PCI Compliance, SOC, and HITRUST

  • Written by Debra J. Ciskey

With the June 2019 disclosure of a data breach at AMCA looming large in the rearview mirror, debt collectors both large and small are scrambling to verify the security of their consumer portals and their consumer information in general. With numerous vendors and auditors serving the industry in this key area of compliance, it is helpful to understand who’s who and what they can offer industry members. This article is the first of a series profiling data security firms serving the collection industry.

A newer player in the debt collection sector, despite loads of experience in other business sectors, is the Drummond Group. As a first-time participant in the recent ACA Annual Convention and EXPO in San Diego, company representative Pierre Jamet told me that the Drummond Group’s booth was abuzz with industry members seeking information about data security audits, PCI compliance, SOC, and HITRUST.

I asked Jamet what sets the Drummond Group apart from other vendors and consultants offering similar services. He described their “security first” approach, which for clients means more than merely checking the “compliant” box on a data security questionnaire. It ensures that security best practices are achieved at the same time as compliant status is reached. Being secure provides a higher level of safety than merely being compliant.

No Jerks

Jamet explained that automated audits provide peace of mind that audits are occurring on a timely basis with little impact on the workload of IT staff. Such audits help agencies maintain compliance with client requirements for regular and timely audits. The Drummond Group regularly performs PCI DSS and PA-DSS audits and any other body of work required, including on-site audits, quarterly vulnerability scans and gap assessments. Applying the company’s “No Jerks” policy, which says that the company will be there for its customers and won’t make its customers feel stupid, Jamet taught me that PA-DSS are examinations of proprietary payment applications developed internally by a company for its own use. PCI compliance services, including assessments for level 1 and level 2 service providers or merchants, provide strategies for ongoing compliance management. Gap analysis and self-assessment questionnaire support are also available.

For the assurance of clients, many of whom have become focused recently on quality assurance, Drummond Group provides audits and SOC attestations for SOC 1, SOC 2, SOC 3, SOC for Cybersecurity, and, once released, SOC for Supply Chains. In the collections space, SOC 2 exams meet most client requirements regarding principal service level commitments and system requirements.


Another differentiator in the marketplace is the company’s HITRUST Assessment Services. They have twice as many assessors on staff as many other providers, ensuring timely completion of projects. In fact, their approach to audits allows clients to complete multiple certifications with only one assessment engagement, because the company gathers evidence once, broadly, so it is available for multiple uses. This approach also restrains costs considerably. Additionally, Drummond Group employs only U.S.-based, full-time and certified team members.

Knowing to whom to turn for client-required data security certifications can be a strain on debt collectors of any size. With huge concerns about data security, clients may consider this branch of compliance even more important than the consumer protection compliance issues we face under the CFPB and the pending Regulation F. In my next several articles I will profile other data security assessment and certification providers to make this process easier for readers.

Debra is the Executive Vice President at The Collections Coach, LLC. She began her nearly 40-year career in the collection industry in 1980 at ACA International in the federal affairs department, then led the association’s education initiatives as Director of Education. As an ACA instructor since 1983, Debra has taught nearly 200 ACA Seminars, and she served on ACA’s Board of Directors for two terms spanning 2012 to 2018. In 2000, Debra was inducted into ACA’s International Fellowship of Certified Collection Executives, and she was named ACA’s Instructor of the Year in 2005.

Compliance Controls for the New Age of Collections

  • Written by Debra J. Ciskey

In a “be careful what you ask for” kind of way, the CFPB has suggested in its proposed Regulation F that debt collectors may communicate with consumers in ways that consumers may prefer over telephonic communication, namely via email and text messaging. By the time readers see this article, they have most likely attended numerous webinars, online classes, and face-to-face sessions at collection industry conferences and gatherings that discussed the provisions of the proposed regulation. New vocabulary such as opt-out, eSign, clear and conspicuous, and non-work has become part of our daily conversations. Some of us have had at least preliminary conversations with letter vendors, telephone vendors and bulk text messaging vendors about the technical innovations necessary to make 21st century communication possible.

The New Communication Methods

Compliance controls around the use of electronic communication will be key to risk avoidance. The proposed rule references the maintenance of procedures that include steps to reasonably confirm and document controls that: prevent third-party disclosure; allow emails only to email addresses that the consumer has not opted out of using for debt collection communication; allow text messages only to phone numbers that the consumer has not opted out of using for debt collection communication; prevent email and text messages from being sent to work email addresses and telephone numbers; and ensure that the email addresses used for initial emails were recently used by consumers to communicate with the debt collector or creditor.

Controls are generally preventative in nature. They are designed to prevent avoidable risk and noncompliance. Consider how controls can prevent non-compliance related to email. Will you aspire to limit email communication to system-generated notices, such as payment reminders? Will collectors be allowed to generate emails? If so, will you have counsel-approved templates in place to prevent free-form additional comments by individual collection staff? If additional comments are allowed, what will the process be to review additions to prevent overshadowing, false representations and threats, and deceptive practices? How will you prevent emails being sent to opted-out email addresses? What could go wrong with the use of email? What could be the unintended consequences of using it? Each idea your team generates as the result of brainstorming might be the basis for a policy and procedure to control risk.

Essential Detective Controls

Detective controls are designed to uncover what went wrong. Who will be responsible for testing emails and text messages before they are sent out to consumers? Detective controls test whether your preventative controls are strong enough. If emails and text messages are sent by a vendor using immutable templates, is the same amount of scrutiny applied to emails sent by individuals in your organization? What mechanism will you need to put in place to conduct quality assurance and compliance audits on emails and text messages? Will you test only emails that your system perceives are not consistent with the provided template, or will you review every email that is generated?

The protections for consumers provided in the proposed rule will require innovative thought and potential modifications to account management systems, especially those that never anticipated that electronic communications with consumers would occur. At the most basic level, systems will need to add fields to contain an email address, or multiple fields for multiple email addresses the consumer may use to generate emails to a debt collector. Indicators will be required for the opted-in or opted-out status of the email address. What if the consumer uses an opted-out email address to generate an email to the debt collector? Does that reopen that email address as a “receiving email” address to which the debt collector may send subsequent emails until it receives another opt-out from the consumer? Consumer behavior is often unpredictable and often contradictory.
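The preventive gate (opt-out, work-address and recent-use checks, including the opted-out-address edge case left open above) and the template-consistency detective check from the previous section, as an added illustration that is not code from the article or the proposed rule; the record fields, the 90-day window, the opt-out-reopen switch and all sample data are assumptions.

```python
# Added illustration: record layout, field names, the 90-day recent-use window,
# the opt-out-reopen switch and the sample data are assumptions, not taken from
# the proposed rule or the article.
import difflib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class EmailAddress:
    """One e-mail address on a consumer's account (constructed layout)."""
    address: str
    is_work: bool = False                    # never send to a work address
    opted_out_at: Optional[datetime] = None  # set when the consumer opts out
    last_inbound: Optional[datetime] = None  # last e-mail received from it


def may_send_email(addr: EmailAddress, now: datetime, *, initial: bool,
                   recent_window: timedelta = timedelta(days=90),
                   inbound_reopens_opt_out: bool = False) -> Tuple[bool, str]:
    """Preventive control: may an outbound e-mail go to `addr` right now?

    `recent_window` is a placeholder period; the article states none.
    `inbound_reopens_opt_out` encodes the article's open question: does a
    consumer writing to us from an opted-out address reopen it? The default
    answers no, so the address stays blocked until a fresh opt-in is recorded.
    Returns (allowed, reason) so every decision can be logged and audited.
    """
    if addr.is_work:
        return False, "work address"
    if addr.opted_out_at is not None:
        reopened = (inbound_reopens_opt_out
                    and addr.last_inbound is not None
                    and addr.last_inbound > addr.opted_out_at)
        if not reopened:
            return False, "opted out"
    if initial and (addr.last_inbound is None
                    or now - addr.last_inbound > recent_window):
        return False, "initial e-mail requires recent inbound use"
    return True, "ok"


def screen_outbound(addrs: List[EmailAddress], now: datetime, **policy) -> Dict[str, str]:
    """Run the preventive control over a batch; the returned map is the audit record."""
    return {a.address: may_send_email(a, now, **policy)[1] for a in addrs}


def free_form_additions(body: str, template: str, fields: Dict[str, str]) -> List[str]:
    """Detective control: text in `body` that the approved template did not produce.

    Renders the counsel-approved template with the account fields and diffs it
    against what was actually sent; inserted or changed text is returned for
    compliance review. An empty list means the e-mail is template-consistent.
    """
    expected = template.format(**fields)
    matcher = difflib.SequenceMatcher(None, expected, body, autojunk=False)
    return [body[j1:j2] for tag, _i1, _i2, j1, j2 in matcher.get_opcodes()
            if tag in ("insert", "replace")]


# Constructed sample data so the module runs stand-alone.
NOW = datetime(2019, 9, 1)
SAMPLE_ADDRESSES = [
    EmailAddress("pat@employer.example", is_work=True, last_inbound=NOW),
    EmailAddress("pat@mail.example", opted_out_at=datetime(2019, 8, 1),
                 last_inbound=datetime(2019, 8, 15)),
    EmailAddress("old@mail.example", last_inbound=datetime(2019, 1, 1)),
    EmailAddress("fresh@mail.example", last_inbound=datetime(2019, 8, 20)),
]
TEMPLATE = "Hello {name}, your balance with {creditor} is {amount}."
FIELDS = {"name": "Pat", "creditor": "Example Clinic", "amount": "$125.00"}

if __name__ == "__main__":
    print(screen_outbound(SAMPLE_ADDRESSES, NOW, initial=True))
    sent = TEMPLATE.format(**FIELDS) + " You must pay today or face legal action."
    print(free_form_additions(sent, TEMPLATE, FIELDS))
```

Run as a script it prints the per-address audit record for an initial mailing and the one sentence a collector added beyond the approved template.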

TCPA Isn’t Addressed?

The proposed rule does not address Telephone Consumer Protection Act provisions related to consent and revocation of consent for calls and messages to wireless numbers. The ACA Declaratory Ruling, issued by the Federal Communications Commission in 2015, said a party who provides his/her wireless number to a creditor as part of a credit application “reasonably evidences prior express consent by the cell phone subscriber to be contacted at the number regarding the debt,” and this applies to the creditor and any third party acting on behalf of the creditor. (ACA Declaratory Ruling, 23 FCC Rcd at 564, para. 9.) The burden of proof related to the source of the consumer’s number falls upon the caller. Innovative technological solutions will be required to sort this out for collectors who feel emboldened to text consumers with reminders or other messages.


CFPB Report Reveals Telling Statistics

  • Written by Debra J. Ciskey

The CFPB issued its Semi-Annual Report of the Bureau of Consumer Financial Protection (Report) on February 12, 2019. This 42-page report provides a comprehensive summary of the Bureau’s activities between April 1, 2018 and September 30, 2018, including rulemaking completed, plans for upcoming rules, complaint analysis, summaries of enforcement actions taken during the period, reporting on its Fair Lending initiatives, and its efforts to increase workforce diversity at the CFPB. In-depth analysis of a consent agreement described briefly in the report should speak volumes to the collection industry.

Compliance and Operations

Operations folks should be most interested in practices that resulted in enforcement actions, and in particular the action filed on July 13, 2018 in the matter of National Credit Adjusters, which concluded in a consent order. Collection agencies working on NCA’s behalf to collect purchased debt inflated the amounts actually owed on accounts and threatened consumers and family members with legal actions, including lawsuits and arrest, when there was neither the intent nor the legal authority to do so, among other things. Members of NCA’s compliance team recommended terminating the agencies because of the illegal acts and practices they observed in audits, but NCA continued to place accounts with the agencies and refused to implement corrective recommendations made by NCA compliance personnel.

This action demonstrates the true partnership that needs to exist between any collection agency’s compliance team, the operations team and executive management. The compliance team identified problems and communicated those to the appropriate parties, yet the recommendations went unheeded. This demonstrates to the regulator that the continued relationship with the agencies was deliberate and that their potentially illegal processes were sanctioned. In my experience with such investigations, it is assumed that industry members seek to subjugate the law for their own financial benefit. Ignoring the advice of one’s compliance team related to the collection practices of a vendor provides the evidence. I recommend a full reading of the action.


The Concentration of Complaints

The industry is always interested in the CFPB’s reporting on complaints it receives related to debt collection. In fiscal year 2017-2018 (October 1, 2017, through September 30, 2018), according to the report, “the Bureau received approximately 329,000 consumer complaints.” Not surprising to anyone who responds to consumer complaints, the CFPB reports that “consumers submitted approximately 82% of these complaints through the Bureau’s website.” Another 5% were submitted via telephone calls, and referrals from other state and federal agencies accounted for 8% of complaints. Companies responded to approximately 93% of complaints that the CFPB sent to them for response during the period, and only 2% of responses were considered untimely, which means responses were submitted after the 15-day deadline, or after the extended 60-day deadline if the complaint was placed “in progress” by the complaint recipient.

Debt collection complaints do not sit at the top of the complaint categories during the reporting time period, a fact that is at least notable, and even laudable. The CFPB reports that 25% of complaints during the period were related to debt collection, while the top spot on the list belongs to complaints related to credit or consumer reporting, at 37% of complaints. With 13 categories on the list, the remaining 38% of complaints are spread rather thinly.

My own latest analysis of the debt collection complaints in the public database showed that the debt collector with the most complaints had nearly 9,500 on record since the inception of the database in July 2011. On the other hand, 1,850 companies had 9 or fewer complaints, with a whopping 651 companies garnering a single complaint since 2011. In all, 3,374 distinct companies with debt collection complaints are listed, and many of these are first-party creditors collecting their own debts—names you would recognize. My purpose here is not to call anyone out, but merely to point out that the numbers tell a story.

The report mentions the work of the CFPB on the Debt Collection Rule. We have been awaiting the Rule since the inception of the CFPB. The Report affirms that “The Bureau will work towards releasing a proposed rule concerning FDCPA collectors’ communications practices and consumer disclosures.” (p. 16). No further specifics are provided, but this brief description confirms the narrow focus that CFPB-watchers have expected, based upon work previously published by the CFPB. Most recently, the CFPB has expressed its intention to reissue a consumer survey to provide more data about contacts by debt collectors, which some have thought would delay the publication of the Rule. No doubt we will all need to adjust our consumer contact schemes once the rule is published.

Debra J. Ciskey is an ACA International Certified Instructor. She is a former member of the board of directors and a certified instructor for ACA International.

Using Scripting to Prevent Potential Law Violations

  • Written by Debra J. Ciskey

The CFPB Supervision and Examination Manual is a 1,697-page tome containing examination procedures and templates for the use of CFPB supervisory examiners. It is organized into sections related to each type of entity for which the Bureau has supervisory authority. The manual is available on the Bureau’s website ( documents/cfpb_supervision-and-examination-manual.pdf ); anyone can download the entire manual or only the sections applicable to their entity.

In the FDCPA section, examiners are directed to obtain and review scripts for employee use. While the manual doesn’t specify which of its sections might require scripting for debt collectors, scripts set expectations for consistent presentation of offers, which can reduce the potential for discriminatory practices by individuals when making discount offers, for example. Having scripts for required and desired disclosures can provide evidence that any violation in regulated practices was not intentional and was the result of a bona fide error that arose despite procedures reasonably designed to avoid such errors.

A walk through the FDCPA section of the examination manual reveals many opportunities to provide scripting for collection staff. Equally important are a policy requiring that any script be delivered verbatim; focused and specific training related to the use of the scripts; a process for evaluating the delivery of the scripts, either through manual evaluation of phone calls or recordings or through the use of a speech analytics tool; and formal feedback to staff related to their success or failure with proper use of the scripts. Technology-based job aids, either incorporated into your account management system or accessed on demand by staff when a script is needed, will be key supports to the implementation of scripting.

While we aspire to hire and train people that can use their best judgment about how to convey information properly to consumers, people also have the capacity to make mistakes. Communication is affected by emotion, memory lapses, attitude, lack of understanding and sometimes just plain laziness. Providing scripting related to key areas of compliance may help combat the human frailties of staff. Following is my list of conversation points that can be more closely controlled with proper scripting.

1. Disclose the debt collector’s identity and the purpose/nature of the communication when:

  1. Leaving a live message or an answering machine/voicemail message, or when speaking directly with a consumer.
  2. Seeking permission or acknowledging permission to call a cell phone, at a place of employment, or at an unusual time or place.
  3. Acknowledging or receiving instructions not to call at any specific time or place.

2. Clarify the character, amount or legal status of a debt, such as when asked by a consumer:

  1. If I can’t pay this, will my wages be garnished?
  2. Are you going to sue me? Have you sued me?
  3. Is this going on my credit report?

3. Assist staff in responding to angry or abusive consumers.

4. Seek and obtain location information for a consumer from a third party, and, in that conversation:

  1. Identify the company name to a third party who requests to know it, without indicating that the consumer owes a debt.
  2. Use a follow-up script to handle inquisitive requests.

5. Convey discount offers, along with when such scripts should be used.

6. Request the attorney’s name and address upon being informed that the consumer is represented by an attorney.

7. Obtain permission to speak with a third party.

8. Clarify for consumers the nature of a summons and complaint without providing legal advice.

9. Solicit post-dated checks and/or recurring EFT payments, and confirm the payment schedule.

10. Confirm payment by credit card/debit card.

11. Solicit instructions from the consumer for application of a payment when multiple accounts exist.

12. Just as you have your collection letters reviewed by counsel, have your scripts and the policies and procedures underlying them reviewed by counsel as well.


What the CFPB Has to Say About Your Production Incentives

  • Written by Debra J. Ciskey

Collectors are the beating heart of a collection agency. Over the years I have heard any number of tactics described that collection management has used to make collectors happy in an effort to prevent them from jumping ship, including giving the best collectors the most desirable parking spaces, providing food nearly daily, providing cushy chairs and treadmill desks, using flexible scheduling, providing a special, private lounge for the top dogs, and providing creative and lucrative commission and bonus plans.

“Collectors will leave for a dime an hour increase.”

As much as management may do to create a comfortable, even festive work environment, I have heard it said that for collectors, it all comes down to the paycheck. I would propose that for nearly all workers, except maybe members of Saint Teresa of Calcutta’s Order of the Sisters of Charity, this would be a true statement. Management tries to come up with the most lucrative commission and/or bonus plan so that the hourly wage can remain low while top performers are well compensated.

CFPB’s Opinion

What does the regulator say? The Consumer Financial Protection Bureau shared its position on production incentives in a compliance bulletin in 2016 (CFPB Compliance Bulletin 2016-03). The Bureau’s view is that production incentives may pose risks to consumers that are “significant, and both the intended and unintended effects of incentives can be complex. . .” However, the CFPB acknowledges the value of production incentives and says they can be beneficial: “When properly implemented and monitored, reasonable incentives can benefit all stakeholders and the financial marketplace as a whole.” It acknowledges that incentive programs can assist with retention of high-performing employees, and can benefit consumers by leading to improved customer service or introduction to services that may benefit them. The CFPB fears programs that result in overly aggressive collection tactics, for example, and outright violations of consumer financial protection laws.

The CFPB is very clear related to its expectations regarding incentive programs: “The CFPB expects supervised entities that choose to utilize incentives to institute effective controls for the risks these programs may pose to consumers, including oversight of both employees and service providers involved in these programs.” The compliance management system should include board and management oversight of incentive programs, policies and procedures governing incentive programs, training which includes standards of ethical behavior, monitoring, and corrective action, as well as complaint monitoring and compliance audits to oversee the application of the incentive program.

In Writing or Else

Incentive programs must be well framed, well documented, and considered from the point of view of management (how will this increase production?), collectors (how much can I realistically make under this plan?), consumers (does this guy hear what I am saying? It seems like he only wants his money) and the compliance officer (can’t we just pay everyone straight salary? No, okay, let me write a policy). The CFPB is concerned about unintended consequences that can occur when incentive programs are too lucrative—think about the Wells Fargo debacle. The compliance team will want to build controls intended to prevent occurrences of consumer harm caused by overzealous attempts to make bonus.

Focused call monitoring will be necessary to ensure the controls are effective. Training and retraining related to ethical conduct, together with negative consequences for displays of improper conduct that offset any potential gain from such conduct, are necessary components of a compliance-focused production incentive program.

Using speech analytics can support your effort to reward collectors for the use of compliant, ethical production practices. If your plan includes, for example, a provision to make any collections that resulted from calls in which policy violations occurred ineligible for inclusion in the bonus calculation, the use of speech analytics can help by flagging calls that need to be reviewed for potential violations. Unless one has an army of call reviewers, this would be impossible to perform without such automation. Incentives with a compliance component could actually help you attract good performers without investing in creature comforts and daily pizza runs.

Debra Ciskey is the Chief Compliance Officer at Wakefield & Associates, Inc. She is a member of the board of directors and a certified instructor for ACA International.