
20 Call Center Pros Reveal the Biggest Things Companies Overlook When It Comes to Call Center Compliance Issues


The Team at CallMiner

February 27, 2018


Call centers are constantly under pressure from regulatory compliance concerns. With a variety of regulations impacting call center operations across many verticals, and those regulations frequently in a state of flux, it can be challenging to stay on top of the latest regulatory requirements, particularly when regulatory changes require changes to the technology call centers rely on or to standard operating processes.

As a result, there are a variety of issues related to compliance that companies tend to overlook. To gain some insight into the most common compliance challenges today’s call centers are facing and the call center compliance issues that often go overlooked, we reached out to a panel of call center leaders and asked them to answer this question:

“What’s the biggest thing companies overlook when it comes to call center compliance issues?”

Meet Our Panel of Call Center Leaders:

Read on to learn what our pros had to say about the biggest potential call center compliance issues that companies often overlook.

James Barham


James graduated from Bath Spa University and held several senior management positions in the contact center space before joining PCI Pal in 2008. He was appointed to the board in 2015 and has been instrumental in the evolution of the PCI Pal product suite. James is responsible for sales, operations, and commercial development.

“The cardholder data environment (CDE) is…”

A prime target for hackers and would-be thieves – in the retail sector almost all of the data breaches involve some kind of compromise occurring in the CDE. Businesses may not be able to reduce the number of incoming threats but, by ensuring PCI DSS compliance, they can certainly reduce the success rate.

To date, the vast majority of security investment has focused firmly on keeping the bad guys out. It only ever works to a certain extent. This is because there is much greater impetus for the hackers to devise new methodologies to gain access and the security industry at large is only ever playing catch up. We expect 2018 to see a step change in the mentality of data protection from trying to keep people out, to simply ensuring there is no data for them to take if (and let’s face it, when) they get in. If businesses can remove the valuable data from their environments it no longer matters if and when there is a breach. De-scoping PCI data will increasingly become the method of choice for businesses augmenting their intrusion prevention positions next year. Who needs locks anyway?

Alexis Zanger


Alexis Zanger is the Senior Marketing Manager for Aegis Software Corporation.

“There are a few common traps and procedural no-nos that call centers fall into that can be avoided…”

One of the top issues deals with security and compliance. Customer service agents need to be fully aware of PCI-DSS standards and their view on credit-card processing security. Rule number one is that never, ever should the secret CVV2 number (the three- or four-digit number on the back of the card) be recorded. If a company generally records the entire call, this information is getting saved in the recordings, unless agents follow special procedures to stop voice recording while a customer is giving out this information.

Robert Barrows


Robert Barrows is the President of R.M. Barrows, Inc. Advertising and Public Relations in Burlingame, California.

“Here are two questions pertaining to call center compliance based on my recent experiences with two different call centers…”

1) A few months ago, I called a company for some insurance cost information and their operator told me that they would be recording the call and asked me for my permission to record the call.

I told the operator no and he told me that their company does not permit them to proceed with the call unless I agreed to have it recorded.

I asked to speak to a supervisor. The supervisor told me the same thing. I did not go through with the call.

My question is: Is it legal to not talk to you if you don’t agree to be recorded?

Also, the representatives from this company were implying that they were authorized providers of Medicare information as though they were from Medicare itself.

When I pressured them on this, they would again say that they were authorized to present this information and when I asked them if they worked for Medicare, they were not very straightforward about it until I asked them who signs your paycheck…the company that I had called or Medicare, and they finally told me they worked for the company.

I do not think I would do business with this company since they misrepresented themselves and since they would not speak with me if I didn’t agree to be recorded.

2) I recently saw a television ad for a law firm and when their answering service for their TV ad answered the phone, there were several loud beeps that I heard but there was not the usual disclosure that the calls were being recorded.

So, I asked the operator what those loud beeps are. She said the call is being recorded. I said, “But you did not make any mention of the fact that the calls were being recorded nor did you ask my permission to record my call.” She said that’s why the beeps are so loud.

I did not proceed with the call.

Interestingly enough, it was an ad from a law firm looking for clients and those recording beeps would really put me off if I was actually interested in becoming one of their clients. (I was calling their ad for another reason.)

So, my question is: Is a loud beep (without any mention of the fact that the call is going to be recorded) a legal replacement for no warning that the call will be recorded?

I contacted my Congressperson about item #1, but I have not heard back from her on whether she has done anything about that situation. On item 2, I contacted a local TV station that runs a consumer division to check out consumer complaints. No one from the TV station has replied, yet.

Ken Lynch


Ken Lynch is the Founder & CEO of Reciprocity.

“Here are three observations I’ve had regarding call center compliance issues…”

  • Many times, Help Desks forget to validate a caller’s identity prior to performing password resets and disclosing PII both for customers and employee requests. If proper documentation and training is implemented then this can easily be rectified.
  • It’s very common for companies to forget to track call center facilities’ adherence to compliance programs. This is especially common for US-based companies that have call centers located across the globe.
  • Because most call centers are outsourced, many companies tend to overlook the importance of having their call centers fill out a vendor risk survey so that the company can be more aware of each call center’s risks and mitigate the ones that pose the largest threat to the company.

Kolin Porter


Kolin Porter is the Vice President of Product Innovation at Higher Ed Growth.

“Real-time monitoring of call recordings is imperative…”

This greatly impacts a call center’s ability to prevent compliance infractions and proactively protect their brand – and their clients. Many companies are still auditing calls days or weeks after an initial call has occurred. This means they’re unable to identify – and correct – issues in the moment or throughout the day. Without a doubt, this puts them at a disadvantage.

With advanced real-time monitoring tools now available, compliance can largely be automated… and easy. Those using call mining and QA technology get a real-time view of agent activities and correct compliance issues faster, reducing their risk and increasing quality.

Nate Masterson


Nate Masterson is the Marketing Manager for Maple Holistics.

“Too many call centers neglect to…”

Use the highly useful ‘monitoring’ tool which allows managers or a third party to listen to a call while feeding information that only the call center representative can hear. This allows for managers to actively improve performance by teaching call center representatives on the fly and giving them more information or feedback to utilize during a call. However, it is important to note that use of this tool should be accompanied by a disclaimer played to the person receiving the phone call that their call may be monitored – not just ‘recorded’ – for quality assurance.

Roumen Todorov


Roumen Todorov is the COO of 411 Locals.

“When it comes to call center compliance, companies as a rule overlook everything…”

Nobody likes to focus attention so much on items that do not bring top line or bottom line results, but are instead a necessary evil. The list is long, but here are some questions. If you answer no to any of them, you are at risk:

  • Do you have a subscription to the National Do Not Call List for the area codes you are calling?
  • Do you have a copy of the State DNC of the state(s) you are calling?
  • Do you keep an updated list of your own Do-Not Call list?
  • Do you scrub the numbers you call against the National, State, and your own DNCs?
  • Do you have an updated way to distinguish between cell phones and land lines?
  • Do you have a PCI-compliant way of collecting personal identifiable information?
  • Do your agents know not to read back to the customer the numbers of their credit card?
  • Do you have a compliant way of recording conversations?
  • Do you know if your agents call customers names or even threaten them?
  • Do your systems measure the dropped call percentage?
  • Do you inform the customers within a very short time who is calling and from which company?
  • Do you have a quality assurance /quality control department?

More often than not, companies forget that they deal with people on the phones. Technology and legal frame is something that one can learn, build, and manage – it is straightforward enough. People are different; in a call center each person has their own agency and can decide to go by the rules or go their own way. How well your call center can prepare for that, train, and condition the people on the phones, their supervisors, their Quality Assurance agents, etc., and how fast the call center can react to individual infractions of the agents or trends that happen on the floor of the call center, can mean lost opportunities, losses, or in some cases pure threat to the existence of the company.

Yousuf A. Raza


Yousuf A. Raza is a professional content writer and digital marketing expert at Dream World Travel who enjoys writing, playing football, and cooking during his spare time.

“As customers are growing in number owing to the popularity of the business…”

It outsources its call center operations to reduce costs and focus more on executing its core strategies. However, this leads to inconsistency in performance delivery when your business is multinational.

Usually customers leave a business because of poor service provided to them. Things like a call center agent’s poor grasp on English or a rude or indifferent attitude will immediately sow a seed in the customer’s mind that the business displays apathy regarding customer complaints. In order to improve the call center agent’s performance and avoid any repetitive mistakes, supervisors check the quality of customer calls.

The biggest thing overlooked in call center compliance is not disclosing to the customer that for quality assurance, their call will be recorded and MONITORED. We understand calls are being recorded, but what do you mean by monitored? Is there somebody eavesdropping on the call?

That somebody would probably be the call center agent’s supervisor. In order to guide the agent what to say next and how to answer questions politely, the supervisor may ‘barge’ in the customer complaint call. This is in violation of call center compliance.

While these subtle tactics may teach employees how to handle subsequent complaints, customers’ privacy is paramount. A business, if it engages in such an act to improve quality of service, should disclose to the caller about the call being recorded and monitored and that they can choose to opt out if they are uncomfortable proceeding.

Michael Replogle


Michael Replogle is the Senior Contact Center Consultant at CustomerServ.

“This can really vary significantly by vertical due to the nature of the industry, the difference in regulatory requirements, and who is…”

Overseeing the organization (i.e., OCC, CFPB, FDCPA for financial services, CMS for health plans, PUC for energy, TCPA for telephone carriers, and on and on).

That said, PCI compliance is one of the biggest and most common oversights when it comes to call centers. Very few get this right the majority of the time. They fail to have proper controls in place to ensure cell phones, pen and paper, and cameras are not in the workplace.

SOC 2 Compliance: Technology is migrating from on-premise to cloud-based. CRM magazine recently was quoted as saying that the percentage of call centers employing cloud technology is growing rapidly with a conservative estimate that 18.1% of call centers are now in the cloud. In 2008, only 2.2% were using cloud technology. By the end of 2011, it was estimated that 5.9% were. The last numbers I have found show that has increased to over 18% EOY 2015. As I have spoken with clients that have migrated in the past two years, many are not SOC2 certified. Given the transition to cloud technology coupled with the proliferation of cloud-based security threats, this could potentially create a significant concern for consumers and corporations if cloud-based data is not protected correctly, especially if an outbreak of fraud occurs due to data that was compromised.

Grafton Potter


Grafton Potter is the Vice President of Sales – North America for PCI Pal.

“The most significant challenge for call centers when it comes to PCI compliance is…”

Their use and reliance on compensating controls instead of de-scoping. These control measures, which include pause and resume, clean rooms, and screen blurring, provide a partial solution but don’t fully embody a complete PCI DSS compliant solution.

Relying on compensating controls will not prevent fraud or security breaches which can tarnish the business’ reputation, nor will these controls protect businesses from the resulting financial penalties. The vast majority of companies already have to report on all data breaches to state authorities. As GDPR and state regulation come into play for breaches, choosing a solution that de-scopes a contact center from PCI DSS will prove to be a wise long-term compliance strategy.

Tyler Riddell


Tyler Riddell is the Vice President of Marketing for eSUB Construction Software with over 15 years of experience in Marketing, Product Management, Advertising, and Public Relations. He has a proven track record for successful go to market and corporate communication programs in multiple vertical tech markets.

“There are a few common call center compliance issues that plague representatives across the nation…”

One critical issue is the processing of credit cards. All agents need to be aware that it is against PCI-DSS standards to store the secret CVV2 number (the three- or four-digit number on the back of bank and credit cards) at any time. It’s never allowed in any way, even if the highest level of encryption is used. An easy fix is to pause the voice recording when an agent gets to that segment of the electronic form where they are inputting credit data. For instance, use an API to stop the voice recording briefly while the customer is saying or inputting their credit card information, then resume once again when they have finished. This way the numbers are never recorded into the phone recordings.
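An audit check for the pause-and-resume approach described above, as an added example that is not part of the panelist's answer or any vendor's product: it scans speech-to-text transcripts of recorded calls for typed or spoken card numbers (Luhn-validated) and for 3- or 4-digit codes said right after a security-code prompt, then redacts them. The transcript lines, speaker labels and function names are constructed for illustration.

```python
import re

# Spoken digits as they tend to appear in speech-to-text output.
WORD_DIGITS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3",
               "four": "4", "five": "5", "six": "6", "seven": "7",
               "eight": "8", "nine": "9"}
_TOKEN = r"(?:\d+|" + "|".join(WORD_DIGITS) + r")"
# A run of numerals and/or spoken digits separated by spaces, commas or hyphens.
DIGIT_RUN = re.compile(rf"\b{_TOKEN}(?:[\s,\-]+{_TOKEN})*\b", re.IGNORECASE)
# Phrases an agent uses when asking for the card verification code.
CVV_CUE = re.compile(
    r"\b(?:cvv2?|cvc2?|security code|verification (?:code|number))\b",
    re.IGNORECASE)


def to_digits(run):
    """Collapse '4111 one one' style text into a plain digit string."""
    tokens = re.findall(r"\d+|[a-z]+", run.lower())
    return "".join(WORD_DIGITS.get(tok, tok) for tok in tokens)


def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from order or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_transcript(lines):
    """Return (findings, redacted_lines). Findings never hold the full value."""
    findings, redacted = [], []
    cue_pending = False          # the previous turn asked for the security code
    for lineno, line in enumerate(lines, 1):
        cue_here = bool(CVV_CUE.search(line))

        def handle(match):
            digits = to_digits(match.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                kind, masked = "PAN", "*" * (len(digits) - 4) + digits[-4:]
            elif len(digits) in (3, 4) and (cue_here or cue_pending):
                kind, masked = "CVV", "***"
            else:
                return match.group(0)   # ordinary number, leave untouched
            findings.append((lineno, kind, masked))
            return f"[{kind} REDACTED]"

        redacted.append(DIGIT_RUN.sub(handle, line))
        cue_pending = cue_here
    return findings, redacted


# Constructed transcript; 4111 1111 1111 1111 is a widely used test card number.
SAMPLE = [
    "AGENT: Thanks, your order number is 1234 5678 9012 3456.",
    "AGENT: Can I take the long card number please?",
    "CALLER: Sure, it is four one one one, one one one one, "
    "one one one one, one one one one.",
    "AGENT: And the security code on the back?",
    "CALLER: seven three seven",
    "CALLER: You can reach me on 555 0100 after six.",
]

if __name__ == "__main__":
    found, clean = scan_transcript(SAMPLE)
    for item in found:
        print(item)
    print("\n".join(clean))
```

A non-empty findings list for a call where pause-and-resume was supposed to be active means the pause did not cover the whole card segment.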

Arenaria Cox


Arenaria Cox is a digital marketing expert and a content writer at Fantastic Cleaners. In her spare time, she enjoys reading, cooking, jogging, meditation, watching movies, and eating lots of pizza.

“One of the biggest compliance pitfalls when it comes to call centers in terms of compliance is…”

Recording credit card information over the phone. Call centers often record calls, and getting credit card information over the phone during a recorded conversation is an enormous issue. In such instances, the recording should be stopped while the customer is giving their details. This is one of the biggest mistakes many new call centers make.

Another one is calling customers who have specified that they do not want to be disturbed any further. Many call centers don’t have a Do Not Call list or way to indicate that people don’t want to be disturbed in their system or database.

Robert S. Simmons


Robert S. Simmons is a Managing Shareholder at Simmons and Fletcher, P.C., a personal injury law firm based in Houston, TX.

“One of the biggest things that gets overlooked in call centers is…”

Optimizing the order of the questions you ask. Some people will take all day to tell you what they want. You need to identify the questions for which the answers will exclude potential clients/customers from becoming a real client/customer and train your phone operators to ask those in the beginning so that they do not spend all day getting to, “I’m sorry we cannot help you.”

Yana Milcheva


Yana Milcheva is a Marketing exec at Talkative, a company aiming to bridge the gap between telephony and online communications by providing voice and video calling and web chat solutions. She’s studying Journalism and Communications at Cardiff university and enjoys writing about social issues, politics, and technology.

“Being compliant with the Payment Card Industry Data Security Standard requirements is…”

Important for every business that handles over-the-phone credit card payments. When customers’ data is being processed over the phone by call center agents, it’s important for the employees to be aware of the sensitive nature of the information they’re handling.

More often than not, business owners tend to focus only on encrypting the data and providing a secure communication system, while overlooking the human side of the correspondence. The truth is that no matter how well-secured the customer information is, the more employees have access to it, the more likely it is for its confidentiality to be jeopardized. Therefore, an efficient practice is for your employees to only have access to the information they need in order to perform the necessary tasks.

Most supervisors are aware of the fact that Payment Card Details must not be recorded along with the rest of the customer interaction, in order to comply with the PCI-DSS standards. However, what can sometimes be overlooked is the fact that when monitoring and recording calls, not only the customer, but also the agent need to be notified of the interference. Therefore, a disclaimer needs to be included with both inbound and outbound calls, or else you risk breaching the regulatory laws and measures of the PCI-DSS, which can cost you your credibility and customers’ trust.

Ronen Ben-Dror


Ronen Ben-Dror is the Director of Client Development at Blue Valley Telemarketing.

“Many companies fail to follow federal regulations that…”

Require telemarketers to manually dial a cell phone number, and they also often disregard the Do Not Call registration. In addition, there’s a rule that prohibits the calling of prospects who reside in a state that’s been declared to be in a state of emergency. There’s also a lot of problems with paying attention to time zones, whether it’s deliberate or an oversight. I have personally received telemarketing calls at 6 am, so it’s clear that companies are not adhering to a few of these guidelines.

Bryan Weinstein


Bryan Weinstein has been with Call 4 Health since 2010. Currently he serves as Vice President of Business Development and Contracts, overseeing all departments during the implementation of new accounts.

“One thing that can be overlooked is…”

Writing notes on scrap paper, or post-it notes.

If that paper isn’t disposed of properly (shredded), there is a potential for patient information to not be properly destroyed, a key HIPAA requirement. Call 4 Health has transitioned its call center team to utilize mini white erase boards to avoid any issues with this.

Gene Caballero


Gene Caballero is the co-founder of GreenPal which has been described as Uber for lawn care.

“Before I started my entrepreneurial journey, I was a hiring sales manager at a Fortune 50 tech company…”

The biggest overlooked issues I would always encounter would be keeping customers’ credit card information on file. I would have reps that would write down the card numbers or keep them stored on their computers to make ordering easier when it was time for their customer to purchase something.

This was a huge call center compliance no-no due to privacy issues.

Billie Jean Bateson


Billie Jean Bateson’s career started in 2011 as an online marketing analyst, blogger & fashion expert at Amazing Wristbands. In the meantime, she also loves writing articles in various inspiring categories for popular websites, forums, and e-magazines.

“Companies are focused on the best service…”

They offer to the customers, and before we hear the voice of an agent, we will hear this message: “For customer service improvement purposes, this call will be recorded.” If you take credit card information, do you protect your customers? This is one of the biggest things companies overlook. A credit card has the three or four-digit number often listed on the back of the card. This number is the most important for credit card security. If you regularly record the entire call, you are storing this information in your recordings, as well. You can fix this issue by using an API to stop the voice recording only during the time the customer is saying credit card information to the call agent.

Billy Lowe


Billy Lowe is a well-known Hollywood hair stylist and the Founder of Gloss and Toss.

“After graduating from college in 1993, I worked in a call center environment for two or three years for one of the nation’s largest catalog mail order companies…”

We handled everything from late shipments, invoices due, damaged goods etc. The company had a belief and a vision that TIME IS MONEY. Not just my time, but yours, and the 800 number that the customer is dialing in on. Plus, if I have to ask my boss to approve something, it’s his time, and on and on it goes.

The solution? If it costs $30 or less, just do it and figure it out yourself.

I can’t tell you how truly disappointed I am with my cellular services from a company that boasts being the best and being uncompromised. But I’ve spent countless hours on hold (literally hours and hours when I add it all up) and I’ve had to call as many as three to four times a week.

Joe Laskowski


Joe Laskowski is a Managing Partner and Chief Marketing Officer at Higher Ed Growth and Leads Council board member.

“One of the biggest things companies overlook when it comes to call center compliance is…”

Automation. When it comes to call center inquiry generation, many steps can and should be automated in order to reduce errors, call handle times, and compliance missteps.

  • Short form lead data often requires agents to complete the same form fields over and over again. There is great opportunity for human error – and in turn, violations. With automation, fields can be pre-populated and streamline this commonly error-prone process.
  • TCPA disclosures should automatically be shown, read and include all brands to ensure the highest compliance for clients. For those in the higher education industry, this means each school name should be included in order for permission to call the prospective student.
  • Call recordings should automatically be stored once the call has completed. Such recordings should also be retained for seven years, as call centers are responsible for internal audits and the audits of their clients. It’s also important that catalogued recordings be delivered in real time.

Quality contact center software is integral to automating compliance. With the ability to combine scripting and search results into one seamless process, it means data collection is more compliant. In addition, call mining and call grading software solutions can help marketers get as close to real-time audits for compliance as possible.

How does your call center stay on top of regulatory compliance?
