Why Ransomware Is Serious Business (and How to Minimize the Threat)


Everywhere you look these days, it’s in the headlines: another healthcare network, business, or government entity has suffered a debilitating ransomware attack. What used to be a curiosity is now a raging epidemic that shows no signs of slowing—and no sector is immune. By 2021, ransomware damages could cost the world $20 billion (57 times more than in 2015).
 
Even worse, cybercriminals are shifting their strategy. Not only are they demanding larger sums of money—from a few thousand dollars to upwards of $50,000 in just the past few years—but they’re increasingly targeting small and midsize businesses, which may be less sophisticated on the IT front and more willing to pay.
 
I recently sat down with Steve Lodin, senior director of cybersecurity operations/corporate security at Sallie Mae, to discuss this growing threat. We also offered advice for organizations looking to harden their defenses and prepare to respond in the event of an attack.
 
Here are a few highlights from our webinar, “Be Smart, Take Charge: What You Need to Know About Cybersecurity and Ransomware Prevention, Detection, and Response” (you can access the free webinar here).
 
 

How Does Ransomware Work?

Ransomware is malicious code that’s designed to encrypt files on an infected system or storage device to prevent the owner of the data from accessing it. Cybercriminals demand a ransom in return for a decryption key.
 
Ransomware can infiltrate in various ways. Among the most common are phishing emails containing embedded links and innocent-looking email attachments. Email attachments don’t have to contain ransomware code; once opened or downloaded, they can simply run additional code that instructs the host system to download ransomware code from a website.
 
Think about what this means. Among tens, hundreds, or thousands of employees, it takes just one person, one email, one visit to a malicious website. Once that ransomware code finds a vulnerability in the host environment, it can take over in short order.
 
Now, here’s the really bad news: paying these criminals doesn’t always bring data back. In fact, according to a 2017 study, only 26% of businesses that paid a ransom in 2017 received a decryption key. (Of those organizations that paid, 73% were attacked again.)
 
 

How Can You Protect Your Business and Limit the Fallout?

Every organization needs a three-pronged approach to effectively address the ransomware threat: prevention, detection, and response. You’ll want to begin with proactive measures that lessen your odds of a successful attack and limit your vulnerabilities when ransomware strikes.
 
 
SYSTEMS
  • Limit access to your systems, including local admin access (the principle of least privilege).
  • Ensure your system is patched, along with third-party apps like Adobe and Flash.
  • Secure the system with antivirus, anti-malware, and email security services that block known threats; implement tools that scan incoming emails or flag employee activity on known malicious websites.
  • Invest in good data backups.
  • Evaluate and monitor connections with third-party vendors. Allow access only as required for them to provide services, and only on network segments they need.
 
PEOPLE
  • Instruct employees to report suspected phishing emails.
  • Communicate with employees about current ransomware threats.
  • Test employees periodically with sample phishing emails and unfamiliar attachments to maintain awareness.
 
PLANNING
  • Create an incident response plan, ideally involving IT, legal counsel, internal and client communications, and forensic analysis; test and refine it regularly based on newly identified weaknesses and threats.
  • Invest in cybersecurity insurance, with a full understanding of what’s covered in the event of an attack.
  • Make sure vendor contracts include language requiring vendors to notify you within a short period of time of any attack on their systems. Know how to shut down connectivity quickly in case of attack.
  • Enhance your tech stack. An incident response manager tool will allow you to see how/where you’ve been compromised, act fast, and minimize the impact of a ransomware attack; a file integrity management solution can tell you whether any changes made were authorized by your existing change management system.
  • Make sure you have access to enough Bitcoin in case paying ransom is your only option; you might want to establish a Bitcoin account expressly for this purpose.
 
EMERGENCY RESPONSE
  • Check with law enforcement to determine your odds of recovering data. Depending on the type of ransomware deployed, you might be able to get a decryption key from the FBI’s database.
  • Perform a system analysis to determine what communications went outbound and what specific actions were taken on the system. These details will help you determine what gaps in your security stack need fixing.
 

Want to Learn More About Ransomware Preparedness?

If this post left you with more questions than you had before, you’ll want to tune into our recent webinar, “Be Smart, Take Charge: What You Need to Know About Cybersecurity and Ransomware Prevention, Detection, and Response.” You’ll learn more details about the ransomware threat and come away with more resources and specific tips you can use to better secure your systems and develop a thorough, effective response plan.
 
Don’t wait till ransomware strikes to understand what you’re up against and fortify your business. Access the free recording here, and start taking steps to minimize the threat.
 
 
 
 
 

Disclaimer: Ontario Systems is a technology company and provides this blog article solely for general informational and marketing purposes. You should not rely on the content of this material for any other purpose or as specific guidance for your company. Ontario Systems’ advice, services, tools and products described herein do not guarantee compliance with any law or industry standard. You are ultimately responsible for your own company’s actions and compliance efforts. Because everyone’s situation is different, you must consult your own attorneys, accountants, and/or other advisors to obtain specific advice on your company’s compliance, legal, tax, regulatory and/or other business needs. Despite Ontario Systems’ efforts to provide current and up-to-date information, you need to recognize that the information contained herein may become outdated quickly and may contain errors and/or other inaccuracies.

© 2019 Ontario Systems, LLC. All rights reserved. Information contained in this document is subject to change. Reproduction of this publication is not permitted without the express permission of Ontario Systems, LLC.


For Leading Collection Agency, Ontario Reports™ Offers Simpler, More Sophisticated Reporting

Asset Recovery Group (ARG), a premier collection agency with 5.8 million account records and a growing client base, was struggling to fulfill extensive reporting requirements and glean timely business intelligence from its FACS® database. ARG’s overburdened team needed a better way to build and share reports, but most available solutions were too complex and costly.

Recently, ARG discovered Ontario Reports™, an intuitive reporting tool that integrates seamlessly with its FACS system (and all Ontario Systems’ core receivables platforms). An easy five-minute installation led to huge gains in efficiency, reporting capabilities, and report quality.


How to Use Email and Text for Collections Without Getting Burned (Part 2)


 
If you read part 1 of this two-part blog series or listened to part 1 of our AccountsRecovery.net webinar “Email Is Hot, Texting Is Hotter: Don’t Be the First to Get Burned,” you might have found some of our comments surprising. Perhaps you left with more questions than you’d had going in. Or you wonder how in the world communicating compliantly via email and text—consistently, day in and day out—is even possible.
 
I understand completely. There’s no shortage of legal requirements and practical issues to wade through, and there’s a lot riding on your communication practices.
 
That’s why I’m here today with part 2. It’s based on my continuing discussion with David Kaminski, chair of the Consumer Financial Services Law Practice at Carlson & Messer LLP in Los Angeles. (Part 2 of the AccountsRecovery.net webinar is available here.)
 
Let’s dive straight into some of the webinar highlights.
 
 

Work Email Addresses and Mobile Numbers: Are They Safe to Use?

If a consumer provides you with a work email address or mobile number, you should tread carefully. These channels may not be fully under the consumer’s control. If the consumer ends his or her employment, he or she could miss important communications. If a current or previous employer monitors or accesses email or text messages, you run the risk of third-party disclosure.
 
Here’s what David and I recommend:
 
  • Always ask consumers for personal contact information. Your best bet, legally speaking, is to minimize the number of work accounts your organization uses for collection-related communications.
  • Get consumers to agree to notify you if their employment status changes. If your terms and conditions are detailed enough, and the consumer assumes responsibility for keeping you informed, you’ll have done your part to ensure the integrity of the collections process. This will afford a good measure of protection in the event of a legal claim.
 
“So if that consumer had given you consent . . . but now you’ve added in the additional wrinkle of the fact that the person has left the office. She’s no longer there, but they’re monitoring her email. They open the email, and therefore the company gets the . . . analytic results saying, ‘I sent my 1692g notice.’ [ . . . ] Did she receive the notice, or did she not?” – David Kaminski
 
 

Text Messages: Navigating Carrier Demands, Consumer Expectations, and the Law

The Cellular Telephone and Internet Association (CTIA) is a self-regulatory body that represents mobile service providers and other industry organizations. The CTIA has its own messaging principles and best practices, but they’re not legally binding. You can’t be sued for violating them.
 
Still, it’s important to comply with CTIA guidelines so you know your texting practices align with carrier and consumer expectations.
 
  • Use simple, straightforward language. Consumers must fully understand anything they’re signing up to receive. Opt-in mechanisms must be clear, and when consumers unsubscribe, they must receive an acknowledgement of the action.
  • Be careful with abbreviations. Acronyms can’t spell out inflammatory words (I’d call this one a no-brainer).
  • Terms and conditions are essential. By getting a consumer to agree to terms and conditions upfront, you can effectively nullify gaps and inconsistencies between CTIA and Fair Debt Collection Practices Act (FDCPA) requirements.
 

E-Sign: How It Applies, and How to Comply

A consumer’s E-Sign consent gives debt collectors permission to substitute electronic delivery for snail mail delivery of legally required written documents. You don’t need E-Sign consent to email or text a consumer everyday collection-related communications such as paid-in-full statements, responses to balance inquiries, payment receipts, etc.
 
However, you DO need to obtain a consumer’s E-Sign consent before you may deliver legally required written documents and disclosures to the consumer electronically. Examples of legally required written documents and disclosures include post-dated payment reminders, validation notices not provided in initial consumer communications, and copies of Reg E recurring electronic funds transfer authorizations.
 
FACT: Obtaining E-Sign consent is a two-step process.
First, you must inform the consumer of his or her rights. There are several ways to inform consumers of their E-Sign rights:
 
  • During a recorded conversation with the consumer;
  • In an email;
  • In a text message;
  • In a writing;
  • On a website. 
 
Second, you must ask the consumer to demonstrate his or her ability to access the email address or use the mobile number he or she provided you for E-Sign purposes to receive legally required notices and disclosures.
 
The consumer can demonstrate his or her ability by: 1) sending you a text message or keyword using the mobile number they provided you for E-Sign; or 2) replying to an email or text message you sent to the email address or mobile number they provided you in connection with their E-Sign consent.
 
E-Sign consent takes effect only after the consumer has consented to using a particular channel (email or text) AND has demonstrated he or she can use that particular email address or mobile number.
 
FACT: An initial communication that includes the 1692g validation notice DOES NOT trigger the E-Sign requirement.
This is because there is no writing requirement in play for the initial communication. Section 1692g of the Fair Debt Collection Practices Act (FDCPA) makes clear you only need to “send” the consumer the validation notice [in writing] if you DID NOT provide it in the first communication (e.g., in the body of an email or verbally in a phone call) or if the consumer has already paid the debt.
 
Since E-Sign consent is required only for notices and disclosures that must be provided to the consumer in writing as a matter of law, it does not apply to the validation notice provided in the first communication.
 
FACT: A communication subsequent to the initial communication with the consumer DOES trigger the E-Sign requirement.
This is because the FDCPA imposes a writing requirement on a validation notice if it’s provided in a communication subsequent to the initial communication.
 
For example, if your first communication with the consumer was a text or phone call and you did not include the 1692g validation notice in that communication, you must send the consumer the validation notice within five days of that communication. In this context, the word “send” means by first class or certified mail with return receipt requested.
 
If you would prefer to email or text the written validation notice to the consumer, you may substitute the U.S. Postal Service mail delivery method with a digital delivery method if you first obtain the consumer’s E-Sign consent to do so.
 
Just remember: if you have an initial communication with the consumer that did not include the validation notice, you would be legally required to obtain E-Sign consent within the five-day window and electronically deliver the validation notice or link to the validation notice within the same five-day window.
 
If you fail to obtain the E-Sign consent, the validation notice is not opened, or the link to the validation notice in the email is not clicked within the five days of that initial communication, you must send the validation notice to the consumer using first class U.S. Postal Service mail delivery.
 
TIP: To obtain proper E-Sign consent, provide detailed information and terms and ask for a response.
To obtain E-Sign consent properly, you’ll need to specify, among other things, the scope of consent (e.g., all active accounts now and in the future), the option to withdraw at any time, hardware and software requirements, whether any fees apply, instructions for obtaining paper disclosures, how to update contact information, and how to reach an agent.
 
When you send disclosures and terms, request a response (for example, “text YES”) so you can confirm the validity of the email address or mobile number and lock down the consumer’s formal consent.
 
TIP: Always confirm receipt of legally required documents.
There is no mailbox rule for electronic communications. Once you hit “send,” be sure to verify receipt via analytics. You can ask consumers to verify receipt themselves, but having indisputable proof on your end is essential legal protection for your business. Remember to verify open rates of emails as well as any links you use to provide information to the consumer.
 
“Revocation is that word that I think is so important in this whole context . . . . Anytime someone withdraws consent, whether you believe they did that in the proper manner . . . once that’s communicated, the best and safest course to minimize your risk is to honor that and comply with it.” – David Kaminski
 

Recommended Reading From Our Resource Library

Email and text may seem daunting, but you can implement an omnichannel communications strategy with confidence. It’s easier than you think, especially with compliance-minded tech that streamlines collection operations while safeguarding your business by helping prevent noncompliant communications.
 
If you’re eager to distinguish your service and strengthen your market position via consumer-friendly electronic communications, here are a few resources we recommend for further reading:
 
 
 


ARM Industry Leaders, Why Aren’t You Texting?


This is the first post in a new blog series highlighting the importance of text messaging for debt collections and what ARM businesses need to stay compliant. Text messaging for debt collections might seem like a bridge too far. But it’s entirely within reach today....

How to Use Email and Text for Collections Without Getting Burned (Part 1)


Is communicating via email and text still a pipe dream for your collection operations? If so, you might want to settle in and keep reading. It really isn’t as scary as you might expect.
 
Despite the high costs and marginal returns of relying on phone calls and printed letters, many ARM agencies and healthcare providers have yet to embrace email and text. Widespread confusion and uncertainty about various state and federal requirements (including the proposed CFPB rules and E-Sign) can make digital communication an intolerable compliance risk.
 
I recently had the pleasure of discussing email and text compliance standards as well as their practical implications for businesses with David Kaminski, chair of the Consumer Financial Services Law Practice at Carlson & Messer LLP in Los Angeles. Although we weren’t in a position to offer legal advice, our goal was to help listeners better understand the laws governing electronic channels so they can move forward with greater confidence.
 
Here are a few of the topics David and I covered in detail during part 1 of our two-part AccountsRecovery.net webinar, “Email Is Hot, Texting Is Hotter: Don’t Be the First to Get Burned.”
 
 

Legally Speaking, Emails are Considered Writings

Emails are writings. If sent to a consumer by a third-party debt collector, emails must comply with the Fair Debt Collection Practices Act (or FDCPA). If the email communication pertains to healthcare debt, the Health Insurance Portability and Accountability Act (HIPAA) applies.
 
Emails trigger compliance with the CAN SPAM Act as well, meaning they must (among the law’s other requirements) include an opt out or unsubscribe provision. Emails must also include any state-required disclosures and special verbiage requirements.
 
There is no legal requirement per se to obtain the consumer’s consent to email. This means third-party collection agencies may rely on client-provided email addresses. Just remember to include the required opt out/unsubscribe language in the body of every consumer-facing email and, as a routine practice, ask consumers to confirm their consent for you to email the particular address.
 
Whether you’re sending legally required documents via email or text, you’ll need E-Sign consent (more on that below).
 
 

Legally Speaking, Text Messages are Considered Calls

Text messages are calls. As such, texts must comply with the requirements of the Telephone Consumer Protection Act (TCPA). The TCPA requires the “calling” party to obtain the express prior consent of the consumer associated with the mobile phone number.
 
The TCPA is not limited to debt collection calls. In fact, it applies to any person placing a call or text to a consumer using the consumer’s mobile number. As is the case with emails, text messages sent to a consumer by a third-party debt collector must comply with the FDCPA.
 
Text messages initiated by a third-party debt collection agency are subject to call restrictions and auto dialer rules, and frequency of delivery can run afoul of state harassment laws and FDCPA laws. If you don’t have TCPA-mandated consent, you may be subject to legal action. Even prior verbal consent is fine, as long as you record it for legal purposes.
 
Mobile numbers are often reassigned, so consider the source of the number you’re using and the currency of the information to gauge the risk of third-party disclosure. Certain technologies can determine whether a mobile number has been deactivated or ported and, if so, block any further text communications.
 
As a practical matter, both emails and text messages may contain links to secure URLs and must encrypt data at rest and in transit.
 
 
“People think, ‘If I’m sending an email, I’m not really bothering anybody, they can get an email anytime.’ Although Federal and state call time restrictions do not apply to emails, excessive emailing could be viewed as harassment and cause the agency to be blacklisted.” – David Kaminski
 

When and How Does E-Sign Apply?

Informal consent and formal consent (E-Sign) come into play at different times, depending on the nature of the communication. Informal consent relates to getting the consumer’s permission to use email or text to relay basic information—payment receipts, account balance, verifying a payment plan, etc. Formal consent, or E-Sign, is needed for all legally required notices.
 
For an initial communication—which you would use to introduce your organization and purpose, confirm you’re dealing with the correct person, and secure permission to use that channel—E-Sign is not needed. You’re free to send your 1692g notice in that first communication. But for validation notices and other legally required documents not included in the initial communication (a post-dated payment notice, for example), E-Sign is a must.
 
“E-Sign has been an enigma for so many of you. Everyone has come up to me and said, ‘What is this E-Sign? I don’t really understand it. People throw it around like a frisbee.’ Rozanne and I are going to really lay out what it is, what it means, what you need to be concerned about, and how to launch your program.” – David Kaminski
 
 

What Should Collectors Consider When Crafting Emails and Texts?

You’ll need to think carefully about how emails and texts are worded and what they will include. Even the most (seemingly) minor details can mean the difference between a positive, productive interaction and a costly legal challenge.
 
For emails, you’ll want to include your true name in the “From” field (an attorney might advise you to use a DBA), keep subject lines simple and professional (e.g., “Your [Creditor Name] Account,” “Your Payment Date”), and avoid any verbiage that might trigger a spam filter.
 
Text messages must include certain disclosures as required by the Cellular Telephone and Internet Association (CTIA). Short codes can be used in text messages to allow consumers self-service options such as accessing account information, making payments, and communicating with you. Avoid using words that could be confusing, misleading, or inflammatory. If you don’t have prior written consent, including any type of marketing or solicitation in a text message can land you in hot water.
 
“Just be careful when you’re rolling out the language that you’re going to be using in your text messages to consumers. Make sure you’re not using something that will mislead, misrepresent, or potentially even harass the consumer, especially when you’re looking at federal and state laws.” – David Kaminski
 
 

Coming Up: Creating the Right Setup for Compliant Emails and Texts

In the second half of this blog series, I’ll recap the rest of my discussion with David about emails and texts—particularly when it comes to technology and what you’ll need to launch a program you can trust. Stay tuned for more actionable insights from our two-part webinar, “Email Is Hot, Texting Is Hotter: Don’t Be the First to Get Burned.”
 

 


Data Privacy and Security: What’s Next for Debt Collectors?


Data privacy and data security are two very hot topics in the ARM industry today. The California Consumer Privacy Act (CCPA) is set to take effect in January 2020, with additional privacy bills now pending in at least 25 states. Meanwhile, cyber crimes involving consumers’ personal data are growing in number, size, and sophistication.

While ARM business leaders are rightly focused on these issues, many are uncertain about the true nature and extent of their compliance and security risks. They’re also not sure how to manage these risks effectively.
 
Recently, I had the privilege of joining two distinguished industry colleagues for a panel discussion about data privacy and security: Odia Kagan, partner and chair of the GDPR Compliance and International Privacy division at Fox Rothschild LLP; and Ben Johnson, director of risk management for Cornerstone Support.
 
Here are some, but not all, of the major issues and topics we addressed (you can access the full webinar here).
 
 

Data privacy: Understanding and Preparing for the CCPA

The CCPA applies to any business or service provider that collects personal data, determines the purpose and means of data use, or controls or is controlled by such a company.
 
Starting January 1, 2020, the CCPA will grant California residents certain rights pertaining to personal data collected since January 2019 (a 12-month look-back window). Residents will be able to file claims for data access or deletion or for an opt out. Companies subject to the CCPA will have 45 days to respond.
 
Types and uses of data covered under the law run the gamut. Personal data can include everything from Social Security numbers and birth dates to lead generation activity, online browsing history, and interactions with mobile apps.
 
 
“Information like name, email address, collections history, purchase history, payment history, and determinations that you make off this (this person is likely to pay on time, they’re not likely to pay on time)—all of those things were not considered personal information in the traditional sense under U.S. law. That all has changed.” – Odia Kagan
 
Your business may be in scope if you do business in California and meet the minimum business thresholds listed below.
 
For purposes of CCPA compliance, doing business in California means:
 
  • Your headquarters are in California;
  • Your employees are in California;
  • Your company is incorporated in California;
  • Your company satisfies the definition of a California foreign entity; or
  • You conduct out-of-state sales or transactions into California.

 

Minimum business thresholds are defined as:

 

  • You conduct business activities in California and your annual revenues exceed $25 million;
  • You’re involved with personal data of more than 50,000 consumers, households, or devices (this could even include unique blog visitors); or
  • Sales of personal information—including value acquired from its use (via data analytics, for example)—accounts for at least 50% of your annual revenues.
 
To better understand how CCPA might affect your business and to prepare for its impact, you’ll want to take the six important steps Odia outlined in detail:
 
  • Map your data flows and processes
  • Determine your role under the law (independent business, service provider, or vendor)
  • Look carefully at legal purpose as well as GLBA and FCRA exemptions and whether they apply
  • Determine how you’ll comply with consumer requests within the required 45-day window
  • Reevaluate your internal processes
  • Plan for CCPA disclosure
 
 
“So it’s basically looking at processes, looking at the information, seeing how [you] get to it, how [you] can produce it. Then the other question is, ‘Once I know how to collect all of this information, how do I provide the disclosure that CCPA requires me to provide along with all the information I am giving?’” – Odia Kagan
 
 

Data Security: Reducing the Risk and Impact of Cyber Crime

As Ben reminded us, cyber crime has been called “the greatest transfer of wealth in history.” The exchange of consumer data via ID theft, phishing, hacking, etc. has been compared with the global drug trade and is estimated to be worth as much as a trillion dollars per year.
 
Guarding against breaches and developing a breach response plan are essential for managing risk and minimizing disruption, financial losses, and potential harm to client relationships.
 
 
Have a specific plan in place
In a security breach “fire drill,” you should know whom to call and what steps to take. Ben recommends, among other things, a cyber liability insurance policy (with full limit breach notification response), an established reporting process, and discussions with a claim adjuster and legal counsel. A breach response should also include forensic analysis to assess the source and extent of the damage.
 
 
“Some of you saw there was a high-profile breach in the collection space earlier this year. One of the things that came out . . . was that maybe they took a little bit longer to get a plan in place and respond. And so at times, that can make the cost even greater or the damage even greater.” – Ben Johnson
 
 
Monitor operations in real time
Many companies enlist a dedicated third-party provider to monitor operations and flag any security weaknesses and unusual activity. Identifying problems early on will allow you to limit or compartmentalize the damage.
 
 
Change the way you store old data
Many high-profile breaches have involved personal information that dates back 10 or more years. Storing too many old records is a serious potential liability. By encrypting older files and offloading them to an external (ideally cloud-based) server, you can effectively make the data worthless to hackers and avoid triggering notification responses.
 
 
“[Data] almost was seen as a . . . valuable asset—to have all this data, all of this knowledge, all of this experience. And secondly, data storage is relatively cheap. So another year goes by, another million records go on the server. [ . . . ] I think as an industry, collectively, we’ve really got to start sharing best practices, talking about what we’re doing to get old files offloaded.” – Ben Johnson
 
 

For More Answers and Advice, Catch the Complete Webinar

During our panel discussion, Odia and Ben covered a lot of territory. They offered detailed insights on the above topics and raised a number of other issues ARM business owners need to consider. “Straight Talk About Privacy, Security, and Cyber Liability for Debt Collectors” is one webinar you won’t want to miss. Download and view it today.
 

 

Disclaimer: Ontario Systems is a technology company and provides this blog article solely for general informational and marketing purposes. You should not rely on the content of this material for any other purpose or as specific guidance for your company. Ontario Systems’ advice, services, tools and products described herein do not guarantee compliance with any law or industry standard. You are ultimately responsible for your own company’s actions and compliance efforts. Because everyone’s situation is different, you must consult your own attorneys, accountants, and/or other advisors to obtain specific advice on your company’s compliance, legal, tax, regulatory and/or other business needs. Despite Ontario Systems’ efforts to provide current and up-to-date information, you need to recognize that the information contained herein may become outdated quickly and may contain errors and/or other inaccuracies.

© 2019 Ontario Systems, LLC. All rights reserved. Information contained in this document is subject to change. Reproduction of this publication is not permitted without the express permission of Ontario Systems, LLC.

ARM Industry Leaders, Why Aren’t You Texting?

This is the first post in a new blog series highlighting the importance of text messaging for debt collections and what ARM businesses need to stay compliant.   Text messaging for debt collections might seem like a bridge too far. But it’s entirely within reach today....

CFPB Proposed Rules: 6 Debt Collection Practices Consumers Hope to Prevent

The ARM industry and consumers see the CFPB’s proposed rules through very different lenses. Collection agencies are trying to get ahead of what may be the final rules so they’re ready to comply, while consumers are demanding clear, unequivocal protection from potential harassment and abuse.
 
Despite the CFPB’s best intentions and the commendable work it has done, its interpretation of the Fair Debt Collection Practices Act (FDCPA) isn’t exactly as either group had hoped.
 
For agencies, there are still open questions about how and when they can communicate with consumers across multiple channels without triggering complaints and legal action. For consumer advocates, the rules provide little reassurance and, if anything, give them new reasons to worry.
 
 
Consumer expectations alone do not create new legal requirements under the law, but creditors expect the agencies they enlist to treat consumers fairly.
 
For ARM businesses looking to become customer service and industry leaders, understanding how consumers view the proposed CFPB rules and why should be of utmost importance.
 
 
I recently sat down with my longtime friend Margot Saunders, senior counsel for the National Consumer Law Center and a former managing attorney for the NCLC office in Washington, D.C. We shared our perspectives on the CFPB’s proposed rules, and Margot raised a number of issues she believes the rules fail to address or, in some cases, create on their own.
 
 
 

1.  Confusion Over the Need for E-Sign Consent for All “Required Disclosures”

Consumers do not oppose the use of electronic delivery of written communications per se, but they do expect E-Sign to be followed, particularly when it comes to the electronic delivery of required disclosures.
 
This is a big point of contention for consumer advocates, who argue that sending writings to an email address previously used without having to verify consent or receipt of the message is wildly unfair. They hope the CFPB addresses the apparent E-Sign loophole that allows collectors to choose whether to comply, even when emailing validation notices.
 
 
“The new rules should not deviate from the statutory requirements of E-Sign. Regardless of what the statute says, you always must make sure that validation notice is sent either in paper form by snail mail or by email after receiving some kind of E-Sign consent from the consumer.” – Margot Saunders
 
 

2.  Excessive Calling, Unlimited Texting

The proposed rules allow for a high number of calls, as call caps are per debt (not per consumer), and there is no limit to the number of texts an agency can send. The rules appear to grant ARM businesses safe harbor from legal claims as long as they don’t exceed call caps—even if they place dozens of calls per week to a single consumer. To Margot and others, the CFPB has failed consumers in this regard.
 
 
“The rule does permit consumers to say, ‘Stop calling or stop texting or stop communicating with me via any particular medium,’ and we think that’s good. We’re a little disappointed there’s not some requirement to tell consumers they have that right.” – Margot Saunders
 
 

3.  Sending Emails and Hyperlinks Without Taking Internet Access Into Account

Millions of families access the internet only through their smartphones and have limited Wi-Fi access. For consumer advocates, this raises concerns about whether emails are received, hyperlinks are accessible, and information can be read on a small screen.
 
Consumer advocates believe the proposed rules effectively treat a lack of response to an email as consent, which Margot calls “an absurd proposal,” since emails are presumed received when they may not be.
 
 
“Tricking the consumer into paying something or having to respond to a garnishment notice because they missed all the prior notices isn’t good policy.” – Margot Saunders
 
 

4.  Texting for Non-Writing Communications

Consumer advocates fear collectors will send texts, and communicate back and forth, without knowing whether they’re engaging the right consumer. If the wrong consumer responds with a request to verify the debt, collectors may reveal personal or account-related information and violate consumers’ privacy.
 
 
“We’re proposing in our comments that for the original communication . . . texts comply with the reassigned number database to ensure they are actually dealing with [the right consumer].” – Margot Saunders
 
 

5.  Sending Limited Content Messages

The concept of a limited content message—a voicemail message, for example, or even a message left with a live person—is, to Margot and others, “nonsense.” Not only do consumer groups believe these messages go far outside of legal bounds, but they wonder why voicemails are even necessary in an age of smartphones and electronic communications.
 
 
“In my opinion, and the opinion of my colleagues and a lot of other people, there is no statutory authority for the Bureau to authorize communication that is not covered under the rules for all communications.” – Margot Saunders
 
 

6.  Threatening to Sue to Recover Out-of-Statute Debts

There is a possibility under the proposed rules that consumers could be persuaded to revive an old debt and then be threatened with a lawsuit (despite existing laws against such behavior), as the proposed CFPB rules don’t require agencies to notify consumers of their rights/risks related to out-of-statute debt. In addition, consumers would have a hard time proving that a years-old debt had, in fact, been paid off.
 
 
“We think it’s very hard to imagine why the new rules do not contemplate a disclosure that appropriately apprises the least sophisticated consumer of the risks of paying an out-of-statute debt. This proposed rule goes backwards in allowing threats of litigation or actual litigation.” – Margot Saunders
 
 

Tune in to Hear Both Perspectives

During my conversation with Margot, I shared my own legal and practical interpretations. At times, we engaged in a healthy debate. But Margot and I were in complete agreement that agencies must protect consumers from unfair practices. Where clear boundaries and directives are lacking, we’re both actively advocating for change.
 
If you want to better understand what consumers expect, and reevaluate your communications strategy in that light, I encourage you to take a listen to this informative discussion. You can download the free webinar here.
 

 

An All-In-One Solution

What does it take to communicate with consumers on their terms, comply with changing rules, and keep operating costs low? Cloud-based contact management, fully integrated and automated, holds the key. Learn more about the all-in-one platform that can transform daily operations, customer service, and collection results.

Beyond Integration: How to Compete to Win in the ARM Market

This is the final post in our OS blog 2.0 series highlighting the “ARM ecosystem”—what it is, how it works, and how ARM businesses can benefit by adopting this approach.

 

With its dense maze of business, legal, and market challenges, the ARM industry is a tough one to navigate. Pitfalls, risks, and hidden opportunities abound. It’s hard to see a clear path forward, let alone pursue bold growth strategies.

 

Nevertheless, you can’t afford to sit still. Your survival depends on it. You must become faster, leaner, and stronger to outmaneuver your competitors. You know technology is key, and you continue to invest accordingly.

 

Yet your business struggles persist, and still, no evolutionary leap. If anything, “innovation” seems to be holding you back.

 

We’ve written about the classic ARM integration model and its practical implications for businesses. For each new point solution added to the tech stack, a custom interface must be created. With every required fix or update, disparate technologies must be realigned. It’s an unwieldy, gap-ridden arrangement that keeps IT personnel and collection agents from contributing more valuably.

 

Meanwhile, as IT burdens and costs eat away at the bottom line, leadership teams hold out hope for elusive gains in operational efficiency, compliance management, and revenue recovery.

 

This is no way to compete in the ARM market.

 

If you want to compete to win, you need an entirely different approach to innovation—one that drastically simplifies collections and drives business results naturally.

 

How an ARM Ecosystem Enables Consumer- and Compliance-Friendly Collections

In an ARM ecosystem, all parts are designed from their inception to work together seamlessly. They’re governed by the same brain, and they operate from a single shared database and interface. Every part of the ecosystem responds to any change or event, no matter where in the system it occurs. A built-in software development toolkit allows businesses to add fields, workflows, and other customizations as needed without disrupting or disabling the ecosystem environment.

As accounts are automatically guided through the collection process, the ecosystem accounts for and helps enforce business and compliance rules governing both consumer communications and account records. Without the data and functionality gaps inherent in the classic bolt-on integration model, there’s less room for human error. Collection teams have the real-time visibility they need to manage and prioritize accounts with ease.

 

Think of an ARM ecosystem as a brand new car, straight from the manufacturer. All system components are designed to operate in sync. When a hands-free call comes in, the radio volume drops and the climate control system automatically adjusts itself. This allows the driver to do his or her job with less effort, greater control, and enhanced safety. When maintenance and upgrades are needed, the dealer can easily complete those tasks to ensure peak operating efficiency and performance.

 

 

5 Ways the ARM Ecosystem Can Help You Compete to Win

Introducing an ARM ecosystem will change the way you operate. It could just as easily change the trajectory of your business. Here are five major advantages you stand to gain.

 

Simplicity

A unified, single-vendor, easily maintained ARM ecosystem will free your IT personnel to devote more of their time to high-value initiatives. It will also mean less effort for your collectors, who would otherwise need to switch between platforms and reconcile data sets. In addition, your team will be able to access and leverage data and analytics with incredible ease and speed.

Control
Real-time insight and oversight will allow you to identify and redirect focus to more profitable accounts and make informed business decisions. With a better handle on your operation, you’ll be well positioned to maximize efficiency and boost your agents’ productivity and collection results.

 

Freedom
The ecosystem’s embedded compliance module will act as a protective shield for your business, making it tough for agents to communicate in noncompliant ways. As your compliance fears fade, you’ll be free to continue innovating, expanding options for consumers, and making the debt recovery process even more profitable.

 

Power
Business rules respond in real time to account activity across the ecosystem. As your business becomes leaner, nimbler, more flexible, and more effective, you can act quickly in pursuit of your business objectives and adapt easily as market conditions change.

 

Dominance
An ARM ecosystem drives major changes: improved recovery rates, lower operating costs, and easier, more effective compliance management. Better business results will strengthen your top and bottom line, make you more valuable to your clients, and position you to compete at a higher level.

 

With a Simpler Tech Model, You’ll Have What It Takes to Win

For decades, we’ve partnered with ARM businesses to help them overcome barriers to their success. We’ve seen how the classic ARM integration model can work against long-term business goals. We designed the ARM ecosystem to be a simpler, more powerful approach to innovation and an industry-leading solution that can supercharge the collection cycle.

 

If you’d like to learn more about the ARM ecosystem—how it transforms collections and the value it can unlock for your agency—you can find it all in our complimentary eBook “The ARM Ecosystem: Advancing Beyond Integration.” Download your free copy today.

 

 

For more insights and tips you can use to accelerate your success in the ARM market, subscribe to the OS blog. We’ll deliver high-value content straight to your inbox.

 

Boost collections. Lower costs. Close compliance gaps.

Your approach to innovation may be hindering your success. Download “The ARM Ecosystem: Advancing Beyond Integration” and learn what a holistic, seamless collections operation can do for you.

© 2020 Ontario Systems, LLC. All rights reserved. Information contained in this document is subject to change. Reproduction of this publication is not permitted without the express permission of Ontario Systems, LLC.

Collection Policies and Procedures: 4 Tips for Managing Risk on the Front Line

In the accounts receivable management (ARM) industry, policies and procedures aren’t just helpful to have. They’re critical protection for collection agencies, whose compliance risks are myriad and ever changing. Policies and procedures are of little use, however, if they’re inadequate, outdated, or not consistently followed.
 
When policies and procedures aren’t serving their purpose, ARM companies face all sorts of potential blowback. In addition to loss of business, worst-case scenarios can include regulatory fines, CFPB audits, civil investigation demands, and litigation.
 
As an ARM business leader, how can you ensure your policies and procedures are effective and your collectors are following them to the letter?
 
In a recent group discussion hosted by Mike Gibb at AccountsRecovery.net, I joined two of my industry peers—Alicia McKeighan, Chief Compliance Officer at Afni; and Paige Tortorich, Internal Audit Manager at ERC—to tackle this question in some detail (you can access the webinar here). Below, I’ve highlighted four major areas we believe collection agencies should focus on in their efforts to manage compliance risk day to day.
 
 
 

1. Prioritize Monitoring, Reviews, and Updates

A culture of compliance, where all stakeholders are on board and on the same page, is essential for mitigating compliance risk. Senior leadership, compliance officers, operations leaders, and collection agents all bear responsibility for developing, fine-tuning, and executing policies and procedures consistently and effectively.
 
To build a culture of compliance, you must establish processes and schedules for measuring and improving your policies and procedures—both their effectiveness (how well they’re working on the front line) and their relevance (whether they align with current laws and regulations). For smaller agencies with limited resources, it may be worth bringing in a third party to help with monitoring and auditing rules.
 
Policies, which should clearly outline what’s acceptable and what isn’t, should be reviewed annually. Changes should happen only as a result of changes in the law or newly identified litigation risks, and then only after a thoughtful review and risk analysis.
 
Procedures, or the steps employees must take to comply with existing policies, are more fluid. They can be changed as needed to improve their effectiveness or when new technologies or other initiatives alter workflows. Agents should be encouraged to weigh in with suggestions, so they stay engaged and understand the important role they play in managing compliance. When feedback can’t be acted on (as agents don’t always have the full context for a given procedure), agents should always understand the reason(s) why.
 
Ground Level: Compliance Gap Assessments
Compliance gap assessments are designed to ensure compliance with policies and procedures on the front line and throughout the organization. Payment processing, reporting structure, organization, compliance management, and other aspects of your operation should be audited regularly—by someone not in operations, per the CFPB—with the frequency of audits determined by the degree of risk posed by noncompliance.
 
From 30,000 Feet: Annual Risk Assessments
Annual risk assessments should include a detailed review of existing policies and procedures to determine whether any need updating to better fit the current legal landscape. An annual risk assessment might also point to the need for training updates, additional controls, or additional auditing and/or monitoring.
 
Who should be responsible for writing/revising policies and procedures?
Stakeholders across the organization, including but not limited to the chief compliance officer, should be involved in the process of writing and revising policies and procedures.
 
If your operations managers are too busy to update policies and procedures, you could:
 
  • Enlist a dedicated document specialist.
  • Have a mediation auditor meet with managers to write procedural changes and get approvals on the spot.
  • Use fill-in-the-blank templates.
Any of these approaches would streamline the process and allow managers to focus more on managing agents’ performance.
 
What if you’ve let assessments slide, or you’ve never had a formal program in place?
If you’re not conducting compliance gap assessments on a regular basis, now is the time to get back on track. Create a schedule and hold yourself accountable. Start by auditing your top three highest-risk items, fine-tune that process, add further audits and monitoring controls every 6-12 months, and continue building out the program from there.
 
You’ll also want to review your procedures for accuracy. Make sure everyone can easily access them—ideally, in electronic form (see tip #2). Conduct refresher training with your agents and/or members of other departments, and ask questions to test their knowledge.
 
Exception reporting is critical to managing compliance. You need to be sure your controls are in place and working properly. An exception report might be triggered when:
 
  • An agent took a call, but no notes are listed.
  • An agent took a payment but didn’t get a correct address.
  • An agent added a credit card or Social Security number to the notes.
When a procedural violation occurs and correction is needed, operations should be notified right away (automatic notifications are preferable; see tip #4). It’s important to determine whether any trending issues relate to flawed procedures or the need for refresher or updated training.
 
 
 

2. Make Policies and Procedures Easily Accessible

For many people, the words “policy” and “procedure” bring to mind dusty manuals sitting on a shelf. But reliance on paper isn’t just old-fashioned; it leaves businesses vulnerable. Outdated and/or multiple document versions floating around the office, coupled with inadequate oversight and control, sows confusion and heightens risk.
 
More and more ARM businesses are moving toward centralized cloud storage platforms such as SharePoint to ensure internal documents are valid, secure, and easy to use, all of which are key to making sure policies and procedures are appropriate and effective. SharePoint offers version controls, prevents unauthorized changes, and allows employees instant access.
 
Once policies and procedures are reviewed and approved by compliance, they can be uploaded to SharePoint for all employees to view and search by keyword. Changes can be made from across the organization, and compliance is notified in real time so they can review the changes right away. All changes are documented for easy reference.
 
To train your team on SharePoint, check out LinkedIn Learning (formerly Lynda.com), which offers outstanding SharePoint tutorials.
 
 
 

3. Have a Formal System in Place for Reporting and Addressing Issues

In an ideal collections environment, nonconformities can be reported through multiple channels—directly to management, directly to compliance, or even through an anonymous voice portal. If you give employees multiple options, you’ll have more opportunities to research and respond to problems as they occur and to better protect your business.
 
If the issue being reported is a one-off occurrence requiring individual remediation, coaching and training should be specific and timely. It’s important to document your response; if the same individual makes the same error repeatedly, termination may be in order.
 
If the nonconformity is more widespread, you should make remediation via formal group training your top priority. Otherwise, you could see an avalanche of new infractions.
 
Remediation of compliance risk should be a closed-loop process that’s thoroughly documented and reported to your agency’s highest governing body. You can track all remediations by client and save audits and client Master Service Agreements (MSA) through SharePoint’s vendor management program.
 
Finally, you’ll need to evaluate corrective action on a regular basis. If an action isn’t getting results, make any necessary adjustments in accordance with current employment law.
 
 
 

4. Equip Your Team to Manage Compliance Effectively

Managing risk on the front line is easiest and most effective when it’s enabled by a robust, fully integrated compliance management system (CMS) with automated auditing and monitoring controls.
 
If you’re a smaller agency without a CMS in place, the CFPB website outlines everything the bureau might look for in your organization and what your CMS must include.
 
Here’s how tech-empowered ARM agencies manage risk with ease:
 
  • The board and director provide continual oversight, review assessment and risk review findings, and revisit policies and procedures on a regular basis.
  • Collectors receive timely feedback on their calls.
  • Operations leaders are instantly notified of exceptions related to call frequency limitations, allowable call times, calls made to cell phones without express consent, etc., with speech analytics helping to identify other types of nonconformities.
  • Complaint management and dispute tracking occur automatically.
  • IT teams are notified of systemic nonconformities and readily respond with any necessary changes.
When all these parts work together as a whole on a daily basis, fewer infractions go unnoticed. Potential problems are more easily prevented. A culture of compliance takes root, and a more compliant, efficient, profitable collections operation naturally results.

 

 

How Do Consumers View the CFPB's Proposed Rules?

Consumer advocates and the credit and collection industry are at opposing ends of the spectrum when assessing the CFPB’s proposed debt collection rule. But now, the industry can hear one of the leading consumer advocates share her perspectives.

In a recent webinar, hosted by AccountsRecovery.net, Margot Saunders, senior counsel at the National Consumer Law Center, and Rozanne Andersen, VP and chief compliance officer at Ontario Systems, discuss the CFPB’s proposed debt collection rule from opposite sides of the issue.

How to Maximize Your Account Reps’ Collection Efforts

This is the third of four posts in our OS blog 2.0 series highlighting the “ARM ecosystem”—what it is, how it works, and how ARM businesses can benefit by adopting this approach.

 

In the collections business, as in all industries, time is money. Time well spent is profitable; wasted time is a revenue drain. Inside many ARM companies, a great deal of time is inadvertently and needlessly wasted on the front line.

Many account reps simply aren’t equipped to work as efficiently and productively as they could. They can’t make informed decisions. They chase low-value accounts, spend too much time on a single account, or use the wrong channels. Team leaders can’t properly evaluate workflow processes or manage agents’ performance effectively, as the bulk of the data they have resides with various point solution vendors and isn’t tied to other solutions or the primary workflow.

In other words, it’s an activity-rich, data-poor operation—and a drag on the top and bottom line.

This scenario continues to play out in even the most high-tech environments. Best-of-breed point solutions, which are designed to make account reps more effective and more valuable in their roles, can’t compensate for the visibility gaps that keep collection teams in the dark and limit their performance.

In our previous post in the ARM ecosystem series, we explored three ways integration is failing ARM businesses. Today, we’re going to zero in on how the typical ARM tech stack fails the front line—and how you can empower your agents to recover more revenue.

 

Give Your Team What They Need Most: Insight and Control

If you’ve invested heavily in point solutions to streamline collections but you’re not seeing a big uptick in results, your problem isn’t necessarily functionality. It’s a lack of insight and oversight. Your team is forced to make do without the very things they need to perform at a high level—i.e., shared real-time data and a greater degree of control as accounts make their way through the collections cycle.

Now, imagine moving beyond integration to an ARM ecosystem—a holistic tech environment in which all tools are designed to fit and work together—and eliminating the visibility gaps that are hampering your agents and your organization.

With accurate, timely data and pre-defined workflows, your agents don’t have to guess where to focus their efforts. Ecosystem data helps team leaders identify high-priority accounts and determine who should be contacted, how, and when. Armed with this information, agents can maximize their time throughout the day.

Agents also enjoy the benefit of accessing account histories from a single application with one login, one window, and no need to jump between tabs, making collection efforts easier and more efficient.

Team leaders have visibility into account activity and rep performance, allowing them to manage the team in ways that drive meaningful, measurable improvements. Meanwhile, you can evaluate and manage workflow processes on an ongoing basis and fine-tune operations with minimal disruption.

 

TAME THE COMPLIANCE BEAST WITH EASE

 

With greater insight and control and the built-in safeguards an ARM ecosystem affords, your agents can communicate in consumer-friendly ways without triggering the usual compliance risks and worries.

 

 

An ARM Ecosystem Can Unleash Your Agents . . . and Your Ability to Compete

Operating from a shared database and interface, all ARM ecosystem collection tools work in symbiotic fashion like various parts of a living organism. Accounts are easy to track and manage as they progress through the system. Unlike the classic integration model, an ARM ecosystem gives account reps the information and tools they need to maximize their time, thus helping advance larger business goals.

You can read more about how the ARM ecosystem works and how it transforms collections in our complimentary eBook, “The ARM Ecosystem: Advancing Beyond Integration.” Download your free copy today.

 

Don’t miss the other posts in our ARM ecosystem series:

 

For more insights and tips you can use to accelerate your success in the ARM market, subscribe to the OS blog. We’ll deliver high-value content straight to your inbox.

 

Boost collections. Lower costs. Close compliance gaps.

Your approach to innovation may be hindering your success. Download “The ARM Ecosystem: Advancing Beyond Integration” and learn what a holistic, seamless collections operation can do for you.

© 2020 Ontario Systems, LLC. All rights reserved. Information contained in this document is subject to change. Reproduction of this publication is not permitted without the express permission of Ontario Systems, LLC.

What the CFPB Rules Mean to You: An Expert Panel Weighs In – Part 2

If you missed Part 1 of “What the CFPB Rules Mean to You,” and you’re concerned about how the proposed rules might affect your operations, I recommend giving it a read. Based on a panel discussion I recently participated in (you can access the webinar here), Part 1 offers a detailed summary of the CFPB’s proposals as well as areas of concern related to call caps, electronic communications, and limited content messages.

This post covers the remainder of our discussion. Following a brief summary of validation notices/required disclosures, I’ll explain the changes and strategies you should consider pursuing long term and what you should be focused on right now.

 

Validation Notices/Required Disclosures

The CFPB’s proposed rules for validation notices and disclosures put some new twists on a number of well-established ARM industry standard operating procedures—and in some cases, with big implications for collection agencies and consumers.

 

Proposed Requirements

For validation notices, collectors will be required to specify the date the debt collector will consider the end date of the validation period. The proposed rule makes clear the validation period begins on the date the debt collector provides the validation information and ends 30 days after the consumer receives, or is assumed to receive, the validation information.

For purposes of determining the end of the validation period, the debt collector may assume that a consumer receives the validation information on any date that is at least five days (excluding legal public holidays, Saturdays, and Sundays) after the debt collector provides it.

Debt itemization must include the Itemization Date. The Itemization Date may be one of four dates for which a debt collector can ascertain the amount of the debt: the last statement date, the charge off date, the last payment date, or the transaction date.

The debt itemization must also include specific information about the debt including but not limited to the collector’s name and mailing address; the consumer’s name and mailing address; the merchant brand, if the debt is a credit card debt; or if it is a consumer financial product or service debt, the name of the creditor to whom the debt was owed on the itemization date; the account number; name of the current creditor; and an itemization of the current amount of the debt in a tabular format reflecting interest, fees, payments, and credits.

Tear-offs at the bottom of validation notices should allow consumers to respond in a variety of ways such as disputing account ownership, requesting validation of the debt or the name of the original creditor, and submitting payments.

 

Lingering Concerns

With some validation notices sent electronically and others mailed to locations with less frequent mail delivery, counting 35 days past the date that notices are sent could lead agencies to inadvertently reach out to consumers before the validation period has ended and deny them a full 30 days to respond.

Debt itemization, particularly the inclusion of exact dates, could pose problems for medical debt collectors due to the insurance payer billing process that precedes provider collections. Inclusion of interest, fees, and costs creates additional difficulties for collectors as well; they would prefer not to mention these additional charges if they don’t apply—or, in a disclaimer, explicitly state that they don’t apply—and be granted safe harbor from frivolous lawsuits.

The CFPB’s proposed tear-off has both consumer groups and collection agencies particularly concerned.

  • Both camps agree that checking a box at the bottom of the form is inadequate, and consumer groups fear tear-offs could confuse consumers who might misunderstand their rights or the time they have to dispute a debt (or worse, get reported to a credit reporting agency before they even realize a debt is in arrears).
  • Designing a compliant tear-off form could be a struggle. With all the consumer response options the CFPB proposes including, there’s little room on the page for required state law disclosures. In some states, agencies are prohibited from placing these disclosures on the reverse side of the form.
  • Most agencies fear their document readers will miss statements handwritten by the consumer and potentially miss important instructions provided by the consumer.

 

“One thing I find interesting about [the CFPB’s] request for validation is they’ve tried to take some liberties with rewriting the validation notice and the mini-Miranda and as I read the FDCPA, there is no required language or specific words that must be used; rather, they are concepts which must be conveyed. [ . . . ] 

I think there are different ways of expressing the same thought that don’t sound like you’re being handcuffed and thrown into a squad car and brought down to the station.”

Michael Kraft, General Counsel, CCS Companies

 

 

Agency Imperatives That Could Complicate Operations

The proposed CFPB rules could have a tremendous impact on ARM businesses, regardless of how they communicate with consumers. Fundamental change may be needed, at least in some respects, to manage compliance day to day.

 

Record retention in the digital era

Under the CFPB’s proposed rules, ARM agencies will need to retain evidence of compliance with the new rules starting on the date the collector begins collection activity on a debt until: 1) three years after the date of the collector’s last communication or attempted communication; or 2) three years after the date the debt is settled, discharged or transferred to the debt owner or to another debt collector.

Retaining three years’ worth of call recordings, letters, text messages, chats, and social media communications—often stored by date and time—could impose a significant burden.

 

Creditor/agency data sharing

Data standards are going to become increasingly important going forward. To be able to effectively manage communication preferences and consents, validation requirements, and consumer and account data, agencies will need to align more closely with creditors than they have in the past. 

 

 

Big Takeaway for ARM Agencies: For Now, ‘Consent Is King’

The CFPB has attempted to interpret compliance with the FDCPA in ways that protect the most vulnerable consumers without unduly burdening or impeding collection agencies. While there are opportunities for greater clarity and refinement within the proposed rules, the experts on the panel are generally pleased with the CFPB’s efforts to balance stakeholder concerns.

The CFPB is also open to safe harbors in certain areas to protect agencies from consumers’ unfair legal claims. The CFPB has reinstated commission letters, for example, thus giving collection agencies the ability to seek the CFPB’s interpretation of FDCPA regulations (which has the force and effect of law unless a court overturns it).

With this new roadmap from the CFPB, agencies may be more open to communicating in ways they’ve avoided in the past. And that’s a good thing for both businesses and consumers.

As we await (and help shape) the final CFPB rules, agencies must look to the letter of the FDCPA, E-Sign, and TCPA. They must prioritize consent and revocation management above all, and make their voices heard before the CFPB and Congress. No need to wait for final rules before adopting electronic communications; with the right systems and tools in place, you can boldly take your business in new directions.

 

 

© 2019 Ontario Systems, LLC. All rights reserved. Information contained in this document is subject to change. Reproduction of this publication is not permitted without the express permission of Ontario Systems, LLC.

An All-In-One Solution

What does it take to communicate with consumers on their terms, comply with changing rules, and keep operating costs low? Cloud-based contact management, fully integrated and automated, holds the key. Learn more about the all-in-one platform that can transform daily operations, customer service, and collection results.

What the CFPB Rules Mean to You: An Expert Panel Weighs In – Part 1

The recently proposed CFPB rules for debt collection have left many in the ARM market scrambling, or at least feeling anxious and uncertain about the future. But take heart: the CFPB recognizes your challenges and concerns. Overall, they’ve done a commendable job outlining limits and safeguards agencies must adopt to comply with the Fair Debt Collection Practices Act (FDCPA) in the digital era.

Even so, those 538 pages raise a fair number of questions. Many ARM leaders, legal experts, industry organizations, and business owners continue to weigh in on collection agencies’ behalf as we near the close of the comment period (September 18, 2019) for the Notice of Proposed Rulemaking (NPRM).

Recently, I sat down with two ARM industry leaders to discuss the NPRM for the CFPB’s proposed rules.

Joining me for the webinar were:

 

Moderating the panel was Mike Bevel, Director of Education for the Compliance Professionals Forum and an editor at insideARM.

Our discussion centered on four major areas addressed by the proposed CFPB rules: call caps, electronic communications, limited content messages, and validation notices/required disclosures. Here’s a brief recap of our discussion (you can access the free webinar recording here).

 

Call Caps

The prospect of call caps, as addressed in the CFPB’s proposed rules, is worrisome for many consumer advocates and ARM agencies. Both camps have expressed confusion and unease about how limits will be defined and applied going forward.

 

Proposed Requirements

Agencies can make up to seven calls per debt before reaching a consumer, including leaving voicemail messages. Once contact is made, only one call can be made per week (with some exceptions, including a consumer’s callback request or a consumer initiating a call). This rule would not supersede state law rules.

While attempting to connect with a consumer using any of the phone numbers on file, the debt collector may take advantage of the seven calls per week restriction on a per-debt basis only if the collector can prove the attempted contact was with respect to a particular debt rather than all the active accounts in its inventory.

 

Lingering Concerns

Agencies with more than one phone number for a consumer might struggle to reach him/her in a timely manner, fearing that dialing within the limits but on multiple accounts could still constitute harassment. In addition, the proposed rules don’t define a “connected call,” leaving debt collectors with more uncertainty.   

Consumers are concerned about the per-debt standard (versus per consumer); an individual with multiple accounts could receive dozens of calls per week. Even so, it’s reasonable to assume agencies would take more care in trying to reach these consumers, and consumers could simply reach out to agencies to put a stop to excessive calls.

Many agencies keep an individual consumer’s accounts completely separate from each other, as required by clients in the financial and healthcare arenas (e.g., credit card accounts, ambulance bill/hospital bill/medical specialist bill). When no one has an overall view of a consumer’s account statuses, building internal controls to ensure compliance and achieve the ideal call frequency could be a Herculean task.

 

Electronic Communications

Since the FDCPA was signed into law in 1977, new communication technologies have introduced new complications for third-party agencies looking to move beyond phone calls and printed letters. For the most part, the proposed CFPB rules regarding email and text messaging offer clear directives regarding consumer consent and consumer privacy.

 

Proposed Requirements

Many agencies shy from email and texting due in part to the risk of unintentionally disclosing consumer debts to third parties. This is a major concern for consumers as well. The CFPB addresses various scenarios related to selecting an email address or mobile number to use for consumer communications.

The proposed rules will provide debt collectors with protection from the unauthorized disclosure of a debt to a third party when engaging in email or text communications so long as specific procedures are maintained regarding the selection and use of a mobile number or email address. The protections afforded debt collectors when communicating with consumers using mobile numbers and email addresses vary depending upon whether the collector uses a number or address the consumer used to initiate communication with the collector; provides the consumer with 30 days’ notice of its intent to use a particular non-work mobile number or non-work email address to communicate with the consumer; or uses a non-work mobile number or non-work email address the consumer recently used to communicate with the creditor or a prior debt collector about the particular debt.

 

Lingering Concerns

When agencies use electronic communications, their responsibility doesn’t end when they hit “send.” They will need to monitor delivery of email and text messages carefully by way of notifications from communication providers. If emails bounce or links aren’t opened, legally required disclosures must be resent through a different channel.

The proposed CFPB rules would allow debt collectors to use digital delivery options for required notices such as the validation notice, verification information, or the name of the original creditor. Specifically, the required disclosures may be included in the body of an email or accessed via a hyperlink that directs consumers to a secure website. Recognizing the risks associated with hyperlink usage and the reluctance on the part of consumers to click on hyperlinks, the proposed rules include conditions that must be met before using a hyperlink to provide a required disclosure.

Consumers fear the prospect of being flooded with emails and texts. They also fear that collection agencies will make it difficult for them to opt out. But these fears may be overblown. Aside from existing laws against harassment and abuse (and the fact that electronic communications are not cost free), agencies will be inclined to limit email use to avoid being shut down by their ISPs due to spam behavior.

 

“We take the position with most things that are consumer oriented, especially when it comes to electronic and alternative communication, that they have expressed a preference at some point that they be communicated with through some means, and to ignore the fact that they have . . . does a disservice to that consumer.”

Michael Kraft, General Counsel, CCS Companies

 

Limited Content Messages

For many years, collectors have been skittish about leaving messages for consumers who can’t be immediately reached. The CFPB has addressed this issue specifically, first by defining limited content messages as attempts to communicate for purposes of the frequency of calls requirements, while at the same time declaring a limited content message to not be a communication in connection with the collection of a debt as that term is defined in the FDCPA.

 

Proposed Requirements

Limited content messages can be relayed via voicemail, text, or live communication with a third party as long as the message contains the following:

  • The consumer’s name;
  • A request that the consumer respond to the message;
  • The name or names of one or more natural persons the consumer can contact;
  • A callback number; and
  • If the message is delivered electronically, a disclosure explaining how the consumer can stop receiving messages through that medium.

 

Limited content messages may not be delivered via email, as an email address would reveal the sender—thus rendering the email an actual communication per the FDCPA.

For prerecorded voicemail messages, agencies should review TCPA regulations and verify appropriate consent (as would be required for auto dialing cell phones).

 

Lingering Concerns

While collection agencies are bound to protect consumer privacy (and consumer groups see limited content messages as obvious debt collection attempts), consumers are increasingly demanding transparency from businesses upfront. They want to know who’s trying to reach them and why. These two imperatives are somewhat in conflict, and the CFPB has yet to find a way to ease the tension.

The CFPB’s proposed natural person requirement might pose problems for larger agencies whose call centers lack the ability to transfer calls to specific agents. One simple fix, if the CFPB sees fit to institute it, would be to require agencies to request that consumers call a particular department and speak to any available agent.

 

“Personally, I don’t find the message as proposed to be super useful to the consumer. I think it sounds shady. I’m not sure who would respond to it—just saying ‘Please call me; this is about an account.’ I think if collectors would simply say, ‘This is about a [specific company] account,’ at least the consumer . . . could make a more educated decision about whether or how to respond.”

Stephanie Eidelman, CEO, insideARM/iA Institute

 

Don’t Miss Part 2 of the Panel Discussion

In my follow-up post, I’ll cover the most important aspects of the CFPB’s proposed rules regarding validation notices/required disclosures. I’ll also share new business imperatives that could require fundamental change, along with the most important takeaway for ARM agencies.

Here on the OS blog, our goal is to provide important, timely insights and actionable tips you can use to minimize risk and improve business outcomes. If you haven’t already, be sure to register for the blog to receive valuable new content right in your inbox. As always, we’ll do our best to keep you informed and up to date.

 

 

© 2019 Ontario Systems, LLC. All rights reserved. Information contained in this document is subject to change. Reproduction of this publication is not permitted without the express permission of Ontario Systems, LLC.

Ready to Text?

For a comprehensive guide to text messaging, check out our “Ready to Text?” eBook. In it, you’ll learn all the nuances, pitfalls, and timely developments you need to understand so you can connect with consumers on their terms. Download your free copy today.

Data Privacy and Security: What’s Next for Debt Collectors?

Data privacy and data security are two very hot topics in the ARM industry today. The California Consumer Privacy Act (CCPA) is set to take effect in January 2020, with additional privacy bills now pending in at least 25 states. Meanwhile, cyber crimes involving...