THE FTC SAFEGUARDS RULE  - Will the collection industry be ready on June 9th?
There is nothing more important than keeping personal and financial information secure

By Ranjan Dharmaraja, CEO Quantrax Corporation

THE BACKGROUND

On December 9, 2021, the Federal Trade Commission (FTC) published a final rule to amend the Standards for Safeguarding Customer Information (Safeguards Rule). In May 2022, the FTC published a paper titled "FTC Safeguards Rule: What your business needs to know". This publication was intended to serve as the small entity compliance guide under the Small Business Regulatory Enforcement Fairness Act. The effective date of the rule was December 9, 2022. On August 5, 2022, Advocacy submitted a letter to the FTC requesting an extension of the effective date. They referenced a letter from ACA International and other trade associations that asserted they "could not meet the December 2022 effective date because of the shortage of labor, lack of external resources and necessary equipment and provided data to support their assertions." For us, this was déjà vu. The industry had over two years to be ready for Regulation-F, but many companies still do not have comprehensive solutions for that important change. Are we ready for the Safeguards Rule? If we aren't, why not? The rule is now scheduled to take effect on June 9th, 2023.

Having received inquiries about Quantrax's readiness for this new rule, we decided to use the FTC's paper to share our thoughts on the subject. We will discuss the relevant areas of the rule and what our technology offers to address the requirements. This is an important topic, and as always, our comments should not be construed as legal advice. Please consult an attorney for legal advice.


WHO'S COVERED BY THE SAFEGUARDS RULE?

The simple answer is that the Safeguards Rule applies to financial institutions, which include account servicers and collection agencies. This means that every collection agency and first-party operation needs to be concerned about this rule. The information available suggests that fines may be as much as $100,000 per violation, with an additional $10,000 against officers and directors, which is a good reason for even small companies to pay attention.


WHAT DOES THE SAFEGUARDS RULE REQUIRE COMPANIES TO DO?

Several high-profile data breaches later, protecting customer data has become a very high priority. "The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information." The rule defines customer information to mean "any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates."

Just as Regulation-F seems to have been designed for financial institutions but now applies to different types of debt, we must interpret the rule to apply to high volumes of medical debt and other types of paper. Social security numbers, credit card data and bank account information are clearly nonpublic personal information, and your collection platforms must protect this data using proven and accepted methods. In the past, concerns about consumer data revolved around its unauthorized use in identity theft. This new law could have a much greater reach. If you call your bank to check your balance or ask why your card was declined, you have to answer several questions before you can obtain any information. The collection industry has never been forced to do this. We start out by assuming we are probably talking to the consumer. To meet the requirements of financial institutions, we were once asked to find a way to allow an agent to access an account only after they had verified that they were talking to the consumer. That solution exists in our collection platform today.

This document will focus on technical safeguards that largely revolve around your collection software. We will leave the administrative and physical safeguards to our clients to address using their staff, consultants and attorneys. Every company should have paid attention to the objectives of the Safeguards Rule many years ago, and most of the requirements should not be difficult to meet if you and your software vendor have taken data security seriously.

Let's look at the key concepts and objectives of the rule.

  • The FTC states that your written information security program "must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue". Based on historical data, we can expect the FTC and CFPB to target larger companies for enforcement action, while we could see many lawsuits against smaller companies from attorneys who focus on collection agencies
  • You must ensure the security and confidentiality of customer information
  • You must protect against anticipated threats or hazards to the security or integrity of that information
  • You must protect against unauthorized access to that information



HOW DID QUANTRAX ADDRESS THESE REQUIREMENTS?

Many lawsuits result from ambiguity, and Quantrax avoids this by treating smaller and larger, or simpler and more complex businesses in the same manner, when it comes to data security. We have a single product and most of our clients are on a current version of our product. A client with 20 users has the same data security features as the company with 1,000 users.

  • Our collection software runs on the powerful and secure IBM i platform. With the appropriate network segmentation and access controls, a security breach is close to impossible. This is a significant advantage compared to the risks associated with the more vulnerable "PC servers" used by other vendors.
  • Fifteen years ago, everyone had premise-based hardware. Today you would need to have an expensive SOC-1 or SOC-2 certification to publicly state that your data was secure. A reputable hosting company would be responsible for obtaining these certifications. They are responsible for maintaining HIPAA standards and installing hardware (e.g. firewalls) and software (e.g. VPNs) for safe access controls. Quantrax will insist that your company and your users also maintain the highest security standards. Quantrax and its software are now SOC-2 certified for the multi-tenant architecture in our data center (hosting site). Dedicated servers are also available.
  • Many collection agencies allow their key clients to access their accounts and selected reports. It can be challenging to set up access controls like VPNs for these users, and Quantrax's solution to this problem is its two-factor authentication option. A code is sent to the user via text message or e-mail, and the client is asked to enter that code after signing in with a User ID and password.
  • Users are forced to change their passwords at regular intervals.


  • Disks are encrypted and this functionality is a part of the IBM i infrastructure.
  • Quantrax's software encrypts all social security numbers and financial data using the AES 256-bit algorithm. The Advanced Encryption Standard (AES) is the first and only publicly accessible cipher approved by the US National Security Agency (NSA) for protecting top secret information. Data must also be encrypted in transit, using secure file transfer protocols (such as SFTP rather than plain FTP) that may carry information between consumers, your clients and your business.
  • The collection industry traditionally moves data from its collection platforms to other companies, to take advantage of the services they offer. For example, a 3rd party payment portal you use may require you to transmit a list of your active accounts along with information to authenticate a consumer. Even though there are many secure data transmission protocols available, this will be perceived as one more area you need to be concerned with. In Quantrax's case, we created intelligent chatbots that can be contacted through a link on a client's website, through a browser or with a phone call. Once the consumer is authenticated, the consumer is accessing data stored on the collection platform and not on a third-party server. In the case of integration with products like dialers or text messaging services, we create secure links with access controls, for the transmission and access of data between different systems.
  • We do not store credit card information on the system, even though the data is encrypted. The payment gateway securely stores card numbers and returns a token that we store for processing future recurring payments.
  • After COVID and the need to sometimes have agents work from home, we have created technology to stop agents from asking for, or even hearing, a credit card number. A link sent to the consumer's phone allows the consumer to securely enter their credit card information. When the information is submitted, the agent is notified and can process the payment from their desktop.


  • Unauthorized access can take place from within a collection operation. Protecting consumer data can be extended to making sure that access is limited to individuals authorized to access the information. Our system offers role-based access (limiting access to medical information would be an example). There are options to mask socials and financial data based on the user accessing an account. The system can be trained to allow a specific client's information to only be viewed by selected individuals.
  • How do you discourage your agents from accessing accounts they should not? Our technology will document the fact that someone accessed an account, even if they quickly viewed the account and exited or "closed the window". As we stated earlier, we even have an option to stop an agent from seeing the details of an account until the consumer has supplied information that uniquely identifies the account (for example, part of the social security number or the date of birth).
  • The FTC requires you to "Maintain a log of authorized users' activity and keep an eye out for unauthorized access." Our system maintains an "Activity log" that tracks access to different areas of the system by user, date and time. Today's operating systems give you many options to recognize and handle unauthorized access. Our collection software offers many features to restrict data access to authorized users.
  • In most systems, partial searches offer flexibility and speed in locating information (for example, searching by a part of the street address). Allowing a user to enter part of a social security number and displaying a list of accounts based on that input is a security risk. Partial social security number searches are not permitted in our system.
  • Data security is a double-edged sword. It can protect your data and make it difficult for genuine consumers to work with you. Our advanced chatbots can be securely accessed without your unique account number, offering flexibility and user-friendly customer service.
  • There are other areas of a collection platform that can compromise financial data. If an agent is taking credit card information, we are able to turn off call recording so credit card information is not saved on call recordings.
  • Internal reports that print social security numbers and financial data such as credit card numbers have been modified to mask the information.
  • There is an interesting and probably little-known section on securely disposing of customer information. This may affect the way you work and store accounts. The FTC's document states that you should "Securely dispose of customer information no later than two years after your most recent use of it to serve the customer. The only exceptions: if you have a legitimate business need or legal requirement to hold on to it or if targeted disposal isn't feasible because of the way the information is maintained." With some companies retaining accounts placed over 15 years ago, it is very likely that this topic will be discussed in collection forums and webinars for many months to come. If you have reported an account to the credit bureaus, do you need to have access to the information as long as it is on a consumer's credit report? If the account is still assigned to your agency and there has been no activity because you lost contact with the consumer, are you now forced to delete the information and return the accounts to your client? In our system, you can physically delete an account based on the required criteria, but we retain some limited information to respond to questions that may come up. Is that permitted?
  • The FTC insists that you "Train your staff. A financial institution's information security program is only as effective as its least vigilant staff member. That said, employees trained to spot risks can multiply the program's impact." The architecture and design of your collection software play a critical role in administering this requirement. In our experience, several poorly designed systems have the same data stored in multiple files and locations. This is data security's worst nightmare. Quantrax's collection platform is an AI-driven system running on a well-designed relational database, offering many systemic features to add machine-thinking and automated controls to your data security program.
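The access controls described in the bullets above (full-SSN-only search, identity verification before an account opens, masking of socials by role, and an activity log that records every attempt, including denied ones) as an added Python example. This is illustrative code written for this article, not Quantrax's software; the account number, SSN, date of birth, token and user names are constructed.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

FULL_SSN = re.compile(r"\d{9}")  # a search must supply all nine digits


@dataclass
class Account:
    number: str
    ssn: str
    dob: str         # YYYY-MM-DD
    card_token: str  # token returned by the payment gateway; the card number is never stored


def mask_ssn(ssn: str) -> str:
    """Show only the last four digits, as on masked screens and reports."""
    return "***-**-" + ssn[-4:]


@dataclass
class Platform:
    accounts: dict
    activity_log: list = field(default_factory=list)

    def _log(self, user: str, action: str, account: str) -> None:
        """Record every touch by user, date and time, including rejected attempts."""
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.activity_log.append((stamp, user, action, account))

    def search_by_ssn(self, user: str, ssn: str) -> list:
        """Refuse partial SSNs so a fragment cannot be used to list accounts."""
        if not FULL_SSN.fullmatch(ssn):
            self._log(user, "SSN_SEARCH_REJECTED", "-")
            return []
        hits = [a.number for a in self.accounts.values() if a.ssn == ssn]
        self._log(user, "SSN_SEARCH", ",".join(hits) or "-")
        return hits

    def open_account(self, user: str, role: str, number: str, proof: str):
        """Release details only after the caller supplies the last four of the
        SSN or the date of birth; agents see the SSN masked, supervisors do not."""
        acct = self.accounts[number]
        verified = bool(proof) and proof in (acct.ssn[-4:], acct.dob)
        self._log(user, "OPEN" if verified else "OPEN_DENIED", number)
        if not verified:
            return None
        ssn_view = acct.ssn if role == "supervisor" else mask_ssn(acct.ssn)
        return {"account": number, "ssn": ssn_view, "card": acct.card_token}


# Constructed sample data, not a real consumer record.
SAMPLE = Platform({"A1001": Account("A1001", "123456789", "1980-04-02", "tok_8f3a")})

if __name__ == "__main__":
    print(SAMPLE.search_by_ssn("agent7", "6789"))                   # partial: rejected
    print(SAMPLE.open_account("agent7", "agent", "A1001", "1999"))  # wrong proof: denied
    print(SAMPLE.open_account("agent7", "agent", "A1001", "6789"))  # masked view
    for entry in SAMPLE.activity_log:
        print(entry)
```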

That will give you an idea of how collection software plays a key role in demonstrating that you are ready to meet the requirements of the FTC's Safeguards rule.



HOW DO YOU COMPLETE THE REQUIREMENTS OF YOUR INFORMATION SECURITY PROGRAM?

The FTC goes on to list nine elements that your data security program must include. Here is a summary of those items from their paper that was used to frame this article.

  • Designate a qualified individual to implement and supervise your company’s information security program
  • Conduct a risk assessment
  • Design and implement safeguards to control the risks identified through your risk assessment - In addition to creating review processes, this section reiterates the need for encrypting customer information, assessing your applications, implementing multi-factor authentication, disposing of customer information after its valid use, and assessing the impact of internal network changes
  • Regularly monitor and test the effectiveness of your safeguards - We believe that most companies may need to hire dedicated resources or a third party to carry out these tests
  • Train your staff
  • Monitor your service providers - There are many ways to interpret and act on this. With few collection companies having the resources to manage technical projects, Quantrax always takes on the role of integrator. Even though you may have contracts with our partners like Revspring, Solutions by Text, VOAPPS, TCN or Palinode, we manage the integration, take responsibility and are your first point of contact for any questions or support issues. This reduces the scope of "monitoring your service providers"
  • Keep your information security program current
  • Create a written incident response plan
  • Require your Qualified Individual to report to your Board of Directors

As we recommended, please review the non-technical aspects of the rule. Work with your staff and outside consultants to address those areas too.


IN CONCLUSION

The items covered by the Safeguards Rule are not new or surprising. Implementation is likely to take place soon. With the high-profile breaches that still occur, we are likely to see enforcement actions too. For attorneys looking for lawsuits to file, this will be an encouraging target.

Proactive collection operations have already implemented processes to meet many of these requirements. There will be gaps that need to be filled quickly as a result of the FTC's changes to the rule and a final implementation date. Predictably, most of the industry has not taken this seriously in spite of being given plenty of time to address the logical and practical requirements in the rule. Your collection technology is a critical part of creating acceptable solutions and responses to the rule. If the solutions offered are not a part of your current collection platform, you will be forced to create workarounds, as you may have had to do with Reg-F. It's time to think longer-term for your plans, technology, people and processes. In the short term, you should consider a hosted infrastructure and obtaining SOC-2 certification for your business (separate from the certifications that your hosting or software vendor may offer).

Revisiting your collection software options is not a bad idea either!

__________________________________________________

Quantrax Corporation is a technology company that created an intelligent collection platform over 25 years ago. They believe that the ARM industry has been poorly served by collection technology that has not evolved or kept up with the great potential of computing power, or challenging industry changes. Self-funded, Quantrax has continued to successfully develop and deploy technology that offers modern solutions to old problems.

Ranjan can be reached at [email protected]

www.quantrax.com – (301) 657-2084
