Executive leaders should treat compliance as an integral part of organizational strategic planning rather than the cost of doing business.
Organizations can face major penalties if they don’t comply with laws and regulations that protect customer data, like GDPR and HIPAA. Additionally, customers can lose confidence in an organization if their personal information is not protected properly.
A significant number of customer interactions occur in the contact center. Therefore, contact center leaders need to comply with regulatory requirements and smart business practices to protect customers’ rights. A combination of following legislative rules and thoughtful internal practices — such as call monitoring — can protect sensitive customer data while improving the customer experience.
Establishing and following a contact center compliance checklist provides a strong foundation of good practices that lead to successful compliance.
What is contact center compliance and why is it important?
Contact center compliance is critical. A failure, such as a data breach, can have significant negative effects on a customer’s life and devastate an organization’s brand image and reputation. Customers don’t want to buy services from organizations that can’t protect their personal information from bad actors. And, if there’s a security incident, organizations don’t want to pay fines and penalties to regulatory agencies.
Compliance requires participation from every individual in an organization. Contact center managers shouldn’t assume that documented processes always work or that agents always follow proper procedures. Ongoing monitoring and reporting must be in place to ensure things are working properly. Additionally, all employees must keep their eyes and ears open. Controls must be in place, and if something does not seem right, they must raise the issue with the appropriate individual.
Before the COVID-19 pandemic, most contact centers were on-premises, which, in many ways, made compliance easier to implement and monitor. For example, employees had to swipe their key cards to enter the contact center. Compliance became more of a challenge when contact centers began to operate remotely, so checklists can help contact center managers follow proper guidelines.
Contact center compliance checklist
Organizations can’t achieve compliance with a single tool or process. Compliance requires a multifaceted approach that integrates technology, processes and procedures.
The following contact center compliance checklist can serve as a starting point for contact center managers as they seek to comply with internal and external requirements.
1. Secure the network
Organizations should use network access control to limit who can physically and logically access system hardware and software. Physical security protects the physical components of a network, such as devices, modems or routers, from physical harm. Logical security uses passwords and system permissions to protect a network’s software and data from unauthorized individuals.
2. Lock down workstations
For remote workers, organizations must ensure workstation equipment adheres to pre-defined specifications or that the organization provides the proper tools.
Physical workstation audits enable an organization to inspect both on-site and remote employees’ work environments and ensure they support basic controls and meet compliance requirements. As physical visits to employees’ remote workstations aren’t always feasible, supervisors can use video conferencing to perform high-level audits. Beware: A video conferencing audit is limited in its scope and timing.
3. Authenticate customers
Customer authentication is a process where individuals prove they are who they claim to be. In some cases, single-factor authentication, where customers provide a single piece of information to confirm their identity, can suffice. However, many organizations have adopted multifactor authentication, which asks customers to provide distinct pieces of information — such as a password and a code sent to a mobile device — to confirm their identity. Additionally, some companies are using voice and facial recognition technologies to authenticate customers.
4. Record customer conversations
Call recording lets organizations review telephone conversations between customers and agents. Managers can review recordings through a QA program and AI tools to determine if agents fulfilled external requirements, such as appropriate disclosures and authentication processes. Managers can also review recordings to determine if an agent fulfilled internal requirements, such as providing a customer with accurate information or following the correct internal procedures.
5. Provide mandatory disclosures
Contact center agents must provide mandatory disclosures, which are legal statements to explain specific processes, rules and options to callers. For example, if a contact center in the U.S. wants to record a customer call, it must be disclosed to the caller, and consent must be provided, which is passive consent in most cases. Regulations require mandatory disclosures when agents record customer calls, perform collection functions or make financial transactions.
This compliance checklist can help contact centers adhere to important standards and regulations.
6. Adhere to local privacy legislation
Organizations must adhere to various global and local legislation on customer privacy, depending on the geographic reach of the business. Due to legislation, organizations can’t manage all customer information in the same way. Data privacy laws vary by country and region, so organizations must know where each customer resides before they transmit, process and store customer information.
Examples of location-based privacy legislation include the following:
- General Data Protection Regulation. GDPR provides guidance on how organizations can collect and process personally identifiable information (PII) for individuals who live in the European Union.
- California Consumer Privacy Act. CCPA provides guidance on how organizations can collect and process personal and household information for individuals who live in California.
Because privacy legislation is always evolving, organizations must be proactive to ensure they’re up to date on laws affecting their contact center operations.
7. Adhere to the Telephone Consumer Protection Act
Organizations in the U.S. must adhere to the Telephone Consumer Protection Act, which sets rules for how an organization can use outbound calls for solicitation. TCPA regulations state that telemarketing contact centers cannot use predictive dialers to contact a wireless phone without prior consent from the customer. It also ensures telemarketers adhere to the National Do Not Call Registry and special regulations, which may include restricted calling hours in a particular geographic location after a natural disaster event.
8. Manage sensitive information
To comply with standards, such as the Payment Card Industry Data Security Standard and HIPAA, organizations must protect sensitive customer data at rest and in motion. Sensitive information can include PII, credit card numbers or protected health information. To protect sensitive information, organizations should encrypt all data, minimize the amount of stored data and use automation, such as interactive voice response, to perform sensitive transactions.
9. Provide ongoing training
Organizations should provide annual training on proper compliance procedures and guidelines to all employees. All employees should be up to date on specific compliance rules and understand how they can protect their organization and its customers.
10. Promote self-service
Organizations should maximize customer self-service procedures through secured portals to limit the sharing of information with other individuals and reduce security risks.
11. Test, monitor and act on a continuous basis
Organizations can and should implement all the items on this checklist. However, business leaders shouldn’t assume everything is working properly or that bad actors have not found ways to bypass established controls. Organizations should continually test and monitor the various compliance controls, whether through automated processes, such as reporting unauthorized attempts to access customer data, or human processes, like placing test calls.
When something doesn’t seem right, organizations should analyze the issue and take action to ensure the controls in place are performing as expected.
A contact center compliance checklist can help organizations avoid compliance failures. Contact center managers can use this checklist to evaluate their organization’s current compliance protocols and ensure their teams follow proper guidelines.
Common contact center compliance issues and malpractices
If strong compliance controls and practices are not in place, the following negative events can occur:
- Calling customers who requested not to be called, which violates outbound calling restrictions.
- Allowing PII to be stolen due to incorrectly accessing customer information.
- Improperly recording customer conversations by not adhering to call recording and consent rules.
- Providing incomplete information to customers by not adhering to scripting requirements.
If these events occur, an organization can be liable for financial penalties, along with other legal consequences. Just as important is the potential for negative customer perception, which can lead to degraded customer loyalty and customer defections.
Leadership in all areas of an organization must keep in mind that a compliance checklist only provides a template of best practices. It must be more than a written document. The organization must translate the document into reality and embed it into the corporate culture by focusing on the following actions:
- Invest in technology to support key items on the checklist.
- Promote accountability.
- Reward adherence to policies and address any gaps that arise.
A contact center compliance checklist might not stop all unauthorized activities, but it’s a solid start to implementing a strategy that adheres to legal, organizational and customer requirements.
Scott Sachs is president and founder of SJS Solutions, a consultancy that specializes in contact center strategy assessments and technology selection.
