Security Risks and Compliance in Call Centers

The call center is your first point of contact with your customers. It’s your opportunity to build relationships, develop loyalty, answer questions, gain more business, and grow your brand. However, all that reward comes with risks regarding consumer data protection and privacy.

Nearly 96 percent of call centers admit that they face challenges in protecting their business and remaining compliant. And failure is expensive. In 2017, Dish Network was fined a record-breaking $280 million for not following the FTC’s Telemarketing Sales Rule (TSR), including explicitly violating the Do Not Call Registry and the Telephone Consumer Protection Act (TCPA).

So, the question is, how do you reduce the risk to your organization?

What is Call Center Regulatory Compliance?

First, let’s talk about call center regulatory compliance. What is it? It is a set of rules and standards designed to protect customer privacy and provide data safety. It covers everything from cybersecurity to vulnerability management, access control measures, and best business practices.

Every time you exchange, collect, or review sensitive information and communicate with consumers, it falls under regulatory compliance. The idea is to reduce opportunities for agent fraud and data breaches while also increasing security standards. And there are numerous compliance and regulatory mandates that call centers must follow.

Types of Regulatory Compliance in the Call Center

• Payment Card Industry (PCI) Security Standards: In 2006, PCI regulated how customer credit card data was protected against fraud. It includes rules on building a secure network, protecting cardholder data, maintaining vulnerability management, and implementing strong access control measures.
• Call Monitoring Consent: Federal and state laws require customers to consent for a call to be recorded.
• Fair Debt Collection Practice Act (FDCPA): Prohibits the use of threatening or abusive language to collect a personal consumer debt.
• Do Not Call Registry: Consumers must be able to opt-out of telemarketing calls.
• General Data Protection Regulation (GDPR): Businesses with customers in the EU (even if the business is not located in Europe) must comply with EU regulations about data ownership and sensitive information.
• Truth in Lending Act: Businesses must disclose information about loan terms, late fees, and interest rates to customers.
• Dodd-Frank Act: Requires all phone conversations to be recorded and saved with a date and time stamp.
• Sarbanes-Oxley Act: Recorded calls cannot be changed or deleted before the mandated end time.
• HIPAA: Strict steps to protect personal health information and ensure it’s not shared with other parties.
• Equal Credit Opportunity Act (ECOA): Prohibits businesses from using age, race, color, gender, religion, etc., as qualifications for loans or credit.
• Gramm-Leach-Bliley Act: Requires written documentation of contact center security protocols and sharing this information with customers to opt-out.

Mitigating Call Center Regulatory Compliance Risk Factors

Call center compliance isn’t just a “nice-to-have;” it’s a “must-have.” And you are constantly at risk, even just for normal operations. Below, we discuss the four areas where you face the most trouble and how to overcome it.

Cloud-Based Contact Center Software

Problem: If you run your call center from the cloud and store information there, you must ensure that you have the proper and necessary compliance tools. Hackers are waiting to steal your data, and employees are likely to make simple mistakes that leave you vulnerable. Each data breach costs $4 million, so cloud security is vital.

Solution: Ensure that your CRM, call recording software, and other internal and external call center software address all information safety measures required. Steps to take include:

• Implementing strict access control measures with unique IDs and passwords for each agent.
• Monitoring and testing your cloud network regularly for security risks.
• Employing two-factor authentication and robust encryption protocols.
• Keeping anti-virus software updated to the latest version.

Taking Customer Payments

Problem: Whether you’re taking customer credit card information over the phone or online, there are many risk factors for your business regarding customer payments. You must provide the highest level of data security and customer comfort. Already, 86 percent of consumers believe agents will misuse their credit card details, so you have to prove you are trustworthy.

Solution: PCI is the gold standard for mitigating risk, simplifying how you process and accept payments. To mitigate concerns, you’ll need to:

• Ensure enhanced cardholder data encryption—writing data down on paper is not permitted.
• Store sensitive data behind robust firewalls that follow strict safety protocols.
• Provide third-party phone lines or use call recording software that turns off (pauses) recording when customers share credit card information.
• Keep access to cardholder information highly secure and limited to only those individuals with the proper clearance and need.

Outbound Calling

Problem: Outbound call centers face many unique rules and regulations for contacting customers. They must call customers at the right time, not too often that they feel harassed, and allow customers to opt out of receiving future phone calls. This can be complicated.

Solution: The good news is that many tools and dialing controls are available to ensure that you meet compliance regulations. These include:

• Setting time zones so you only dial customers at permissible times.
• Limiting the number of dial attempts to a particular customer’s phone.
• Adding numbers to your Do Not Call (DNC) list when customers have asked to be removed or blocked.
• Matching zip codes to mismatched area codes makes you aware of the change even if a customer has moved to a different time zone.
• Scrubbing customer phone numbers as needed for effective list management.

Call Center Agent Training

Problem: Not everything in the call center can or should be automated. Your agents play an essential role in customer satisfaction, but they also carry the most significant risk of compliance. It’s often a lack of agent training that leads to consumer data protection regulations violations.

Solution: The key is to provide regular call center agent training using a learning management system and compliance activity log to track performance. Other ideas to mitigate risk include:

• Implementing a call center script with key compliance details that agents must follow.
• Using QA scorecards as an audit trail for regulators to track compliance after each customer interaction.
• Using software to automatically tackle the most critical and standard compliance measures—alerting callers that their call is being recorded and auto-pausing the recording for credit card details.
• Creating clear and concise security policies for consumer information storage, passwords, email, software use, and personal devices for work.

Keeping Your Call Center Compliant with Quality Assurance

The best way to mitigate compliance risk in your call center is to develop a detailed quality assurance program. This program should help you keep a close eye on typical areas for breach and ensure that you are alerted immediately when compliance fails. You want:

• Breach alerts when a compliance question is missed, including full breach details.
• Pass/Fail rates in a dashboard that makes reporting more straightforward.
• Compliance failure details so you know why compliance failed, and you can take remedial action.

You must follow many rules when dealing with customers—from how and when you can record calls to the right way to gain credit card information. These regulatory compliance concerns are essential to staying in business and being successful. By understanding your risks and taking the necessary steps to mitigate those concerns, you can avoid heavy fines and criminal prosecution.