Compliance, Control, Transparency: The Key to Success in Today’s Market

Uncertainty Breeds Paralysis
As the recovery continues and delinquency levels normalize, those in our industry would
typically see creditors beginning to turn their attention to process improvement initiatives,
cost reduction strategies and efforts aimed at applying lessons learned from the last three
tumultuous years — but this recovery has been noticeably different.

Instead of the normal activity, this recovery has been overshadowed by the appointment of a new regulatory body and an expected host of new regulations designed to protect consumers. Rather than spending their resources focusing on embracing the latest communication channels and preferences of their customer base, creditors are instead in a “hurry up and wait” mode to deploy process changes aimed at complying with these new regulations — regulations that are, in some cases, hastily defined, and in other cases, still only rumored to be on the way.

Most of us in the industry have known for some time now (and been increasingly frustrated) that the existing regulations have gaping holes in terms of their applicability to the current environment we all face every day. The Telecommunications Consumer Protection Act (TCPA) and the Fair Debt Collections Practices Act (FDCPA) are well-intentioned legislative attempts to regulate the industry’s practices, but have grown so out of date as to be almost irrelevant. For example, most modern communication technologies aren’t covered, as text messaging, email, mobile phones and auto-dialed or IVR calls weren’t even part of the consumer landscape back then. Still, these regulations are continuously being interpreted by the courts and the new regulatory body. The creditors that have to comply with them face the always-evolving question: “Comply with what?”

Without clarity on how to interpret the laws that are on the books, what our industry is left with is a disarming lack of direction about how to apply the principles of these regulations in the context of the new technologies. A simple matter like calling someone at the number they provided to us in their application becomes a complex issue when that number can be ported to a cell phone for which express consent hasn’t been captured, etc.

Who’s On First?

Contact methods and the number of attempts are far from the only area of regulation to be contended with — fair lending practices, disclosure requirements, verifications of employment and consent are all in play. The overlap between federal rules and aggressive state attorneys general is also unclear: When regulations mandate conflicting actions, which one trumps? When channel communications allowed under one regulation are to be displaced by another, do the old rules apply to the new technology — and if not, who is going to clarify the interpretation of the new technology (something the FCC and FTC have routinely failed to do in the past 30-plus years)? When data on SCRA-eligible borrowers is hard to find, when cell-phone data is unreliable and expensive, when the existence of multiple account relationships for an individual customer changes the nature of the challenge, who is going to interpret how much effort (to comply) is enough?

New Kid on the Block

In 2010, Congress enacted the Dodd-Frank bill to address a host of issues across the broader financial services spectrum that led to, or were believed to have exacerbated, the financial crisis of 2008. Also included in that bill was the creation of a new agency, charged with protecting the interest of the consumer — the Consumer Financial Protection Bureau (CFPB).

Power Corrupts; Do Consumers Have Absolute Power?

In its creation under Dodd-Frank, the CFPB was granted a regulatory remit the likes of which have not been seen before:
> The CFPB has taken over authority for all consumer oriented Office of the Comptroller of the Currency (OCC) rules. The OCC retains ‘safety and soundness’ oversight of financial institutions.
> Likewise, CFPB is responsible for all consumer oriented Federal Trade Commission (FTC) rules, as well as the supervision and enforcement authority over all consumer-oriented regulations in the financial services arena that were the province of the Federal Communications Commission (FCC), including the Telecommunications Consumer Protection Act (TCPA) of 1991 and the Fair Debt Collections Practices Act (FDCPA) of 1977.
> In addition to interpreting the current laws and regulations, the CFPB is charged with authoring new rules and regulations that affect consumers across the broadest range of financial industry players possible: banks, mortgage and student lenders, payday lenders and debt collections agencies.
> The most surprising remit of the CFPB, however, is that it is also charged with both the supervision and enforcement actions arising from interpreting the laws and regulations. Adding to the agency’s challenges, it is the CFPB who is also responsible for hearing appeals.
> Here we have a federal regulatory body that is the creator, the interpreter, the supervisor and the final appellate arbiter of the appropriateness of any interaction with the consumer. When combined with the fact that the CFPB has authority to pierce the shield of attorney-client privileged information and is itself exempt from adherence to the tenets of the Freedom of Information Act, it becomes a potentially frightening situation.

No wonder the financial industry is concerned. While the proclamations coming from the CFPB Director so far appear to indicate that the agency is aware of the awe-inspiring power and reach it holds (and is prepared to wield that power judiciously), one can only watch the bureau’s actions to see how this situation will play out. For many financial executives, this uncertainty has caused them to adopt a “wait and see” position.

Alternatively, this can be viewed as a potential source of clarity for the industry. The agency will be a single point of focus that’s charged with solving the cross-agency confusion and resolving many long-standing questions. It is our belief that the winning strategy is a proactive re-evaluation and re-tooling of underlying systems in order to ensure compliance regardless of how the situation develops from here.
Let’s take a look at some of the areas that will be impacted by new regulation in the coming months:

It’s a New Day in Vendor Management

In April the CFPB released an official bulletin regarding service providers. The implications of this bulletin will have significant impact on the industry, as creditors place additional requirements on their agencies to produce documentation and audit responses aligned with the ever-changing regulations coming out of the CFPB.

The cost to comply with ill-defined regulations and then respond to regular examinations will likely force consolidation throughout the Accounts Receivable Management (ARM) industry. These are straight expense line items, without the potential of any off-setting revenue gains — a deadly combination for any employer that operates under tight margins to begin with.

Because the regulations are not well defined, it means that financial institutions will be forced to develop their own interpretations. The implication for agencies is a multitude of “standards” that actually vary slightly from contract to contract. This variation will drive significant overhead costs as reporting and compliance must be customized for each client.

So what does this mean for your business? We all understand that the financial health of our service providers is critical to their ability to provide effective collection results. If they have to expend energy and overhead on generating reports and responding to an ever increasing line of auditors at their door, then their ability to maintain collections performance will be tested.

Audits are required — agencies must be secure and treat their confidential information with safety and integrity. The cost of security is one that every business in the industry understands and appreciates; however, it is the costs expended to placate a multitude of interpretations in a variety of manners that will ultimately drive the costs up exponentially.

While We Wait

Most large scale agencies have been working under stringent security requirements for quite some time. Clients have long held service providers to a very strict code of conduct when it comes to compliance and security. What is different now is the level of responsibility the CFPB is placing on the financial institutions for the service providers’ conduct.

A thorough evaluation of each service provider, while expensive for both parties, is essential to ensure your exposure is limited and the proper precautions are being taken. The ability to maintain control of data, and to monitor compliance in real time, will be a critical step forward. The long-standing industry standard practice of distributing inventory to a variety of service providers may be nearing its end. Technology has progressed to the point that there is no compelling limitation that would keep a business from providing access to the data within their existing, approved, secure data centers rather than shipping the data out to a variety of locations on a daily basis and receiving/reconciling individual variations between what was sent and what was returned.

The benefit of a controlled collections and recovery environment go beyond compliance monitoring and enforcement. This is one area that may ultimately yield benefits from both cost and performance standpoints. Inventory management is an expensive endeavor. By eliminating the expense line items associated, creditors can re-direct resources to more performance-impacting practices. In addition, the ability to set strategy and quickly make strategic changes intra-day will yield significant increases to liquidation rates. Depending on your solution set, you may even be able to provide access to communication channels like texting, web self-service and email that you have previously been unable to allow from a purely outsourced standpoint.

Get Back to Business, Confident You Comply

It isn’t just the changes in the service provider expectations impacting the industry. Understanding the challenges posed by the evolving regulatory environment is one thing— being able to comply with what one knows is being asked is yet another entirely. Yet, the only way for executive management to be certain of success in significantly reducing reputational risk is:
> to re-take control over not just the strategy but the operational execution of the collections strategy;
> to maintain transparency in reporting and communication to all parties;
> to do so in a way that is provable not only to regulators but to internal management, in order to facilitate positive changes when needed;
> to ensure you have the flexibility needed to adjust on-the-fly to the rapid-fire changes in regulations, interpretations, and customer behavior data.

Get Control Over Offers, Channel Attempts and Touchpoints

In order to achieve compliance, you must be able to make sure that the internal and external contact strategies are all executed in accordance with the strategist’s design. This process includes covering the number of total attempts by device or channel (home, work or cell); by address; within specific periods of time and to specifically-allowed responsible parties; programs offered and the disclosures associated with each interaction. This is only possible if the execution component of the operation can be controlled by the strategist’s design. In order to provide that level of control, all of the data and strategies are best managed within a single source that is not subject to operational decisions made outside the strategist’s view.

What is at stake is the ability to maintain a flexible but compliant environment, which requires a fundamental re-balancing of power. If the system allows operational changes that can violate the strategy (and if they can, they will), you risk non-compliant behavior. The trade-off, of course, is that limiting freedom to adjust strategies on-the-fly can impact performance. As a result, freedom must be maintained in a single controlled environment in order to ensure that both compliance and performance goals are exceeded.

Maintain Transparency

The ability to control the operational execution in accordance with the strategists’ design is rendered truly powerful by the ability to see both the strategy and its execution in real-time, with both being able to change on-the-fly in response to data as it is received. Yet equally important is the need to be able to re-create exactly what is happening, has happened, and will happen so that there is no mystery in giving over control to the strategists. This ability is fundamental to the next item, but also necessary in order to provide control in a way that is acceptable to both operational managers and strategists.

Provability for Audit Purposes

The upside to giving operations and strategists visibility of the strategy-to-operations connection is that we can then allow compliance officers, auditors and regulators that same visibility. It is crucial that reports are easily available to prove what has been done, what is being done and what will be done. This is the flip side of the transparency issue: in order to be able to see clearly what is happening, and why it happens that way so that it can be modified as needed in day-to-day operations, the same is true after the-fact for provability. Only a system that provides the control necessary to transparently manage all aspects of a compliant operation will be able to provide the same level of reporting across all those aspects.

Flexibility — The Least Appreciated, but Most Important Attribute

Given the challenges posed in providing control, transparency, and provability across all components that need to be managed (channels, appropriate responsible party conversations, work/home/mobile addresses, offers, disclosures, etc.), one would be forgiven for thinking that a solution that offers these would be sufficient. The problem is, this isn’t a static problem and is subject to daily change given our currently-evolving regulatory environment.

The upshot of the above is that a system devised to ensure compliance must, first and foremost, be designed with flexibility and adaptability built-in. Anything less will provide a short-term win, at best, but more likely will be obsolete before it even goes into production. This is precisely what happened at a large retail banking organization that specified its online collections component prior to a regulatory change. The result was a nearly two-year development effort that had to be shelved because the end product had not anticipated or architected for the constant evolutionary changes that would be needed.

Subject-Matter Expertise is Not Optional

Which leads to the final element of flexibility: subject- matter expertise in collections and credit risk. Without it, an IT-driven solution will founder on the rocks of regulatory complexity and potential overlap, and the deployment will far short of the degrees of freedom necessary to anticipate future changes in requirements. While putting a business-savvy resource on your development team is better than nothing, it is actually more important to make sure that the solution architect him/herself has the business understanding required to ensure the solution will scale, not only to the potential complexities and contradictory requirements, but also to the level of change that has to be accommodated by the solution.

Scenarios to Ponder: Different “Levels of the game”
Customer versus Account versus Responsible Party

All of the above-mentioned challenges exist for each individual account managed at the product or portfolio level. Who you can speak with, how many times you can attempt to contact them, where you can contact them within a given time frame, and what you are required to disclose — all of these factors can vary by geography in ways that make things difficult from a systems point of view. The state of Massachusetts, for example, mandates that place of employment must be verified on a regular schedule before proceeding with contact attempts. Other states require that only the principal accountholder be counted as a right party, and even their spouses are deemed third parties — all things your system needs to “know” and convey to agents.

Also, it is worth noting that regulators are less interested in how systems were built to work and more interested in the customer experience impact. Regulators ask “why is it so hard to treat a customer consistently and sensitively across all elements (e.g. products) of their relationship with a lender?” That expectation is not unfair, but it may be when asked about current systems that weren’t architected with that goal in mind.

Defining Contacts, Attempts and Resolutions

Another complexity is that an “attempt” has been traditionally defined as a phone call, and “contact” has been defined as a Right Party Contact (RPC). “Resolution” means the past-due amount has been paid to current, or that a payment program has been created that will bring them current when it is executed. Unfortunately, those traditional definitions are subject to change: The Irish government, for example, has mandated that collectors could make no more than three attempts — letters, telephone dials, emails and text messages all count — within a 30-day window. While it’s unlikely that our regulators will compare notes with theirs, the day is not far off when any medium of contact will count as an attempt, and the definition of contact may expand as well. For instance, is an authenticated Web visit any different from an inbound call? Our industry will need to be prepared for that possibility, as well as the notion that any future scheduled payments must be considered a resolution unless it can be clearly demonstrated that the payments do not meet the proper criteria and that the borrower has been so notified.

“Contact Compliance” or “Disclosure Compliance” or “Operational Policy Compliance”

Different requirements between states and the federal regulations used to be manageable by adhering to the OCC’s guidance as pre-empting any conflicts, but that doesn’t appear to be the case anymore. States are now able to — and seem increasingly comfortable with —going their own way in setting their own rules for contacts, disclosures and policies. The state of Washington, for example, mandates that customer contacts be limited to three times within a specified period but only one of those contacts can be to the place of employment (POE). Massachusetts, as mentioned above, mandates POE verification more regularly than the Federal government or other states require. Navigating these various requirements — even just keeping track of which states require what specific contact, disclosure and operational actions and reports — represents a nearly full-time responsibility. As mentioned in the previous section, just meeting the requirements isn’t sufficient: one has to be able to prove that operations are compliant to the regulators’ satisfaction. Muddling forward “as best one can” in the hope that they don’t ask to see proof simply isn’t an acceptable strategy.

The Conclusion: Compliance Automation is Your Best Option

Ensuring agents only talk to the right people, at the right time, with the right offer and disclosures within each geography can only effectively be controlled when the strategists’ rules for contacts, offers and disclosures are consistently and uniformly followed. Operational managers, who need freedom in order to operate efficiently, can be effective while remaining compliant only if the rules and requirements are incorporated into the operational execution capability they use to manage their staff’s efforts, from dialer-based campaigns to manual or preview-dial calling efforts. Inbound contacts must be incorporated into the strategy set for decisioning the next contact across all touch points, or the effort to control all outbound calls will have been for naught.

Similarly, the addition of digital channels such as IVR, email, text and Web can only be executed in a compliant manner if the strategists’ central control point is maintained. That isn’t possible through printed “cheat-sheets” for agents – rather, a fully-automated solution that incorporates rules-based contact attempts across all channels, including fully informing agents of the current status of a customer and even preventing call (or other channel) attempts to borrowers who have reached the “maximum-allowed-threshold” status is necessary. On top of that, one must add the individualized offer and disclosure requirements and ensure that all content (whether conveyed in digital messages, letters or agent phone calls) is compliant before executive management can be confident that reputational risk has been mitigated.

That is the goal, and it is unlikely to be achieved without the help of fully automated solution that provides the control, the transparency, the provability and the flexibility mandated by today’s complex regulatory environment. Only then can collections executives stay on top of the wave instead of being crushed by it.