In the accounts receivable management (ARM) industry, policies and procedures aren’t just helpful to have. They’re critical protection for collection agencies, whose compliance risks are myriad and ever changing. Policies and procedures are of little use, however, if they’re inadequate, outdated, or not consistently followed.
When policies and procedures aren’t serving their purpose, ARM companies face all sorts of potential blowback. In addition to loss of business, worst-case scenarios can include regulatory fines, CFPB audits, civil investigation demands, and litigation.
As an ARM business leader, how can you ensure your policies and procedures are effective and your collectors are following them to the letter?
In a recent group discussion hosted by Mike Gibb at, I joined two of my industry peers—Alicia McKeighan, Chief Compliance Officer at Afni; and Paige Tortorich, Internal Audit Manager at ERC—to tackle this question in some detail (click here to access the webinar). Below, I’ve highlighted four major areas we believe collection agencies should focus on in their efforts to manage compliance risk day to day.

1. Prioritize Monitoring, Reviews, and Updates

A culture of compliance, where all stakeholders are on board and on the same page, is essential for mitigating compliance risk. Senior leadership, compliance officers, operations leaders, and collection agents all bear responsibility for developing, fine-tuning, and executing policies and procedures consistently and effectively.
To build a culture of compliance, you must establish processes and schedules for measuring and improving your policies and procedures—both their effectiveness (how well they’re working on the front line) and their relevance (whether they align with current laws and regulations). For smaller agencies with limited resources, it may be worth bringing in a third party to help with monitoring and auditing rules.
Policies, which should clearly outline what’s acceptable and what isn’t, should be reviewed annually. Changes should happen only as a result of changes in the law or newly identified litigation risks, and then only after a thoughtful review and risk analysis.
Procedures, or the steps employees must take to comply with existing policies, are more fluid. They can be changed as needed to improve their effectiveness or when new technologies or other initiatives alter workflows. Agents should be encouraged to weigh in with suggestions, so they stay engaged and understand the important role they play in managing compliance. When feedback can’t be acted on (as agents don’t always have the full context for a given procedure), agents should always understand the reason(s) why.
Ground Level: Compliance Gap Assessments
Compliance gap assessments are designed to ensure compliance with policies and procedures on the front line and throughout the organization. Payment processing, reporting structure, organization, compliance management, and other aspects of your operation should be audited regularly—by someone not in operations, per the CFPB—with the frequency of audits determined by the degree of risk posed by noncompliance.
From 30,000 Feet: Annual Risk Assessments
Annual risk assessments should include a detailed review of existing policies and procedures to determine whether any need updating to better fit the current legal landscape. An annual risk assessment might also point to the need for training updates, additional controls, or additional auditing and/or monitoring.
Who should be responsible for writing/revising policies and procedures?
Stakeholders across the organization, including but not limited to the chief compliance officer, should be involved in the process of writing and revising policies and procedures.
If your operations managers are too busy to update policies and procedures, you could:
  • Enlist a dedicated document specialist.
  • Have a mediation auditor meet with managers to write procedural changes and get approvals on the spot.
  • Use fill-in-the-blank templates.
Any of these approaches would streamline the process and allow managers to focus more on managing agents’ performance.
What if you’ve let assessments slide, or you’ve never had a formal program in place?
If you’re not conducting compliance gap assessments on a regular basis, now is the time to get back on track. Create a schedule and hold yourself accountable. Start by auditing your top three highest-risk items, fine-tune that process, add further audits and monitoring controls every 6-12 months, and continue building out the program from there.
You’ll also want to review your procedures for accuracy. Make sure everyone can easily access them—ideally, in electronic form (see tip #2). Conduct refresher training with your agents and/or members of other departments, and ask questions to test their knowledge.
Exception reporting is critical to managing compliance. You need to be sure your controls are in place and working properly. An exception report might be triggered when:
  • An agent took a call, but no notes are listed.
  • An agent took a payment but didn’t get a correct address.
  • An agent added a credit card or Social Security number to the notes.
When a procedural violation occurs and correction is needed, operations should be notified right away (automatic notifications are preferable; see tip #4). It’s important to determine whether any trending issues relate to flawed procedures or the need for refresher or updated training.

2. Make Policies and Procedures Easily Accessible

For many people, the words “policy” and “procedure” bring to mind dusty manuals sitting on a shelf. But reliance on paper isn’t just old-fashioned; it leaves businesses vulnerable. Outdated and/or multiple document versions floating around the office, coupled with inadequate oversight and control, sows confusion and heightens risk.
More and more ARM businesses are moving toward centralized cloud storage platforms such as SharePoint to ensure internal documents are valid, secure, and easy to use, all of which are key to making sure policies and procedures are appropriate and effective. SharePoint offers version controls, prevents unauthorized changes, and allows employees instant access.
Once policies and procedures are reviewed and approved by compliance, they can be uploaded to SharePoint for all employees to view and search by keyword. Changes can be made from across the organization, and compliance is notified in real time so they can review the changes right away. All changes are documented for easy reference.
To train your team on SharePoint, check out LinkedIn Learning (formerly, which offers outstanding SharePoint tutorials.

3. Have a Formal System in Place for Reporting and Addressing Issues

In an ideal collections environment, nonconformities can be reported through multiple channels—directly to management, directly to compliance, or even through an anonymous voice portal. If you give employees multiple options, you’ll have more opportunities to research and respond to problems as they occur and to better protect your business.
If the issue being reported is a one-off occurrence requiring individual remediation, coaching and training should be specific and timely. It’s important to document your response; if the same individual makes the same error repeatedly, termination may be in order.
If the nonconformity is more widespread, you should make remediation via formal group training your top priority. Otherwise, you could see an avalanche of new infractions.
Remediation of compliance risk should be a closed-loop process that’s thoroughly documented and reported to your agency’s highest governing body. You can track all remediations by client and save audits and client Master Service Agreements (MSAs) through SharePoint’s vendor management program.
Finally, you’ll need to evaluate corrective action on a regular basis. If an action isn’t getting results, make any necessary adjustments in accordance with current employment law.

4. Equip Your Team to Manage Compliance Effectively

Managing risk on the front line is easiest and most effective when it’s enabled by a robust, fully integrated compliance management system (CMS) with automated auditing and monitoring controls.
If you’re a smaller agency without a CMS in place, the CFPB website outlines everything the bureau might look for in your organization and what your CMS must include.
Here’s how tech-empowered ARM agencies manage risk with ease:
  • The board and director provide continual oversight, review assessment and risk review findings, and revisit policies and procedures on a regular basis.
  • Collectors receive timely feedback on their calls.
  • Operations leaders are instantly notified of exceptions related to call frequency limitations, allowable call times, calls made to cell phones without express consent, etc., with speech analytics helping to identify other types of nonconformities.
  • Complaint management and dispute tracking occur automatically.
  • IT teams are notified of systemic nonconformities and readily respond with any necessary changes.
When all these parts work together as a whole on a daily basis, fewer infractions go unnoticed. Potential problems are more easily prevented. A culture of compliance takes root, and a more compliant, efficient, profitable collections operation naturally results.

Disclaimer: Ontario Systems is a technology company and provides this blog article solely for general informational and marketing purposes. You should not rely on the content of this material for any other purpose or as specific guidance for your company. Ontario Systems’ advice, services, tools and products described herein do not guarantee compliance with any law or industry standard. You are ultimately responsible for your own company’s actions and compliance efforts. Because everyone’s situation is different, you must consult your own attorneys, accountants, and/or other advisors to obtain specific advice on your company’s compliance, legal, tax, regulatory and/or other business needs. Despite Ontario Systems’ efforts to provide current and up-to-date information, you need to recognize that the information contained herein may become outdated quickly and may contain errors and/or other inaccuracies.

© 2019 Ontario Systems, LLC. All rights reserved. Information contained in this document is subject to change. Reproduction of this publication is not permitted without the express permission of Ontario Systems, LLC.

Posted by Sara Woggerman

As the lead in-house Compliance Consultant for Ontario Systems, Sara Woggerman provides consulting solutions for banks, collection agencies, and other financial service providers to prepare them for regulatory examinations, manage litigation risk, and improve the consumer experience. Sara has spent over 11 years in the accounts receivables management industry, managing nearly 200 collection service providers for debt purchasers and serving as the relationship manager to creditors.