The following is an article brought to you by Bayview Risk Management Capital, a company that specializes in working with buyers and sellers of debt portfolios. Learn more about Bayview at www.bvs-llc.net.
It’s ironic that, when you talk to participants in the debt-buying industry about their information security procedures, inevitably, they will tell you that the reasons they take the steps they take is, because it boils down to “common sense.” But, when insiders gather and start swapping stories, the tales routinely involve someone doing something that is about as far from common sense as you can get. Tales of portfolios being double sold, or where an employee has walked away with thumb drives or files while heading out the door are as common as people pining for a Republican president.
Debt buyers, sellers, and brokers are still adjusting to the new era, brought on by the Consumer Financial Protection Bureau, which has increased the regulatory burden on an industry that long unregulated, and led to a shortfall in supply of portfolios for sale.
But it has also led to a shining spotlight on how those companies keep their information secure, whether on their computer, in their offices, or when transmitting files.
“It’s changed dramatically for us,” said Marko Galic, business development director at New Century Financial Services, a debt buyer based in New Jersey.
The industry is moving toward adopting a set of best practices for information security. To be certified by DBA International, for example, a third-party audit is required. Some companies are also moving toward using secure email for transferring files, which adds a layer of security over and above traditional email. But the idiosyncrasies of secure email – having to log in, being unable to forward messages, the extra time it takes to send emails – keep some companies from embracing the technology.
The one dynamic that companies need to come to grips with, as it pertains to information security, is that it is a significant expense. But also a necessary one.
“Compliance is essentially a business risk,” said Neil Gonsalves, the founder and CEO of AARC-360 a consultancy focused on information technology and security. “What companies need to do is based on their size and the complexity of their operations. They have to identify where the risks actually lie.”
For debt buyers, sellers, and brokers, that can be broken down into two primary areas — data and employees.
In terms of data, a relatively new best practice is the requirement for as much of the original account-level information as possible. The information is required when filing a lawsuit against a debtor and validating the debt’s owner. But getting account-level information is not always enough.
“People look at how much media they can get, but they don’t look at what the media says,” says Barbara Sinsley, a lawyer with the firm of Barron & Newburger. “You have to look at the documentation. Ae you missing important elements and do you need to dig deeper?”
When it comes to working with employees, knowing who has access to what is critical. Gonsalves noted a healthcare company where an employee stole the records of 10,000 patients and was selling the information online for $2-to-$3 each.
There was just a data breach disclosed recently, where a substitute doctor at a chiropractic clinic stole the health records of an indeterminate number of patients so he could use the information to solicit them for his own practice.
“Companies tend to look outside,” Gonsalves said. “But most data breaches don’t come from outside; they come from inside.”
If and when examiners from the CFPB comes calling, the ability to provide the documentation they are asking for is incredibly important, said Stefanie Jackman, a partner with the law firm of Ballard Spahr.
“The ability to extract information and show regulators in an efficient way, that is what the CFPB wants to see,” Jackman said. “Compliance is expensive and we’re having to do a lot of it.”
Again, a special thank you to Bayview RMC for sponsoring this article series. Please visit them at www.bvs-llc.net.