ELECTRONIC COMMUNICATIONS POLICY

OVERVIEW

Understanding the details of the laws, regulations, and guidelines that surround electronic communications is crucial for organizations before devising and implementing email or text messaging campaigns. This set of requirements includes:

• Telephone Consumer Protection Act (and implementing regulation 47 C.F.R.§64.1200)

• Cellular Telecommunications Industry Association’s Common Short Code Monitoring Handbook

• Cellular Telecommunications Industry Association’s Messaging Principles and Best Practices

• CAN-SPAM Act

TELEPHONE CONSUMER PROTECTION ACT 47 U.S.C.§227 (TCPA)

The TCPA is the primary federal law governing the regulation of telephone solicitations. It was first signed into law in 1991 and has remained the bedrock of federal telemarketing regulations ever since. The TCPA covers any person, business, or entity that sends voice calls, faxes, VoIP calls, and text messages (SMS). Multiple Federal Communications Commission (FCC) Declaratory Rulings have reaffirmed that text messages are subject to the same TCPA restrictions as voice calls to cell phones. As it relates to restrictions around the use of text messages, section 227 (b)(1)(A) of the TCPA states:

1. It shall be unlawful for any person within the United States, or any person outside the United States if the recipient is within the United States - (A) to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice - (i) to any emergency telephone line (including any “911” line and any emergency line of a hospital, medical physician or service office, health care facility, poison control center, or fire protection or law enforcement agency); (ii) to the telephone line of any guest room or patient room of a hospital, health care facility, elderly home, or similar establishment; or (iii) to any telephone number assigned to a paging service, cellular telephone service, specialized mobile radio service, or other radio common carrier service, or any service for which the called party is charged for the call;

Terms defined in section §227(a) the TCPA:

• An automatic telephone dialing system (ATDS) means equipment which (A) must have the capacity either to store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator and (B) to dial such numbers.

• The term established business relationship includes a relationship between a person or entity and a business subscriber subject to the same terms applicable under such section to a relationship between a person or entity and a residential subscriber.

• The term telephone solicitation means the initiation of a telephone call or message for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services, which is transmitted to any person, but such term does not include a call or message:

  • (i) To any person with that person's prior express invitation or permission;

  • (ii) To any person with whom the caller has an established business relationship; or

  • (iii) By or on behalf of a tax-exempt nonprofit organization.

CELLULAR TELECOMMUNICATIONS INDUSTRY ASSOCIATION (CTIA)

The CTIA is a trade association representing wireless carriers and suppliers, and manufacturers and providers of wireless products and services. The Messaging Principles and Best Practices primarily addresses wireless messaging services that use 10-digit telephone numbers assigned from the NANP as the unique identifier for the sender and/or recipient(s) of individual or group messages. The Common Short Code Monitoring Handbook describes best practices for short message services (SMS), multimedia messaging services (MMS), and free-to-end-user (FTEU) programs that use Short Code.

The four Guiding Principles listed below provide the baseline for all requirements:

1. Display clear calls-to-action. All calls to action must be clearly and unambiguously displayed. Consumers must be made aware of what they are signing up to receive relating to a specific program.

2. Provide applicable consent mechanisms. Message Senders should support opt-in mechanisms, and messages should be sent only after the Consumer has opted-in to receive them, giving Consumers sufficient control of the messages they receive.

3. Send opt-in confirmation messages. A Consumer’s opt-in must be confirmed in the first message sent to the Consumer. For single-message programs, the confirmation message content may be part of a single message that a Message Sender sends after a Consumer has opted in. For recurring-messages programs, confirmation messages must include clear opt-out instructions.

4. Acknowledge and honor opt-out requests. Message Senders must acknowledge and act on all opt-out requests. Monitoring procedures confirm successful opt-out.

A Call-to-Action should ensure that Consumers are aware of: (1) the program or product description; (2) the telephone number(s) or short code(s) from which messaging will originate; (3) the specific identity of the organization or individual being represented in the initial message; (4) clear and conspicuous language about opt-in and any associated fees or charges; and (5) other applicable terms and conditions (e.g., how to opt-out, customer care contact information, and any applicable privacy policy).

Message Senders of recurring messaging campaigns should provide Consumers with a confirmation message that clearly informs the Consumer they are enrolled in the recurring message campaign and provides a clear and conspicuous description of how to opt-out. After the Message Sender has confirmed that a Consumer has opted-in, the Message Sender should send the Consumer an opt-in confirmation message before any additional messaging is sent. The confirmation message should include: (1) the program name or product description; (2) customer care contact information (e.g., a toll-free number, 10-digit telephone number, or HELP command instructions); (3) how to opt-out; (4) a disclosure that the messages are recurring and the frequency of the messaging; and (5) clear and conspicuous language about any associated fees or charges and how those charges will be billed.

Opt-out mechanisms facilitate Consumer choice to terminate messaging communications, regardless of whether Consumers have consented to receive the message. Message Senders should acknowledge and respect opt-out requests consistent with the following guidelines:

• Message Senders should ensure that Consumers have the ability to opt-out of receiving Messages at any time;

• Message Senders should support multiple mechanisms of opt-out, including phone call, email, or text; and

• Message Senders should acknowledge and honor all Consumer opt-out requests by sending one final opt-out confirmation message per campaign to notify the Consumer that they have opted-out successfully. No further messages should be sent following the confirmation message.

• Message Senders should state in the message how and what words affect an opt-out. Standardized “STOP” wording should be used for opt-out instructions, however opt-out requests with normal language (i.e., stop, end, unsubscribe, cancel, quit, “please opt me out”) should also be read and acted upon by a Message Sender except where a specific word can result in unintentional opt-out. The validity of a Consumer opt-out should not be impacted by any de minimis variances in the Consumer opt-out response, such as capitalization, punctuation, or any letter-case sensitivities.

Terms defined by the CTIA:

• A Call-to-Action is an invitation to a Consumer to opt-in to a messaging campaign.

• A Consumer is an individual person who subscribes to specific wireless messaging services or messaging applications. Consumers do not include agents of businesses, organizations, or entities that send messages to Consumers.

• Consent is an individual subscriber’s election to participate in a messaging campaign.

• A Non-Consumer (A2P) is a business, organization, or entity that uses messaging to communicate with Consumers. Examples may include, but are not limited to, large-to-small businesses, financial institutions, schools, medical practices, customer service entities, non-profit organizations, and political campaigns.

• Wireless Providers own and operate radio, telephone, and data networks and offer Consumers a wide variety of wireless communications products and services, including wireless messaging services such as SMS, MMS, and RCS.

• Connection Aggregators offer a variety of value-added services to enterprise customers, including messaging connectivity with multiple Wireless Providers. Unlike ICVs, Connection Aggregators do not typically support inter-carrier peering traffic.

• A Message Sender or Sender is any Service Provider or Non-Consumer that originates or transmits A2P message traffic.

• Unwanted Messages may include unsolicited bulk commercial messages (i.e., spam); “phishing” messages intended to access private or confidential information through deception; other forms of abusive, harmful, malicious, unlawful, or otherwise inappropriate messages; messages that required an opt-in but did not obtain such opt-in (or such opt-in was revoked); and unwanted content noted in Content section 5.3 (i.e., (1) is unlawful, harmful, abusive, malicious, misleading, harassing, excessively violent, obscene/illicit, or defamatory; (2) deceives or intends to deceive (e.g., phishing messages intended to access private or confidential information); (3) invades privacy; (4) causes safety concerns; (5) incites harm, discrimination, or violence; (6) is intended to intimidate; (7) includes malware; (8) threatens Consumers; or (9) does not meet age-gating requirements)

CONTROLLING THE ASSAULT OF NON-SOLICITED PORNOGRAPHY AND MARKETING (CAN-SPAM) ACT

The CAN-SPAM Act of 2003 is a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to stop receiving emails, and spells out tough penalties for violations. Congress passed the CAN-SPAM Act to address the problem of unwanted commercial electronic mail messages. To determine if the CAN-SPAM Act covers emails that a business is sending, it must first determine the “primary purpose” of the message. To determine the primary purpose, the type(s) of information contained in the email must first be understood. According to the Act, emails can contain three different types of information:

1. Commercial content – advertises or promotes a commercial product or service, including content on a website operated for a commercial purpose.

2. Transactional or relationship content – facilitates an already agreed-upon transaction or updates a customer about an ongoing transaction or gives information about a change in terms or account balance information regarding an account, loan, or other ongoing transaction.

3. Other content – which is neither commercial nor transactional or relationship.

If the message contains only commercial content, its primary purpose is commercial and it must comply with the requirements of CAN-SPAM. If it contains only transactional or relationship content, its primary purpose is transactional or relationship. In that case, it may not contain false or misleading routing information, but is otherwise exempt from most provisions of the CAN-SPAM Act. When a message contains both kinds of content – commercial and transactional or relationship - if the subject line would lead the recipient to think it’s a commercial message, it’s a commercial message for CAN-SPAM purposes.

As defined in section 3 of the CAN-SPAM Act (15 U.S.C. 7702):

• Commercial electronic mail message means any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose). This term does not include a transactional or relationship message.

• The term affirmative consent, when used with respect to a commercial electronic mail message, means that— (A) the recipient expressly consented to receive the message, either in response to a clear and conspicuous request for such consent or at the recipient’s own initiative; and (B) if the message is from a party other than the party to which the recipient communicated such consent, the recipient was given clear and conspicuous notice at the time the consent was communicated that the recipient’s electronic mail address could be transferred to such other party for the purpose of initiating commercial electronic mail messages.

• The term electronic mail message means a message sent to a unique electronic mail address.

• The term recipient, when used with respect to a commercial electronic mail message, means an authorized user of the electronic mail address to which the message was sent or delivered.

• The term transactional or relationship message means an electronic mail message the primary purpose of which is

  • (i) to facilitate, complete, or confirm a commercial transaction that the recipient has previously agreed to enter into with the sender;

  • (ii) to provide warranty information, product recall information, or safety or security information with respect to a commercial product or service used or purchased by the recipient;

  • (iii) to provide—

    • (I) notification concerning a change in the terms or features of;

    • (II) notification of a change in the recipient’s standing or status with respect to; or

    • (III) at regular periodic intervals, account balance information or other type of account statement with respect to, a subscription, membership, account, loan, or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of products or services offered by the sender;

  • (iv) to provide information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, participating, or enrolled; or

  • (v) to deliver goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender.

PURPOSE

The purpose of this Policy and Procedure (PnP) is to document the laws, regulations, and guidelines that dictate the use of electronic communications and to outline the procedures that Kredit Financial Inc. (Kredit) must employ to comply with these requirements.

POLICY

It is the policy of Kredit to obtain consent from consumers to send transactional email and/or SMS messages prior to sending such communications; and to cease sending such communications upon receiving a consumer’s request to opt out or unsubscribe from a particular channel.

SCOPE

This PnP applies to all electronic communications sent by Kredit.

ROLES AND RESPONSIBILITIES

Kredit’s Chief Compliance Officer (CCO) is responsible for ensuring this Policy contains the most current requirements to comply with the TCPA, the CAN-SPAM Act, and the CTIA’s guidelines, and for developing controls that ensure the requirements are being followed. The CCO is also responsible for reviewing this PnP on an annual basis.

Kredit’s Chief Executive Officer (CEO) is responsible for notifying the CCO of any changes related to the Procedures set forth in this PnP.

Kredit’s Chief Technology Officer (CTO) is responsible for ensuring the identified control(s) are implemented on the Kredit Platform (the Platform).

Kredit’s Director of Network Operations is responsible for processing email and SMS opt-out requests received via the support@trykredit.com email address.

PROCEDURES

Kredit uses third-party service providers to deliver SMS and email alerts to its customers. For SMS, Kredit utilizes a 10-digit toll free number to exchange wireless messages via Wireless Providers’ messaging networks.

CONSENT / OPT-IN

In order for a consumer to establish an account on the Platform, they must either provide a mobile phone number or an email address. By providing this information, the consumer is agreeing to Kredit's Terms of Service and Privacy Policy. Section 10 of the Terms of Service addresses the following items:

• Consent to Electronic Communications

  • Administrative Communications – this section contains the language wherein the consumer is consenting to receive electronic communications from Kredit, “regarding registration, security, privacy, and administrative issues relating to your use of the Service.”

  • o SMS Messaging – this section contains the language wherein the consumer is specifically consenting to receive SMS messages in connection with the use of the Platform and to receive such messages by way of an ATDS. Consumers are also advised that they can opt out of receiving SMS messages by texting the word “STOP” or emailing support@trykredit.com and that additional fees from their wireless carriers may apply.

  • Alerts – this section outlines the types of messages or “alerts” that consumers may receive from Kredit, which includes, “automatic alerts and voluntary account-related alerts.”

After a consumer has successfully created their account on the Platform, they may receive the following types of automatic account-related alerts, including but not limited to:

• Confirmation of opt-in / opt-out communication preference

• Confirmation of single payment or recurring payment schedule set-up (see EFTA_Reg E_Nacha_E-Sign PnP for additional information on recurring payment schedules)

• Notification of upcoming payment

• Notification of successful payment

• Notification of failed payment

• Notification of expiring payment method

• Notification of account resolution

• Notification of change in terms of service

SMS OPT-OUT

Consumers may opt-out of receiving SMS alerts from Kredit at any point by texting the word STOP or sending an email to support@trykredit.com. Opt-out requests with the words STOPALL, UNSUBSCRIBE, CANCEL, QUIT, or END are also accepted and are not impacted by de minimis variances in the consumer opt-out response, such as capitalization, punctuation, or any letter-case sensitivities. Consumers receive the following confirmation upon submitting an opt-out response, “You have successfully been unsubscribed. You will not receive any more messages from this number. Reply START to resubscribe.” Consumers can disable this message stop, and resume receiving messages with the START, YES, or UNSTOP commands. Consumers receive the following confirmation upon submitting a resubscribe response, “You have successfully been re-subscribed to messages from this number. Reply HELP for help. Reply STOP to unsubscribe. Msg&Data Rates May Apply.”

Upon receipt of an opt-out request from a consumer to a particular phone number, Kredit’s third-party provider creates a "block list" entry on their side, which is then passed on to Kredit’s webhook. Once the block list entry is created for a particular consumer’s phone number, any future attempts to message the consumer is met with a 400 response, along with Error Code 21610. Opt-out requests are processed by Twilio the same day they are received.

Upon receipt of a consumer’s request to opt-out of SMS via the support@trykredit.com email address, the consumer’s phone number is manually removed from the third-party provider’s platform.

EMAIL UNSUBSCRIBE

Consumers may opt-out of receiving email alerts from Kredit at any point by either clicking the unsubscribe link that is provided in each email or sending an email to support@trykredit.com with their request. Upon receipt of an unsubscribe request from a consumer to a particular email address, Kredit’s third-party provider adds the email address to the global unsubscribe list and any future attempts to send email to that email address is suppressed.

COMMUNICATION

This PnP shall be communicated to all affected employees via email and maintained in the Policies folder, sub-folder Regulatory Policies, on Google Drive for reference purposes.

VIOLATIONS

Failure to follow the above stated procedures will result in a violation of the TCPA, CAN-SPAM Act, or the CTIA’s Messaging Principles and Short Code Handbook.

CHANGE SUMMARY

Purpose: Internal Policy

Category: Regulatory

Policy Name: Electronic Communications Policy