What is contact centre compliance?
Navigating the complex landscape of compliance regulations can be challenging for many organisations, particularly in contact centres, where the data handled is often sensitive and a breach poses a significant compliance risk.
Compliance is defined as adherence to a set of rules and regulations. These precepts can be set by a company internally or be governed by an external regulatory body, and they can also differ between countries and industries.
So, how do you ensure your contact centre adheres to all necessary regulations?
The solution is contact centre compliance.
However, as contact centre compliance can be challenging to navigate without the right tools, contact centre technology that supports compliance is critical. By implementing the right contact centre solution, organisations can safeguard data and automate compliance processes, avoiding costly mistakes and potential data breaches.
In this article, we explore the area of contact centre compliance: how compliance is governed differently by industry (for example, Financial Services and Healthcare), and how the right contact centre technology can be leveraged to simplify, streamline and optimise your compliance efforts.
The nature of contact centre compliance
Compliance encompasses data protection and ensuring that agents act in accordance with their duty of care, taking an unbiased approach when providing certain information or advice.
While these various rules and regulations can make compliance challenging for organisations, ensuring your contact centre can keep data secure provides your business with legal protection and supports delivering the best duty of care to customers.
How poor compliance can impact your business – what are the implications of non-compliance?
When considering implementing and maintaining compliance in your contact centre, you must be aware of the implications of non-compliance on your organisation.
According to research by IBM, the average cost of a data breach increased from $4.24 million (USD) in 2021 to $4.35 million in 2022. Additionally, breaches involving a high level of compliance failures cost $2.30 million more on average than those involving a low level.
While cybercriminals are the most common source of data breaches, 23% of all data breaches stem from human error. This statistic highlights the importance of utilising the most effective contact centre solution to maintain compliance.
Contact Centre Regulations You Need to Be Aware Of
When referring to sensitive data in a contact centre, you’ll come across the terms ‘personal identifiable information’ and ‘personal payment information.’
These key terms can be defined as:
Personal identifiable information (PII) refers to data that can be used to distinguish or trace an individual’s identity.
Personal payment information (PPI) refers to data involved in financial transactions.
PII and PPI are highly sensitive and subject to strict compliance regulations, which differ by country and region.
In addition to PII and PPI, you may also hear ‘PCI DSS,’ which affects any organisation that takes payments over the phone.
Information relating to payments is one of the most sensitive types of data and the most targeted by cybercriminals. As a result, contact centres that handle any financial information must implement security practices to protect this data from breaches and fraud exposure, both internally and externally.
One such compliance practice involves adherence to the Payment Card Industry Data Security Standard (PCI DSS), a global security standard for protecting cardholder data such as credit card numbers.
PCI DSS prohibits contact centres from recording sensitive payment data, including card verification values (CVV), personal identification numbers (PINs), expiration dates and the cardholder’s name.
Of the twelve areas of compliance mandated by the PCI DSS, five relate directly to contact centre operations, which include:
- Protect stored cardholder data at rest, in use and in motion
- Encrypt transmission of cardholder data across open, public networks
- Restrict access to cardholder data by business need-to-know
- Restrict all physical access to cardholder data
- Track and monitor all access to a network resource and cardholder data
We will now explore the compliance regulations that apply to organisations by industry.
For the Financial Services industry, below are some of the regulations your organisation is required to adhere to:
- Regulatory Guide 271: explains what financial firms must do to have an internal dispute resolution (IDR) system that meets ASIC’s standards and requirements. It also redefined what constitutes a ‘complaint’ (we go into more detail about RG 271 below).
- The Australian Competition and Consumer Commission (ACCC) enforces Australian laws relating to debt collection, with strict rules regarding harassment, vulnerability, and deception.
Concerning the Healthcare industry, the following regulations will affect your organisation:
- The Privacy Act 1988 requires a healthcare organisation to seek the patient’s consent before collecting personal patient information.
- The Health Records and Information Privacy (HRIP) Act 2002: outlines how healthcare service providers in New South Wales must store and manage identifiable patient information.
- The Royal Australasian College of Physicians (RACP) provides practical guidance on conducting telehealth appointments to uphold the patient’s privacy. When a consultation is recorded, the practitioner must securely store the recording to maintain the patient’s confidentiality.
General Data Protection Regulation (GDPR) Highlight:
In May 2018, the European Union (EU) brought the GDPR into force, legislation containing stringent data protection requirements that overhauled the previous national data protection rules. The GDPR applies to Australian organisations if they:
- Have an established presence in the EU,
- Offer goods and services to EU citizens, or
- Collect personal information of EU citizens.
Under this legislation, organisations must protect any data that can be used to identify an individual, give customers access to any personal data they request, and honour the ‘right to erasure’: customers have the right to be forgotten, meaning every piece of personal information relating to the individual must be deleted.
This legislation has pressured organisations to adhere to new, rigorous privacy requirements. However, using the right contact centre technology can support compliance with the GDPR and help avoid its tough penalties.
Regulation Spotlight: RG 271
In July 2020, the Australian Securities and Investments Commission (ASIC) released Regulatory Guide 271: Internal dispute resolution, which explains what financial firms must do to have an internal dispute resolution (IDR) system that meets ASIC’s standards and requirements.
It redefined what a complaint means. As defined under RG 271, a complaint is: “[An expression] of dissatisfaction made to or about an organisation, related to its products, services, staff or the handling of a complaint, where a response or resolution is explicitly or implicitly expected or legally required.”
The introduction of RG 271 and its revised definition has impacted the number of organisations seeking technology solutions to help them detect dissatisfaction before it enters the formal internal dispute resolution (IDR) process.
Achieving contact centre compliance using technology
To ensure you meet your compliance requirements, you need a technology solution designed to deliver on the compliance needs of your organisation, industry, and country.
Leading contact centre solutions can support compliance obligations, providing you with easy tools to manage this. From call recording software to secure payment technology and speech analytics tools, here’s how contact centre compliance software can help you stay on top of your compliance without impacting the customer experience.
- Call Recording and Quality Assurance (QA)
Implementing call recording software in your contact centre can be a simple yet highly effective way to meet your compliance requirements.
Along with a QA module, managers can quickly and easily identify issues that may have occurred within the call and regularly review conversations to check that terms and conditions or policies were communicated during a call.
The QA module also enables managers to complete scorecards to evaluate their agents’ performance. This helpful training tool can allow managers to draw insights into crucial improvement areas.
Features to look for:
- Enterprise-grade voice quality: Calls are recorded in stereo to ensure high playback clarity.
- Easy retrieval of recordings to quickly locate required audio: This can include categorising the data by date, time, campaign, call duration and agent that completed the conversation.
- Call Bookmarks: A visual cue that signifies when specific compliance phrases were communicated in the call, such as terms and conditions or relevant policies. This feature eliminates the requirement to listen to the entirety of the call, improving efficiency.
- QA modules and scorecards: This feature allows contact centre managers to assess the agent’s performance and adherence to the script. Based on this evaluation, a score is then produced, and if required, the manager can take corrective action to improve the agent’s performance.
- Secure storage of call recordings: Ensuring your call recording solution has adequate security measures in place is essential. Some applications will delete call recordings after a set time for added security.
ipSCAPE Vault is a call recording storage solution designed for organisations to quickly collate and retrieve all call recordings, with management features to search, filter and organise items to assist in achieving compliance objectives. Moreover, to support your organisation’s security needs, all recordings can be stored for as long as required and are hosted securely in Azure Blob Storage.
ipSCAPE’s QA module enables contact centre managers to create QA questionnaires to evaluate agent conversations with customers and produce a score. Based on the score, managers can optimise their agent’s performance by conducting tailored training sessions using the results discovered.
- Ensuring PCI DSS compliance with secure payment technology
If your contact centre handles personal payment information (PPI), you must ensure you comply with the regulations set out by the Payment Card Industry Data Security Standard (PCI DSS).
To ensure PCI DSS compliance during a call, the following procedures must occur:
Concealing payment details: The customer uses their phone keypad to input their credit card details; the agent sees asterisks in real-time as the customer enters their details.
Masking DTMF tones: Typically, when using a dial pad, dual-tone multi-frequency (DTMF) tones signal which number was pressed. Masking DTMF tones ensures that card numbers are not recognisable by the agent.
Using tokenisation: Payments can be securely processed by substituting a unique code, known as a ‘token,’ for the card number, ensuring that sensitive data never passes through the contact centre.
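The three procedures above, worked through as an added illustration (this is not ipSCAPE Pay or any other vendor's code): keypresses from the telephony layer are routed to a capture component instead of the agent desktop or the call recorder, the agent sees only asterisks, the recorder receives a substitute tone event, and the validated card number is exchanged for a token by a simulated vault that stands in for the payment gateway. The `SimulatedTokenVault`, the `MASKED_TONE` event name, the event-stream shape and the test card number 4111 1111 1111 1111 are all constructed assumptions for the example; `contains_pan` is a simple check a practitioner can run over anything that did reach the contact centre (agent screen text, transcripts) to confirm no card number leaked.

```python
"""Simulated agent-assisted card capture for PCI DSS scope reduction (illustrative example)."""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: a cheap sanity check that the digits form a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if text holds a 13-19 digit run (spaces/dashes allowed) that passes Luhn.
    Intended as a leak check over agent-facing text or transcripts."""
    for run in re.findall(r"(?:\d[ -]?){12,18}\d", text):
        digits = re.sub(r"\D", "", run)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


class SimulatedTokenVault:
    """Constructed stand-in for the payment gateway's token vault. In a real deployment
    this lives OUTSIDE the contact centre's systems; only it ever holds the real PAN."""

    def __init__(self):
        self._vault = {}

    def tokenise(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)   # opaque, unguessable reference
        self._vault[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        # The gateway resolves the token itself; the contact centre only ever sends the token.
        return token in self._vault and amount_cents > 0


class PaymentCapture:
    """Receives DTMF keypresses from the telephony layer while the voice call continues."""
    MIN_LEN, MAX_LEN = 13, 19

    def __init__(self, vault: SimulatedTokenVault):
        self.vault = vault
        self._digits = []          # the only place the PAN digits accumulate
        self.agent_screen = []     # what the agent desktop is shown
        self.recording_feed = []   # what the call recorder receives instead of the real tone

    def on_dtmf(self, key: str):
        """Handle one keypress. '#' terminates entry; digits are masked on the way to the agent."""
        if key == "#":
            return self._finish()
        if not key.isdigit():
            raise ValueError(f"unexpected key {key!r}")
        if len(self._digits) >= self.MAX_LEN:
            raise ValueError("too many digits entered")
        self._digits.append(key)
        self.agent_screen.append("*")            # concealment: agent sees progress, not the digit
        self.recording_feed.append("MASKED_TONE")  # DTMF masking: recorder never gets the real tone
        return None

    def _finish(self):
        pan = "".join(self._digits)
        self._digits.clear()                      # do not retain digits after use
        if not (self.MIN_LEN <= len(pan) <= self.MAX_LEN) or not luhn_valid(pan):
            self.agent_screen.append(" [invalid card number, ask customer to re-enter]")
            return {"ok": False, "reason": "invalid"}
        token = self.vault.tokenise(pan)
        # Only the token and the last four digits go back to the contact centre.
        return {"ok": True, "token": token, "last4": pan[-4:]}


def capture_card_via_dtmf(vault: SimulatedTokenVault, keypresses: str):
    """Drive a capture from a constructed keypress stream; returns (result, capture)."""
    capture = PaymentCapture(vault)
    result = None
    for key in keypresses:
        outcome = capture.on_dtmf(key)
        if outcome is not None:
            result = outcome
    return result, capture


if __name__ == "__main__":
    vault = SimulatedTokenVault()
    result, capture = capture_card_via_dtmf(vault, "4111111111111111#")
    print("agent saw:", "".join(capture.agent_screen))
    print("recorder got:", set(capture.recording_feed))
    print("contact centre received:", result)
    print("gateway charge accepted:", vault.charge(result["token"], 1999))
```

The point of the separation is that the token, the last four digits and a string of asterisks are the only artefacts that ever touch agent desktops, recordings or transcripts, which is what keeps those systems out of PCI DSS scope.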
ipSCAPE Pay is a secure cloud-based payment solution that enables contact centre agents to handle credit card details and take payments over the phone to satisfy the PCI DSS regulation. To support the growth of your organisation, the solution allows multiple payment gateways to be added.
Using ipSCAPE Pay maintains voice communication throughout the entire conversation, so customers feel more comfortable when providing payment details, which helps improve the customer’s experience.
- Utilise Speech Analytics
Speech Analytics is a contact centre solution that uses recorded calls between employees and customers to assess phrases and words to optimise agent performance and manage compliance.
ipSCAPE’s Advanced Speech Analytics is a tool that transcribes 100% of all calls and analyses phrases, sentiments and customer expressions of dissatisfaction, including financial hardship, stress, anger, and vulnerability.
To specifically address and adhere to RG 271, Advanced Speech Analytics uses AI models to produce a ‘complaint risk’ score, which enables organisations to take a proactive approach to resolving the issue with the customer.
Taking a proactive approach, such as calling a customer to extend their loan term based on sentiment on financial hardship, can mitigate the risk that an official complaint will occur. This assists in increasing customer retention and avoiding the costly and complex IDR process.
Therefore, to ensure compliance with RG 271, select speech analytics software that delivers actionable insights, allowing you to create an environment of continuous improvement while enabling early detection of potential compliance risks.
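As an added example of the detection idea behind a ‘complaint risk’ score (this is not ipSCAPE’s model or code), the block below scores constructed call transcripts against small phrase lexicons that mirror the RG 271 definition: expressions of dissatisfaction, signs that a response or resolution is expected, and indicators of financial hardship or vulnerability. The lexicons, weights, tier thresholds, the `CUSTOMER:`/`AGENT:` transcript format and the three sample calls are all assumptions made for the example; a production system would use trained models rather than phrase lists, but the triage flow (score customer speech only, surface signals, queue high-risk calls for proactive outreach before the formal IDR process) is the same.

```python
"""Lexicon-based complaint-risk triage over call transcripts (illustrative example)."""
import re

# Constructed phrase lexicons with per-phrase weights. Each category is capped at 5
# points before scaling, so one very expressive customer cannot saturate a category alone.
LEXICON = {
    "dissatisfaction": {"not happy": 2, "unacceptable": 3, "ridiculous": 2,
                        "fed up": 2, "disappointed": 2, "complaint": 3},
    "expectation":     {"i want": 1, "i expect": 2, "refund": 2, "fix this": 2,
                        "escalate": 3, "ombudsman": 3},
    "hardship":        {"can't afford": 3, "lost my job": 3, "behind on": 2,
                        "struggling": 2, "hardship": 3, "missed payments": 2},
}
CATEGORY_WEIGHT = {"dissatisfaction": 10, "expectation": 8, "hardship": 10}
CATEGORY_CAP = 5


def normalise(text: str) -> str:
    """Lower-case, straighten apostrophes and strip punctuation so phrases match reliably."""
    text = text.lower().replace("\u2019", "'")
    return re.sub(r"[^a-z' ]+", " ", text)


def customer_speech(transcript: str) -> str:
    """Only the customer's words are scored; agent speech would otherwise pollute the signal."""
    return " ".join(m.group(1) for m in re.finditer(r"^CUSTOMER:\s*(.*)$", transcript, re.M))


def score_call(transcript: str) -> dict:
    """Return a 0-100 risk score, a tier and the phrases that triggered each category."""
    text = normalise(customer_speech(transcript))
    signals, raw = {}, 0
    for category, phrases in LEXICON.items():
        matched = [p for p in phrases
                   if re.search(r"\b" + re.escape(p) + r"\b", text)]
        if matched:
            signals[category] = matched
            points = min(sum(phrases[p] for p in matched), CATEGORY_CAP)
            raw += points * CATEGORY_WEIGHT[category]
    risk = min(100, raw)
    tier = "high" if risk >= 60 else "medium" if risk >= 30 else "low"
    return {"risk": risk, "tier": tier, "signals": signals}


def triage(calls: dict) -> list:
    """Calls worth proactive outreach, highest risk first (medium and above)."""
    scored = [(call_id, score_call(t)) for call_id, t in calls.items()]
    return sorted([(cid, s) for cid, s in scored if s["tier"] != "low"],
                  key=lambda item: item[1]["risk"], reverse=True)


# Constructed sample transcripts (not real calls).
SAMPLE_CALLS = {
    "call-001": """CUSTOMER: I'm not happy at all, this is the third time I've called about the same fee.
AGENT: I'm sorry to hear that, let me take a look.
CUSTOMER: Honestly I've lost my job and I can't afford these charges, I want a refund or I'm going to make a complaint.""",
    "call-002": """CUSTOMER: Hi, I'd just like to update my mailing address please.
AGENT: Of course, what's the new address?
CUSTOMER: Great, thanks for your help today.""",
    "call-003": """CUSTOMER: I'm disappointed the card hasn't arrived yet, I expect it this week.
AGENT: Let me check the dispatch status for you.""",
}


if __name__ == "__main__":
    for call_id, result in triage(SAMPLE_CALLS):
        print(call_id, result["tier"], result["risk"], result["signals"])
```

The `hardship` category is scored separately from dissatisfaction on purpose: a customer who is struggling financially but not yet complaining is exactly the case where a proactive call about payment options can prevent a formal dispute.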
If you’d like to discover how ipSCAPE can simplify, streamline and strengthen contact centre compliance in your organisation, check out our suite of automated compliance tools or get in touch to find out how ipSCAPE’s award-winning software can help your contact centre operate more efficiently and effectively.
ipSCAPE is a feature-rich, scalable cloud communication technology solution with advanced integration capabilities. We help businesses connect with their customers through multi-channel communications, including Voice, Web Chat, Email, SMS, IVR, and other emerging channels.