Compliance for contact centers, especially those in highly regulated industries and sectors, is incredibly important.
Without adhering to established regulations, both domestic and international, even functionally sound contact centers are at risk of fines and penalties or even closure. Yet, despite the importance of keeping a call center compliant, chief compliance officers (CCOs) often face an uphill battle when establishing enterprise-wide standards.
Maintaining contact center compliance with all relevant regulations comes down to facilitating cooperation between CCOs, agents and the rest of the organization.
The Contact Center Compliance Space is Rapidly Shifting
Contact centers face a number of challenges when it comes to keeping up with compliance.
In addition to existing regulations such as HIPAA, TCPA, PCI-DSS and more, recent industry developments have given rise to further critical regulations that directly affect contact center operations. Among these, STIR/SHAKEN (an anti-call-spoofing initiative) and others have brought new rules into the space that affect contact centers’ telemarketing efforts in multiple ways.
The majority of customers care about security and want to be able to trust that the companies they interact with take compliance seriously. Fighting fraud and consumer threats means adapting to the ever-changing landscape of consumer protections, regulatory mandates and compliance.
Below, we’ve gathered insights from CCOs on what they wish contact center agents were more aware of when it comes to compliance. If you care about contact center compliance, read on:
Contact Center Compliance Challenges
1. Contact centers must comply with stringent compliance regulations.
“Accommodating regulatory guidelines and remaining compliant with strict mandates can be tough for any call center organization to do.
“As communication technologies continue to evolve, so too do the various threats that target them. Call centers are at the bullseye in terms of their strategic attractiveness for malicious actors. Such organizations regularly intercept and process important, sensitive data pertaining to customers and clients across a large variety of industries. This makes them veritable treasure troves of highly valuable information if left improperly guarded against attacks.
“Unfortunately, threats to consumer safety and privacy during dealings with call centers come in many forms, warranting a more encompassing approach to protection than other organizations might have use for.” – Call Center Regulatory Compliance, CallMiner; Twitter: @CallMiner
2. Monitoring is essential for TCPA compliance.
“Monitor calling agents. Not only is monitoring of your call center agents beneficial from a training standpoint, but it is also very beneficial in the discovery of any potential TCPA infractions. Call recording allows you to get ahead of the game and enforce regulations or redirect mistakes by employees. In the process of ensuring compliance, a new measure of efficiency can also be obtained.” – The Basics of TCPA Compliance for Call Centers, TCN
3. Both consumers and agents should be advised when calls are monitored.
“Many organizations announce that the call will be recorded — something like, ‘For customer service improvement purposes, this call will be recorded.’
“But far fewer organizations provide this notification when the call center is making outgoing calls. And fewer still don’t stop to think that when they record calls, they are recording and monitoring their employees’ conversations as well as their customers’.
“And in most states in the US, notification of ALL parties is required before you record. Therefore, many legal sources advise that to be safe, it is important to ensure that all parties are advised that they will be recorded — and are given an option to opt out if they do not wish to be recorded.” – Michael McAlpen, 4 call center compliance traps—and what to do about them, CIO; Twitter: @CIOonline
4. Compliance audits ensure necessary actions are always being taken.
“Knowing your rules isn’t enough. It’s how well your business is aligning itself with compliance rules that matters. The best way to ensure this is to perform routine compliance audits. A compliance audit involves reviewing your call center processes and measuring performances based on these processes through customer feedback, agent documentation, and call recordings. At a minimum, your business should be doing this on an annual basis.
“Not only do you gain the ability to make swift course corrections, but it also provides you with a well-documented defense should your business be charged with violations.” – Call Center Compliance Keys Your Business Should Know, DialAmerica; Twitter: @dialamerica
5. The importance of compliance is only increasing.
“A new survey by professional services firm Duff & Phelps found that financial institutions typically spend 4 percent of their total revenue on compliance, and this could rise to 10 percent by 2022.” – Skip Chilcott, The Battle for Call Recording Compliance, Corporate Compliance Insights; Twitter: @cci_compliance
6. Cyber security risks are pushing regulations to expand.
“Areas such as privacy, data protection, and associated regulations such as GDPR are the tip of the iceberg. Cyber security and its associated risks, complexities, and costs also rank high among concerns in compliance departments. A result of news stories of cyberattacks and losses or misuse of personal data is a heightened public awareness and political focus on data privacy and cyber security. Look for stiffer and/or new rules and regulations.” – Todd Ehret, Top 10 concerns for U.S. compliance officers in 2019, Thomson Reuters; Twitter: @ThomsonReuters
7. Training must be ongoing to keep up with compliance guidelines.
“Regular training around call center compliance is essential, too, for keeping up with laws that are either new, changing, or not well-known. For instance, the Dodd-Frank Act requires that recorded calls include a time and date stamp. The Sarbanes-Oxley Act prohibits businesses from changing recorded calls or deleting them before the time the law allows.” – Archie Heinl, Call Center Compliance: How Training and Technology Work Together, Call Logic; Twitter: @call_logic
8. Onsite and offsite call handling procedures must remain compliant.
“As an increasing amount of medical facilities decide to outsource their phone services, HIPAA-compliance becomes even more complicated. Employees dealing with these phone calls are not on-site, and this may pose some worries. DialAmerica Healthcare Solutions is an example of a medical call-center that explicitly describes its HIPAA compliance. It explains how employees are not allowed to have outside technology, papers, etc. with them when answering phone calls. It then describes the data encryption services that are utilized when transferring information and provides statistics about any regulatory citations regarding compliance that they have received.” – Alexandra Kennedy, What Does HIPAA-Compliance Look Like in a Call Center?, Customer Elation
9. Outsourced contact center agents are considered riskier than in-house agents.
“Additionally, another underestimated factor that needs to be kept in mind is that poor employee outsourcing decisions increase cyber security risk – in fact, they are responsible for over 63% of the data breaches that happen to call centers and other companies with similar activities.” – Ani Miteva, 17 tips to PCI Compliance for Call Centers (IMPORTANT), Mymoid; Twitter: @mymoid
10. Careful encryption when handling financial information is not optional.
“NACHA (National Automated Clearinghouse Association) Rules govern all ACH payments. All sensitive data, including bank account numbers and routing numbers, have to be encrypted when sent, received, or stored. It’s also your responsibility to ensure routing numbers are valid.” – Four Technologies Simplifying Call Center Compliance, PayNearMe; Twitter: @PayNearMe
11. Compliance extends to contractual obligations as well.
“Each individual client to whom a call center provides service is classed as a separate contract. Call centers must, at all times, follow federal mandates for these clients, as well as following the client’s specific requirements. For example, a contract may specify that calls are to be answered live instead of being routed through an automated system. Another contract may request that calls are answered within a specific time frame. If a call center is unionized, it is also required to meet union regulations as well. All specific contractual obligations must be followed at all times.” – Corinna Underwood, Call Center Regulations, GlobalCallForwarding; Twitter: @forwardcalls
12. Outbound conversation scripts keep telemarketing efforts compliant.
“The Telemarketing Sales Rule is an extensive document that governs how call centers may conduct their business legally. A primary requirement of all telemarketing operations is the disclosure of material information in a clear and conspicuous manner. The definition of ‘clear and conspicuous’ is that the telemarketer presents information in a way that ordinary consumers will easily comprehend when given in the consumer’s language, and in the same tone and volume as a sales offer.” – Ahmed Macklai, Regulatory Requirements that Impact US Call Centers Using a Publicly Switched Telephone Network, Chase Data Corp; Twitter: @ChaseData
Chief Compliance Officer Challenges
13. CCOs work hard to prioritize protocol adjustments.
“CCOs face an overwhelming number of tasks and projects. It is hard to prioritize what needs to be done. Priorities are important, and care has to be taken when allocating time, attention and resources to specific projects.” – Clark Conine, 5 Common Mistakes Chief Compliance Officers Make (And How to Avoid Them), Conselium; Twitter: @ConseliumSearch
14. Compliance does not stop at managing agents’ actions.
“To ensure companies maintain policies and procedures that are within the regulatory framework of their industry, compliance officers often have to review old standards for outside communications and set new ones. It can be anything from requiring disclaimers in emails to designing or updating internal policies in order to mitigate the company’s risk of violating government or industry laws and regulations.” – What Is A Compliance Officer?, Game-Learn; Twitter: @Gamelearn
15. Compliance officers’ efforts directly impact an organization’s public image.
“Enterprise ethics and compliance executives represent a young, but rapidly maturing profession — one that began to emerge in the late 1980s when several government initiatives and high-level commissions began recommending that specific senior-level personnel should have responsibility for overseeing an organization’s compliance and ethics program. These key business leaders are responsible not only for maintaining compliance, but also for safeguarding what is arguably an organization’s most valuable asset: its reputation.” – Maureen Mohlenkamp, The Chief Compliance Officer, Deloitte; Twitter: @moemoh
16. When compliance efforts go wrong, CCOs are held accountable.
“Personal liability is starting to raise its ugly head. In the last few months, we’ve seen cases of professional liability where compliance officers have been sanctioned for not having control of their own organization. It’s an interesting milestone that we should be careful about. Compliance officers carry liability and huge reputational risk if they are found to be not doing something that they should be doing.” – Robert Powell, as quoted by Joanna Belbey, 7 Nightmares Keeping Chief Compliance Officers Awake At Night, Forbes; Twitter: @Forbes
17. Complying with labor laws means managing employee overtime as carefully as consumer data.
“Most call center employees work for an hourly wage. The U.S. Department of Labor enacted the Fair Labor Standards Act, containing several provisions regarding hourly workers. Per the FLSA, the employer must pay at least the national minimum wage, unless there is a higher state minimum wage. Another regulation stipulates any hourly employee who works more than 40 hours per week must receive pay equal to one and one-half times their regular hourly wage.” – Francine Richards, Regulations for Call Center Operations, Chron; Twitter: @houstonchron
18. CCOs strive to learn exactly how things are being done and improve them.
“Most critically, you need to understand how your people and processes deal with credit card information. Not just at the 60,000-foot-high level about what is supposed to happen, but what actually happens. You also need to understand what technologies are in play and what components see the data. A seemingly simple change such as from old fashioned analogue telephony to VoIP or from a fax to a fax server can have a huge impact on your compliance footprint. Lastly you need to understand the data itself. In a call center context, cardholder (and sensitive authorization) data include the primary account number (PAN), security validation codes, and PINs regardless of the form or media type.” – Call Centers and PCI Compliance: Things You Need to Know, Control Gap; Twitter: @ControlGap
19. Call monitoring is always important, but CCOs must make monitoring practices compliant as well.
“It’s easy to see how call monitoring can be both a blessing and a curse. It’s definitely a blessing if your organization is compliant, because those recorded calls can be used as proof. If you’re not compliant, however, the answer is not to stop recording calls. It’s to take the steps necessary to become compliant.” – Regulatory Mistakes Can Cause Invisible Risk to Your Call Center, Scorebuddy; Twitter: @score_buddy
20. Compliance efforts without a CCO’s vision are not enough to keep a company in the clear.
“Compliance leadership must have a clear vision, empowerment, and passion for the mission, so that their voice will be heard when sitting at the leadership table. Getting in early and often with leadership can help avoid costly mistakes and retrofitting down the road. This means continuously seeking means by which to use technology and data to improve the compliance program and operations.” – Richard P. Kusserow, The Top Four Compliance Officer Challenges Today, Strategic Management Services
21. Automation’s effectiveness depends on agents’ adherence to policy as well.
“Technology risk comes to the highlight as it is expected to be the biggest change for professionals and industry in the coming years. All compliance professionals need to be prepared to automate their function and implement safely new technologies that come to help the industry.
“In order to mitigate risks and maintain compliance, there are precautionary measures that firms should take. When talking about cyber risks, a fundamental part is monitoring and testing; it doesn’t mean the compliance function has to do all this. However, the compliance function needs to be sure these measures are effective, employees are adhering and all control and monitoring are actually working.” – Compliance Officers Foresee the Challenges of 2020, MCO; Twitter: @mycompliance
22. Compliance officers should always keep employees in the loop on upcoming changes to policies.
“Compliance fatigue is a real problem facing many companies. Employees are worn out by the same message and methods. Compliance Officers must get creative in their delivery and monitoring of compliance. They need to engage with the human aspect and keep their employees at the forefront of their program.” – The Top 3 Challenges Facing Chief Compliance Officers, C5 Communications; Twitter: @C5Live_AC
23. Technology chosen by CCOs for compliance purposes should be used alongside all other existing efforts.
“Call centre operations are well advised to approach these regulations holistically, not as separate distinct programmes, as much efficiency can be derived. This systemic complexity can only be handled through better automation, intelligently and efficiently supported by technology. Such a strategy, whilst well suited to improve efficiency, agility and speed, is now also crucial to solving regulatory and security challenges.” – Steve Murray, Managing Risk & Compliance in the Contact Centre, Call Centre Helper; Twitter: @callcentrehelp
24. CCOs are constantly learning about new regulations and adapting policies to match them.
“Compliance standards are constantly in flux, and with so many digital threats cropping up across the business world, organizations such as PCI are expanding their frameworks to account for these new dangers. To ensure your call center remains compliant in light of these changes, you’ll need to keep pace with the evolution of these regulations and refine your operations accordingly.” – 4 Best Ways to Ensure Regulatory in your Call Center Compliance, Global Response; Twitter: @BrandCarePeople
25. Compliance officers manage the call center’s legal standing as much as its reputation through the policies they design.
“Compliance officers are responsible for ensuring their organization complies with government regulations — domestically as well as globally, if applicable — and avoids missteps that could result in hefty fines, legal ramifications and reputation damage. Compliance officers also need to make sure that employees are following internal compliance policies.” – Robert Half, Compliance Officers: What They Do and Why They’re in Demand, Robert Half; Twitter: @roberthalf
How does your organization handle contact center compliance?