The Crossroads of Security and Compliance
No doubt a significant amount of any collection agency, debt buyer or law firm’s time over the past two years has been consumed with gathering new requirements implemented by regulators, distilling and understanding the impact of the new regulations on their business practices and scoping the effort, cost and time required to implement these new regulatory requirements.
Mandatory audits of financial services companies that meet the larger market participant definition have created an immediate need for all operators in the financial services space, as well as their service providers, to step up their game with respect to security and compliance. While this subject has been covered extensively, it is my opinion that the dots have yet to be fully connected.
The Requirement for Broader Policies and Procedures
Security audits and certifications can be provided by any number of competent third-party firms, including CPAs, QSAs and other recognized third-party security auditors, to provide independence and audit compliance as it relates to any number of security certifications such as PCI-DSS, SSAE16 (SOC1 or SOC2), HIPAA, FISMA, ISO 27000, GLBA and numerous state certifications relating to plastic card acts in individual states. While these certifications are mandatory for any company operating in the financial services arena today that handles private consumer data, there is an additional requirement for a new set of policies and procedures that companies will need to have in order to demonstrate compliance with the rules outlined by the CFPB and FTC.
This set of policies and procedures is the merger of the security policies and procedures for the regulated entity with the operational policies and procedures outlined by the company. A close inspection of the CFPB’s audit and supervision manual will quickly reveal the blurred lines between these two disciplines in the organization.
The Emerging Need for Hybrid Policies and Procedures
But the development of this set of hybrid policies and procedures is no small undertaking, and subtle nuances exist by industry specialization such as debt buying, collections and legal collections, as well as for the service providers supporting these industries. A one-size-fits-all solution simply will not suffice for all industries, and furthermore, the effective demonstration of the implementation of these policies and the supporting documentary evidence of compliance will not be a uniform exercise across all collection agencies or debt buyers.
Creating the body of work that will come to be a set of holistic policies and procedures, melding the practices of information security and compliance across an organization, is also only scratching the surface when it comes to defending one’s firm or agency in a civil investigative demand proceeding by the FTC or CFPB. Rather, this hybrid policies and procedures manual merely provides the roadmap a company must follow in order to demonstrate the effective implementation of operational practices, monitoring and oversight and, most importantly, the documentation of ongoing adjustments to business practices required by the regulators.
Be on Offense…NOT Defense!
In short, any company operating in the new regulatory landscape will have only one chance to get it right BEFORE being forced to go on defense against a regulatory agency bringing a civil investigative demand proceeding against it. It is imperative that you prepare now, select a trusted and competent advisor to assist your company in developing these new policies and procedures, and have that advisor provide the third-party independence to evaluate and monitor how your company is complying with its own policies. While the effort will be significant, and the cost not insignificant, the burden and costs to defend your company AFTER a civil investigative demand notice arrives will be exponentially more expensive and most probably a death warrant for most small to medium sized companies.
Cruise lines don’t perform evacuation drills as the water is coming over the rails and airlines don’t play the safety briefing videos as the cabin is filling with smoke. So why are you waiting for the day that the CID notice arrives and Federal agents demand boxes of documents and computer hard drives? Get your house in order today. It’s cheaper and a LOT less stressful in the long run.