to know now that the rules changed? Training is a necessity and must include new users as well.
Work with your IT department to determine what controls they can put in place to prevent and detect unauthorized e-mail.
They may be able to monitor volumes sent, as an example. If you see a spike from one sender, this may indicate that they were
attempting to send a batch of e-mail to current or prospective customers. It may instead mean that a security breach has occurred and
their account is being hijacked by a spammer, or that their return address is being spoofed by a virus or worm. This may also be evident if
a large number of messages are suddenly coming back as undeliverable. There may also be keywords that could be added to your filters on outbound messages to detect messages being sent in an unauthorized manner.
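The monitoring controls just described (per-sender volume spikes, a surge of undeliverable mail, and marketing keywords from senders who are not supposed to be sending advertisements) can be run over an outbound mail log. The following is an added example, not code from the article or from any mail product; the log format, the keyword list, the approved-sender list and the traffic itself are constructed for the illustration.

```python
"""Outbound e-mail monitoring: per-sender hourly volume spikes, bounce surges
and marketing keywords from senders not approved to send advertisements.
Added example code, not from the article or any mail product; the log
format below is a constructed, simplified one."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format (hypothetical): timestamp | sender | recipient | subject | status
def _line(ts, sender, rcpt, subject, status):
    return f"{ts:%Y-%m-%d %H:%M:%S} | {sender} | {rcpt} | {subject} | {status}"

def build_sample_log():
    """Synthesise one day of traffic: a branch manager and the marketing team
    behaving normally, and one account that suddenly blasts a burst of
    marketing mail with a high bounce rate (as a hijacked or spoofed
    account would)."""
    day = datetime(2004, 1, 5)
    lines = []
    for hour in (8, 9, 10, 11, 12):                      # jsmith: 2 per hour
        for i in range(2):
            lines.append(_line(day + timedelta(hours=hour, minutes=i),
                               "jsmith@bank.example", f"c{hour}{i}@example.net",
                               "Your statement is ready", "sent"))
    for i in range(15):                                   # mktg: one approved batch
        lines.append(_line(day + timedelta(hours=9, minutes=i),
                           "mktg@bank.example", f"list{i}@example.org",
                           "Special CD rates this month",
                           "bounced" if i == 0 else "sent"))
    for hour in (8, 9, 10):                               # tjones: normal morning
        for i in range(2):
            lines.append(_line(day + timedelta(hours=hour, minutes=i),
                               "tjones@bank.example", f"v{hour}{i}@example.net",
                               "Following up on your visit", "sent"))
    for i in range(40):                                   # tjones: afternoon burst
        lines.append(_line(day + timedelta(hours=13, minutes=i),
                           "tjones@bank.example", f"x{i}@example.net",
                           "Guaranteed low rate - act now",
                           "bounced" if i < 30 else "sent"))
    return "\n".join(lines)

def parse_log(text):
    records = []
    for line in text.strip().splitlines():
        ts, sender, rcpt, subject, status = [f.strip() for f in line.split("|")]
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "sender": sender.lower(), "rcpt": rcpt,
                        "subject": subject, "status": status})
    return records

def volume_spikes(records, spike_ratio=5.0, min_messages=10):
    """Flag senders whose busiest hour exceeds spike_ratio times their own
    median hourly volume (and at least min_messages); a sender with a single
    hour of traffic is never flagged on volume alone."""
    hourly = defaultdict(Counter)
    for r in records:
        hourly[r["sender"]][r["ts"].strftime("%Y-%m-%d %H")] += 1
    alerts = {}
    for sender, buckets in hourly.items():
        counts = sorted(buckets.values())
        median, peak = counts[len(counts) // 2], counts[-1]
        if peak >= min_messages and peak > spike_ratio * median:
            alerts[sender] = peak
    return alerts

def bounce_rates(records, min_messages=10):
    """Share of each sender's messages that came back undeliverable."""
    totals, bounced = Counter(), Counter()
    for r in records:
        totals[r["sender"]] += 1
        if r["status"] == "bounced":
            bounced[r["sender"]] += 1
    return {s: bounced[s] / t for s, t in totals.items() if t >= min_messages}

MARKETING_KEYWORDS = ("special", "guaranteed", "rate", "offer")  # constructed list

def unauthorized_marketing(records, approved_senders):
    """Subjects carrying marketing keywords, sent by anyone outside the approved list."""
    return [(r["sender"], r["subject"]) for r in records
            if r["sender"] not in approved_senders
            and any(k in r["subject"].lower() for k in MARKETING_KEYWORDS)]

def analyze(log_text, approved_senders=("mktg@bank.example",)):
    records = parse_log(log_text)
    return {"spikes": volume_spikes(records),
            "bounce_rates": bounce_rates(records),
            "unauthorized_marketing": unauthorized_marketing(records, approved_senders)}

if __name__ == "__main__":
    for name, result in analyze(build_sample_log()).items():
        print(name, result)
```

On the constructed log, the marketing team's single batch of 15 is not flagged on volume (it has only one hour of history), while the account that sends 40 messages in an hour after a morning of two per hour is flagged by all three checks: the spike, a bounce rate around 65 percent, and marketing subjects from a sender who is not on the approved list. Each of those is an alert to investigate, not proof of a breach.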
Have opt-out procedures in place. A recipient who opts out does so by address. So, more than one address can require more than one opt-out request. You may allow for opt-outs of specific types of messages or of all messages. (The latter should be an option if you provide a list.) It should be Internet-based, and the opt-out is permanent unless the person requests otherwise. You
have 10 business days to remove the requester from your lists after they submit the opt-out request. The mechanism you select must
be in effect for at least 30 calendar days. This is the minimal opt-out period.
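The message attributes listed earlier (identification as an advertisement, opt-out instructions, a postal address, truthful headers) and the per-address opt-out procedure can be enforced as a pre-send gate that refuses a message before it leaves the institution. The following is an added example, not code from the article or from any vendor; the regular expressions used as checks, the approved sender domains, the suppression-list format and the sample messages are constructed assumptions, and the business-day calculation ignores holidays.

```python
"""Pre-send compliance gate for commercial e-mail. Added example code; the
check rules, approved domains, suppression list and sample messages are
constructed assumptions, not regulatory text or any vendor's product."""
import re
from datetime import date, timedelta
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical: domains this institution is allowed to send from.
APPROVED_SENDER_DOMAINS = {"bank.example"}

# Constructed suppression list: lower-cased address -> date the opt-out was received.
SUPPRESSION_LIST = {"optedout@example.net": date(2004, 1, 2)}

# Heuristic checks (assumptions of this example, not legal definitions).
AD_LABEL = re.compile(r"\badvertisement\b", re.I)
OPT_OUT = re.compile(r"\b(unsubscribe|opt[- ]?out)\b", re.I)
URL = re.compile(r"https?://\S+")                      # "Internet-based" opt-out
POSTAL = re.compile(r"\b[A-Z]{2} \d{5}(-\d{4})?\b")    # "State ZIP" pattern

def opt_out_deadline(received, business_days=10):
    """Last day by which an opt-out received on `received` must be honoured,
    counting Monday-Friday only (holidays are ignored in this example)."""
    d, remaining = received, business_days
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            remaining -= 1
    return d

def is_suppressed(address, on_date):
    """Opt-outs apply per address and are permanent; suppress from the day
    the request was received rather than waiting for the deadline."""
    received = SUPPRESSION_LIST.get(address.lower())
    return received is not None and on_date >= received

def sender_domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def compliance_issues(msg, send_date, recipients):
    """Return a list of problems; an empty list means the message may go out."""
    issues = []
    if not msg["From"]:
        issues.append("missing From header")
    for header in ("From", "Reply-To"):          # header information must not mislead
        if msg[header] and sender_domain(msg[header]) not in APPROVED_SENDER_DOMAINS:
            issues.append(f"{header} header not from an approved domain")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if not AD_LABEL.search(text):
        issues.append("not identified as an advertisement")
    if not (OPT_OUT.search(text) and URL.search(text)):
        issues.append("no Internet-based opt-out instructions")
    if not POSTAL.search(text):
        issues.append("no physical postal address")
    blocked = sorted(r for r in recipients if is_suppressed(r, send_date))
    if blocked:
        issues.append("suppressed recipients: " + ", ".join(blocked))
    return issues

def build_message(body, sender="mktg@bank.example", reply_to=None):
    """Construct a sample message (hypothetical content)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "Special CD rates this month"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    return msg

COMPLIANT_BODY = """\
This message is an advertisement from Example Bank.
Our 12-month CD now earns a competitive rate.

To opt out of future offers, visit https://bank.example/optout
Example Bank, 100 Main Street, Anytown, TX 75001
"""
NONCOMPLIANT_BODY = "Great rates! Call your branch today."

if __name__ == "__main__":
    today = date(2004, 1, 5)
    print("compliant:", compliance_issues(build_message(COMPLIANT_BODY), today, ["cust@example.net"]))
    print("non-compliant:", compliance_issues(
        build_message(NONCOMPLIANT_BODY, reply_to="offers@freemail.example"),
        today, ["optedout@example.net", "cust@example.net"]))
    print("opt-out of 2004-01-02 must be honoured by", opt_out_deadline(date(2004, 1, 2)))
```

The suppression check keys on the full address, which is why two addresses belonging to the same person each need their own opt-out record, as the text says. The gate refuses the second sample message on five counts: a Reply-To outside the approved domains, no advertisement identification, no Internet-based opt-out, no postal address, and a recipient who has already opted out.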
Include a review of e-mail in your IT audits. There are no regulator-approved questionnaires. Penalties for violations of the CAN SPAM law include, for criminal offenses, up to five years imprisonment, unlimited fines and seizure and forfeiture of
spamming equipment and the profits from it. Civil actions by states may include actual damages, $750 per spam message up
to $6 million and reasonable attorney fees. Individuals have no cause of action under this law.