As call centers manage sensitive customer information, they must follow specific compliance requirements.
Governments and regulatory agencies develop compliance rules for organizations to protect consumer data and remain fair and equitable. Call centers can develop internal rules and practices, such as call monitoring, to supplement external requirements and improve customer experience (CX). Call center managers must ensure their agents follow compliance best practices, and a compliance checklist can help remote, on-premises and hybrid call centers adhere to best practices.
The role of compliance in call centers
Compliance is critical to call centers, as one failure can devastate an organization's brand image and reputation. Customers don't want to work with organizations that can't protect their personal information from bad actors. Additionally, a compliance failure can lead to fines and penalties from regulatory agencies.
Compliance requires participation from every individual in an organization. Call center managers shouldn't assume their processes always work or that agents always follow proper procedures. Managers and agents must keep their eyes and ears open, and if something does not seem right, they must raise the issue with the appropriate individual.
Before the COVID-19 pandemic, most call centers were on premises, which made compliance easier to implement and monitor. For example, employees had to swipe their keycards before every shift to enter the call center, so only authorized people could enter. Compliance became more of a challenge when call centers began to operate remotely, so checklists can help call center managers follow proper guidelines.
Call center compliance checklist
Organizations can't achieve compliance with a single tool or process. They should use a multifaceted approach that integrates technology, processes and procedures.
The following compliance checklist can serve as a starting point for call center managers as they seek to comply with internal and external requirements.
1. Secure the network
Organizations should use network access control to limit who can physically and logically access system hardware and software. Physical security protects the physical components of a network -- such as devices, modems or routers -- from physical harm. Logical security uses passwords and system permissions to protect a network's software and data from unauthorized individuals.
Call centers with agents who work from home may struggle to maintain physical security, as remote agents don't always have secure workstations. Call center managers can perform physical or virtual audit checks on their agents' remote workplaces to ensure they meet security standards.
2. Perform workstation audits
Physical workstation audits enable an organization to inspect a remote employee's work environment and ensure it supports basic controls and meets compliance requirements. As physical visits to employees' remote workstations aren't always feasible, supervisors can use video conferencing to perform high-level audits.
3. Authenticate customers
Customer authentication is a process where individuals prove they are who they claim to be. In some cases, single-factor authentication -- where customers provide a single piece of information to confirm their identity -- can suffice. However, many organizations have adopted multifactor authentication, which asks customers to provide distinct pieces of information, such as a password and a code sent to a mobile device, to confirm their identity.
4. Record customer conversations
Call recording lets organizations review telephone conversations between customers and agents. Managers can review recordings through a quality monitoring program to determine if agents fulfilled external requirements, such as appropriate disclosures and authentication processes. Managers can also review recordings to determine if an agent fulfilled internal requirements, such as providing a customer with accurate information or following internal procedures.
5. Provide mandatory disclosures
Call center agents must provide mandatory disclosures, which are legal statements used to clearly explain specific processes, rules and options to callers. For example, if a call center in the U.S. wants to record a customer call, agents must disclose that information to the caller and receive that individual's consent to the recording.
Regulation requires mandatory disclosures when agents do the following:
- record customer calls
- perform collection functions
- make financial transactions
6. Adhere to local privacy legislation
Organizations must adhere to various global and local legislation on customer privacy, depending on the geographic reach of the business. Due to legislation, organizations can't manage all customer information in the same way. Different regions have different recording consent laws, so organizations must know where each customer resides before they record conversations with that individual.
The following are examples of location-based privacy legislation:
- General Data Protection Regulation. GDPR provides guidance on how organizations can collect and process personally identifiable information (PII) for individuals who live in the European Union.
- California Consumer Privacy Act. CCPA provides guidance on how organizations can collect and process personal and household information for individuals who live in California.
7. Adhere to the Telephone Consumer Protection Act
Organizations in the U.S. must adhere to the Telephone Consumer Protection Act (TCPA), which sets rules for how an organization can use outbound calls for solicitation. TCPA regulations state that telemarketing call centers cannot use predictive dialers to contact a wireless phone without prior consent from the customer. It also ensures telemarketers adhere to the National Do Not Call Registry and special regulations, which may include restricted calling hours in a particular geographic location after a natural disaster event.
8. Manage sensitive information
To comply with standards, such as the Payment Card Industry Data Security Standard and HIPAA, organizations must protect sensitive customer data at rest and in motion. Sensitive information can include PII, credit card numbers or protected health information.
To protect sensitive information, organizations should adhere to the following practices:
- encrypt all data
- minimize the amount of stored data
- use automation, such as interactive voice response, to perform sensitive transactions
9. Offer ongoing training
Organizations should offer annual training on proper compliance procedures and guidelines. All employees should be up to date on specific compliance rules and understand how they can protect their organization and its customers.
A call center compliance checklist can help organizations avoid compliance failures. Call center managers can use this checklist to evaluate their organization's current compliance protocols and ensure agents follow proper guidelines.