New Yorkers Should Receive the Same Digital Communications Benefits All Non-New Yorkers Receive: Part One

By on November 13th, 2023 in Compliance, Industry Insights

The New York City Department of Consumer and Worker Protection (NYC DCWP) just released an updated proposed amendment to its rules relating to debt collection. This updated amendment changes significantly more than the first proposed amendment released by NYC DCWP last year. Interestingly, this update contains revisions that are similar to the New York Department of Financial Services (NYDFS) proposed amendments to New York’s debt collection law, 23 NYCRR 1, that NYDFS released last year. After receiving a number of comments to the proposal, including a comment from TrueAccord, NYDFS paused the rulemaking and has not yet released any revised proposal. Both of these departments, NYDFS and NYC DCWP, should change their proposed amendments to give New Yorkers the same digital communication benefits all non-New Yorkers receive.

The NYC DCWP and NYDFS proposed amendments are designed in part to align with the federal Consumer Financial Protection Bureau’s Debt Collection Rule, Regulation F, that took effect in November 2021. Even though consumers often prefer to communicate digitally, the NYDFS and NYC DCWP updated proposals are stricter than Regulation F, particularly as it relates to the proposed restrictions on digital communications. While attempting to provide additional protections for consumers when debt collectors reach out using digital channels, these NYDFS and NYC DCWP restrictions create unintended consequences that raise barriers for NY consumers to correspond with collection agencies in their channel of preference and hinder communication efforts. The effect will raise the number of lawsuits brought against NYC consumers and ultimately increase the cost of credit for all consumers across the US to offset New York losses.

As a company that predominantly leverages digital communications for virtually all aspects of our customer interactions, TrueAccord has unique experience and information from serving over 20 million consumers, which showcases the benefits of digital communication in collections. Small edits to these proposed amendments can have the same desired impact (protecting consumers from a barrage of digital debt collection messages) without limiting the ability of debt collectors to proactively reach out—in fact, both the federal debt collection rule, Regulation F, and Washington, DC’s recent debt collection law amendments restrict the frequency of outbound digital communications and include specific requirements for opt-outs on all communications with severe penalties for failing to honor a consumer’s request.

In this two-part blog series, we explore the provisions in these proposed amendments that focus on restrictions on digital communications, the unintended consequences to consumers when laws require opt-in instead of opt-out rules for debt collectors, and how the proposals could be changed to accomplish the same result without placing barriers on consumers’ ability to communicate in their channels of preference—read part two here. This first installment focuses on the provisions of the law, consumers’ preference for digital communications, and the small changes that could be implemented before these amendments are final. The second installment seeks to provide information about the benefits of digital communications for consumers in all other states and jurisdictions—except New York. If you are impacted by the current NYC proposal, consider speaking at the upcoming hearing (virtually or in person). Information on how to register is below.

Proposed New York State and New York City Amendments

Three proposed amendments, two different departments, two different jurisdictions, and potential unintended consequences that can harm consumers. Let’s start by evaluating the different proposals by jurisdiction.

New York’s Approach to Digital Communications
The New York debt collection law, 23 NYCRR 1, which took effect in 2019, already restricted the ability of a debt collector to reach out proactively to consumers via email without first having direct express consent from the consumer. This means that a debt collector must first call a consumer to obtain consent before the collector could send an email message about the account. While a debt collector can send proactive emails in an effort to obtain consent, to comply with the law these emails cannot reference the reason why a consumer would want to opt in to communicate by email with the company (i.e., about a past due account) and cannot even reference information about the account. So, they ultimately sound like spam.

For example, if a consumer received a message from a company they do not know, without any information about why the company is reaching out and asking for consent to email, why would a consumer opt-in?

The result, not surprisingly, is that New York consumers who had already opted in to communicate via email about the account with the creditor would, after falling behind on payments and being referred to a debt collector, only receive phone calls and letters from debt collectors.

New York’s First Proposed Amendment
In December 2022, NYDFS released its first proposed amendment to its debt collection rules. Comments were due February 13, 2023. The first New York proposed amendment also never became final. The amendment included the following:

  • Revised definitions of communication, creditor and debt and a new definition of electronic communication
  • Revised requirements for the validation notice, including that the initial communication must be made in writing to avoid having to send another written communication within 5 days of the initial communication
  • Revised requirement that the validation notice cannot be made by electronic communication but may be made in the form requested by a consumer to section 601-b of the General Business Law
  • Revising the disclosure requirements for debts that have passed the statute of limitations for the purpose of filing a lawsuit
  • Revisions to the substantiation requirements, including a 7 year retention period and requirement to provide full chain of title
  • Revisions to the requirement for a debt collector to obtain consent from a consumer before emailing, including, extending the consent requirement to text messages, requiring the consent to be given in writing and retained for 7 years, requiring electronic communications to include clear and conspicuous opt-outs, requiring collectors to honor such opt-outs, and explaining opt-outs are effective upon receipt
  • New provisions covering the relationship with other laws, clarifying, for example, that local laws are not inconsistent with this law if they afford greater protections
  • New section on severability making clear that if any court rules one section of the law to be invalid, it does not invalidate the other sections of the law

The proposed changes to Section 1.6(b) seek to extend the prohibition on a debt collector to reach out proactively to consumers via email without first having direct express consent from the consumer to text messages. This limits the only digital channel currently available for proactive outbound debt collection communications with consumers in New York.

New York City’s Approach to Digital Communications
New York City’s debt collection laws did not contain any restrictions on digital communications. But, after the New York law restricting proactive emails took effect in 2019, New York City consumers who had already opted in to communicate via email about the account with the creditor would, after falling behind on payments and being referred to a debt collector, only receive phone calls and letters from debt collectors.

New York City’s First Proposed Amendment
In November 2022, NYC DCWP released its first proposed amendment to its debt collection rules. Comments were due December 5, 2022. These first NYC proposed amendments contained changes to align their laws with those of New York; however, the proposals never became final. The amendments included the following:

  • Revised the out of statute disclosure agencies must provide on communications with consumers whose accounts have passed the statute of limitations for the filing of a lawsuit to recover the debt
  • Revised requirements for debt collectors to maintain records of attempted communications, complaints, disputes, cease and desist requests, calls, including what calls are recorded and not recorded, credit reporting, unverified debt notices, and communication preferences (if known) as well as unsubscribes or opt-outs from particular channels
  • New definitions for attempted communication, electronic record, electronic communication, clear and conspicuous, language access services and limited content message
  • New prohibition on electronic communications unless the debt collector sent the initial communication with the validation notice by mail and the consumer opted in to electronic communications with the debt collector directly and clear and conspicuous opt-outs without penalty or charge on all electronic communications
  • Revised unconscionable and deceptive practices to include: adding attempted communications anywhere communications appeared, such as adding attempted communications to the excessive frequency prohibition
  • New prohibition on social media platform communications unless the debt collector obtains consent and communicates privately with the consumer
  • New rules on requirements prior to furnishing information to credit reporting agencies
  • Revised validation notice disclosures and obligations for translating, if notices are offered in different languages

New York City’s Revised Amendment
In November 2023, NYC DCWP released an updated NYC proposed amendment. Comments can be submitted through November 29, 2023. A hearing will be held that same day at 11AM. The updated version contains all of the changes suggested in the first proposal as well as:

  • Additional revisions to what information is required to be maintained in debt collection logs that would require major changes to all collection software systems
  • Additional new definitions for covered medical entity, financial assistance policy, itemization reference date, original creditor and originating creditor
  • Clarifies that any communications required by the rules of civil procedure in a debt collection lawsuit do not count toward frequency restrictions
  • New disclosures for medical debts as well as specific treatment of medical accounts, such as validation procedures and verification of covered medical entity obligations prior to collections

These amendments align the New York City law to that of New York. If these amendments become final, New York will be an opt-in jurisdiction instead of an opt-out jurisdiction, meaning debt collectors must communicate by telephone or letter to obtain consent to text or email, even when a consumer already opted into digital communications about their account. This puts New Yorkers at a disadvantage compared to consumers in all other states who are able to communicate electronically under the provisions of the federal Fair Debt Collection Practices Act (FDCPA) and Regulation F.

Opt-Out Jurisdictions Offer Consumers the Same Protections

The rest of the United States has approached debt collection attempts via digital communications very differently from New York. For all consumers outside of New York, debt collectors may send proactive debt collection communications via email or text messages. The laws require that all digital communications contain clear and conspicuous opt-out methods (unsubscribe flows in emails and “reply STOP to opt-out” in text messages), with strict penalties for debt collectors who do not honor a consumer’s request to opt out of digital communication channels. Digital communications also fall under the frequency limitations of the FDCPA and Regulation F.

Only one other jurisdiction to date has created additional restrictions related to digital communications that exceed the protections in the FDCPA and Regulation F. Washington, DC amended its debt collection law through the Protecting Consumers from Unjust Debt Collection Practices Amendment Act of 2022, and the changes took effect in January 2023. DC remains an opt-out jurisdiction with specific requirements for opt-outs on all email and text communications with severe penalties for failing to honor a consumer’s request, but also added a specific frequency limitation on digital communications. Debt collectors are only permitted to send a consumer one digital communication per week—one email or one text message (one time in a seven day period). A debt collector may only communicate digitally more than one time per week after a consumer opts in to additional digital communications.

As a result, in these opt-out jurisdictions, consumers can still receive the digital communications they prefer without having to receive phone calls attempting to get them to opt in to digital communications, like the consumers in New York. Additionally, in these opt-out jurisdictions consumers learn about their account faster, can explore options on their own time, and receive the additional benefits that come with early communication about their debts—such as setting up a payment plan, having a credit reporting tradeline updated or deleted, providing evidence of fraud or identity theft, and disputing all or portions of the balance. New York consumers who do not answer their phones are less likely to receive these benefits that come with knowing there is a debt in collection and the options to resolve it.

Ultimately, New York still has time to amend their proposals to ensure their consumers receive the same treatment as all other consumers in the US.

Consumers Prefer Digital Communication

By and large, consumers prefer to communicate with their collection agencies digitally—they already predominantly communicate with their banks, creditors, and lenders digitally, so digital collection is a smooth transition. For example, almost all TrueAccord communications with consumers (93%) happen digitally with no agent interaction because the digital communications contain links to online pages where consumers can take action on their accounts. In fact, more than 21% of consumers resolve their accounts outside of typical business hours—before 8AM and after 9PM—when it is presumed inconvenient to contact consumers under the FDCPA. In fact, consumers often post publicly about their positive experience with digital collections:

We believe restricting digital methods to reach and serve consumers will disadvantage vulnerable populations of consumers who primarily conduct most of their affairs digitally. According to the Pew Research Center, “reliance on smartphones for online access is especially common among younger adults, lower-income Americans and those with a high school education or less.” As the consumer described above, TrueAccord’s approach of sending digital communications helps consumers easily navigate to our website and perform actions at their convenience online.

We will continue to explore the impact of these proposed amendments in the second blog post of this series, including how:

  • Limiting digital communication use hurts all consumers
  • Multiple opt-in requirements burden consumers
  • Non-digital communications can be disruptive to consumers
  • Email and text messages are a step forward in consumer protection

Register to Speak at the Upcoming Hearing

Sign up to speak for up to three minutes at the hearing by emailing Rulecomments@dcwp.nyc.gov. You do not have to be present at the hearing to speak if you join the video conference using this link, https://tinyurl.com/z3svub58, meeting ID: 255 089 803 499 and passcode: 8HGNSw.

Read Part Two of Our Series: New Yorkers Should Receive the Same Digital Communications Benefits All Non-New Yorkers Receive

Discover the unintended harms New Yorkers face if digital communications are restricted by proposed amendments to New York and New York City’s debt collection laws and the digital communication benefits consumers get in all other states here»»

Data Protection is Critical in Debt Collection: GLBA, Consumer Trust, and Best Practices to Protect Your Business

By on June 29th, 2023 in Compliance, Industry Insights

In today’s financial landscape, regulators at both the federal and state level are driving accountability for companies when it comes to data protection and security. We see that with the express requirement in the Gramm-Leach-Bliley Act, or GLBA, Safeguards Rule—which went into effect on June 9, 2023—that organizations have one qualified individual to oversee the information security program, and that the qualified individual provides regular reports to the highest governing body of an organization.
This underscores the importance of protecting customer information in a digital age where information has its own intrinsic value.

Let’s take a look at the new updates to the GLBA Safeguards Rule, how these security policies are important specifically for debt collection, and what best practices your business should follow to protect consumers’ data.

The GLBA Data Protection Law

The Gramm-Leach-Bliley Act, or GLBA, is a federal regulation to control how financial institutions collect, store, and transmit consumer information. GLBA was enacted by the Federal Trade Commission (FTC) in 1999, and the FTC recently rolled out new amendments to the Standards for Safeguarding Customer Information, known as the “Safeguards Rule,” that went into effect on June 9, 2023, in an effort to continue protecting consumer data in an ever-evolving digital environment.

A few of the updates to GLBA’s Safeguards Rule include:

  • Provides covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program
  • Improves the accountability of these security programs, such as requiring financial institutions to designate a qualified individual responsible for overseeing, implementing and enforcing the program

Data Protection is Critical in Debt Collection

To attract clients today, a debt collector must demonstrate the implementation of a full suite of information security practices covering physical, technical, and administrative safeguards, including comprehensive employee information security training. Failure to implement these best practices can result in a security incident or, worse, a data breach. Not only are data breaches costly because of the notification provisions, including providing credit bureau monitoring, but it can also be difficult for a company to survive after a breach. It is not unusual for a company to file bankruptcy after a data breach.

Reputation and Customer Retention

Although complying with federal and state regulations helps companies avoid costly—even criminal—penalties, consumer trust that their financial data is being protected is critical to maintaining a positive reputation and retaining customers (even if they fall into delinquency).

Data protection policies are often treated as set-it-and-forget-it, or even as a lower-priority luxury, due to limited resources, expertise, or familiarity. But for today’s consumers, data security is a top priority.

A recent study by MAGNA Media Trials and Ketch showed that across every age group, 74% of people rank data privacy as one of their top values and consistently rank data privacy as their top concern. And on the flip side, the study showed nearly 9 out of 10 consumers report strong data privacy practices positively impact their relationship with a company.

Keeping Up With Compliance

Along with federal regulations, individual states are also issuing new laws focused on consumer data protection. California, Utah, Colorado, Connecticut and Virginia all passed data privacy laws over the past several years that take effect in 2023. This past March, Iowa passed a Data Privacy Law that takes effect on January 1, 2025 and is very similar to both Virginia’s and Colorado’s laws, affording consumers a right to know and a right to request deletion. Pennsylvania amended its Breach of Personal Information Notification Act by, among other things, expanding the definition of “personal information” to include medical and health information, and a username or e-mail address in combination with login credentials. Several more states have privacy and security laws in draft.

Although GLBA and other data protection and privacy laws are the hot topic when it comes to compliance today, they aren’t the only federal privacy regulations lenders and debt collectors need to follow and monitor for changes—or face the consequences of non-compliance. Here are some recent laws and amendments impacting the industry:

  • The Fair Credit Reporting Act: Credit reporting companies and users of credit reports have specific obligations to protect the public’s data privacy, with potential criminal liability for certain misconduct.
  • The Dodd-Frank Wall Street Reform and Consumer Protection Act: Established a new Consumer Financial Protection Bureau with the authority to supervise and regulate entities that offer or provide consumer financial products or services.
  • Health Insurance Portability and Accountability Act (HIPAA): Two-part rule for privacy and security of personal health information (PHI) that applies to covered entities (doctors, hospitals, pharmacies, insurers, and their vendors). PHI is defined broadly to include any information provided to the covered entity by the patient.

Consumer Data Protection is Not a Luxury

Having good security practices in place is not only beneficial for both consumers and businesses, but also critical to stay compliant with all the new laws and amendments being introduced. Here are some of the best privacy and security practices to implement to protect customers and companies and to stay compliant:

  • Practice data minimization.
  • Know where personal information lives at all times by creating a data map of where the data goes and is stored throughout your systems, which includes knowing your vendor’s data security and privacy practices and controls.
  • Know who has access to personal information and routinely examine if that access is necessary to complete that job function.
  • Be intentional with how data is organized and stored so it can be easily segmented and treated differently if need be (think network segmentation).
  • Have a public facing Privacy Notice–and make sure it accurately reflects your practices for use, collection, deletion and correction.
  • Conduct an annual data security risk assessment to continually reassess areas for improvement and where you may need additional controls.
  • Ensure contracts with parties from whom you receive and/or to whom you give personal information specifically address each party’s obligations and restrictions for how personal information is used, shared, disclosed, stored, and sold (if permitted).

The TrueAccord Approach

At TrueAccord, empathy towards the consumer is a core part of our company mission: we enable businesses to collect more, faster, and from happier customers.

Ready to collect more, faster from happier customers? Learn how TrueAccord weaves compliance and data security into debt recovery by scheduling a consultation today»»

A Closer Look at the Gramm-Leach-Bliley Act (GLBA): Updates to the Safeguards Rule

By on June 6th, 2023 in Compliance, Industry Insights

Protecting personal and financial information is critical in today’s digital age. Where data has its own intrinsic value and where data breaches and cyberattacks are a risk for every business, the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA) provides financial institutions, including those in the accounts receivable management industry, with guidance on how to safeguard customer information.

The existing Safeguards Rule provided financial institutions with much flexibility and discretion when determining what kinds of safeguards were best for their organizations and risks. With the amendments, which go into effect on June 9, 2023, financial institutions now have a more prescriptive recipe for what those safeguards need to be.

What is the Gramm-Leach-Bliley Act (GLBA)?

The Gramm-Leach-Bliley Act, or GLBA, is a federal regulation to control how financial institutions collect, store, and transmit consumer information. Although GLBA was enacted by the Federal Trade Commission (FTC) in 1999, changes have been anticipated for the last few years.

In October 2021, the FTC announced new amendments coming to the Standards for Safeguarding Customer Information, known as the “Safeguards Rule,” and an issuance of a final rule, referred to simply as the “Final Rule.” Originally set to go into effect in 2022, financial institutions—a designation that has also been updated—now need to prepare for the changes or risk non-compliance and its consequences before they go into effect on June 9, 2023.

What is the Safeguards Rule?

The Safeguards Rule took effect January 10, 2021, and its requirements were first set to go into effect beginning December 9, 2022, but the FTC announced it would extend the deadline for financial institutions to develop, implement, and maintain a comprehensive information security program to June 9, 2023.

There are five overarching modifications to the existing Safeguards Rule:

  • Provides covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program
  • Improves the accountability of these security programs, such as requiring financial institutions to designate a qualified individual responsible for overseeing, implementing and enforcing the program
  • Exempts financial institutions that collect information on fewer than 5,000 consumers from the requirements of a written risk assessment, incident response plan, and annual reporting to the board of directors
  • Expands the definition of “financial institution” within the scope of the Safeguards Rule – see the expanded definition in the next section below
  • Includes several other definitions and related examples in the amended Safeguards Rule itself in an effort to make it more self-contained and to enable readers to understand its requirements without referencing the FTC’s Privacy of Consumer Financial Information Rule

Along with these updates to the Safeguards Rule, let’s examine a few other specifications of the updates.

What are other updates to the Safeguards Rule?

The expanded scope of financial institutions that are subject to the Safeguards Rule is significant. Under the new Final Rule, “financial institutions” now include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities, such as:

It is important to note that the Final Rule does not apply to national banks, savings and loan institutions, and federal credit unions, as these institutions are not subject to the FTC’s jurisdiction.

The Final Rule requires these covered financial institutions to comply with specific new requirements, such as:

  • Encrypt all customer information, both in transit over external networks and at rest
  • Multi-factor authentication for any individual accessing any information system, unless the use of reasonably equivalent or more secure access controls has been approved in writing by a qualified individual at the financial institution
  • Conduct periodic written risk assessments, and the results of such risk assessments should drive the information security program
  • Create procedures for evaluating, assessing or testing the security of externally developed applications used to transmit, access or store customer information
  • Set procedures for secure disposal of customer information no later than two years after the last date the information is used
  • Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users
  • Provide personnel with security awareness training, and provide information security personnel with training to address relevant security risks; and that key information security personnel take steps to maintain knowledge of changing information security threats and countermeasures
  • Written incident response plan designed to promptly respond and recover from any security event affecting the confidentiality, integrity, or availability of customer information
  • Qualified individual to regularly, and at least annually, report in writing to an organization’s governing body (e.g., board of directors) regarding the status and material matters of the information security program
  • Regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, and conduct required penetration testing annually and vulnerability assessments at least every six months and whenever there are material operational or business changes

Given the expanded definition of “financial institutions,” some of these organizations may be unfamiliar with the extent of these requirements, and even those familiar with GLBA previously must be ready to comply or face the consequences.

What are the penalties for non-compliance with GLBA?

Whether it’s GLBA, Regulation F, or any of the numerous state laws, companies can face serious penalties for compliance failures—monetary, reputational, and even criminal. When it comes to GLBA, non-compliance penalties include:

Section 5 of GLBA grants the FTC the authority to audit policies to ensure they are developed and applied fairly—all the more reason to follow the Safeguards Rule’s provisions of self-audits and testing. 

Learn More About Compliance and Collections

Now that you have the breakdown of the Gramm-Leach-Bliley Act updates to the Safeguards Rule, are you familiar with the other laws and regulations governing debt collection? Check out our Collections & Compliance resources to see what other regulatory guidelines may impact your business or schedule a consultation to get started»»

Call-and-Collect vs Digital-First Engagement for Debt Recovery

By on June 1st, 2023 in Compliance, Customer Experience, Industry Insights, Product and Technology, User Experience

Outbound calling has been the main mode of collections for decades, but the cost of a call center or in-house full-time employees (FTEs) making calls is no longer justifiable when most consumers simply don’t answer the phone, on top of the mounting compliance restrictions limiting opportunities to call in the first place.

But outbound dialing isn’t completely obsolete—digital-first omnichannel strategies can turn traditional call-and-collect operations around by integrating new digital channels into the communication mix.

Let’s compare traditional outbound calling methods versus a digital-first approach in three key areas impacting your business’s ability to collect more, faster:

  • COST
  • COMPLIANCE
  • CONSUMER PREFERENCES

Get even more statistics and data in our latest eBook — Why Evolve from Outbound Calling to Omnichannel Engagement? Cost, Compliance, & Consumer Preferences, available for download now»»

COST: Call-and-Collect

The cost to collect has been on the rise for traditional methods for years, whether you outsource to a call center or have FTEs dialing the phones.

One reason for this rise is based on the fact that many lenders still practice old strategies to prioritize contacting customers based on their risk profiles, balance, and average days delinquent—completely missing portions of their portfolios. Factoring in propensity to pay is important to successful engagement, but it means that agents’ time is focused on only a small portion of accounts, leaving potential repayments on the table.

Add in the overhead costs, inflation, and hiring challenges of using agents as first attempts at engagement and watch the expenses continue to climb past what you’re able to collect through outbound calling.

COST: Digital-First Omnichannel

Right off the bat, digital-first shows the cost of collections can fall by at least 15%.

Since digital is infinitely scalable, this communication tactic can touch every single account, regardless of scoring models—unlike human dialers who can only physically call a certain number of accounts on any given day. Going digital-first cuts down on the time billed for making repeated outbound calls that are never answered or returned, and it allows agents to interact with customers that want to speak directly to a person.

Overall, digital-first has shown to boost customer engagement by 5x, the first step towards repayment.

COMPLIANCE: Call-and-Collect

It’s no secret that it’s increasingly complicated to reach customers with all the legal communication restrictions.

While all debt collection communication is subject to compliance rules, outbound calling has specific laws and regulations that can carry costly penalties for non-compliance—and it’s only becoming more complex with new state-specific rules rolling out right and left. But no matter where your business is doing business, if you’re making collection calls you must follow these federal guidelines:

  • Inconvenient Time Rule: prohibits calling before 8am or after 9pm
  • Regulation F’s 7 and 7 Rule: Cannot call more than seven times within a seven-day period
  • Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act) tagging legitimate businesses as spam
  • FCC Orders further restrict dialing to landlines and include opt-out requirements for prerecorded voice messages

But there is a more streamlined way to ensure your collection communications are following all the rules: enter code-based compliance.

COMPLIANCE: Digital-First Omnichannel

Code-based compliance works by programming rules that ensure all communications fall within all federal and state laws and regulations, such as:

  • Frequency and harassment restrictions
  • Consent requirements*
  • Disclosure requirements

This digitally designed approach to compliance greatly reduces the opportunities for human error that are bound to occur in more manual processes. Additionally, the digital-first approach allows companies to continue to collect during times that calling would violate certain regulations, like the Inconvenient Time Rule. In fact, 25% of payments come in after 9pm or before 8am (the determined inconvenient times), since these hours can actually be more convenient for consumers to catch up on digital communications they received throughout the workday.

*Generally, there is no requirement in the federal law to send debt collection communications by email, though some states are more restrictive. This is not legal advice, please consult an attorney for guidance on your unique circumstance.

CONSUMER PREFERENCE: Call-and-Collect

46% of consumers want to be reached through their preferred channels—so what are today’s consumers’ preferences?

Here’s a hint: phone calls aren’t at the top of the list.

And today’s Right Party Contact rates show it, ranging between just 0.5% – 4.0%. And out of those that do answer the phone, 49.5% of consumers take no action after a collection call. The old call-and-collect tactic may actually do more harm than good if compliance rules are ignored: out of the communication tactic complaints received by the CFPB in 2020, over half complained of frequent or repeated calls.

CONSUMER PREFERENCE: Digital-First Omnichannel

So if phone calls aren’t consumers’ preferred method of communication, then what is? For 59.5% of consumers, email is their first preference when it comes to debt collection communications. This is especially important considering that first contacting a customer through their preferred channel can lead to a more than 10% increase in payments.

This digital preference isn’t surprising since nearly nine in ten Americans are now using some form of digital payments—why would they expect collections to be any different? 14% of bill-payers prioritize payments to billers that offer lower-friction payment experiences, and digital is often preferred because of it. Digital communications are easily controlled by consumers and are tightly managed by service providers with built in mechanisms to prevent harassment (like with code-based compliance), which we know has historically been a challenge for call-and-collect practitioners.

Digital-First is the Future of Collections

And it’s here today, working for TrueAccord clients and customers.

At TrueAccord, we find that more than 96% of customers resolve debts without any human interaction when digital options are offered—reducing costs associated with outbound calling, lowering risks with code-based compliance built in, and delivering an experience that consumers prefer.

Get even more statistics and data in our latest eBook — Why Evolve from Outbound Calling to Omnichannel Engagement? Cost, Compliance, & Consumer Preferences available for download now»»

Ready to go digital-first with your debt recovery operations? Schedule a consultation to get started today!

Coast to Coast: the State of Privacy and Compliance in 2023

By on April 20th, 2023 in Compliance, Industry Insights, Webinars

Disclaimer: The information provided in this blog post does not, and is not intended to, constitute legal advice. 

Protecting consumer privacy is not an unfamiliar concept in our industry and it’s something that should already be woven into our policies, procedures, and practices. With the rapid increase of state privacy laws across the United States, any company that collects, uses, transmits, or receives consumer data has to stay up-to-date on all related compliance issues.

In a previous webinar, Coast to Coast—the State of Privacy and Compliance in 2023, TrueAccord’s legal experts discussed the newest federal privacy laws and all the related compliance issues. Watch the full webinar on-demand now!

The passage of the FTC’s Safeguards Rule, amending the Gramm Leach Bliley Act (GLBA), has been a big topic in data security conversations across the financial services industry as businesses prepare to be in compliance on or before the extended effective date of June 9, 2023. Meanwhile, several states have actively been considering and passing new legislation requiring additional policies, controls, and practices not only in the data security space but also for data privacy and data breaches. It is important for Chief Information Security Officers, Privacy Officers, and Chief Compliance Officers to stay on top of this legislation, as well as Chief Executive Officers since we have seen many federal and state actions naming the CEO in their individual capacity for failing to properly secure and protect data or to properly delegate these responsibilities to the appropriate persons within their organizations. 

**Please note this article is not legal advice. This is not an exhaustive list of all laws. You should consult a lawyer if you have questions about federal and state data security, privacy or breach laws.

Data Breach Laws

All 50 states have data breach notification laws on the books. In 2022, 19 states considered enhancing their data breach laws.

Those states that passed revised data breach laws tightened up notification timelines, added additional definitions of what constitutes personal information, and expanded the notification requirements to include additional state agencies. For example, Arizona’s law HB 2146, amending Arizona Revised Statutes section 18-552, not only requires that notification be made to consumers but also to the Director of Arizona’s Department of Homeland Security. If the breach impacts more than one thousand people, then the law requires the notification also be given to the three largest nationwide credit reporting agencies, the attorney general, and now the Director of Arizona’s Department of Homeland Security.

While most states are shortening the time frame in which a consumer must be notified of a data breach to 45 days or less, some of these laws include exceptions or a short list of situations in which a delay in notification is permissible. For example, Indiana’s revised law, H.B. 1351, amending Indiana Code 24-4.9-3-3, limits a permissible delay in notification to three circumstances: (1) when the integrity of the computer system must be restored, (2) when the scope of the breach must be discovered, or (3) when the attorney general or a law enforcement agency asked to delay disclosure because disclosure will impede a criminal or civil investigation, or jeopardize national security.

Both Maryland (H.B. 962, amending Maryland Personal Information Protection Act and section 14-3501 of the Annotated Code of Maryland) and Pennsylvania (S.B. 696, amending the Pennsylvania Breach of Personal Information Notification Act) expanded the definition of “personal information” to include medical and health information, including a definition of “genetic information” in Maryland’s law.

Since the webinar, Utah Governor Spencer Cox signed into law Senate Bill 127 on March 23, 2023, which amends the state’s data breach notification statutes. The amendments go into effect May 2, 2023.*

Along with updates to states’ laws, federal regulators are also providing additional guidance. For example, the Office of the Comptroller of the Currency (OCC) recently released more information regarding when banks need to hear from their vendors about data breaches, including ransomware notifications.

Data Privacy Laws

In addition to creating and updating laws to help consumers in the event of a data breach, states have also been enacting laws dedicated to protecting consumer privacy. There are six states with comprehensive data privacy laws: California, Connecticut, Colorado, Iowa*, Virginia, and Utah. These laws give consumers various rights over their personal information, such as the right to know what information companies collect and use, a right to correct their information, a right to opt-out of the sale of such information, and a right to request deletion. 

In 2022, Congress introduced a federal privacy law, HR 8152, the American Data Privacy and Protection Act; however, it did not make it to the finish line despite having bipartisan support. It contained some preemption of state privacy and data protection laws, which would have been a relief to many companies navigating the existing patchwork of state laws.  As of January 2023, many states have introduced privacy-related bills and this is likely to continue throughout the years to come. 

California took the privacy law lead in passing the California Consumer Privacy Act of 2018 (CCPA) that went into effect in January of 2020 to protect the use and sharing of personal data. California recently expanded the CCPA with the California Privacy Rights Enforcement Act (CPRA) that took effect on January 1, 2023. The law created the new California Privacy Protection Agency and gave it the power, authority, and jurisdiction to implement and enforce CPRA. Additionally, businesses must regularly submit their risk assessment on the processing of personal information to this new agency.

The four other states that followed suit have substantially similar laws with broad definitions of personal information. These laws typically apply to persons that conduct business in the state and process a set minimum of consumer data records (typically 25,000 or more) or businesses who earn at least 50% of their revenue from the sale of consumer data.

These laws give consumers various rights, such as the right to access their personal data, correct inaccurate personal data, delete personal data, in certain circumstances, obtain a copy of the personal data they previously provided to a controller, opt-out of the processing of their personal data if related to targeted advertising, sale of personal data or certain profiling activities, appeal a controller’s refusal to take action on a request, and submit a complaint to the attorney general if an appeal is denied. Interestingly, Colorado’s law makes clear that a consumer’s consent is not valid if obtained through the use of a “dark pattern.” 

These laws do not give consumers a private right of action but are enforced by the state’s attorney general with civil monetary fines calculated per violation. These laws also contain exemptions for data already protected by other laws, such as HIPAA, FCRA, and GLBA.

Virginia’s law took effect January 1, 2023. Both the Connecticut and Colorado Data Privacy Acts will go into effect July 1, 2023. The Utah Consumer Privacy Act takes effect December 31, 2023. The Iowa privacy bill (SF 262) was signed into law by Gov. Kim Reynolds on Tuesday, March 28, 2023. The legislation is set to take effect Jan. 1, 2025.*

Best Practices for the Future of Data Security & Privacy 

Having good security practices in place is not only beneficial for both consumers and businesses, but is absolutely critical to stay compliant with all the new laws and amendments being introduced. 

So what are some of the best privacy and security practices to implement to protect customers, companies, and stay compliant? 

  • Practice data minimization.
  • Know where personal information lives at all times by creating a data map of where the data goes and is stored throughout your systems, which includes knowing your vendor’s data security and privacy practices and controls. 
  • Know who has access to personal information and routinely examine if that access is necessary to complete that job function.
  • Be intentional with how data is organized and stored so it can be easily segmented and treated differently if need be (think network segmentation). 
  • Have a public facing Privacy Notice–and make sure it accurately reflects your practices for use, collection, deletion and correction.
  • Conduct an annual data security and privacy risk assessment to continually reassess areas for improvement and where you may need additional controls.
  • Ensure contracts with parties from whom you receive and/or to whom you give personal information specifically address each party’s obligations and restrictions for how personal information is used, shared, disclosed, stored, and sold (if permitted).

Compliance with data privacy and data security requirements will continue to progress as new laws and regulations are passed. Best practices will continue to evolve as well, as we continue to learn more about the expectations from Federal and state legislators and regulators, and as companies navigate evolving threats and vulnerabilities. Watch the full Webinar: Coast to Coast—the State of Privacy and Compliance in 2023 here »»

Learn more in our Compliance & Collections Resource Center or schedule a consultation today

Footnotes: 

*The Iowa privacy bill (SF 262) was signed into law by Gov. Kim Reynolds on March 28, 2023 after TrueAccord’s Coast to Coast webinar. 

*The data breach law for Utah was passed on March 23, 2023 after TrueAccord’s Coast to Coast webinar

An email is less intrusive than a phone call, finds N.D. Illinois while granting TrueAccord’s motion to dismiss

By on April 12th, 2023 in Company News, Compliance, Customer Experience, Industry Insights, User Experience

By Katie Neill & Steve Zahn

A court victory by TrueAccord Corp. (TrueAccord) in the Northern District of Illinois continues to showcase the benefits of digital collection as the court found receiving an email about a debt is less intrusive to consumers than receiving a phone call. Messer Strickler Burnette represented TrueAccord and filed the briefing in the case.

In the Branham v. TrueAccord opinion, the court granted TrueAccord’s motion to dismiss finding that the alleged injuries claimed by the plaintiff—undue stress and anxiety, financial and monetary loss, uncertainty as to how to proceed about the debt, and a harm that “bears a close resemblance” to invasion of privacy—are insufficient to establish standing for a Fair Debt Collection Practices Act (FDCPA) claim.

Plaintiff’s Allegations

Plaintiff alleged that TrueAccord violated the FDCPA by contacting her twice by email after having received notice that she was represented by an attorney. TrueAccord had no record of receiving a notice of attorney representation from the plaintiff. However, when deciding on a motion to dismiss like this, the court must rely solely on the facts and allegations in the complaint and consider them as true, whether or not they are.

In the complaint, the plaintiff included a laundry list of alleged injuries suffered as a result of receiving the two emails from TrueAccord. These injuries included:

  • “Actual” financial and monetary loss without any specifics
  • Confusion on how to proceed with TrueAccord’s debt collection attempts due to “misleading statements”
  • Undue stress and anxiety as well as wasted time, annoyance, emotional distress, and informational injuries
  • A harm that “bears close resemblance to” invasion of privacy

Plaintiff Did Not Allege a Concrete, Particularized Injury

In its decision, the court shot down each of these alleged harms and found that the plaintiff failed to properly plead a concrete, particularized injury as the U.S. Supreme Court required in Spokeo, Inc. v. Robins.

Specifically, the court found:

  1. Unlike telephone calls, two unwanted emails are insufficient to confer standing and wouldn’t be “highly offensive” to the reasonable person.
  2. Alleged physiological harms (e.g., emotional distress, anxiety, and stress) are abstract harms and not concrete enough to support standing without a physical manifestation of such harms.
  3. Vague and conclusory statements that the plaintiff suffered financial harm without any allegations of facts to support that alleged harm are insufficient.
  4. Attorney fees for bringing suit on a matter cannot be the sole basis of standing to bring the matter; to do otherwise would permit any plaintiff without standing to create it by retaining counsel.
  5. “Wasted time” is not a sufficient harm for standing where no facts are alleged to support the claim.
  6. The risk of an invasion of privacy without an actual invasion of privacy is too speculative and not sufficient to confer standing.

Sophisticated Omnichannel Communication Strategies

This decision is another step forward for the use of email in debt collection as the consumer-friendly way. It also showcases the need for mindfulness when implementing an omnichannel communication strategy. Notably, while the court found a couple of emails are less intrusive than a phone call, it also stated that text messages, voicemail, and calls are different as they “are sufficiently intrusive on an individual’s peace and quiet” to support standing. Using a sophisticated omnichannel strategy helps debt collectors reach consumers at times that are right for the consumer and through the right communication channel, which ultimately creates a non-intrusive consumer experience.

Schedule a consultation to learn more about how email and an omnichannel approach can help your business’s collection efforts today»»

Using Regulation F to Maximize Recovery: Highlights from CBANC Webinar with Kelly Knepper-Stephens

By on October 20th, 2022 in Compliance, Industry Insights, Industry Interviews, Webinars

Just as technology has evolved leaps and bounds, so have consumer communication preferences with that technology, especially when it comes to debt collection. So in 2021, the Consumer Financial Protection Bureau (CFPB) rolled out Regulation F under the existing Fair Debt Collection Practices Act (FDCPA). Regulation F seeks to provide additional clarity around the key FDCPA prohibitions covering everything from harassment, such as the 7-in-7 call caps, to sample language for the initial communication with enhanced disclosures and information to help consumers identify their accounts.

Now, one year after Regulation F has gone into effect, some organizations and lenders still have questions about these new rules and how they can impact their business overall.

To help elucidate the matter, TrueAccord’s Chief Compliance Officer and General Counsel, Kelly Knepper-Stephens, sat down with the CBANC Network to discuss Using Regulation F to Maximize Recovery.

Below are just a few highlights from the in-depth discussion, but we encourage you to watch the full on-demand webinar to learn more about:

  • Safe Harbors in Regulation F (and if they are worth it)
  • Social Media communication best practices
  • Rules on contacting consumers including from other laws like the TRACED Act
  • State and municipal laws applicable to debt collection
  • and more!

Watch the full webinar Using Regulation F to Maximize Recovery here»»

Highlights from “Using Regulation F to Maximize Recovery” with Kelly Knepper-Stephens*

We have found at TrueAccord that maintaining strong compliance with Regulation F doesn’t decrease your ability to recover defaulted debts from consumers. We know that consumers like digital collections, because we primarily communicate using digital channels. 

At TrueAccord, we find that 65% of consumers are opening at least one email—and 35% click on the link in the email that directs the customer to the webpages with information about the account settlement offers and payment plans, how to dispute, et cetera. For TrueAccord, 96% of consumers resolve their account without any human interaction whatsoever because they find the information that they need through the self-serve platform.

The regulators understand the growing preference for digital and self-service methods, and have acknowledged in Regulation F that it is permissible for a debt collector to communicate with consumers via these digital channels, including adding rules about how to use social media in debt collection. 

TrueAccord was very active in the CFPB’s Regulation F rulemaking process for this reason. We served on the small entity review board business panel in order to provide feedback as to the potential impacts of the draft proposal on our small business. We also provided a lot of data and information on how we designed our digital communications, such as having unsubscribe links in all email communications. This was important because at the time TrueAccord was one of the only companies in the industry using digital. The end result actually mimicked some of our best practices.

Engaging the consumer is the fastest path to resolution, so no matter the channel—email, text message, phone calls, et cetera—using all channels compliantly to identify the right time, right channel, right message to engage the consumer is the ticket to success. 

Watch the on-demand webinar, Using Regulation F to Maximize Recovery, to learn more»»

*Kelly serves as TrueAccord’s Chief Compliance Officer and General Counsel. This blog is not legal advice. Legal advice must be tailored to the particular facts and circumstances of each unique matter.

Top Five Compliance Questions Answered by TrueAccord Compliance & Collections Professionals

By on October 11th, 2022 in Compliance, Industry Insights, Industry Interviews

Whether you’re a startup or an established organization, understanding the laws and regulations that apply to debt collection can be overwhelming. Compliance is always evolving as new laws and regulations are passed, new technology is introduced, consumer preferences shift, and court decisions or regulatory guidance suggest modifications to best practices. Fortunately, the knowledgeable team at TrueAccord is here to help break down some of the top questions around compliance in the collections industry.

The Questions:

  1. What are the major regulations lenders need to know about?
  2. What are the consequences of non-compliance?
  3. What kinds of businesses need to comply with these regulations?
  4. What are the top challenges that you see ahead for compliance in collection?
  5. What keeps a legal or compliance professional in collections up at night?

We asked some of the TrueAccord compliance professionals to provide insight to these top questions.*

*This blog is not legal advice. Legal advice must be tailored to the particular facts and circumstances of each unique matter

1. What are the major laws and regulations lenders need to know that govern debt collection (and debt collection service providers)?

Steve Zahn [SZ]: Right off the bat, obviously the Fair Debt Collection Practices Act, or the FDCPA, is the major law lenders need to know about for debt collection. There are also some similar state laws, but the FDCPA is the big one that governs debt collection activity.

Kelly Knepper-Stephens [KKS]: The CFPB just finished a rulemaking in 2021 related to the FDCPA, referred to as Regulation F, in an effort to modernize and work through some of the issues that occurred and played out in the courts over the last 45 years since the FDCPA took effect. The TCPA—the Telephone Consumer Protection Act—is another law that impacts debt collection. It doesn’t just regulate phone calls. It also regulates text messaging and it regulates leaving pre-recorded messages for consumers. So it’s important to be aware of how that impacts the types of consumer communications that a business will be using.

Lauren Valenzuela [LV]: One of the most important laws that sometimes gets overlooked is the Dodd-Frank Wall Street Reform and Consumer Protection Act. This is what created the Consumer Financial Protection Bureau, the CFPB. It’s also what created what we know as UDAAP—Unfair, Deceptive, or Abusive Acts or Practices. The CFPB gets its UDAAP authority from that particular law, and it also gave the CFPB authority to interpret and make rules for the Fair Debt Collection Practices Act. There are other laws that impact our work as well, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, Electronic Signatures in Global and National Commerce Act, known as the E-Sign Act, among others.

Leana Lares [LL]: Additionally, if a business is working with consumer personally identifiable information, private information, then they should definitely know about all of the different federal and state privacy and data security laws.

2. What are the consequences of non-compliance?

LV: Consequences of non-compliance are very vast. Non-compliance can lead to increased consumer complaints. It could also lead to enforcement by state or federal regulators, which could result in fines and penalties. It could result in consumer litigation. Non-compliance can also jeopardize an agency’s collection license and ability to conduct business in a particular state or locality. But most importantly, the consequence of non-compliance is erosion of consumer trust and also your client’s trust. So compliance is incredibly important for everybody and especially for us here at TrueAccord.

SZ: In litigation, penalties can include: (a) statutory damages, e.g., up to $1,000 for the FDCPA or $500-$1,500 per violation for TCPA; (b) actual damages, e.g., physical manifestations that are the result of emotional distress; and/or (c) punitive damages, if the conduct is so outrageous or intentional that it gives rise to additional damages designed to punish. In addition, the court or regulatory agency can award costs and attorney fees to the prevailing party and can also enter an order prohibiting or requiring certain conduct in the future. Finally, regulatory agencies have the ability to order disgorgement of funds collected and/or an award of damages to the agency itself.

3. What kinds of businesses need to comply with these regulations?

LV: Third party debt collectors need to comply with these laws and regulations, and sometimes so do servicers and first party debt collectors in some form or fashion.

For example, creditors are exempt from some of the laws, such as the federal FDCPA, and sometimes they’re not (such as the case with some state debt collection laws). So it really just depends on the specific law, but needless to say, everyone should really be aware of the laws and regulations that apply to this particular type of line of business. Because even if you don’t have to follow it, sometimes there’s a lot of best practices that can be found in these laws and regulations as well.

KKS: Not just debt collectors. It really depends on the type of work that a particular business conducts and whether or not a statute covers that conduct. For example, the TCPA governs entities making phone calls, sending text messages, or leaving pre-recorded messages for consumers, so it regulates any entity, public or private, using these forms of communication. For the FDCPA, it regulates the collection of a debt, so a business needs to look at what is the definition of “debt” and are these accounts “debts” under that definition. As well as, whether the activities of the business fall under the statute’s definition of a “debt collector” or any of the exemptions?

4. What are the top challenges that you see ahead for compliance in collection?

LL: Some of the top challenges that we see ahead in compliance definitely have to do with the ever-changing landscape of our industry. For example, consumer privacy laws are popping up everywhere. Here in the United States, many of the privacy laws borrow aspects of the GDPR. California adapted their privacy law, the California Consumer Privacy Act (CCPA), to mirror the concept of transparency and granting individuals new rights over their personal information. We are seeing many different states implement privacy laws and all the different states have different rules (e.g., California, Virginia, Utah, Colorado, Connecticut). Some of them parallel each other, some of them are drastically different. So it’s very important to keep up with all of these things, and TrueAccord does a great job of that.

LV: We’re seeing compliance professionals have to partner more and more with information security. It’s not a challenge so much as an area where I think compliance professionals in the industry are really going to have to increase their knowledge and competencies in the information security discipline. Also, making sure that they’re just staying ahead of the curve when it comes to best practices with cybersecurity and data privacy. We need information in order to conduct our business and to do it effectively; so making sure that you have all the necessary safeguards in place is of paramount importance.

Another top challenge for the collections industry at large is figuring out how to best use machine learning (a subset of AI)—not only learning how to use it, but also how to mature your compliance management system (CMS) so that it accounts for your use of it. If you’re using any type of analytics or algorithms, or if your service providers are using any type of analytics or algorithms, you need to evaluate your CMS to make sure you have proper oversight of that technology.

5. What keeps a legal or compliance professional in collections up at night?

KKS: Uncertainty with changing regulatory rules. It’s relatively easy to provide legal and compliance advice when you have clear rules of the road. But when there are statutes with different interpretations, regulators with different approaches, or a patchwork of differing court opinions on a given topic it is more challenging. 

LV: The ability for a company to stay nimble while avoiding compliance fatigue. You have to be a cheerleader for compliance and keep up the energy, make sure everybody understands their compliance obligations so that they can adapt to it and operationalize it. Sometimes there can be ambiguity in the application of a certain law or a regulation to a particular set of facts or a particular technology or system. We often need to create clarity from ambiguity, while also doing what is best for consumers, what’s best for business, and lead the way in creating best practices when there may be ambiguity. 

SZ: As an Associate General Counsel at TrueAccord, not much keeps me up at night. We have a tremendous system, compliance program, and corporate culture of compliance and striving to be polite and friendly with consumers.


The Future of Collections & Compliance: A Conversation with TrueAccord’s Associate General Counsel and Director of User Experience

By on October 5th, 2022 in Compliance, Customer Experience, Industry Insights, Industry Interviews, Product and Technology, User Experience, Webinars

Delivering communications to your customers has always been a compliance challenge with the plethora of laws, regulations, court decisions, and regulatory guidance in the debt collection space. Today with more communication channels available and regular communication from debt collection regulators—via consent orders, compliance bulletins, supervisory highlights, and even press releases—your compliance management systems and design must be flexible and easy to update.

To get expert insights on the newest compliance issues and opportunities that need to be front of mind when sending digital communications to effectively engage your customers, Associate General Counsel Lauren Valenzuela and Director of User Experience Shannon Brown teamed up to discuss the Future of Collections & Compliance in TrueAccord’s latest webinar.


Below are some of the key takeaways from their discussion, plus attendee poll results on top compliance questions.

*This blog is not legal advice. Legal advice must be tailored to the particular facts and circumstances of each unique matter.

The Current State of Compliance

Lauren Valenzuela [LV]: Needless to say, over the last 10 years the CFPB has fundamentally changed how we think about and approach compliance. That has really influenced our industry and how we think about communications in debt collection.

LV: Over the last decade the CFPB has taught us that compliance is an evolving thing. It’s not something that you can set and forget. It is something that is dynamic and that must constantly evolve and mature in order to be effective, because our environment is constantly changing.

Attendee Poll Question: What is the biggest compliance issue you face when trying to engage with your customers?

Changing Consumer Preferences for Collection Communications

LV: The CFPB recently published a blog and shared that it is a “mobile first” agency, meaning that most people who visit its website are using mobile devices or smartphones. Here at TrueAccord, what does our information show about mobile usage?

Shannon Brown [SB]: Consumer mobile use has skyrocketed. In 2016, about a quarter of our consumers were using their phones to read emails and visit our website—and that number has increased to consistently above 80%. We’ve put a lot of effort into making sure our emails and website are responsive to make sure we’re meeting the needs of our consumers who are overwhelmingly on mobile. We’ve made sure our pages are able to load faster for consumers that have less stable cell connections and really made sure our interactive elements are big and optimized for tapping with a finger instead of clicking with a mouse. As far as communications, our consumer research has really shown that most consumers don’t answer the phone and want to be contacted through digital channels—they want a multi-channel experience.

LV: So we’re seeing consumers increase use in mobile phones. Even the Bureau has seen that, and we’re seeing banks increase their use of digital technologies to communicate and facilitate transactions and engage with their consumers as well.

What’s the Role of the Legal Team in Your Collections Strategy?

LV: There needs to be a partnership between compliance and pretty much all core functions, and especially at a fintech company like TrueAccord where our technology and our digital communications platform are the center of what we do to help consumers. It’s really neat to see compliance interwoven, and I think that’s reflective of its compliance management system and company culture.

Compliance Management System Evolution

LV: Ten years ago, many collection agencies were likely in the undisciplined stage, where there was some type of compliance ongoing, but it didn’t have much structure—processes may be undocumented, potential exposure to vulnerabilities that expose themselves on lawsuits, for example.

The next iteration is reactive, meaning there is development of some policies and procedures, controls are identified, and the company is responding to issues and incidents reactively.

The next level is calculative. At this level, leadership is actively engaging the organization in compliance, risk assessment processes are maturing, corrective action plans are being developed and executed to remediate deficiencies.

This next level is proactive, meaning employees are trained and following clear policies and procedures, and such procedures have built in intentional redundancies. The organization is being proactive in identifying and responding to issues and incidents and is self-identifying deficiencies and essentially executing on comprehensive corrective action plans.

Generative means that there’s continuous improvement towards challenging goals, which are driven by data analysis. There’s critical evaluation of policies and procedures and controls, and risk is integrated in operations. Issues and incidents resolutions are driven by stakeholders and really enhanced controls.

Attendee Poll Question: Which category does your Compliance Management System (CMS) fall under today?

LV: So no matter where you’re at within your compliance management system and no matter what maturity level, the important thing to remember is that you don’t have to stay there—you can evolve. We can’t stress this enough. Compliance is an evolving and dynamic thing, and should be constantly evolving to stay effective in whatever environment it is in.

The fact that TrueAccord has a well-oiled compliance management system allows us to study that climate and then figure out how to translate it and make tangible improvements in our consumers’ experience. That’s something we encourage everyone to do: think about the consumer experience and the environment you’re collecting in, because it looks remarkably different than it did five years ago for example, and we should all be evolving.

The Product Perspective

LV: How has the CFPB influenced how we develop our products here at TrueAccord?

SB: Compliance has been built into our product development life cycle. Besides frequent meetings with our compliance team for feedback and approvals throughout the life cycle, we’ve designed and built our product so we can be nimble in responding to regulatory changes, which we know happen a lot.

LV: There are numerous federal, state, and local laws. Can you give some insight into how we at TrueAccord keep up with all of that?

SB: One of the ways we efficiently keep up with the requirements is through our code-driven approach.

But what does that mean practically? It means, for example, that for any phone call coming in, our agent knows exactly what disclosures need to be given to that consumer via our system, and then gives them an opportunity to log it. It means that any email that goes out has all the necessary disclosures appended, such as out of statute disclosures, state disclosures, et cetera, and these are all kept in our code base. Not only does it take the guesswork out of the equation for our agents and our content team that’s sending communication, it reduces human error. It also means that anytime anything needs to be updated, for example, a wording in a disclosure or when a new disclosure needs to be added, we can do it in one place instead of across a variety of templates and areas of the website. We can do it in one place and then that change propagates throughout the system. This helps us to react to changes really quickly.

Our compliance team is involved in every aspect of the process. They start as educators for the whole product team—we’re all aware of regulatory considerations and know where and when we need to ask for feedback and approvals from our compliance team. So they aren’t just making sure that agents are acting compliantly, but that the product team has that knowledge as well.

And as a product team, we have this wonderful research function that’s constantly talking to consumers and trying to understand their needs and asking for feedback, which we share with our compliance team so that they can go and advocate for consumers when they are talking with regulators and legislators.

Future Forecast: Where is Compliance Heading in the Collections Industry?

LV: The next iteration of compliance can be seen in some of the recent CFPB and FTC activity. Last year in 2021 for example, the CFPB published a new section of its supervision and examination manual, specifically an information technology focused compliance management review section. The Bureau is looking at any type of technologies that you may employ, like machine learning models, algorithms, or analytics.

If you’re using any kind of algorithms or machine learning to help inform any aspect of your collection strategy—or if any of your service providers are using any type of algorithms or machine learning to help provide a service to you—you must pay attention to this section of the manual because it’s incredibly informative. We’re seeing the CFPB and the FTC addressing companies’ use of data and technology, wanting to make sure that companies have proper governance and oversight of it.

All of this recent activity shows how compliance within any company, more than ever before, must really take a cross functional approach to its work in order to keep up with the evolving environment. The compliance function should not be siloed. It really needs to be in partnership with all different disciplines and functions within the organization. We’re seeing right here and now and into the future, your information technology professionals, your information security professionals, your product professionals, your engineers, your data scientists, anybody who looks, touches, thinks about data and technology should all be working with compliance.

Attendee Poll Question: Which of the following are you most interested in for the future of compliance and collections?

Three Key Takeaways

LV: Compliance is more than a department, it’s more than a program, it’s more than a system. It should be part of an organization’s cultural DNA. So when you think about compliance, wherever you are within an organization, think about how you can make it part of your organization’s DNA.

SB: Concentrate on building your tools to be nimble to the regulatory changes. Things like the design systems and the component libraries that allow you to make those changes quickly and easily, and make sure that they’re made everywhere across the system so you don’t have those older disclosures hanging out somewhere that someone forgot to change. Build your tools so you can make changes in one place efficiently.

LV: As our environments get more sophisticated around us, compliance professionals need to collaborate cross functionally more and more with other disciplines within a company to be effective and stay ahead of the evolution. The more the industry uses data and technology, we have a responsibility to make sure that it is being used in accordance with the law and best practices.


Patchwork of Compliance Regulations

By on September 29th, 2022 in Compliance, Industry Insights, Product and Technology

Anyone working in the collections space should be familiar with the federal Fair Debt Collection Practices Act (“FDCPA”) and its regulation, Regulation F; but did you know that there are multiple debt collection laws and regulations at the state and local level too?

State and local laws and regulations often mirror aspects of the FDCPA; however, there are a handful which are remarkably different from the FDCPA. In fact, the FDCPA makes clear that it is not designed to “annul, alter, or affect, or exempt any person” from “complying with the laws of any State with respect to debt collection practices, except to the extent that those laws are inconsistent with any provision of [the FDCPA], and then only to the extent of the inconsistency” (refer to 15 USC § 1692n). The FDCPA goes on to clarify that “a State law is not inconsistent with [the FDCPA] if the protection such law affords any consumer is greater than the protection provided by [the FDCPA].” Therefore, debt collectors collecting nationally have to grapple with and reconcile a patchwork of federal, state, and municipal debt collection laws and regulations when collecting in multiple states.

It is no simple feat to build and maintain a compliance program which keeps a debt collector in compliance with this patchwork of differing and competing debt collections laws and regulations. Debt collectors take different approaches to stay in compliance—from training their collectors on each and every state law and regulation, to deciding not to collect altogether in a particular state/locality. Ten years ago when I first started in the industry, I remember compiling a job aid of all the state and local laws debt collectors had to remember and abide by—it was long and nuanced.

For example, the FDCPA explicitly permits debt collectors to speak to a consumer’s spouse without such communication resulting in a third party disclosure (see 15 USC § 1692c(d)), whereas some states such as Arizona and Connecticut are silent on this issue and other states, such as Iowa, consider spouses as third parties. In those states, a consumer must provide their consent in order for a debt collector to speak with their spouse. Another example is communication frequency limitations. While Regulation F provides parameters for call frequency (i.e., calls made in excess of 7 times in a 7 day consecutive period, and calls within 7 days of having had a phone conversation, are presumed harassing), Massachusetts has an entirely different call frequency regime. Massachusetts outright prohibits debt collectors from engaging any consumer in a communication by phone (i.e., calls and texts) more than twice in a 7 day period. While these phone restrictions are similar, they are nuanced nonetheless (e.g., one applies only to calls while the other applies to calls and texts; one is a presumption of harassment and the other is an outright prohibition, etc.). These are just a few examples to illustrate how there may be little distinctions and differences between the FDCPA/Regulation F and state/local laws.

In an effort to simplify how many rules debt collectors have to learn and abide by, some debt collectors design and adopt policies which reconcile as many of the laws and regulations as they can for a particular topic. For example, choosing to adopt the strictest law/regulation as a company policy so that it applies across the board is one strategy some companies may adopt. While this approach will help a debt collector meet or exceed a state law requirement, this approach can unnecessarily limit a debt collector’s ability to communicate and/or collect in more places than necessary, thereby undermining those state economies that have no such restrictions.

While the patchwork may seem daunting, this is an area ripe for compliance innovation—where technology can be leveraged to automate controls and guardrails. For example, instead of requiring debt collectors to memorize multiple state laws/regulations, controls can be designed to automate guardrails for state laws in a collection system. Here at TrueAccord, compliance has a close partnership with its product and engineering teams, to help leverage technology when laws and regulations are introduced or changed. While technology will not replace a compliance monitoring team, it has the potential to increase the efficiency and efficacy of any human monitoring by helping front line agents understand their state by state requirements and compliance teams focus their auditing and monitoring efforts.

*Lauren serves as TrueAccord’s Associate General Counsel. This blog is not legal advice. Legal advice must be tailored to the particular facts and circumstances of each unique matter.