Regulatory and Compliance Mistakes Are Causing Invisible Risks

Dick Bourke takes us through the rules and regulations that US contact centres must be made aware of to avoid compliance mistakes. 

One of the more daunting challenges facing companies relying on contact centres, as well as contact centre outsourcers, is consumer data protection, privacy and the protection of personally identifiable information.

Contact centres have tried to reduce their risk through scripting, call monitoring and call recording, but these do not offer any guarantees or proof of compliance.

Companies, especially those in finance, insurance, the public sector and debt collection, have become encumbered with regulations which they must follow strictly, with potentially expensive penalties for failure, including heavy fines and criminal prosecution.

The bottom line is that contact centres are subject to wide-ranging regulations that address their everyday business practices.

Poor advisor performance can represent a significant risk to the organisation, whether within on-premise contact centres or through third-party service organisations (outsourcers).

Contact centre quality assurance not only ensures regulatory compliance but also reduces the risk of fines.

Here are some examples every contact centre quality assurance manager and agent needs to know.

Call Monitoring Consent

Both the federal government and most states require that at least one party be notified that a call is being monitored or recorded.

A number of states, and other countries, require that all parties be notified.

Differences in laws can be difficult to keep up with, especially since some states have laws that are stricter than federal laws.

So, it’s safest to conform to the most restrictive laws that may apply. That is easily handled with a recorded notification that plays before a caller is connected to an agent.

But what about outgoing calls? If your advisors record outbound calls to customers or sales prospects, the same rules apply.

Whether it’s recorded or part of the agent’s script, you have to provide notification.

Fair Debt Collection Practices Act (FDCPA) of 1977

Debt collectors are regulated by the Fair Debt Collection Practices Act (FDCPA) of 1977, which, among other things, prohibits the use of threatening or abusive language and specifies when and to whom those calls can be made.

Do Not Call Registry

The federal Do Not Call Registry allows consumers to choose not to receive telemarketing calls, and more than 150 million consumers across the nation have chosen to do so.

There are exceptions — such as having made a previous purchase from the company, or calls from charitable or political organisations — but contact centres must have a way to stay on top of new additions to the registry.

Truth in Lending Act

The Truth in Lending Act is intended to protect consumers from deceptive loans and purchases.

To add another layer of complexity, the law requires contact centre advisors in relevant sectors to disclose things like interest rates and late fees, all of which are subject to frequent change.

Gramm-Leach-Bliley Financial Services Modernization Act

This legislation regulates the recording and storage of private financial information (such as account numbers).

It includes stipulations for how that information is stored, including the requirement that all such businesses maintain written documentation of their security protocols, and prohibits using false premises to get customers to reveal such information.

It also mandates that businesses that access personal financial information — like those that process applications for car loans, for example — disclose their policies regarding the data and offer consumers the chance to opt out.

The Dodd-Frank Act

The goal of the Dodd-Frank Act is to ensure transparency in the financial sector.

The law stipulates that all financial communications, including calls from contact centres, be recorded, date/time stamped, and stored in a way that is both secure and searchable.

It’s easy to see how call monitoring can be both a blessing and a curse.

It’s definitely a blessing if your organisation is compliant, because those recorded calls can be used as proof. If you’re not compliant, however, the answer is not to stop recording calls. It’s to take the steps necessary to become compliant.

Sarbanes-Oxley Act

The Sarbanes-Oxley Act of 2002 (SOX), a result of scandals such as the ones involving Enron and WorldCom, was created to guard against fraud and deception in the financial services industry. It stipulates requirements for the collection and storage of digital records.

The SOX Act also addresses the integrity of recorded calls.

In other words, it mandates that businesses implement protocols to make sure records cannot be falsified or deleted before the end of the mandated storage requirement.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 includes provisions governing the use, storage, and access of personally identifiable health information.

The law includes third-party vendors, such as accountants, lawyers, IT personnel, and companies that help doctors get paid for their services.

Payment Card Industry Data Security Standards (PCI-DSS)

Most businesses big enough to need a contact centre are well aware of the regulations surrounding the collection and storage of personally identifiable information, especially when it comes to payment.

In fact, an international group called the Payment Card Industry Data Security Standards (PCI-DSS) Council has formed an ongoing partnership with credit card brands to identify and enforce security best practices.

There are standards for how you collect payment data, how you transmit it, and where and for how long you store it.

Here are some things to think about:

  1. Agent scripts should include notification that calls — whether incoming or outgoing — may be recorded.
  2. If call recordings include payment data, that data must be protected with the same degree of security as your IT systems. If recordings that contain payment information can be easily accessed by anyone, that’s a violation of PCI-DSS standards and can result in significant penalties. Some businesses have solved the problem by choosing to pause recordings when payment information is being transmitted.
  3. Privacy concerns can be addressed by having a non-recorded line available for agents to make necessary personal calls.

Dick Bourke

Is your contact centre compliant? Are you sure? If not, we’d be happy to talk with you about the issues you’re facing and how call monitoring and agent scoring can help.

Contact Scorebuddy today to talk about how our unique, user-friendly tool can help you spot compliance errors before they create big problems.

Published On: 17th Aug 2017 - Last modified: 29th Jan 2019
