compliance issues for call center leaders · 2019-06-14 · how to drive business & avoid...

The Regulatory Primer: Compliance Issues For Call Center Leaders

Post on 14-Aug-2020


Table of Contents

Key Regulations for Call Center Management
Ever-Changing Regulatory Environment
Contact Centers Are High-Risk
Key Regulations for Contact Centers
Consent to Record
PCI-DSS
GDPR
MiFID II
HIPAA
TSR
TCPA
How To Drive Business & Avoid Non-Compliance
Simplify Compliance
About Lightico


Key Regulations for Call Center Management

Ever-Changing Regulatory Environment

There are innumerable rules and regulations that protect consumers against certain call center activity. As business leaders, it’s critical to understand the key bodies of regulation and areas of concern for contact center management. This resource is intended as a business primer for legal and regulatory compliance conversations around common business and regulatory challenges.

In the main, there are 3 primary motivations for these regulations:

• Fraud prevention
• Privacy protection
• Abuse avoidance

This business primer helps highlight why contact centers are a key touchpoint, and flags the critical regulations that dictate how to operate.

With ever-evolving regulation, it is important to keep abreast of the pertinent regulations and their nuances. While a full regulatory team is needed to track the hearings and new bill passage, there are a few landmark regulations that impact many businesses.

The passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010 has intensified the enforcement of the consumer protection laws. Since its inception in 2010, there have been almost $1 billion in penalties and restitutions due to contact center violations. Add to that the recent passage of the General Data Protection Regulation and it’s easy to see why restrictions and regulations are only intensifying in nature.


Contact Centers Are High-Risk

It’s easy to see why contact centers become unwitting offenders of consumer protection rules and laws. Here are the core reasons why call centers have high risk profiles for legal and regulatory teams.

Customer Interactions:

The number one reason is that the call center is the main point of contact with customers. In most centers, there are hundreds of opportunities for someone to make a mistake due to the volume of calls every day coupled with high agent turnover rates. It’s just a numbers game and it won’t take long for someone to unwittingly make a mistake.

Performance Metrics:

Extreme pressure to meet sales goals is another way that agents can inadvertently violate consumer protection policies. In the rush to increase sales, agents can make more errors and even omit important steps that can lead to trouble.

Desire to Simplify:

Sometimes the intense need to please customers can lead to legal problems. In an effort to make customers happy, agents may overpromise or provide shortcuts to problem resolutions, which often result in negative situations.

Regulatory Understanding:

Part of the problem with call center violations is that agents and their supervisors simply are not well informed about consumer protection regulations. Most centers conduct pristine call techniques like problem-solving and salesmanship but they just don’t invest time in learning about fundamental legal obligations. Given the high stakes with consumer protection today, it would be a good idea for call centers to provide at least a fundamental understanding of the laws and regulations for their agents.


7 Regulations You Need To Know


Key Regulations for Contact Centers

To help you stay informed of regulations, rulings, laws and industry standards to which contact centers are held responsible, we’ve identified some of the most important ones here.

Consent to Record

The Consent to Record regulation forbids the wiretapping of any party without legal consent. Federal law and some state laws permit recording of calls if one of the participants agrees. Other states require that all call participants must agree. While the exact nature of who is entitled to record and with what permissions varies by jurisdiction, this continues to be a key area of concern.

Why is this important to contact centers? Those centers which operate in one-party consent states don’t have to provide advance notice of recording. Those centers working in all-party consent states would be well advised to request and then record an affirmative answer in order to proceed with any conversation. Obviously, if one or more of the call participants refuses, then recording must stop for that call.

PCI-DSS

An important regulation concerning payment information is the Payment Card Industry Data Security Standard (PCI-DSS). The payment card industry established strict rules around credit cards, PIN numbers and other identifiers in 2006. Call centers can avoid trouble by ensuring that access to encrypted confidential information requires multi-factor authentication. They should also upgrade or replace recording software that doesn’t hide sensitive authentication data on agent screens.

Any recording solutions should provide end-to-end multimedia encryption where data is encrypted at the point of capture and remains so throughout its lifetime. Software should not store sensitive authentication data like CID numbers, and supervisors should make an effort to make sure that agents don’t carelessly jot down card numbers or repeat them out loud for others to hear.


GDPR

The General Data Protection Regulation (GDPR) took effect on May 25, 2018. It replaces the previous Data Protection Directive and is the most important regulation in consumer data protection in years. The GDPR gives people more control over their personal data and consolidates privacy regulations across Europe.

Contact centers need to take note that personal data is defined as any information related to an identified person. This includes the telephone numbers used as part of CRM systems that identify callers, clearly accessible by agents. It’s important to note that US-based businesses are subject to GDPR if they process personal data of European Union consumers. The location of the call center is irrelevant.

MiFID II

Businesses that operate in the financial industry are keenly aware of the endless documentation, signatures, consent and evidence that need to be managed for financial transactions. To process financial transactions through a call center, it’s important to be aware of both the regulatory requirements and the call center technologies that are enabling simpler financial compliance for those complex processes.

Specifically, effective January 3, 2018, the Markets in Financial Instruments Directive II (MiFID II) replaced the original directive that had been in force since November of 2007. MiFID II applies to companies involved in financial institutions in order to make European markets safer and more efficient.

Call centers should take particular note of formal scripts, consent and signature requirements as these are core to the disclosure of financial transactions and are immediately pertinent to MiFID II. In step with that, it’s important that associated documentation is stored in a compliant fashion for quality control and auditing.


HIPAA

Those working in the healthcare industry are familiar with the Health Insurance Portability and Accountability Act (HIPAA), which secures private health information while allowing for proper treatment of medical conditions. Patients now have rights to determine how their healthcare information is used and must sign an information release before any data can be shared outside of the doctor-patient environment.

Once captured, information in the care of a healthcare professional must be protected by certain guidelines. Wrongful disclosure of a person’s medical information can result in fines and/or imprisonment for any medical professional who disseminates it.

With the stringent HIPAA rules, call centers must now make sure that agents are trained appropriately to protect patient confidentiality regarding medical records and payment history. Some specific examples of requirements include ensuring that the recipient of information is indeed entitled to receive it, and ensuring that information is encoded and encrypted at a high level. Centers must have strict controls over customer databases and non-authorized personnel should never have access to the information.

Practically speaking, healthcare organizations need to be particularly careful when contracting with third-party call centers to ensure they can be independently verified as HIPAA compliant. Agents and supervisors should be required to attend training seminars and stay current with any changes to the regulations.

TSR

Congress approved the Telemarketing Sales Rule (TSR) in 1994 to define and prohibit deceptive and abusive telemarketing practices. The TSR requires that a telemarketer must promptly and clearly disclose fundamental information when making an outbound sales call. This information includes the identity of the seller; that the purpose of the call is to sell goods or services; the nature of the goods and services; and that no purchase or payment is necessary to participate in any prize promotions.

What this means for call centers is that they should provide compliance training, scripting and interaction recording to all their agents. Call centers should also check to verify whether the states in which they operate require licenses or bonds.

Companies that hire call centers need to ensure that the call center complies with TSR requirements, since it is a violation of TSR regulations to work with a center that violates TSR practices.


TCPA

The Telephone Consumer Protection Act (TCPA) governs mass transmissions of phone calls and text messages (SMS) in the United States. The TCPA was signed into law in 1991 as a response to a rise in unregulated and harassing telemarketing calls and faxes. It has since been updated to include SMS messaging.

Essentially, the TCPA restricts telephone solicitations (i.e. telemarketing) and the use of automated phone equipment. It limits the use of pre-recorded voice messages, automatic dialing, fax and SMS use. Without explicit customer consent, companies must adhere to strict solicitation rules and must honor the National Do Not Call Registry. As a protection, subscribers may sue a company that does not follow the TCPA guidelines.

Consumer consent is an essential factor under the TCPA and should be a primary focus of any business that communicates with consumers and customers directly via any telephony method.

The TCPA was once again amended and more clearly defined in July 2015, when the FCC officially released the TCPA Declaratory Ruling and Order, which addressed petitions and requests for clarity on how the TCPA is to be interpreted by the FCC.

How To Drive Business & Avoid Non-Compliance

Avoiding penalties and fines related to compliance issues is a substantial effort for call center leaders, but there are some tactics which will help make the job a little easier.

• Conduct periodic agent training
• Focus on laws and regulations affecting your industry
• Provide scripts to keep agents compliant - digitize scripts and workflows for 100% adherence
• Police agent areas to make sure customer information is secure
• Enforce encryption of personal information
• Maintain a digital and auditable trail of interactions, documents and signatures
• Utilize technology that makes compliance easier for customers and agents

Rules are in place for a reason. We are all consumers and want to know that our information is secure, whether it’s financial information or medical files. It is up to those in call centers to be the champions for their customers.


Learn How To Simplify Compliance

Customer Compliance Business

Gather Signatures

Complete Forms

Ensure Consent

Identify & Verify

Secure Payment


Copyright © 2019 Lightico.

275 7th Ave., New York, NY 10011
www.lightico.com

Contact Information: [email protected]

About Lightico

Lightico’s real-time customer collaboration platform empowers your agents to collect forms, documents, e-signatures, photos, consent to disclosures and to verify ID instantly while they have customers on the phone.

By simplifying customer interactions in the last mile of the customer journey, businesses make it easier for their customers to be their customers, earning their trust and loyalty, translating to higher profits.


Copyright © 2019 Lightico ltd. All rights reserved.

visit: www.lightico.com