
Are your Collection Vendors Taking Compliance Seriously?

Today, first- and third-party debt collections are under an incredible amount of scrutiny. The FCC, FTC, CFPB, 50 Attorneys General, 50 state regulatory bodies, and hundreds of consumer attorneys across the U.S., along with mostly unfriendly local, state, and federal courts, all have an impact on those in the collection space. Not to mention the BBB® along with Google® and lots of other complaint-based websites where debtors/patients/taxpayers can go to post complaints, valid or not. Add in the indifference or pure disdain from state and federal legislators, and that doesn’t bode well for the collection industry.

Checking Compliance

So how do those in the collection industry put themselves in the best position to not only survive but thrive in this environment? How do Creditors such as Hospitals, Banks, Utility Companies, Schools and Universities and even state and local governments that rely on collection agencies know that their partners have taken the appropriate compliance measures to protect themselves and their Clients?

For instance, what about a Healthcare provider who has spent millions upon millions of dollars to comply with HIPAA and data security, only to have it all go to waste because they worked with a collection partner that didn’t take it as seriously?

Compliance Management System
The first indication of agency compliance is a robust compliance management system. There are several options out there, which could include an internally developed system. However, the best compliance management system for the collection industry is a PPMS (Professional Practices Management System) certification offered by ACA International, our trade organization. It is robust because it is specific to the collection industry, has systems in place to track Client Issues, Non-conformities, cause analysis, and continuous improvements, and continuously monitors these areas. The ACA certification covers 18 different areas of the company, not just one area, such as financial controls. PPMS certification also has to be audited at a minimum once every two years by an outside CPA audit firm. The CFPB has made it clear that a compliance management system is a MUST.

Data Security
The next indication of agency compliance is related to data security. Our agency processes millions of accounts per year. That is a lot of data, including names, addresses, phone numbers, social security numbers, and credit card information. The best indication that an agency takes data security seriously is if they use a third-party auditor to attest to data security best practices and standards. SOC 1 (financial processes), SOC 2 (data security processes), SSAE 16, ISO 27002, IRS 1075 (for federal tax data), HIPAA HITECH and Red Flags, GLBA and most importantly PCI compliance (Payment Card Industry) are the most common audits you will see.

A PCI Level 1 Service Provider audit, which we have obtained, is the most strenuous audit. Other PCI levels are self-audits, which may be fine for your requirements, but can also be filled with errors. No third-party attested audits are filled with inaccuracies. Creditors need to know what is important to require of their agency and what isn’t. Some agencies, like ours, have become TECHLOCK® certified, which encompasses multiple audits in one certification (PCI being the most important). Regardless of the audits that are performed and by whom, Creditors should make sure that the agency they choose has Cyber Liability insurance because Errors & Omissions and General Liability policies do not cover cyber-attacks.

Speech Analytics
The next indication of compliance is related to speech analytics. Speech analytics allows an agency to take all their calls, in real time or with recordings, and analyze them for compliance. Collection agencies that don’t use speech analytics can only audit and review a tiny percentage of contacts with debtors. Effective speech analytics will allow 100% of all calls to be audited. Here are the items that speech analytics can help determine:

  • Are their collectors complying with the FDCPA? Are they stating the required mini Miranda? Are they using a talk off that overshadows the debtor’s right to debt verification?
  • Are they validating the debtor’s current demographic information?
  • Are they asking for cell phone consent?
  • Are they using derogatory terms?
  • Are they using polite, professional language?
  • Are they listening to the debtor?
  • Are they talking over the debtor?
  • Do they have sympathy/empathy?
  • Is the collector threatening legal or other prohibited action?

These are just a few of the items that agencies that use speech analytics can check. Effective collectors perform with high scores when analyzed with speech analytics. The CFPB has made it clear that they will want collector compensation tied to compliance. Without effective speech analytics software, this will be impossible to do.

In summary, while recovery rates and service abilities are still necessary, nothing is becoming more important than having a partner that is compliant in all areas of operation. From having a system in place to data security to interacting with your customers, everything counts! While it may cost you more in the short term to deal with agencies that spend more money and time in these areas, it will save you money and headaches in the long run by not having to deal with lawsuits, data breaches, and patient complaints. Do the right thing for your business and take the time to analyze how your business partners handle these areas.

Compliance Checklist

  1. Compliance Management System? PPMS? Other?
  2. Speech Analytics software? How are collectors graded and compensated?
  3. Data security: know what is important to you and why. What third-party audits are done?
    • SOC 1, type I or type II or SSAE 16?
    • Audited financial statements?
    • SOC 2, type I or type II?
    • PCI: what level, self-assessment or 3rd party?
    • ISO 27002?
    • HIPAA audits?
    • IRS 1075?
    • TechLock certification or comparable?
    • Cyber Liability Insurance?