Navigating the Compliance Rapids

By Brendan B. Read, Senior Contributing Editor  |  March 01, 2011

This article originally appeared in the March 2011 issue of Customer Interaction Solutions


If complying with laws and regulations can be likened to navigating a rapids-strewn river, here are the rocks and undercurrents for contact centers to watch out for:


Telemarketing Law Enforcement

More than ever before, contact centers should take every possible step to comply with U.S. federal and state telemarketing laws. The major reason is money: big federal and state budget deficits are forcing officials to extract funds from whatever sources they can without annoying voters.


Ryan Thurman, director of sales and marketing at Contact Center Compliance, expects stepped-up enforcement in 2011. Telemarketer crackdowns yield fines that, net of costs, bring in treasury hauls as well as good publicity for the lawmakers.


Consumers have become very aware of the Do Not Call (DNC) list; it is very easy to get on the list and to file complaints against suspected violators, he adds. Yet many individuals are not aware of the DNC registry exemptions, such as for companies they have existing business relationships with.


“The federal DNC registry is a popular consumer program but a complicated one to comply with as states have imposed further restrictions that are often more stringent, which makes it easy to trip up telemarketers and make them easy targets,” Thurman points out. “There are about 196 million numbers on the national list but there are many that should not be on it such as businesses and numbers that have been disconnected and re-assigned.”


Also, 13 states still maintain their own DNC lists, some seven years after the federal DNC law, which also required states to roll their lists into the federal one, went into effect. Thurman’s firm ran the state lists against the federal database at the end of 2010 and found there were 4.5 million numbers on them that are not registered on the national DNC list. The Federal Communications Commission (FCC) reported that 36 states had their own DNC lists prior to the national list going into effect in 2003.


“The DNC lists are still a revenue generator for the states,” explains Thurman. “And they are under no pressure within the states or by the federal government to give them up.”



New Caller ID Regulations


Identifying callers, including where they are located, has become much more challenging with the advent and increasing popularity of VoIP, which uses IP addresses that could be anywhere that callers log in from, along with cellular phones and telephone number portability. That is because a phone number’s area code may no longer be in the area, or state, in which the called or calling party resides.


There are new, readily available applications that permit fraudsters to easily spoof legitimate callers’ names and numbers, tricking called parties into answering their phones. These tools have made tracking and apprehending these perpetrators difficult.


The U.S. Congress has responded with the Truth in Caller ID Act of 2009, which President Barack Obama signed into law on December 22, 2010. The legislation outlaws transmitting misleading or inaccurate caller ID information via any communications voice service, including VoIP, for criminal purposes. It does not permit firms to prevent or restrict any firm or individual from blocking any caller identification service.


The FCC has been charged with developing enabling regulations that would be applied to the Telephone Consumer Protection Act (TCPA) with a June 22, 2011 deadline. The agency must also report to Congress on whether additional legislation is necessary to prohibit the provision of inaccurate caller ID information in technologies that are successors to telecommunications service or IP-enabled voice service.


Meanwhile, the FTC has been seeking input as to whether it needs to modify the Telemarketing Sales Rule (TSR) to protect consumers from altered caller IDs, facilitated by technologies such as VoIP, and if so, how. The agency issued on December 7, 2010 an advance notice of proposed rulemaking on this subject; comments closed January 28, 2011.


Michele Shuster is an attorney and partner at MacMurray, Petersen and Shuster; she has extensive experience in telemarketing laws and regulations. One of the issues she sees with the Truth in Caller ID Act and other caller ID rules is that they do not specify which name, a company’s legal one or the specific brand being represented, should be on the ID. She has at press time not seen a clarification from either the FCC or FTC.


“I recommend that in the meantime a company use its company name or a name that is registered with the appropriate Secretary of State as a business name,” says Shuster.


Do Not Text?


SMS/text messaging has become a popular means for individuals to communicate with each other. Marketers have quickly caught on, and so have lawmakers, responding to consumer complaints about being charged for these unsolicited and unwanted messages.


The New Jersey Assembly has passed, and the state’s Senate is considering, a bill that would prohibit sending unsolicited advertising by text messaging if it will force recipients to incur charges or usage allocation deductions. It would require communications firms to permit their customers to block all inbound and outbound text messages from them. Similar legislation has been introduced into neighboring New York State’s Assembly.


Shuster recommends that firms treat SMS/text messaging like calls to cellular phones: if required, obtain express signed consent from their customers before sending them.


“Most companies would and should not be alarmed if such legislation is passed to make that law,” says Shuster. “It will, however, significantly impact resources available to businesses to provide their optimal customer experience.”


Is “DNCC” Next?


Is “DNCC,” i.e. “Do Not Call Cellphones,” next? Firms could be required to obtain signed consent from American consumers before live-agent-calling as well as delivering pre-recorded messages to their cell numbers, even when there are existing business relationships.


An FCC proposal to harmonize the TCPA with the FTC TSR on pre-recorded messages, announced in a Notice of Proposed Rulemaking (NPRM) in 2010, may have that effect if this requirement is included in future enabling legislation.


If such regulations go into effect, observers fear they could have a devastating impact on outbound calling by telemarketers and collections firms, potentially rivaling the Do Not Call (DNC) registries. That is because more Americans are porting landline calls to wireless devices and, in increasing numbers, going wire-free altogether.


“If this proposal becomes a regulation this is going to create problems as 25-30 percent of the U.S. population is cell phone-only,” Thurman points out. “How many people are realistically going to sign consent for firms to call them for marketing purposes?”


Telemarketing calls, with certain exemptions, have long been prohibited to wireless numbers. Yet telemarketers have long had the right to call them if consumers had given their consent by providing them with their cell numbers.


Michele Shuster explains that the FCC issued declaratory rulings in 1992 and 2007 that “persons who knowingly release the phone numbers have in effect given their invitation or permission to be called at that number, which they have given, absent instructions to the contrary…”

The NPRM also proposes that the FCC align with the FTC regulations on permitting consumers to automatically opt out of receiving pre-recorded calls without waiting to reach agents to do so via leaving messages. The FCC would also adopt the FTC’s per-campaign limitation on predictive dialer abandonment rates that it says would thwart telemarketers from focusing more on less-valued customers with a disproportionate share of abandoned calls.


Shuster has been advising, as a proactive measure, that her clients obtain express written (signed or e-signed) consent to contact consumers, including on their cellular phones, whenever they interact with them.


“I would like to see the state of the law remain as it is,” says Shuster. “If a consumer provides a cellular number at which to be contacted, a company should be able to contact the consumer at that number absent instructions to the contrary.”


More Stringent Data Security Laws


Authorities are cracking down on financial and identity theft and fraud. And they are writing more legislation and rules requiring companies to protect this information.


Three states, Minnesota, Nevada and Washington, have adopted the Payment Card Industry (PCI) Data Security Standard (PCI-DSS) into their data protection laws. PCI-DSS applies to all entities, including contact centers, that store, process, and/or transmit cardholder data.


Massachusetts has a strict new set of regulations: 201 CMR 17.00, which went into effect March 1, 2010, requires firms that own, license, store and/or transmit residents’ personal information to have and maintain written comprehensive information security programs.


The rule, backed by Massachusetts General Law 93 chapter 93a, Regulation of Business Practices for Consumers’ Protection, says firms must have secure user authentication protocols and secure access control measures. Encryption is mandated for personal information that is to be transmitted across public networks and via wireless. It is also mandated for such data stored on all portable devices, especially laptops; password protection is not enough.


The regulation stipulates that companies must have and keep current firewalls, operating system security patches and security software that must include malware protection. They must also educate and train employees on computer security, including the importance of protecting personal information.


Many contact center solutions offer means to comply with these standards and laws. Calabrio’s recording solution uses an advanced API that enables a contact center to stop and/or start voice and/or screen recording automatically. When a user enters a web-based application or touches a sensitive field within an application, the Calabrio API pauses the recording so that credit card or other sensitive data is not captured.


Kristyn Emenecker, Verint’s vice president of solutions marketing, recommends contact centers consider AES 256-compliant encryption with strong key management that protects data when it is recorded, in transit and archived. Verint’s Impact 360 PCI and Recording Encryption solution offers it along with encryption, RSA key management and the option to pause and resume recording automatically based on desktop events or an API trigger. It also provides audit trails, access controls and server hardening capabilities.


“In most cases this PCI adoption by states has no impact on what an organization needs to do to be compliant, but it can raise the stakes for those that may be less-than-motivated by PCI alone,” says Emenecker. “Most industry watchers expect to see Federal legislation on data security at some point, but that of course remains to be seen.”


Call Recording Permission


The scripting “your call may be recorded to ensure quality” is not just there as information. It is there to comply with regulations. While U.S. federal law requires that one party must be aware and provide consent that the calls are being recorded, there are several states that require it for all parties unless there are statutory exemptions, Shuster points out.

Evan Kahan, vice president of operations at Majuda, recommends that inbound and outbound call scripts ask consumers for their permission to record their calls and, if they say no, to stop the recordings, maintaining their refusals as records.


“Most companies have the permission scripting on the inbound calls but many forget to have them on outbound,” Kahan points out.



ATA’s Compliance and Legislation Programs


The American Teleservices Association (ATA) offers an integrated set of compliance and legislation education, certification and issues advocacy programs for its contact center members. It represents more than 4,000 contact centers that account for over 1.8 million professionals worldwide.


The ATA will be holding its annual Washington Summit that focuses on federal and state legislation issues October 10-12, 2011 at the Gaylord National Hotel. It is sponsoring a series of Compliance Seminars and the next ones for 2011 are in Dallas, Texas, April 28, New York, N.Y. Sept. 8 and Phoenix, Ariz. Dec. 1.


The ATA also sponsors the ATA-SRO, a comprehensive set of outside-audited standards that incorporates applicable government regulations and consumer protection rules. These provide contact centers with a platform of best practices, documentable procedures and measurable compliance tools. The program goal, says the ATA, “is to assure a positive teleservices experience for consumers and provide an objective system that reinforces companies’ commitment to government compliance.”


Creating a Compliance Culture


The key to compliance is building it into the corporate culture, where it is carried out as a natural part of doing business.


InfoCision Management Corporation has a compliance culture and supporting practices. It has an internal API that helps save time in making changes to software when a new or changing law or regulation must be applied to the IT process of a particular telemarketing program. It is also an accredited contact center under the American Teleservices Association’s ATA-SRO compliance certification program. And as a condition of hire, every employee must sign a Client File Policy Agreement which says they agree to protect confidential information. This includes client information from scripts as well as personal consumer information they collect.


“Leadership needs to set the tone and a positive example for all employees to instill the importance of maintaining compliance, not just for the company but for clients as well,” InfoCision chief of staff Steve Brubaker points out. “If a company’s CEO does not place a high value on staying compliant, those feelings will trickle down throughout the company. The price of noncompliance is steep; potentially putting a company out of business and negatively impacting the client’s reputation.”

Prudent Data Security Compliance

Complying with existing laws and regulations is not enough in today’s climate, where data privacy and security issues are receiving attention from elected officials and government agencies.

Evan Kahan, vice president of operations at Majuda, urges contact centers to go beyond what they are required to do, in order to maintain excellent customer relations and to head off lawsuits, bad publicity and more onerous legislation and regulations. Here are some examples:

* Blank out sensitive information, for example medical and payment card information, from recordings

* When inputting sensitive data into CRM and ERP systems, blank the fields, as they too could contain this information

He points out that HIPAA does not at present cover all medical data, while PCI is a standard that does not, with the exception of a handful of states, have the force of law.

Majuda Voice 7.0, released in December 2010, has universal compliance modules that can encrypt and store sensitive data.

“Many firms and contact centers assume that once you’ve told consumers their calls are being recorded their compliance obligations have fallen away, but that is not correct,” Kahan points out. “They must put all the data security in place for the entire operation to be truly compliant in fact as well as law.”

Compliance in Canada

Canada is the U.S.’s largest trading partner, and a strong economy leading to a high-valued currency has made American goods and services very attractive to that country’s consumers.

American telemarketers, take heed: Canada has been stepping up enforcement of its regulations, including its Do Not Call list. The country’s communications regulator, the Canadian Radio-television and Telecommunications Commission (CRTC), issued the largest-ever fine against a North American telemarketer, $1.3 million, to carrier Bell Canada, which ironically has the CRTC contract to maintain the country’s DNC database.

Canadian telemarketing regulations are simpler. There is one list and one set of standards, with very few provincial ones; the list itself is not large and can be obtained from one source, explains Ryan Thurman, director of sales and marketing at Contact Center Compliance.

While Canada’s calling hours are different from those in the U.S. (9am-9:30pm Monday-Friday and 10am-6pm on Saturdays and Sundays, as opposed to 8am-9pm seven days a week in the federal TCPA and TSR), there are no provincial limitations, such as those on holidays in several states. Canadian sources say Canadians will not be pleased and will let telemarketers know it if they are called before 9am; savvy telemarketers will not call them after 9pm weekdays to avoid similar reactions.

The major issue with Canadian compliance is the cost to subscribe and download Canada’s DNC list. It is priced at over $2,000 per area code per year compared to $55 for that in the U.S.

“Fortunately compliance with Canadian telemarketing laws is not as complex as it is in the U.S.,” says Thurman.


American Teleservices Association






Contact Center Compliance






MacMurray, Petersen and Shuster