Ensuring contact center compliance is a thankless task.
After all, most regulations are incredibly intricate, long-winded, and – most critically – punishable.
Moreover, new legislation can come in and rip up the existing rulebook.
Just speak with those in the finance sector, many of whom faced an almighty struggle to ensure compliance with new Consumer Duty regulations.
Some may have fallen into various compliance pitfalls, including those our roundtable guests highlight below.
This month, these guests include the following industry experts:
- Geoff Forsyth, Chief Information Security Officer at PCI Pal
- Russell Evans, Global Sales Director at Dubber
- Jamie Stewart, Marketing Manager at Sytel
After pinpointing various pitfalls, they share best practices for kickstarting an audit and consider the role of technology in supporting today’s compliant contact center.
Examples of Contact Centers Compliance Pitfalls
Mishandling Sensitive Payment Data
Forsyth: Payments and the handling of sensitive payment data is a classic area where contact centers can fall short when it comes to compliance.
Any organization that takes card payments needs to comply with the PCI DSS (Payment Card Industry Data Security Standard).
While PCI DSS provides its own penalties for non-compliance, the regulations are frequently the foundation for achieving compliance with many regulatory requirements such as GDPR, HIPAA, and PIPEDA.
Indeed, there are many areas for non-compliance in contact center environments, given their diverse workforces, communication channels, and payment options. Then, there is the potential compliance minefield the work-from-home transformation has spurred on.
After all, many contact centers moved to remote work in 2020, and suddenly their workforce spread across multiple locations, making it much more difficult to maintain compliance using traditional compensating controls. Pause and resume is a classic example of this.
Failing to Inform Customers of Call Recording Practices
Evans: Compliance regulations such as GDPR mean contact centers must implement a process to inform customers that they record their calls. Then, they need to ensure correct and safe storage of the captured data.
Yet, contact centers often fail to implement the proper security protocols, such as data encryption.
Additionally, service operations must have a process to delete call recordings after the appropriate retention time.
If done manually, there is significant room for human error, given the number of calls contact centers handle on a daily basis.
Lastly, without a proper system, contact centers can struggle to keep track of customer preferences around marketing communications, which they must log and adhere to.
Predictive Dialer Misuse
Stewart: In the UK, Ofcom has historically enforced UK regulations on silent/abandoned calls caused by predictive dialers, striving to reduce the number consumers receive.
Largely, it has succeeded. From Jan 2023, Ofcom still monitors breaches (so beware!) but seems to have relaxed its enforcement.
In recent years, Ofcom has instead focused increasingly on companies who contact consumers registered with the Telephone Preference Service (TPS), the UK version of a national Do Not Call (DNC) list.
This seems to make strategic sense. TPS violations are far easier to prove than silent/nuisance calls, but TPS violators are likely doing both, so it could be that Ofcom is killing two birds with one stone.
Note that Ofcom doesn’t hand down fines lightly; only after deliberate, persistent abuse, which often continues while under investigation.
How Can Contact Centers Kickstart a Compliance Audit?
Follow This Six-Step Approach to Compliance
Stewart: Consider the following six-step approach:
- Frame Compliance Correctly – First, protect consumers from harm. Second, protect the organization from fines and reputational damage.
- Identify the Goal – What rules must the contact center comply with? Are they internal (e.g., specific language) or external (GDPR, CFPB, TPS, Regulation F, FTC, etc.)? Have any regulations changed since the last audit? Consider engaging a third-party legal counsel to identify gaps.
- Appoint the Auditors – To stand back and assess critically, the business must at least separate the audit team from operations.
- Isolate the Process – How will the team test for compliance with each detail of every regulation? Can they monitor in real-time? What can they deduce from contact logs/ reports? Pay attention to any processes that the company has not previously audited.
- Establish the Follow-Up – When uncovering a problem, dig into the root cause, and have a change management plan to take corrective action. Is there anything the team can automate to prevent further breaches?
- Document Every Discussion, Conclusion, & Action – Regulators like to see evidence of continuous improvement.
Start By Assembling a Team of Experts
Forsyth: PCI Compliance should is not a one-and-done exercise. Instead, it is about implementing a continuous strategy and process to, first and foremost, protect sensitive payment data and remain compliant with the PCI DSS.
To begin the process, contact centers must assemble a team with the expertise to navigate the varying industry standards and regulations.
They should also consider having a partner in the process who can identify and guide them through nuances and complexities, mitigating potential pitfalls down the line.
A comprehensive internal audit identifying potential gaps in compliance is another significant piece of the puzzle and can be a big undertaking.
Also, remember that it’s imperative to thoroughly understand how the business collects, stores, and processes data so that the contact center can implement the appropriate security measures.
Evans: To carry out a compliance audit, contact centers can gather a team to establish the scope of the audit, specifying the regulations and compliance standards the service operation must meet.
Gathering the relevant documents, policies, procedures, and contracts related to operations, the team can assess the current process:
- Are callers notified that their conversation may be recorded?
- Is the data logged accurately, and is only the necessary information stored?
- What security measures are in place to protect against data leaks?
- How are customer preferences around marketing communications logged and carried out?
- If the customer asks for their stored data, can this be actioned quickly?
- What is the retention period for customer data, and how is it deleted after the allotted time?
Lastly, identify risks where there could be non-compliance. That includes surveying the team to assess their understanding of how to be compliant in their role.
What Tech Does Your Business Provide to Help Contact Centers Stay Compliant?
PCI Pal Secures Customer Payments
Forsyth: PCI Pal solves the PCI compliance challenge for contact centers, allowing businesses to take payments securely and ensuring consumer data protection.
Our agent- and IVR-assisted phone payment solutions use Dual Tone Multi-Frequency (DTMF) masking and speech recognition technology.
As a result, companies may utilize a secure, compliant way of handling payments by phone without bringing the environment into the scope of PCI DSS.
PCI Pal also offers digital payment solutions that ensure sensitive card data never enters the contact center environment, minimizing the risk of misusing data.
Finally, we continuously push the boundaries to provide proven payment solutions that keep clients compliant and their customer data secure.
Dubber Digs Into Customer Conversations
Evans: AI, specifically conversational analytics, helps contact centers comply with current regulations such as GDPR.
Dubber’s conversational intelligence uses natural language processing (NLP) to accurately capture what customers and reps discuss on a call. That includes logging ‘moments’ within the conversation, such as specific actions the company must carry out.
The capability extends across multiple channels, which end-users can manage together in a platform.
With this AI analyzing conversational context, contact centers can ensure reps complete agreed actions, removing the risk of errors in capturing data.
Additionally, Dubber uses enterprise-grade security to meet the needs of industry, government, or regulatory requirements in storing customer data.
Sytel Safeguards Outbound Dialling
Stewart: For outbound calling, Sytel:
- Sets the target abandoned call rate in the license, so users have no option but to comply. Set it up and leave the dialer alone!
- Offers real-time DNC/TPS screening against multiple lists – i.e., company, state, country – and ensures instant removal of any consumer requesting not to be called, preventing further contact.
- Provides time zone management – i.e., by area/ZIP/state codes – so calls are only made during permitted hours, no matter the consumer’s location. It also end-users to start and stop campaigns automatically at the prescribed times.
The contact center vendor also provides a Global Compliance tool, allowing service operations to set multiple rules across channels and meet various cross-territory and -sector regulations.
Miss out on our previous CX Today roundtable? Check it out here: Video for Customer Service, Engagement, & Retention