Call Center Compliance – Using Technology to Follow the Key Rules and Regulations


Presented By: CallMiner

by Scott Kendrick, VP of Strategy at CallMiner  

Risk taking is an essential element of business success. The marketing team might launch an edgy new slogan to grab attention, or the product developers might create an out-of-the-box item to reach an untouched consumer market. These risks come with the potential for reward, which makes the leap worth taking in the first place. Several aspects of business, however, are focused on negating risk and avoiding it at all costs. Within the call center, risk is a dreaded “four-letter word” because of regulatory compliance. Failure to follow the right compliance protocols and standards does not come with any type of reward, only the threat of fines and possible litigation.

A persistent problem for many companies is how to navigate the “alphabet soup” of applicable regulations, and how to put in place systems and people to fit within the regulations. Here are the eleven most important compliance regulations that impact call center operations:

  1. Telephone Consumer Protection Act (TCPA) - TCPA was enacted in 1991 to limit the use of automated telemarketing and further clarified in 2015 to cover wireless phone and SMS telemarketing. TCPA creates strict consent rules for the use of pre-recorded messages – including those for phone, mobile, SMS, and fax – and automated dialing, and also created the do-not-call rules that eventually led to the 2003 creation of the National Do Not Call Registry.
  2. Call monitoring consent - Federal and state laws vary on how many parties need to be aware of call recording and monitoring. Some states require notification of both parties, while others are “one party.” Contact centers very often manage calls from all 50 states and abroad, so the consent laws can be tricky. A best practice is to follow the strictest requirements for consent, so that every call falls into compliance. Tell callers in the opening prompt of every inbound and outbound call that the call will be recorded and monitored.
  3. Do Not Call Registry (DNC) - Certainly one of the most well-known regulations is the DNC, which gives consumers an easy way to opt out of telemarketing calls (with certain exceptions). Fines for non-compliance can reach $40,000 per incident, so firms must have procedures in place to frequently scrub their lists against the DNC.
  4. Fair Debt Collection Practices Act (FDCPA) - Passed in 1977, the FDCPA was intended to prevent debt collectors from using threatening language or verbally abusing customers. It applies to centers that are collecting certain types of debt payments deriving from credit card payments, utility payments, cell phone bills, and late auto loan payments. The act includes specific language on call phrasing and frequency.
  5. Truth in Lending Act - The federal government’s aim is often to protect consumers from themselves. The Truth in Lending Act works in this fashion by mandating the disclosure of interest rates, loan terms, and late fees for customers. Call centers should embrace these regulations and be as transparent as possible with any loan-related specifics.
  6. General Data Protection Regulation (GDPR) - GDPR is a very recent 2018 regulation that affects any business that accepts and stores the personal information of any European Union residents. The regulation applies to the person’s data and their location, not the location of the call center. So a center in Topeka that only handles a few EU resident calls a year must still follow GDPR. The regulation fundamentally shifts ownership of personal data back to the individual. They can ask the center to erase all of their stored data or to provide it to them in a secure form. GDPR compliance means centers must develop processes for the complete deletion of files if necessary and efficient ways to provide customers with information.
  7. Dodd-Frank Act - The wide-ranging Dodd-Frank Act includes requirements for call centers to record phone conversations and save them with time and date stamps. This allows the center to search them for better and more secure management. Dodd-Frank also created the Consumer Financial Protection Bureau (CFPB) to help protect consumers against unfair, deceptive, or abusive practices and take action on consumer finance complaints.
  8. Sarbanes-Oxley Act - Scandals such as Enron pushed forward the need for businesses to set up call recordings that could not be erased, which is especially important for publicly traded and financial firms. Centers should carefully review the Act’s specifics, as it provides guidelines on when recorded calls can be deleted.
  9. Health Insurance Portability and Accountability Act (HIPAA) - HIPAA restricts how contact centers can share and store health information for patients. It sets mandates for the ways information can flow between different systems and for the safeguards centers must put in place to prevent breaches.
  10. Payment Card Industry Data Security Standard (PCI DSS) - PCI DSS was established in 2006 by five major credit card companies as a way to improve and modernize credit card data collection and storage. It outlines a set of standards contact centers must follow for the processing of credit card payments. Contact centers must diligently follow PCI rules with both their technology tools and personnel training in order to avoid steep fines.
  11. Equal Credit Opportunity Act (ECOA) - The ECOA prohibits businesses from using race, age, color, religion, gender, marital status, etc. to act as the qualifiers for a loan or credit. It combats the frequent discriminatory practices conducted by unscrupulous lenders and levels the playing field for access to credit. This act applies to any telephone interactions in addition to in-person applications.
  12. Gramm-Leach-Bliley Act - Contact centers and other businesses that hold customer information must disclose how they share that information with other organizations. The Gramm-Leach-Bliley Act put in place rules for allowing borrowers to opt-out of information sharing, and compels companies to keep written documentation of their security efforts that actively manage info sharing. 

Leveraging Speech Analytics for Compliance

Navigating all of these compliance regulations is an arduous task for a contact center’s managers and legal team. It’s vital for companies to put in place ways to measure and track their compliance, specifically in the ways their agents describe the company’s products and data practices. Speech analytics software that records and transcribes every call is a tremendously useful tool because it provides centers with searchable and reliable data to help support their regulatory efforts.

Call conversations can be automatically tracked for compliance, ensuring agents are saying things they must say, and not saying things they shouldn’t say. Calls that represent risk can automatically be tagged with the specific regulation or violation they represent. In addition, conversations can be given compliance risk scores to help narrow the pile of interactions or agents that require further review. Review of analytics data can ensure agent compliance with approved scripts, so personnel that go “off script” can receive immediate coaching and adjustment.

For regulations such as PCI DSS that require data removal, speech analytics software from advanced providers such as CallMiner can help by automatically removing sensitive data from call recordings, allowing organizations to comply both with PCI DSS and with regulations that require call recordings to be retained. This type of service automatically deletes credit card or Social Security numbers from call recordings, which effectively removes much of the data that some of the most stringent compliance regulations cover.
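The redaction step described above, as an added example that is not CallMiner's code or method: a sketch that scrubs payment card and Social Security numbers from a call transcript. It assumes the transcript is plain text in which digits may appear as numerals or as spoken words; the function names, digit vocabulary and placeholder tags are invented for this illustration.

```python
import re

# Spoken digit forms a speech-to-text engine may emit (assumed vocabulary).
WORDS = "zero one two three four five six seven eight nine".split()
WORD_DIGITS = {**{w: str(n) for n, w in enumerate(WORDS)}, "oh": "0"}
PUNCT = ".,;:!?"

def luhn_ok(digits):
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def token_digits(token):
    """Digits contributed by one transcript token, or None if it is not numeric."""
    bare = token.strip(PUNCT).lower()
    if bare in WORD_DIGITS:
        return WORD_DIGITS[bare]
    compact = bare.replace("-", "")
    return compact if re.fullmatch(r"[0-9]+", compact) else None

def trailing(token):
    return token[len(token.rstrip(PUNCT)):]   # punctuation to keep after a redaction

def redact(transcript):
    """Replace card numbers and SSN-length digit runs with placeholder tags."""
    tokens, out, i = transcript.split(), [], 0
    while i < len(tokens):
        j, digits = i, ""
        while j < len(tokens) and (d := token_digits(tokens[j])) is not None:
            digits += d
            j += 1
        if j == i:                      # ordinary word: copy through
            out.append(tokens[i])
            j = i + 1
        elif 13 <= len(digits) <= 19 and luhn_ok(digits):
            out.append("[REDACTED-PAN]" + trailing(tokens[j - 1]))
        elif len(digits) == 9:          # conservative: may over-redact
            out.append("[REDACTED-SSN]" + trailing(tokens[j - 1]))
        else:
            out.extend(tokens[i:j])     # short runs and non-Luhn numbers stay
        i = j
    return " ".join(out)

# Constructed utterance (test card number, never-issued SSN area 000).
SAMPLE = "card 4111 one one one one 1111 1111, social 000-12-3456."
```

The Luhn check keeps 16-digit order or reference numbers searchable, while the nine-digit rule deliberately errs toward over-redaction.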

Speech analytics is a powerful tool for call centers that can integrate it into their procedures and training to help remove potentially preventable risk from their operations.