7 Takeaways From The RMAI 2022 Annual Conference
- February 11, 2022
- Category: Compliance Management
The Provana team recently joined the Receivables Management Association International (RMAI) Conference in Las Vegas, where thought leaders from the credit and collection space came together to discuss and exchange ideas.
Over umbrella drinks at the cabana crawl and throughout the conference, conversations ranged from the CFPB’s current focus areas to pressing data security concerns that are looming large across the ARM landscape. Below are seven key takeaways from these discussions.
1. Know the CFPB’s focus areas for 2022
As more collection players comply with Reg F, the CFPB is currently placing its focus on Buy Now Pay Later (BNPL), junk fees (such as overdraft fees in one’s bank account or processing fees for concert tickets), inaccuracies in reporting, and consumers’ ability to access their own data.
The bureau is also being watchful over what fintech apps are doing with consumer data, the dominance of key banking players, and the delisting of companies that run afoul of PCAOB regulations due to the lack of bipartisan agreement on being tough on China.
2. Beware of phishing amidst complaint data
It is also important to be mindful of socially engineered attacks (phishing scams) as you skim through CFPB consumer complaint data. Increasingly, scammers are filing false complaints with the intention of stealing personal data. In a recent set of data breach incidents, socially engineered complaint emails had the same format of FirstnameLastnameLast4SSN. If you spot anything like this, or see the same email content coming from multiple sources, flag these falsified complaints to the CFPB immediately.
3. Keep your focus on data security
Amid rising cybersecurity concerns, it is important to add an additional layer of security to your IT infrastructure and business apps. The unfortunate irony is that if you are a small agency, you might not have the resources to strengthen your security layer, yet you are the most vulnerable to having your PII data (CC account data, SSNs) compromised due to a cyberattack.
To make big security changes in your current practices, begin with small steps. Start with doing “penetration testing” to make sure all your platforms are secure, by checking for exploitable vulnerabilities in networks, web apps, and user security. Before you work on an incident response plan (in case of a data breach), ask some questions about data access and privacy, including:
- Why do we have this data?
- How long will we have it?
- Who can access it?
- How is it stored?
- How will it be destroyed?
It is also important to have SOPs in place to retire data from your server if a client chooses to end their business with you.
4. Adopt widely used cybersecurity frameworks
Given the prevalence of cyberattacks in the space, the CFPB has published an IT Examination Manual on its website, which follows certain FTC rules and the Classic CMS (board controls, risk assessments, complaint management) model to deal with cyber threats. Align your incident response plan with the New York State Department of Financial Services (DFS), California Privacy Rights Act, Virginia Consumer Data Protection Act, and Colorado Privacy Act, depending on the state your business is based in. Some clear ways to prevent ransomware or a socially engineered cyber-attack include using multifactor authentication and monitoring and logging all transactions.
5. Be mindful of texting and electronic payment rules
As a practice, refrain from sending a consumer a text without their consent, which not only violates CFPB requirements under Reg F but is also restricted by some major phone companies, including T-Mobile. As a rule, and to avoid a scuffle with any telco providers, opt out all consumers from any form of text until you receive their consent.
Given that the CFPB is serious about regulating electronic payments (Credit, Debit, ACH), it is best not to settle any payment with the consumer in crypto or any untraceable currency. As a rule of thumb, follow NACHA rules for any ACH transaction.
6. Make positive changes in your auditing habits
If you are managing an examination by client auditors, track interviews and update notes from the examination in your CMS. As a rule, it is always best to interview people who are experienced at depositions or prior examinations.
While itemizing risks and issues, track where issues come from in the first place. It is always best to set timelines to get these problems resolved with a clear mean time to resolution (MTTR) threshold.
7. Seek as much info as possible
To remain compliant, it is best to check in with the creditor who owned the delinquent account from origination to current servicing. As a third-party agency, it is also your responsibility to know what information the debtor had at the point of lending.
We had a wonderful time reuniting with old friends and making many new ones this year. We look forward to keeping in touch and seeing you at the next conference!