Tuesday 21 January 2014

Where next for compliance?

As we all know, the compliance landscape for debt recovery has changed dramatically over the past decade.  Regulators have gradually been stepping up the expectations of our industry, principally since the Office of Fair Trading’s (OFT) first release of debt collection guidelines in 2003.

Initially the industry tried to carry on with existing practices and just tick the compliance boxes.  In recent years though, there has been a shift in thought, with many in the industry genuinely embracing the intent of the regulators to treat indebted customers better.  

My own view is that many DCAs have now improved their contact approach with customers to the point where the majority of calls and interactions with that DCA are dealt with well.  For example, when call listening it’s rare now to hear aggressive agents, railroading of the customer and other such practices. In a nutshell, whilst there are still gaps, many DCAs are now doing a pretty good job with the debt they are given.  

So, if this is true, where does the regulator go next?  Or do they even need to go anywhere next? To answer this, the question needs reframing from “are collections operations doing as good a job as they can” to “is there any remaining material customer detriment?”

I believe there is, and one example is the blunt instrument of recycling. Recycling non-payers from first placement DCA to next placement is industry standard practice and, in itself, is not inappropriate.

The problem comes with the way recycling operates in our industry. The standard practice is to recycle after a set number of days (typically between 90 and 180) with no payment. The assumption being that if a consumer has not paid within this timeframe, they are not going to pay and the agency has no reason to maintain interactions with that consumer.

The truth is often more nuanced. What happens if the DCA has just managed to achieve a first right party contact (RPC) with that customer, or just reached a payment arrangement, only to have the account whipped away from them by the arbitrary application of the placement expiry?  True, agencies can request that an account is not closed, or request information from the previous agency.   But how often does this really happen?

In addition, when accounts are recycled, the quality of information passed from the first agency to the second is often poor. The vast majority of accounts are returned simply as ‘efforts exhausted’ or ‘unable to collect.  In reality, the first DCA has much more information that could help the second agency to have a more empathetic and informed conversation with the customer. For instance, has a conversation with the customer taken place?  Was an arrangement reached but broken? Did the customer say they were in financial difficulty?  Does the customer have certain special circumstances that are understood?  We have all heard the impacts of this when we listen to second and third placement calls; ‘I’ve explained all this to the last company’, ‘what about the issues I raised over 2 months ago’, and other similar interactions with customers.

It is my belief that one area regulators will start to explore next (to some degree they have already started) is the transition of accounts between parties, including the originating creditor.  We need to understand more about how this transition impacts the customer, and the quality of information that is passed between those parties to ensure that, even though the debt is changing hands, the customer at least feels like some kind of joined-up thinking is going on.

Taking a more holistic view, I believe it won’t just be good enough for each party to do the best job they can for the customer within their part of the process. What will matter next is the overall customer treatment from cradle to grave. This will require originating creditors to work with their vendor network to ensure the customer experience is fluid and connected through all stages, placements and vendors.  Key to this will be provision of more and accurate information as debts are passed on through each stage in the collections and recoveries process.  

To summarise, I see two likely directions for future regulatory oversight:
  • The Financial Conduct Authority (FCA) regulatory oversight is likely to be more rigorous in terms of identifying discrepancies versus the existing requirements.
  • New requirements will look at the cradle-to-grave experience, particularly information continuity between parties dealing with the customer.

By Rob Barrett, Director of Debt Recovery, TDX Group

Tuesday 14 January 2014

How proposed EU data protection changes could impact your business in 2014 – part 2

In the first instalment of this two-part update, we looked at some of the most striking changes in the proposed EU Data Protection Regulation and how these might affect UK business. The highest profile change is the increase in monetary penalties from the current £500,000 to a staggering €100m or 5% of global turnover, whichever is higher – but other changes may have a more immediate impact on your business.

The benefits of certifying your compliance
Organisations will be protected from the €100m monetary penalty in the event of a security breach (unless the breach is due to negligence) if they are audited against a new EU-sponsored data protection standard. The new standard may also provide a commercial advantage against competitors who do not hold the certification, if it becomes a trusted “kitemark” for data protection.

The scheme will also be available to non-EU companies as a method of providing a legal basis for international data sharing (or offshoring). This is particularly important as most of the current provisions for non-EU data transfers will expire either five years after the regulation comes into force (for the current “whitelist” of non-EU countries, including the USA’s Safe Harbor) or after two years (for agreements which use binding corporate rules, most commonly used by multinationals).

The right to be forgotten
Now referred to as the “right to erasure”, this provision allows individuals to request the deletion of personal data. The personal data must not be related to an ongoing transaction or contract, and must no longer be required for the original purpose of processing. You may also be obliged to delete data if you rely on the customer’s consent for processing (e.g. if no formal contract is in place, such as with free services or marketing lists) as consent can be withdrawn at any time.

Deleting all of someone’s personal data (including anything which could identify them as an individual, such as contact details down to postcode level) requires knowledge of every location where the data is stored and processed. Even organisations with mature data management processes may struggle to replicate that capability throughout their supply chain, and companies should also be aware of their contract terms with third parties.  If a supplier charges for each manual deletion of personal data, this could rapidly become an unreasonably expensive process.

Introduction of a mandatory timeline for notification of data breaches
The regulation mandates that data breaches are notified to the Information Commissioner and to data subjects “without undue delay” – an improvement on a previous draft which gave a strict 24-hour timeline for reporting. According to a leading data breach report (1), around two-thirds of breaches take months or even years to discover; having 24 hours to provide details of personal records affected by a breach, several months after the attack occurred, seems unachievable. Even just providing out-of-hours cover for security staff can lead to disproportionate additional expense.

Restricting consent
The draft EU regulation protects the customer from being forced to accept “unnecessary” processing which isn’t required by the offered service (for example where companies use personal data for  marketing or behavioural profiling in addition to providing the core service). Consent will only support the processing of personal data when it is freely given, and is for a specified core purpose.
This could also affect employers, as the draft regulation states that organisations can no longer rely on consent for processing personal data when the individual is not in a position to deny consent. The main example of this relationship is that of the employer and employee - if an employer decides to record the nature of an absence-related illness (thereby processing sensitive personal data), consent is unlikely to be seen as freely given as the employee does not have the power to refuse.

Summary
While the majority of media attention has focussed on the headline-grabbing €100m penalty for security breaches, the day-to-day impact of less dramatic changes such as the “right to be forgotten” may have a more significant long-term impact on UK businesses. Small businesses in particular may need to adopt different working practices, including increased documentation of their systems and processes, in order to avoid increased costs or reliance on third party knowledge for compliance. 

All companies can prepare for the change in legislation by:
  • Avoiding complete reliance on customer consent (which can be withdrawn at any time).
  • Schedule 2 of the Act contains a list of valid reasons for processing personal data.
  • Implementing retention periods for data so that personal data is deleted or anonymised once it is no longer required. Not only will this minimise storage costs and reduce risk, but it will also provide an automated and repeatable process for the “right to be forgotten”.
  • Putting systems in place for early detection of potential data breaches and to respond appropriately. Security incidents are increasingly a “when, not if” scenario which can be addressed in the same way as business continuity and disaster recovery.
If the regulations are delayed, which is possible due to forthcoming European elections, taking these steps (and those in the first blog post) will still improve an organisation’s resilience and may provide a competitive edge. Large organisations are increasingly focussing on managing risk throughout their supply chain and a modern business which can boast of its data management and security practices will be well equipped to win new business, and to cope with future regulatory change.

(1) – Verizon data breach report, 2013.

David Rimmer, Head of Information Security, TDX Group

Friday 10 January 2014

Understanding performance: start influencing outcomes instead of just measuring them

Come month end the same old questions are invariably asked about collections:
  • What are the changes in collections compared to last month?
  • Performance isn’t in-line with forecast; should we expect this to continue?
  • Performance is in line with plan but shouldn’t we be doing better with the introduction of initiative X?
Your standard MI reports should enable you to answer some of these questions:
  • Have placements dropped recently?
  • Is liquidation declining?
  • Has a particular DCA had an issue with remitting payments this month?
But how well do you really understand your portfolio’s performance?
 
Identifying the true trends in your portfolio is much more difficult. To really understand performance you need to stop just measuring your performance outcomes, such as collections, liquidation, penetration, breakage rates, average payments, etc. You need to start measuring the inputs as well.
For example:
Upstream changes – changes made in acquisition and customer management can have a huge impact on the problems/debts being managed in collections and recoveries. For example the introduction of smart metering in the water and utilities sectors is going to have a huge impact on portfolios, as will the reduction in fees for the use of mobile phones abroad in the telecommunications industry. Knowing about these changes and adjusting your processes and strategies accordingly will give you a head start on other creditors.
 
Debt quality – a change in the mix of debt flowing in today will have a limited impact on collections this month, but if it continues will have a large impact in the future. As above knowing about this early will enable you to adapt your strategy to maximise performance.
 
Collections activity – monitoring the activity of your collections team/DCA will enable you to ensure all the accounts are receiving the activity you want at the time you want. If your portfolio is only on the dialler in working hours this could have a huge impact on your performance. By monitoring activity you will spot this long before you would have noticed the collections drop and so will be able to make the change immediately.
 
Strategy effectiveness – knowing if your strategy is performing well is vital; any new strategy needs to be tested so you know the effects. Lots of performance issues can be traced back to a change in strategy such as removing a letter that was not fully understood.
 
So, understanding your performance better isn’t just about answering those tricky questions come month end, it is the key to you achieving great performance. Understanding performance is the first step to being able to implement improvements to your processes and strategy. These improvements are much more likely to work as a result as you know what they are addressing, you are able to monitor their performance and thus make adjustments as required.
 
By Stephen Hallam, Value Analyst, TDX

Friday 3 January 2014

Gazing into our Crystal Ball – The key themes in the US debt collection market for 2014

Our recent post summarized the key themes in the US debt collection market through 2013. Following a week of staring deep into TDX Group’s crystal ball, we can now provide our view on the key themes for the forthcoming year, 2014.

1. Regulatory requirements will continue to grow
Ok, so maybe I didn’t need the crystal ball for this prediction but this is of huge importance, the regulatory challenges of 2013 are not disappearing, they will continue to grow. The recently published ANPR (Advanced Notice of Proposed Rule-making) by the CFPB demonstrates that the regulators are looking to make significant changes to industry regulations and that creditors will need to continue to ensure that they respond to these.

2. Regulatory impacts will broaden to other sectors
The focus of regulators has been extremely targeted through 2013; they have identified marquee players in each sector, identified their failings and then taken decisive action through imposing significant fines and consent orders. Initially they focused on major financial institutions, before progressing to other sectors such as auto, pay-day lending and debt settlement companies. Through 2014 we predict this trend to continue into other sectors such as telecoms and utilities, once again, with regulators expected to target major players.

3. Performance will remain a secondary focus, although some strategies will be unsustainable
The biggest change of the last year has been the industry’s shift in focus (particularly in the financial services sector), away from performance and firmly towards regulatory adherence; although discussed previously, the actions of the past 12 months undeniably highlight this. This will continue throughout 2014 and probably long into 2015, although we do believe that a number of the performance-damaging strategies deployed by creditors as an immediate response to regulatory pressures (e.g. the prevention of sale activity) will become unsustainable and will slowly start to be reversed.

4. The auditing of vendors will fundamentally change
Compliance and audit activity surrounding vendor management continues to focus on ensuring that suppliers have the right policies and processes in place. This, however, has been identified by regulators as being insufficient, as demonstrated by recent fines and consent orders. The actions (and not just policies) of vendors are the responsibility of creditors and so sufficient monitoring, oversight and risk mitigation is required around this. As a result, we see the audit landscape shifting throughout 2014, with more focus being applied to account level monitoring to ensure that identified policies are being adhered to.

5. Best practice will utilize new regulatory requirements to improve, not hinder, performance
The reactionary response to regulatory requirements through 2013 has resulted in creditors being forced into performance-damaging decisions such as reductions in panel sizes and the pulling of sales from the market. As such, new requirements have often been viewed as performance-damaging. As we enter 2014 creditors at the forefront of the industry which apply best practice will start to identify that new requirements can, in fact, drive and not hinder performance. By taking a more customer-centric approach to collections and improving the overall customer experience, underlying performance will naturally improve; examples of this include ensuring that all disputes are responded to in a timely manner and having a clear view of agency activity levels.


  


By John Telford, CEO TDX North America