One of the more daunting challenges facing companies relying in call centers, as well as for call center outsourcers, is consumer data protection, privacy and the protection of personally identifiable information (PII). Contact centers have tried to reduce their risk through scripting, call monitoring and call recording, but these do not offer any guarantees or proof of compliance.
Companies, especially those in finance, insurance, the public sector and debt collection, have become encumbered with regulations which they must follow strictly, with potentially expensive penalties for failure, including heavy fines and criminal prosecution. The bottom line is that call centers are subject to wide-ranging regulations that address their everyday business practices.
Poor agent performance can represent a significant risk to the organization; whether within on-premise call centers or through third party service organizations (outsourcers). Call center quality assurance not only ensures regulatory compliance but also reduce the risk of fines.
Here are some examples every call center quality assurance manager and agent needs to know.
Call Monitoring Consent
Both the federal government and most states require that at least one party be notified that a call is being monitored or recorded. A number of states — and other countries — require that all parties be notified. Differences in laws can be difficult to keep up with, especially since some states have laws that are stricter than federal laws. So it’s safest to conform to the most restrictive laws that may apply. That is easily handled with a recorded notification that plays before a caller is connected to an agent.
But what about outgoing calls? If your agents are using recording devices when they call customers during an outbound call to customers or sales prospects, the same rules apply. Whether it’s recorded or part of the agents’ script, you have to provide notification.
Fair Debt Collection Practice Act (FDCPA) of 1977
Debt collectors are regulated by the Fair Debt Collection Practice Act (FDCPA) of 1977, which, among other things, prohibits the use of threatening or abusive language and specifies when and to whom those calls can be made.
Do Not Call Registry
The federal Do Not Call registry allows consumers to choose not to receive telemarketing calls, and more than 150 million consumers across the nation have chosen to do so. There are exceptions — such as having made a previous purchase from the company, or calls from charitable or political organizations — but call centers must have a way to stay on top of new additions to the registry.
Truth in Lending Act
The Truth in Lending Act is intended to protect consumers from deceptive loans and purchases. To add another layer of complexity, the law requires call center agents in relevant sectors to disclose things like interest rates and late fees, all of which are subject to frequent change.
Gramm-Leach-Bliley Financial Services Modernization Act
This legislation regulates the recording and storage of private financial information (such as account numbers). It includes stipulations for how that information is stored — including the requirement that all such businesses maintain written documentation of their security protocols — and prohibits using false premises to get customers to reveal such information. It also mandates that businesses that access personal financial information — like those that process applications for car loans, for example — disclose their policies regarding the data and offer consumers the chance to opt out.
The Dodd-Frank Act
The goal of the Dodd Frank Act is to ensure transparency in the financial sector. The law stipulates that all financial communications — including calls from call centers — are recorded, date/time stamped, and stored in a way that is both secure and searchable.
It’s easy to see how call monitoring can be both a blessing and a curse. It’s definitely a blessing if your organization is compliant, because those recorded calls can be used as proof. If you’re not compliant, however, the answer is not to stop recording calls. It’s to take the steps necessary to become compliant.
The Sarbanes-Oxley Act of 2002 (SOX), a result of scandals such as the ones involving Enron and Worldcom, was created to guard against fraud and deception in the financial services industry. It stipulates requirements for the collection and storage of digital records. The SOX act also addresses the integrity of recorded calls. In other words, it mandates that businesses implement protocols to make sure records cannot be falsified or deleted before the end of the mandated storage requirement.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 includes provisions governing the use, storage, and access of personally identifiable health information. The law includes third-party vendors, such as accountants, lawyers, IT personnel, and companies that help doctors get paid for their services.
Payment Card Industry Data Security Standards (PCI-DSS)
Most businesses big enough to need a call center are well aware of the regulations surrounding the collection and storage of personally identifiable information, especially when it comes to payment. In fact, an international group called the Payment Card Industry Data Security Standards (PCI-DSS) Council has formed an ongoing partnership with credit card brands to identify and enforce security best practices. There are standards for how you collect payment data, how you transmit it, where and for how long you store it.
Here are some things to think about:
• Agent scripts should include notification that calls — whether incoming or outgoing — may be recorded.
• If call recordings include payment data, that data must be protected with the same degree of security as your IT systems.
• If recordings that contain payment information can be easily accessed by anyone, that’s a violation of PCI-DSS standards and can result in significant penalties. Some businesses have solved the problem by choosing to pause recordings when payment information is being transmitted.
• Privacy concerns can be addressed by having a non-recorded line available for agents to make necessary personal calls.
Is your call center compliant? Are you sure? Scorebuddy helps spot compliance errors before they create big problems. Contact us for more information.