Call Center Compliance – Using Technology to Follow the Key Rules and Regulations
by Scott Kendrick, VP of Strategy at CallMiner
Risk taking is an essential element of business success. The
marketing team might embark on a new edgy slogan to grab attention, or the
product developers create a new item that’s definitely out-of-the-box to reach
an untouched consumer market. These types of risks come with the potential for
reward, which then of course makes it worth taking the leap in the first place.
Several aspects of business, however, are focused on negating risk and avoiding
it at all costs. Within the call center, risk is a dreaded “four-letter word”
because of regulatory compliance. Failure to follow the right compliance protocols
and standards does not come with any type of reward, only the threat of fines
and possible litigation.
A persistent problem for many companies is how to navigate
the “alphabet soup” of applicable regulations, and how to put in place systems
and people that fit within those regulations. Here are the eleven most important
compliance regulations that impact call center operations:
- Telephone Consumer Protection Act (TCPA) - TCPA was enacted in 1991 to limit the use of automated
telemarketing and further clarified in 2015 to cover wireless phone and SMS
telemarketing. TCPA creates strict consent rules for the use of pre-recorded
messages – including those for phone, mobile, SMS, and fax – and automated
dialing, and also created the do-not-call rules that eventually led to the 2003
creation of the National Do Not Call Registry.
- Call monitoring consent - Federal and state laws vary on how many parties must be
made aware of call recording and monitoring. Some states require two-party
notification, while others are “one party.” Contact centers very often handle
calls from all 50 states and abroad, so the consent laws can be tricky. A best
practice is to follow the strictest requirement for consent, so that every
call falls into compliance: tell callers in the opening prompt of every
inbound and outbound call that the call will be recorded and monitored.
- Do Not Call Registry (DNC) - Certainly one of the most well-known regulations is the DNC,
which gives consumers an easy way to opt out of telemarketing calls (with
certain exceptions). Fines for non-compliance can reach $40,000 per incident,
so firms must have procedures in place to frequently scrub their lists against
- Fair Debt Collection Practices Act (FDCPA) - Passed in 1977, the FDCPA was intended to prevent debt
collectors from using threatening language or verbally abusing customers. It
applies to centers that are collecting certain types of debt payments deriving
from credit card payments, utility payments, cell phone bills, and late auto
loan payments. The act includes specific language on call phrasing and
- Truth in Lending Act - The federal government often aims to protect consumers
from themselves. The Truth in Lending Act works in this fashion by mandating
the disclosure of interest rates, loan terms, and late fees for customers. Call
centers should embrace these regulations and be as transparent as possible with
any loan-related specifics.
- General Data Protection Regulation (GDPR) - GDPR is a very recent 2018 regulation that affects any
business that accepts and stores the personal information of any European Union
residents. The regulation applies to the person’s data and their location, not
the location of the call center. So a center in Topeka that only handles a few
EU resident calls a year must still follow GDPR. The regulation fundamentally
shifts ownership of personal data back to the individual. They can ask the
center to erase all of their stored data or to provide it to them in a secure
form. GDPR compliance means centers must develop processes for the complete
deletion of files if necessary and efficient ways to provide customers with
- Dodd-Frank Act - The wide-ranging Dodd-Frank Act includes requirements for
call centers to record phone conversations and save them with time and date
stamps. This allows the center to search them for better and more secure
management. Dodd-Frank also created the
Consumer Financial Protection Bureau (CFPB) to help protect consumers against
unfair, deceptive, or abusive practices and take action on consumer finance
- Sarbanes-Oxley Act - Scandals such as Enron pushed forward the need for
businesses to set up call recordings that cannot be erased, which is
especially important for publicly traded and financial firms. Centers should
carefully review the Act’s specifics, as it provides guidelines on when recorded
calls may be deleted.
- Health Insurance Portability and Accountability Act (HIPAA) - HIPAA
restricts how contact centers can share and store health information for
patients. It sets mandates for the ways information can flow between different
systems and safeguards centers must put in place to prevent breaches.
- Payment Card Industry Data Security Standard (PCI DSS) - PCI
DSS was established in 2006 by five major credit card companies as a way to
improve and modernize credit card data collection and storage. It outlines a
set of standards contact centers must follow for the processing of credit card
payments. Contact centers must diligently follow PCI rules with both their
technology tools and personnel training in order to avoid steep fines.
- Equal Credit Opportunity Act (ECOA) - The ECOA prohibits businesses from using race, age, color,
religion, gender, marital status, etc. to act as the qualifiers for a loan or
credit. It combats the frequent discriminatory practices conducted by
unscrupulous lenders and levels the playing field for access to credit. This
act applies to any telephone interactions in addition to in-person
- Gramm-Leach-Bliley Act - Contact centers and other businesses that hold customer
information must disclose how they share that information with other organizations.
The Gramm-Leach-Bliley Act put in place rules for allowing borrowers to opt out
of information sharing, and compels companies to keep written documentation of
their security efforts that actively manage info sharing.
Leveraging Speech Analytics for Compliance
Navigating all of these compliance regulations is an arduous
task for a contact center’s managers and legal team. It’s vital for companies
to put in place ways to measure and track their compliance, specifically in the
ways their agents describe the company’s products and data practices. Speech
analytics software that records and transcribes every call is a tremendously
useful tool because it provides centers with searchable and reliable data to
help support their regulatory efforts.
Call conversations can be automatically tracked for
compliance, ensuring agents are saying things they must say, and not saying
things they shouldn’t say. Calls that represent risk can automatically be
tagged with the specific regulation or violation they represent. In addition,
conversations can be given compliance risk scores to help narrow the pile of
interactions or agents that require further review. Review of analytics data
can ensure agent compliance with approved scripts, so personnel that go “off
script” can receive immediate coaching and adjustment.
For regulations such as PCI DSS that require data removal, speech
analytics software from advanced providers such as CallMiner can help by
automatically removing sensitive data from call recordings, allowing
organizations to comply both with PCI DSS and with regulations that require call
recordings to be retained. This type of service automatically deletes
credit card or Social Security numbers from call recordings, which effectively
removes much of the data covered by some of the most stringent compliance regulations.
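As an added illustration of the checks described in this section (example code written for this page, not CallMiner's product or any vendor's code), the Python below reviews a constructed transcript: it checks for the call monitoring consent disclosure, tags prohibited collection language, redacts Luhn-valid card numbers and Social Security numbers, and assigns a simple risk score. The phrase patterns, regulation labels and score weights are assumptions chosen for the demonstration.

```python
import re

# Constructed policy for illustration: one required disclosure (call monitoring
# consent) and one prohibited phrase (FDCPA-style threat), keyed by regulation.
REQUIRED = {"call monitoring consent":
            re.compile(r"\bcall (may|will) be (recorded|monitored)\b", re.I)}
PROHIBITED = {"FDCPA":
              re.compile(r"\b(we will have you arrested|pay today or else)\b", re.I)}
# Card-like digit runs (13-19 digits, optional space/dash separators) and US SSNs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out look-alike digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def redact(text):
    """Replace Luhn-valid card numbers and SSNs with fixed tokens; return (text, count)."""
    hits = 0
    def card_sub(m):
        nonlocal hits
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits += 1
            return "[CARD REDACTED]"
        return m.group()  # keep non-card digit runs such as order numbers
    text = CARD_RE.sub(card_sub, text)
    text, n = SSN_RE.subn("[SSN REDACTED]", text)
    return text, hits + n

def review(transcript):
    """Tag one transcript with regulation labels and a constructed risk score."""
    tags = ["missing: " + k for k, rx in REQUIRED.items() if not rx.search(transcript)]
    tags += ["prohibited: " + k for k, rx in PROHIBITED.items() if rx.search(transcript)]
    clean, redacted = redact(transcript)
    if redacted:
        tags.append("PCI DSS: sensitive data redacted")
    # Weighting is an assumption: a threat outweighs a missing disclosure.
    score = (3 * sum(t.startswith("missing") for t in tags)
             + 5 * sum(t.startswith("prohibited") for t in tags) + (1 if redacted else 0))
    return {"tags": tags, "risk_score": score, "transcript": clean}

# Constructed sample transcript, not a real call.
SAMPLE = ("Agent: This call may be recorded for quality. Caller: My card is "
          "4111 1111 1111 1111 and my SSN is 123-45-6789. Agent: Pay today or else.")
print(review(SAMPLE))
```

Real deployments work on transcripts produced by speech recognition, so spoken digit runs arrive with recognition errors and the Luhn filter trades some missed card numbers for fewer false redactions.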
Speech analytics is a powerful tool for call centers that can
integrate it into their procedures and training to help remove potentially
preventable risk from their operations.