5 Compliance Questions to Ask a BPM Partner
In our earlier blogs, we have mentioned how more collection businesses are getting used to the idea of outsourcing over hiring full-time amidst the current talent crisis, which shows no signs of course-correcting soon. We also learned how growth-focused agencies have found success with Business Process Management (BPM) over Business Process Outsourcing (BPO), thanks to the sophistication of the BPM model that lets the service provider hire, train and manage off-roll talent.
However, despite its benefits, the BPM model can go wrong when an agency does not vet a potential BPM partner on its Production Management, Transition Management, Compliance and Performance, Resource Management, SOPs, and Key Performance Indicator (KPI) practices. With the "Questions for A Potential BPM Partner" blog series, we aim to help you avoid these missteps, which can otherwise cost your business its brand equity. This time, our focus is on compliance-focused questions.
Compliance is of obvious importance for regulated industries such as credit and collections, particularly given the new CFPB leadership and its focus on upholding stricter rules for consumer protection. These rules affect not only your own operations but also those of your vendors and outsourcing partners, because a compliance failure at a partner is still your failure in the eyes of the regulator and the consumer. Here are the five most important questions you should ask a potential BPM provider to ensure they have solid compliance management in place.
1. Are you ISO/IEC 27001 certified for information security management?
An outsourcing partnership is effective when the service provider responsibly plays the role of a partner. A responsible business partner should always operate a framework for information security management and legal compliance. ISO 27000 is a family of standards; the one an organization is actually certified against is ISO/IEC 27001, which specifies an Information Security Management System (ISMS). An ISO/IEC 27001 certification demonstrates that a BPM partner has identified its information security risks, assessed their impact, selected and implemented controls to reduce them, and is audited on that system by an external certification body. Do not stop at a yes/no answer: ask for a copy of the certificate and check its scope statement, since a certificate can cover a single site or business unit, and it is only meaningful to you if the scope includes the locations, systems and teams that will handle your accounts and your consumers' data. Also confirm the certificate is current and was issued by an accredited certification body.
2. How do you manage PII and other sensitive data?
Many service providers don’t put the right controls in place to protect their personally identifiable information (PII) data assets. They are constantly collecting, storing, and distributing PII and sensitive data but still don’t quite understand the repercussions of mishandled data. Partnering with a service provider who fails to secure PII will leave your sensitive data open to highly targeted social engineering attacks, heavy regulatory fines, and loss of customer trust and loyalty. Hence, it becomes important to ask the service provider as many questions as possible around PII and sensitive data management. To begin with, ask how the service provider will:
- Identify PII and every location where it is stored, including copies in reports, exports, backups and agent workstations
- Classify PII by sensitivity
- Establish an acceptable use policy for each class of data
- Encrypt PII at rest and in transit, and manage the encryption keys so that only authorized systems and roles can use them
- Develop an employee education policy around the importance of protecting PII
- Establish an accessible line of communication for agents to report suspicious behavior
3. Do you document your policies and procedures? Will you be able to add our proprietary compliance policies on top of your general policies?
Policies and procedures change over time, so it is important to partner with a BPM service provider who has an established process for updating and redistributing their SOP documentation. Although it might feel like extra work to print and replace process documentation on a repeated basis, the provider should have all SOP documents version-controlled and easily accessible to all agents, so that nobody is working from a superseded copy.
A simple question such as "How do you manage third-party compliance?" should help you understand how the service provider (once partnered) will manage your additional compliance requirements on top of their general policies. Since the answer to this question is quite subjective, always look for more details in their response. Ask what process the provider will use to get your policies and procedures acknowledged by their staff. Once your policies and procedures have been communicated to the provider, they should be able to lay out a plan to ensure their agents know your compliance requirements.
4. How do you keep track of policy training for your personnel?
Effective training around compliance and company policy involves much more than simply reading compliance procedures aloud or sending all-hands memos. For best results, the service provider should use a training program that features interactive, hands-on learning opportunities. Employees should learn why each policy was created, and also how, by adhering to the policy, they help ensure consistent, compliant performance. This can only be achieved by keeping track of who has completed which policy training, and by conducting frequent training gap analyses against the current version of each policy.
5. Do you use any technology for managing compliance? Can you provide a demo of your compliance management system?
On the surface, a compliance management system (CMS) looks like a collection of policies, procedures, and processes governing all compliance efforts. In reality, it should help a service provider do more than just meet legal requirements and comply with applicable laws and regulations. An effective compliance management system should include board and management oversight, the compliance program itself, and regular audits of the compliance program. Automated tools should enable the provider’s CMS to work effectively.
Since visualizing the different elements of the provider’s CMS can be challenging, ask if they can show a demo of it. This will help you gauge the provider’s compliance risk: how likely they are to violate laws, regulations, codes of conduct, or organizational standards of practice, and how quickly they would detect it if they did.
A word of caution: Compliance is a complex topic, with many implications and branches of activity. In the realm of CFPB compliance, as well as other consumer privacy statutes, many additional questions can be asked around complaint and dispute management, Reg F compliance, and of course UDAP, FDCPA, among others. Not sure you’re getting what you need from your vendor partners? Our comprehensive compliance audit can identify gaps and help you establish a more secure path for the future. To get more information, click here.