Collection agencies can get lost in a sea of acronyms when it comes to audits. But regardless of the letters involved, the major issue with the different types of data security or compliance audits is that they act like snapshots – offering a view of a company’s compliance or security at a specific point in time. But, like so many snapshots, audits get put away never to be seen or heard from again, only to collect dust on a shelf or in a drawer. To put it differently, imagine checking the locks on doors and windows in a house, or the balance in a checking account, once a year. Locks and balances are checked and then frequently checked again to ensure we are “compliant.”
Data security audits and compliance audits today are writing “annual checks” that collection agencies cannot afford to cash given the growing number of new threats and malware. To provide more assurance and to reduce risk, TECH LOCK has developed a new audit product specifically geared for the collections industry, called TECH LOCK Certified 2.0 ARM Industry Service Provider. What separates the new product from others is that it is meant to address the fact that 86% of companies that achieve compliance fall out of it within 45 days, according to Todd Langusch, the president and chief executive at TECH LOCK Inc.
Langusch will be hosting a webinar on November 11 at 2pm ET to discuss the new product and the state of information security in the collections industry.
As Langusch puts it, the days of asking if a collection agency has had an audit conducted or requiring agencies to fill out a questionnaire are over. Today, more creditors and financial institutions are requiring proof of audits, and not just for information security practices and procedures.
“In addition to data security, TECH LOCK 2.0 covers operational compliance topics like the (Telephone Consumer Protection Act), (Fair Debt Collection Practices Act), and the (Fair Credit Reporting Act),” Langusch said. “Where most audits fail in the collections industry is due to the auditors’ lack of knowledge with collection systems and processes.”
In Langusch’s experience, a number of critical risks are overlooked or completely missed by auditors when conducting an audit of a collections agency. Those risks include specific firewall rules, location and protection of consumer information, auditing and logging, and proper system hardening, which is a technological term for reducing security risks. For collection agencies, collection systems and dialers are usually overlooked.
TECH LOCK 2.0 provides ongoing compliance monitoring for a 12-month period to assure creditors and financial institutions that collectors stay on the ball and do not let their compliance guard down. While it can be hard to justify the expense of an audit, the return on investment is definitely calculable. The Ponemon Institute, for example, estimates the cost of a data breach at $215 per record. That is a very expensive number, which is separate from the headline risk that goes along with having to announce a data breach.
The new product also takes a holistic approach, covering many applicable laws and standards for the company being audited. In addition, it is a control-based audit, in contrast to “criteria-based” audits, which are subjective. The benefit to creditors and issuers is a view into the audited company’s compliance with additional applicable laws and standards that they would not normally see with a single-threaded audit. Lastly, a control-based audit allows a reviewing organization a more consistent view of the controls and the auditor’s results.
Many collection agencies have complained that financial institutions and lenders are not looking to add new vendors because the vetting process has become so cost-prohibitive and time-consuming. But TECH LOCK 2.0 makes it easier to review the risk of vendors and service providers, especially collection agencies, Langusch said.