Meeting the Demands of Government Requirements

By Alexandra Warner, Platform28 on October 28, 2014

Platform28 first explored the challenges of government requirements in the contact center in its recent blog, “Understanding Complex Regulatory Expectations.” In this article, we offer a more in-depth analysis of this idea.

Consumer contentment is a key concern among contact center staff, and one that is addressed through proper customer service training, product training, oversight, and assessment. Add on top of that the need for contact centers and staff to respect and comply with the mounting and ever-changing government requirements for customer contact restraints and handling of privacy information – and you’ve got your hands full.

The primary concern for consumers is respect for their “personal space,” which has led to laws and regulations that government (both federal and state) has put into place to prevent abusive calling and sharing of confidential information.

Balancing productivity within your contact center along with the need to comply with government requirements is not an easy task. The regulatory environment and technologies evolve rapidly, and consumers expect us to remain customer service friendly and engaged, while our enterprise, with respect to the economy, is constantly requesting that we do “more with less.”

If your company is non-compliant with a particular requirement, the consequences can be catastrophic. Let’s look at recent examples to see how far-reaching a lapse in correctly adhering to regulation can be.

Examples of Regulation Missteps

Last year, unknown hackers managed to gain access to the personal information and credit card numbers of 40 million Target customers. This event was called a “disaster” and was the impetus for at least one lawsuit. Additionally, Target lost store traffic, holiday revenue, and customer trust. According to informal research by Forbes Magazine, it was estimated that Target lost about “4.6 million holiday customers to competitors specifically because of the credit card data breach.” I personally noted the outrage from my friends who posted nasty-grams on Facebook and Twitter. This was a PR and systematic nightmare for Target. They have since sent a letter to all their Target REDCard customers, offering them one year of free credit report monitoring to attempt to allay any fears associated with the data breach. The cost of even a fraction of customers taking them up on such an offer would be financially significant.

Other notable breaches lately include Neiman Marcus, Michaels, and Aaron Brothers, regarding sophisticated cyber security attacks and stolen credit card details. All of these breaches just deepen consumer concerns and create the need for contact centers to tighten their belts as it relates to data security and improving privacy standards.

The Top Requirements To Address

Below is a summary of the top requirements your contact center should be mindful of. Please note: this is only a summary and does not include every requirement currently out there. 

Requirement: Telephone Consumer Protection Act (TCPA)
Overview: Restricts telephone solicitations (i.e., telemarketing) and the use of automated telephone equipment. The TCPA limits the use of automatic dialing systems, artificial or prerecorded voice messages, SMS text messages, and fax machines. It also specifies several technical requirements for fax machines, autodialers, and voice messaging systems, principally with provisions requiring identification and contact information of the entity using the device to be contained in the message (Source: Wikipedia).
Danger: Fines for violations have been in the millions and have produced thousands of irate customers. There are no business size limitations.

Requirement: Health Insurance Portability and Accountability Act (HIPAA)
Overview: The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; the HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.
Danger: The regulations are very complex and cover billing, payment and demographic information. Medical professionals are at risk of fines and imprisonment.

Requirement: PCI-DSS (Payment Card Industry – Data Security Standard)
Overview: Robust payment card data security process that is intended to prevent, detect and address incidents.
Danger: Credit card fraud can cost consumers up to $500 million a year, according to the U.S. Department of Homeland Security. Vendors must not store unencrypted credit card numbers, PIN numbers, and other specified identifiers. Failure to comply can result in loss of credit acceptance privileges and business losses. Unqualified agents should not have access to sensitive data.

Requirement: Telemarketing Sales Rule – “Do Not Call” Provisions
Overview: Requires disclosures of specific information; prohibits misrepresentations; limits when telemarketers may call consumers; requires transmission of caller ID information; prohibits abandoned outbound calls, subject to a safe harbor; prohibits unauthorized billing; sets payment restrictions for the sale of certain goods and services; requires that specific business records be kept for two years.
Danger: Material disclosure is required before orders may be accepted by phone, including the identification of the seller, nature of goods or services, full cost of offers, any conditions or restrictions. The FCC can fine up to $11,000 per violation. EVA (“Express Verifiable Authorization”) may be required with some transactions.

Requirement: Sarbanes-Oxley Act (SOX)
Overview: Well-known law that dictates how records must be stored and for how long.
Danger: Call recording, screen capture and speech analytics offerings must facilitate strict audit and regulatory compliance.

Requirement: Gramm-Leach-Bliley Financial Services Modernization Act (GLBA)
Overview: Privacy, safeguards and pretexting provisions in controlling how financial institutions manage an individual’s private information.
Danger: Financial institutions are required to implement a comprehensive, written information security program that includes proper administrative, technical and physical safeguards. The program must be designed to protect consumers’ non-public, personally-identifiable information (PII) by ensuring security and confidentiality of data, by preventing potential risks and threats to data, and by protecting against unauthorized access to or use of consumers’ private information.

Requirement: Truth in Lending Act (TILA)
Overview: Law intended to regulate consumer credit transactions and disclosures.
Danger: Disclosure requirements are very specific to the manner in which interest rates are calculated, requirements to disclose the annual percentage rate (APR), cost of late fees, payment term, and advance notice of renewals.

Requirement: Fair Debt Collection Practices Act (FDCPA)
Overview: Regulations that prohibit abusive practices by debt collectors (including calls at “inconvenient” times).
Danger: It is difficult to determine if you are contacting a consumer on their cell phone versus a land-line, which may create the potential for liability exposure. Consumers may seek legal recourse and sue a collector for illegal collection practices, including lost wages.

 

How Do You Properly Address Compliance Requirements?

There are many factors to consider when assessing compliance risk, including:

  • How are you preventing breaches of do-not-call lists?
  • How can you ensure that contacts are only reached during safe windows?
  • How are you overseeing your agents who might work on multiple accounts, to ensure they are adhering to regulations?
  • If you are not sure of any of these answers, what will you do to seek resolution?

First you must feel comfortable that you understand what regulations affect your contact center. For a list of resources to monitor the latest regulations, check out our recent blog. We also recommend leveraging industry associations that offer legal counsel and tips to their members, in addition to partnering with your company’s own compliance officer.

Once you have taken the necessary steps to understand the requirements you are obligated to follow, you should develop a proactive approach to adherence. We’ve broken our recommendations for complying with government regulations into five key focus areas:


1. Screening and training. Before you begin training, you need a stringent screening process. Only allow properly screened professionals to assist your customers to prevent any information leaks. Background checks, credit and criminal checks, and other pre-employment screenings are imperative for agent and management roles. There are several screening mechanisms available based on the type of position and industry you are operating within.

Your industry or geography probably has its own unique requirements. Be certain you know, understand, and adhere to them. Are you serving the health care industry? If so, be certain your agents attend regular HIPAA training. Share any changes to regulations with your staff. Regularly.

Conduct regular security assessments to complement training activities. This helps you identify any gaps in privacy services.

2. Technology. Many contact center vendors exist today to help in this respect. Their offerings and focus revolve around incorporating features in their software and applications to help you comply with changing rules and regulations. Automated contact rules and campaign filters, setting maximum contact attempts, mobile identification, opt-in and deactivation, for example, are all requirements that today’s technologies are able to help with.

We’ve outlined a sampling of specific tools and services available today to help with compliance requirements.

  • Speech analytics tools capture critical business intelligence and document a larger sampling of inbound and outbound customer calls to monitor adherence to consumer protection rules. This tool also helps operations systematically mine customer sentiments that haven’t been available with past technologies.
  • Outbound calling tools exist to help companies maintain compliance with new TCPA regulations. This tool is essential, as failure to adhere to TCPA and the Do Not Call Registry resulted in more than 2.6 million complaints in 2011, with that number jumping 54 percent in 2012 to almost four million. Centers should be certain to have the latest Do Not Call Registry loaded on their dialer software.
  • ACD enables call routing to only those agents who are qualified to handle specific calls.
  • Agent desktop technologies provide supervisors the opportunity to monitor, coach, whisper, and even “barge in” during a potential compliance oversight.
  • Quality assurance tools allow post-call analysis to view and listen to recordings.
  • Encryption technology protects data on any device that houses sensitive information. Sadly, according to a report by InfoWeek, 26 percent of organizations do not use database encryption on databases that contain sensitive information.

3. Scripting. By providing scripts to your agents, you can rest assured that all required disclosures are made by the agent. Checklists are also helpful tools for agents to help ensure that standard compliance protocols are followed and can be tracked and documented more effectively.

If your agent is unsure about how to proceed with a particular call, provide a list of subject matter experts within your organization who can step in to help. There is no room for guesswork when it comes to regulation compliance.

4. Recording, Monitoring and Record Keeping. Multichannel recording and quality monitoring tools can provide liability protection against he-said, she-said disputes. You are better able to conveniently and quickly retrieve specific interactions. They also provide real-time insight that allows supervisors and managers to monitor agents’ multichannel customer interactions.

Why is record keeping so imperative? Regulators may request access to customer recordings during on-site exams. This shows your company is proactive in demonstrating compliance. A good rule of thumb is to record any interaction that involves actual telephone sales or sales attempts.

5. Breach Reactions. In the unfortunate event that your security has been breached, be certain you have an adequate disaster recovery plan. This ensures business is restored quickly. This is a great area to conduct ongoing training exercises to ensure your staff knows what to do in this situation.

Summary

As you know, contact centers constantly manage personal and credit card information, and this poses huge potential risks to your company’s bottom line and reputation. Contact centers serve as the face of your company and can be an easy target.

Your contact center must be aggressively proactive to construct safety nets around your day-to-day operations in order to ensure regulatory compliance. It is recommended that contact centers record and archive all voice and data interactions, while ensuring sensitive verbal and data recordings are only accessible to authorized agents. By taking these positive steps, you can enjoy increased control, better customer experience, and mitigated risk.

Find Out More About Platform28

Platform28 offers an easily customizable Communications-as-a-Service (CaaS) solution to contact centers that need a comprehensive, highly scalable communications platform. Platform28 delivers a carrier-grade solution that includes multichannel Contact Center, PBX, IVR, Unified Messaging and network call routing. Our customers include mid-to-large enterprises, Tier1 carriers and government agencies, with 150,000 active users and 600,000,000 interactions monthly. The platform is completely customizable using open standards and web services, enabling tight integration with virtually any application. Platform28’s flexible delivery enables customers to meet the strictest security standards using distributed database and extraction layers. The interface has been re-engineered to deliver an intuitive user experience and complete business intelligence throughout the platform.  

Contact us at 800.861.6228 or info@platform28.com for more information.

 

The above article is intended as a guide, and not as a legal document.