Compliance: Technology Alone Will Not Protect You

Every day, I receive around a dozen emails detailing some aspect of compliance and data security. Some I immediately delete, some I briefly scan over and others I really dig into. There is no formula behind this. It simply depends on the timing of the email. Looking back at the history of the ARM industry, compliance is certainly one of the newer topics of conversation. The conversation has been steadily growing and the concerns surrounding compliance have exploded in recent years. On most days, it seems one could attend several compliance webinars covering everything from implementation strategies to costs.

Technology changes very rapidly and in many cases, technology introduced today will be outdated in fewer than six months. That statement is not enlightening for any of us but what we may overlook is how much technology is taking over the everyday aspects of our lives. For example, think about how we communicate, receive our news, and manage finances. With such a dependence on technology and increasing regulation surrounding compliance and data security, what is an agency to do?

Many agencies have taken the approach of staging a fully compliant and secure environment for individual clients, for different lines of business or for employee training purposes. I recently visited a client that prepared this type of environment for their Department of Education accounts and it has allowed them to control the data and access to sensitive data. Furthermore, the environment can be cloned and the data can be masked or scrambled to create a fully compliant and secure environment for training, related to an individual client or business line. This is a sound approach but there are several considerations before making a move like this.

Evaluate Costs

First, costs should be evaluated. The raw costs to start up another environment, purchase additional licenses from your software provider, and add more support and maintenance is easy to calculate but do not neglect the costs of working the business. Costs such as staff training, integrating with outside service vendors, and completing security audits need to be added to the raw environment costs and then compared against anticipated revenue from working the business. You may find it difficult to justify.


Second, if costs can be justified, access to the environment and certain data elements within the environment must be a top priority. Even if employees have all the necessary training and clearance permissions, they probably do not need access to everything in the environment. Utilize user profile features and permission sets in your software to control user access and to ensure users can only access the information necessary for their job.


Finally, ensure your software is up-to-date with the latest upgrades and releases from your software provider. Included in this is the operating system and software running on your servers and employee workstations. In most cases, updates and upgrades are simple to retrieve and install. Be careful though and make sure you have a testing plan in place for upgrades and a rollback procedure in the event the update or upgrade fails or takes longer to install than anticipated. Running the latest software versions will help protect your organization from cyber-attacks and data breaches.

Agencies, as they should, want to benefit from technology investments but when it comes to compliance, you must recognize that technology alone will not protect you. Even the best and most detailed compliance practices can fail without collective buy in from the members of the organization.


Texting Is The Final Frontier?

How are there two extremes when it comes to sending a text message to a debtor? The answer is actually quite simple. There is no answer because the FDCPA does not specifically address text messaging. In 1977, when the FDCPA was passed into law, text messaging and other contemporary forms of communication did not exist. Since then, not only have new methods of communication been introduced but the population’s preference for how they want to be communicated with has changed dramatically. Almost anyone with children can confirm that texting and social media dwarfs communicating over the phone or in person. In fact, we see these same preferences in the younger generation workforce as well.

Education aside, how can the agency start sending text messages? There is no law detailing the use of text messages as a method of communication; however there is law regarding how the agency can communicate with the debtor. The same rules in place for communicating via phone calls, letters, and emails need to be followed when sending text messages. If we evaluate this from a technology perspective, agencies are faced with a challenge. Even the newest collection software available does not include a module for text messaging. For now, agencies must partner with an outsider provider to capture the necessary technology to launch a text messaging campaign. Using an outside service provider equals a need for integration. Here are three technology considerations for implementing your text messaging campaign:

1. Consent

As with calling a cell phone or sending an email, you must get consent from the debtor. Yes, this can be achieved over the phone if you actually speak with the debtor but I have seen a more systematic approach. If you are driving the debtor to a payment portal, whether from your own website or through a letter campaign, ask for consent when they log into the portal. Setup the first screen to include a checkbox for consent to receive text messages. Furthermore, if the box is checked, ask for updated contact information. Force the debtor to confirm or update their phone numbers and address information before they can move to the payment portion of the site. I have seen technology offerings like this from several letter vendors and payment processing vendors in the industry.

2. Data Integrity

If the debtor does consent and provides updated demographic information, do not assume it is accurate. You should not be in a hurry to overwrite the primary phone number and address you have in your collection software just because something newer has been presented. The debtor may consent to receiving text messages and then deceitfully or not, provide a wireless phone number that does not belong to them. Sending a text message to the wrong phone number could mean you have just disclosed the debt to a third party and violated the law. Ask the debtor to respond to an initial text somehow confirming the phone number belongs to them. After passing your integrity checks, update the primary phone and/or address information in your collection software with the newly provided demographic data. However, do not fully delete any previous demographic data. Capture it in a previous record module or in the account notes.

3. Integration

The design and development of the data integration, or interface, will need to be tested and in place before launching your text messaging campaign. Most vendors will offer a batch mode integration. This file-based solution usually involves an overnight file delivery for updates that day. The agency will receive that file and import it into their collection software. An import interface must be built into your collection software. Depending on how many files are delivered or the schema of the files, more than one import interface may be required. The data in your collection software will always be up to 24 hours behind the payment/consent portal because the updates will not be received and processed until later that night. A real-time solution will process updates from the portal as they occur and import the updates into your collection software automatically.

For now, sending text messages to debtors remains a gray area. While text specific regulation is being formed, will you wait for others to push ahead and evaluate the fallout or will you implement this modern day, and often preferred, contact method?

Collecting for the IRS

Last December, the Fixing America’s Surface Transportation Act (FAST Act) was made law by the federal government. Unlike the previous ruling which only allowed the IRS the authority to place collections with private debt collection companies, this new law went a step further by requiring the IRS to use private debt collection companies. The law also states that the IRS must begin entering into contracts within three months after the date of enactment. That time frame is rapidly closing but there is no language detailing when the IRS will actually start placing inactive tax receivables.

Last year, I wrote about agencies investing their time and dollars in preparing for a government contract, primarily for the Department of Education contract. Collecting for the IRS is a new opportunity for established agencies to get into the government space and for agencies already in the space to service another line of government receivables. There is plenty of work that can be done in advance to prepare for this opportunity.

Data security should be a primary concern. If your collection software is preventing your agency from achieving compliance and hitting security benchmarks you may want to evaluate other software options or work with your current software provider to implement additional security features. Make sure the backend database is fully encrypted and that data in transit is as well. If encryption is available, you may want to verify it is turned on because in some collection products the encryption feature is optional and turned off by default in an effort to save space. Aside from the actual software, you should review and enhance your information security policies. If you do not already have these policies documented, you should address that immediately. Policies detailing available user accounts, access privileges, password policies, and how to work with sensitive data need to be covered. If you find yourself overwhelmed with implementing or updating data security policies, a great resource to start is the Federal Information Security Management Act (FISMA). It will not answer all the questions but FISMA will provide great direction and help to set things in motion.

Simply having a strong data security policy is not good enough. Awareness of the policy and to the ever-changing landscape of compliance and data security is key as well. Awareness begins with a strong training program. Create an electronic training program that focuses on working with government data and the sensitivity of that data. In a test environment, stage examples for users to encounter and work with sensitive data in your collection software. Wherever possible, implement automated IT processes that promote awareness.

So far, I have touched on policy and procedure ideas with a focus on the operation and environment. There are many items you can fine-tune directly in your collection software as well. First and foremost, make every effort to eliminate manual processes by replacing them with automation. Every time a user manually kicks off a process, renames or moves a file, or manually retrieves/sends data with an external vendor, the likelihood for user error increases. You may be surprised to find out that most manual processes like those mentioned can be automated within your software or with custom applications that work with your collection software. Take a step back to really understand and document all your processes. Then, review the list with your team or consultant(s), pick out areas where automation is an option, and prioritize the list before beginning any design or development. Second, take the time to evaluate and enhance your workflow. Agencies should implement this practice at least twice per year. The addition of new clients, the performance of your consumer representatives, and the strengths/weaknesses of your skip tracing efforts may introduce new trends or change trends that were evaluated when your existing workflow was designed. Find something that works best for your agency. Third, develop your own performance reports. Do not rely solely on canned reports that were delivered with your collection software. Like enhancing the workflow, there are metrics and key performance indicators (KPIs) meaningful for your agency. Many of the collection products have some sort of built-in mechanism for developing custom reports. If custom reporting within your software is not available, there are plenty of reporting tools with many connectors that may work with your product. Take a look at Business Objects (Crystal Reports), Cognos BI, Microsoft SSRS, or Tableau.

By refining a few of your operational policies and procedures and implementing some strategic changes in your collection software, your agency can be set up nicely for that new government contract. As with the Department of Education contract, you can bet the IRS will be gathering performance data on the agencies receiving placements and that the data will be made public via several published reports. Wouldn’t it be nice to see your agency at the top of that list?

4 Compliance Areas Debt Buyers Must Address

For years, debt buyers could operate outside the scope of compliance and regulation in the accounts receivable management industry. This was not because debt buyers were attempting to be deceitful, rather this sector of the industry was so new and innovative that too much was unknown to attempt to govern it. Those days are over and no longer are debt buyers overlooked. In fact, they are now very much on the radar of the CFPB. It was only a matter of time as compliance administration was on the rise with larger creditors and other first parties. The CFPB is already visiting the organizations. Most would agree that debt buyers are not far down the list.

What can debt buyers do to prepare themselves for a call from the CFPB? Debt buyer certification programs are fairly new in the industry and several options are available. The standards for most of these certification programs focus on the primary areas of concern debt buyers are facing these days. Topics including media, chain of title, agency management, and credit bureau reporting all make the cut. I would like to examine these four primary topic areas and present some solutions for capturing and maintaining the compliance related information using the same technology debt buyers are using to manage their inventory. Let’s set the precedence that present day debt buyers are managing their inventory with proper, enterprise level software. Any debt purchasing operation still managing inventory using spreadsheets is destined for compliance violations and trouble with the CFPB should there be an audit.


Also referred to as account and debtor documentation, media is crucial for debt buyers and it is important to have software that will allow for media attachments on a per account basis. Often, media is not included in the actual purchase agreement. It usually must be requested from a separate entity, or if the seller does have the media, it comes with an additional cost. In many systems, media attachment components are not included but hopefully your software allows for custom configuration and you are able to add media attachment options.

Make sure media attachments are available at both the account and consumer levels. For example, there may be a contract at the account level but separate credit reports if there is more than one responsible party on the account. The setup should be able to store the credit report for the respective responsible party. Most media is large in file size and because of this, disk space will be consumed quickly. Proper system sizing is often overlooked and needs to be planned accordingly. Lastly, in the event a consumer pursues litigation, the debt buyer will need to be in a position to confirm the consumer opened the account and is a responsible party by presenting media.

Chain of Title

The history of account ownership is referred to as chain of title. When a debt buyer purchases an account from a creditor or another debt buyer, the ownership is transferred. Like media, chain of title is additional documentation for the account. It should be requested at the time of purchase and any information or media related to chain of title should be stored in the software at the account level. You will want to have this information for compliance purposes, in the event of litigation, or if you eventually sell the account. Storing the chain of title in your software will also position you to set up your placement strategies with external agencies and provide them with chain of title for each account in the placement file.

Agency Management

As a debt buyer, knowing the agencies you are placing with is almost as important as knowing your own agency. At least that is what an auditing entity will expect. Until sold and ownership changes hands, debt buyers are responsible for all their accounts regardless if being worked inhouse or placed with an external agency. There is some very nice software available for debt buyers that will not only allow for automated account placement strategies, but will also include features for ranking an agency, certifying an agency, and tracking compliance related data points for an agency. If you cannot find the latter in your current software, it is in your interest to build out the agency management module to capture compliance related information. For example, you may be expected to know any certifications your agencies have achieved, how they enforce and maintain data security related to your inventory, and their backup and restore procedures. In most cases, this is not only a single field of data. You should be able to capture and store short text descriptions of the processes or attach documentation to the external agencies that are configured in your software.

Credit Bureau Reporting

How debt buyers report to the credit bureaus is one of the most common violations in the industry. Far too often, workflow elements for credit bureau reporting is not detailed enough. Ensure your credit bureau reporting workflow is not re-reporting debtors and is also deleting debtors from the bureau’ s file upon resolution of the debt or in the case of bankruptcy. Be ready with documentation that details your process. It is much easier to hand an auditor a detailed document and walk through it together than attempt to explain your process for others to appraise. Credit bureau reporting practices are also key processes debt buyers should understand about each of their external agencies.

Understanding and documenting compliance standards such as those described above will help prepare you for a visit from the CFPB. At the very least, you will have addressed and standardized some important, compliance related business processes should the CFPB never call or visit.