As the world steadily moves to digital, information security compliance is taking on ever greater significance within organizations, and as a result, regulations are becoming more stringent than ever. Many of today's data regulations fall within the scope of contact centers, which receive, process and store a range of Personally Identifiable Information (PII), such as addresses, telephone numbers, dates of birth, card numbers, account numbers, social security numbers and more. This requires contact centers to make compliance their absolute top priority.
In 2012, one of the largest banks in the United States entered into a legal hazard by referring credit card customers with low credit scores to third-party vendors that operated call centers, pitching credit card add-on products such as payment protection plans and credit monitoring services. The vendors used high-pressure sales tactics and misleading practices to sign customers up, and the bank failed to monitor them. As a result, they had to pay $210 million in fines and penalties in a settlement reached with federal banking and consumer protection regulators.
In 2013, the Federal Trade Commission (FTC) held one of the leading mortgage lenders in the US accountable for violating the Do Not Call provisions of the agency's Telemarketing Sales Rule (TSR). The company paid a civil penalty of $7.5 million, the biggest fine ever collected by the FTC. During telemarketing calls, the company failed to remove consumers from its DNC lists on demand and misrepresented the terms of the available loan products.
In the following year, the Consumer Financial Protection Bureau (CFPB) ordered another large bank to pay a whopping $225 million in relief to consumers who were harmed by illegal and discriminatory credit card practices. The Bureau found that the bank's telemarketers had misrepresented the add-on products and had not disclosed that certain classes of consumers were ineligible for them.
These examples indicate the risks and the impact of the regulations on contact centers. Now, let’s look at some of the most critical regulations governing contact centers.
Consent to Record
There are several federal and state wiretapping laws that limit the ability of contact centers to record phone calls or in-person conversations. From a regulatory point of view, the most critical aspect is that one must obtain the consent of one or all parties to a phone call or conversation before recording it. Federal law and many state wiretapping statutes allow recording if one party to the call or chat consents. Other states require the consent of all parties to the communication. Violations may result in imprisonment of up to five years and fines of up to $500,000 for organizations.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is an information security standard designed to ensure the security of credit, debit and cash card transactions and to protect cardholders from misuse of their personal information. Created jointly in 2004 by four major credit card companies (Visa, MasterCard, Discover and American Express), it sets out six main objectives: network security, protection of cardholder information, system protection against hackers, viruses, spyware and malware, restriction and control of access to system information and operations, security measures for network monitoring, and implementation of formal information security policies. The consequences of PCI non-compliance range from $5,000 to $500,000 in fines.
General Data Protection Regulation (GDPR)
Designed to harmonize data privacy and security legislation across Europe, the European Union (EU) General Data Protection Regulation (GDPR) mandates a base set of standards for all companies handling the personal data of EU citizens. Some of the critical privacy and data protection requirements of the GDPR include requiring the consent of data processors, anonymizing the data collected to protect privacy, providing notification of data breaches, safe handling of cross-border data transfers, and requiring individual companies to appoint a data protection officer to oversee compliance with the GDPR. Violations of the GDPR may result in a fine of up to EUR 20 million or up to 4% of the company's annual worldwide turnover.
Markets in Financial Instruments Directive II (MiFID II)
MiFID II is a legislative framework established by the EU to regulate and improve financial markets and to protect investors. It aims to standardize practices across the EU and restore confidence in the industry, especially after the 2008 financial crisis. It covers virtually all institutional and retail investors, financial firms and professionals within the EU, such as bankers, traders, fund managers, exchange officials and brokers, and all must abide by its rules. Penalties are laid down by the regulatory agencies in each country. The Financial Conduct Authority in the United Kingdom recently imposed a fine of £1.50 per line of incorrect or unreported data.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA legislation provides data privacy and security provisions for safeguarding personal medical information in the US. It includes regulations governing the use and storage of, and access to, "individually identifiable health information," i.e., past, present or future physical or mental health conditions, held or transmitted in any form or medium, whether electronic, paper or oral. HIPAA regulates healthcare providers and payers who maintain contact centers to handle member inquiries, provider inquiries, eligibility checks, care authorizations and claims questions, among other types of calls. Companies that violate HIPAA are subject to penalties from the U.S. Department of Health & Human Services.
Telemarketing Sales Rule (TSR)
The TSR prohibits misleading and abusive telemarketing practices. It established the National Do Not Call Registry, which makes it easier and more efficient to reduce the number of unwanted telemarketing calls. The TSR sets standards of conduct for telemarketing calls, such as restricting telemarketers from calling customers before 8 AM or after 9 PM and requiring them to identify the vendor and disclose the purpose of the call. It also prohibits telemarketers from lying about the terms of their offer. Companies that violate the rules are subject to fines of up to $11,000 per infringement.
Telephone Consumer Protection Act (TCPA)
The TCPA regulates telemarketing calls and the use of automated telephone equipment. It limits the use of pre-recorded voice, automatic dialing, SMS and fax messages without the express consent of the customer. Companies must abide by strict solicitation rules and the National Do Not Call Registry, and consumers may sue a company that does not follow the TCPA guidelines. Consumer consent is a crucial defense under the TCPA.
U.S. Electronic Funds Transfer Act (EFTA)
The EFTA is a federal law that protects consumers engaged in the transfer of funds by electronic means. It regulates contact centers' use of electronic money transfers, debit cards, automated teller machines and automatic withdrawals from bank accounts. The act also provides a means of rectifying transaction errors and limits the consumer's liability for any financial loss due to a lost or stolen card.
Fair Debt Collection Practice Act (FDCPA)
The FDCPA regulates third-party debt collectors who attempt to collect debts on behalf of another person or entity. It prohibits the use of threatening or abusive language and unfair or misleading practices in the collection of debts. Credit card debt, auto loans, medical bills, student loans, mortgages and other household debts are covered by the FDCPA. Debt collection agency representatives cannot contact a customer at inappropriate times or places without their prior permission.
To sum up, some of these regulations complement one another, while others in some cases weaken or even contradict one another. For example, contact centers that accept telephone payments must comply with the EFTA, which requires them to record telephone conversations that authorize an electronic fund transfer. PCI DSS, meanwhile, complicates this by stipulating that certain information, such as Card Verification Value 2 (CVV2) codes, must never be recorded or stored. Many contact centers use "pause and resume" or "stop/start" call recording to try to satisfy these conflicting rules, but that approach comes with its own set of problems: the pause has to be triggered at the right moment, and anything the customer says before it, or after a forgotten resume, is still captured.
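To make the stop/start trade-off concrete, the following is an added example, written for this page and not code from Acqueon or any recording product. It models a call recording pipeline as a stream of timestamped transcript segments, pauses storage while the payment step is in progress, and adds a defence-in-depth layer that masks any Luhn-valid card number spoken outside the paused window (the "customer reads the card before the agent hits pause" problem). The event names PAYMENT_START and PAYMENT_END, the Segment type and the sample transcript are all constructed for the example; a missing PAYMENT_END is treated as "still paused" so the gate fails closed rather than recording the CVV2.

```python
import re
from dataclasses import dataclass

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes,
# not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check; used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(text: str) -> str:
    """Replace Luhn-valid digit runs with a masked form keeping only the last 4."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # e.g. a long ticket id: leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, text)


@dataclass
class Segment:
    t: float        # seconds from call start (constructed field)
    speaker: str
    text: str


def payment_windows(events):
    """Pair PAYMENT_START/PAYMENT_END events (hypothetical names) into [start, end) windows.
    An unmatched start stays open forever: fail closed, never record the CVV2."""
    windows, open_at = [], None
    for t, kind in sorted(events):
        if kind == "PAYMENT_START" and open_at is None:
            open_at = t
        elif kind == "PAYMENT_END" and open_at is not None:
            windows.append((open_at, t))
            open_at = None
    if open_at is not None:
        windows.append((open_at, float("inf")))
    return windows


def gate_recording(segments, events):
    """Return (kept, dropped): segments inside a payment window are not stored,
    everything else is stored with card numbers masked as a second line of defence."""
    windows = payment_windows(events)
    kept, dropped = [], []
    for s in segments:
        if any(a <= s.t < b for a, b in windows):
            dropped.append(s)
        else:
            kept.append(Segment(s.t, s.speaker, mask_pan(s.text)))
    return kept, dropped


# Constructed sample transcript; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
SAMPLE_SEGMENTS = [
    Segment(0.0, "agent", "Thanks for calling, how can I help?"),
    Segment(5.0, "customer", "I want to pay, my card is 4111 1111 1111 1111"),
    Segment(12.0, "agent", "One moment, switching to the secure payment step."),
    Segment(20.0, "customer", "Expiry 12/27 and the code on the back is 123"),
    Segment(31.0, "agent", "Payment accepted, ticket 1234567890123 noted."),
]
SAMPLE_EVENTS = [(15.0, "PAYMENT_START"), (30.0, "PAYMENT_END")]

if __name__ == "__main__":
    kept, dropped = gate_recording(SAMPLE_SEGMENTS, SAMPLE_EVENTS)
    for s in kept:
        print(f"[stored ] {s.t:5.1f} {s.speaker}: {s.text}")
    for s in dropped:
        print(f"[paused ] {s.t:5.1f} {s.speaker}: (not recorded)")
```

Two things are worth noticing when running this: the segment at 5.0 s, spoken before the agent paused, still reaches storage but with the PAN masked, whereas the CVV2 at 20.0 s never does because the window, not pattern matching, removes it. A three-digit code cannot be reliably recognised by regex without redacting every order number and extension, which is exactly why the pause window has to be the primary control and masking only the backstop.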
In most U.S. states, when a call is monitored or recorded, the law requires at least one party to be notified, while a few other states and countries require all parties to be informed. Differences in these laws are difficult for contact centers to keep up with, especially when some states have regulations that are stricter than federal laws.
But there’s some good news. In our next blog, we’ll show how Acqueon Engagement makes it easy for companies to keep track of TCPA, Do Not Call Lists, GDPR, and internal regulations within our dashboard. Stay tuned!