CFPB States That it Did Not Scrap No-Action Letter and Compliance Assistance Sandbox Programs in Connection with its Overhaul of its Office of Innovation and Operation Catalyst

On May 25, 2022, my colleagues, Mike Gordon, John Culhane and Ron Vaske published a blog which reported on a press release issued by the CFPB on the prior day entitled “CFPB Launches New Effort to Promote Competition and Innovation in Consumer Finance.”  The blog stated:

In its press release, the CFPB states that “[a]fter a review of these programs [the No Action Letter (NAL) and Compliance Assistance Sandbox (CAS) programs], the agency concludes that the initiatives proved to be ineffective and that some firms participating in these programs made public statements indicating that the Bureau had conferred benefits upon them that the Bureau expressly did not.”

In lieu of a company filing an application for an NAL or participation in a CAS, both of which apply to an individual company’s specific product offering, the press release encouraged companies, including start-ups, to file rulemaking petitions to ask for greater clarity in particular rules.  The Bureau states that any action taken in response to a rulemaking petition “will apply to all companies in the market.”

The CFPB press release also announced that it “is opening a new office, the Office of Competition and Innovation, as part of a new approach to help spur innovation in financial services by promoting competition and identifying stumbling blocks for new market entrants.  The new office will replace the Office of Innovation that focused on an application-based process to confer special regulatory treatment on individual companies.”

Since the CFPB, in its press release, called the NAL and CAS programs ineffective, indicated companies were mischaracterizing the benefits conferred by such programs, and encouraged companies to file rulemaking petitions going forward, the clear implication was that these programs were being eliminated.

Not so, according to Raul E. Cisneros of the CFPB’s press office.  This is what Mr. Cisneros told me by e-mail on June 3, which he said could be attributed to the Bureau:

At this time, the CFPB has not rescinded the not[sic]-action letter or sandbox programs, and is still taking new applications and processing previously submitted applications.  However, this is not the primary focus of the Office of Competition and Innovation. 

Hmm.  Calling programs ineffective that an agency plans to continue strikes us as an odd way of doing business.  While the CFPB may continue to process new applications, we expect its disparagement of the programs will lead most companies to reassess whether filing an application is worth the investment of time, effort, and cost required to do so.

CFPB States That it Did Not Scrap No-Action Letter and Compliance Assistance Sandbox Programs in Connection with its Overhaul of its Office of Innovation and Operation Catalyst
http://www.insidearm.com/news/00048309-cpfb-states-it-did-not-scrap-no-action-le/
http://www.insidearm.com/news/rss/
News

All the latest in collections news updates, analysis, and guidance

CFPB Critical of Deleting Tradelines

On May 2, 2022, the CFPB issued its Supervisory Highlights for spring 2022 (the “spring 2022 Report”), which highlights legal violations identified by the CFPB’s examinations between July 2021 and December 2021. The findings in the spring 2022 Report cover the areas of auto servicing, consumer reporting, credit card account management, debt collection, deposits, mortgage origination, prepaid accounts, remittances, and student loan servicing. The spring 2022 Report also summarizes recent developments in the CFPB’s supervision program and remedial actions.

Focusing strictly on the area of consumer reporting, the CFPB notes that examiners have found deficiencies in credit reporting companies’ compliance with FCRA dispute investigation requirements and furnisher compliance with FCRA and Regulation V accuracy and dispute investigation requirements. The CFPB notes that in several reviews of credit reporting companies (“CRCs”), examiners found that they failed to conduct reasonable investigations of disputes. Specifically, CRCs deleted thousands of disputed tradelines rather than resolving disputes consistent with the investigation conducted by the furnisher and failed to review and consider all relevant information submitted by the consumer in support of their disputes. In addition, examiners found that CRCs failed to timely notify furnishers after receipt of a dispute and to timely and accurately notify consumers of the results of a dispute reinvestigation.

The CFPB also discusses several deficiencies with regard to credit card furnishers, deposit furnishers, and auto furnishers. The CFPB advises that credit card furnishers erroneously applied Regulation V’s “frivolous” designation to indirect disputes when the FCRA does not allow furnishers to deem indirect disputes “frivolous.” The CFPB further advises that credit card furnishers sent incorrect indirect dispute investigation results to CRCs. Moreover, the CFPB notes that credit card furnishers failed to communicate the results of their investigations in response letters to direct disputes and failed to send updating or correcting information to CRCs after determining that the reported information was incomplete or inaccurate.

Lastly, the CFPB identifies violations of Regulation V’s requirement that all furnishers establish and implement reasonable written policies and procedures regarding the accuracy and integrity of the information relating to consumers. The CFPB emphasizes that furnishers must consider and incorporate, as appropriate, the guidelines of Appendix E to Regulation V when developing their policies and procedures, which address key business functions, such as record retention, training, third-party oversight, and receipt of feedback from CRCs and others. The CFPB identifies the following violations of the Regulation V requirement for reasonable written policies and procedures with respect to credit card furnishers:

  • Failure to specify how particular data fields, such as the date of first delinquency, should be populated when furnishing information about credit card accounts.
  • Failure to provide for the retention of records for a reasonable period of time to substantiate the accuracy of consumer information furnished to CRCs.
  • Failure to perform account level analyses to determine which accounts should be reported in bankruptcy status after a consumer informs the furnisher of a bankruptcy filing.

Given that the CFPB included similar findings relating to credit reporting in its summer 2021 edition of Supervisory Highlights, it is apparent that the CFPB has a continuing interest in furnishers’ compliance with credit reporting, as well as their written policies and procedures. Therefore, it is imperative that furnishers re-review written credit reporting policies and procedures and ensure that such policies are being followed.

http://www.insidearm.com/news/00048306-cfpb-critical-deleting-tradelines/

California DFPI Proposes Extensive Rules Relating to Companies’ Responses to Consumer Complaints

On May 20, California’s Department of Financial Protection and Innovation (DFPI or Department) announced that it had filed a Notice of Proposed Rulemaking with the Office of Administrative Law, inviting public comments on the proposed rulemaking. The purpose of the proposed regulations is to implement, interpret, clarify, and make specific, certain sections of the California Consumer Financial Protection Law (CCFPL) that impose requirements on covered companies to respond to consumer complaints and report information about those complaints and responses to the DFPI.


Specifically, the DFPI is proposing to make explicit what it means to provide a timely response to consumers and to the Department regarding complaints against or inquiries concerning a covered person and received by the covered person. Covered persons are expected to have appropriate procedures to review, investigate, respond to, track, and report consumer complaints and inquiries. Notably, these proposed procedures apply to complaints received directly by a company — they are not limited to complaints submitted to the DFPI.

For each complaint, covered persons must provide the complainant with a written acknowledgment of receipt. Under the proposed rules, the written acknowledgment of receipt shall advise that the complaint has been received and shall include the date of receipt, a unique tracking number to identify the complaint in subsequent communications, and the telephone number and email address that can be used to contact the appropriate representatives of the covered person who have been designated to handle the complaint. The timing and manner of providing this acknowledgment would vary depending on the channel through which the complaint was received:

Emailed complaints or complaints received via the internet. 

Covered persons would be required to provide the complainant, within one calendar day after receiving the complaint, an email confirming that the electronic submission of the complaint was successful and, within five calendar days after receiving the complaint, an email message with the written acknowledgement of receipt. Both email messages would be required to be sent from the email address provided to the complainant, and they may be combined if provided within one calendar day after receiving the complaint.

Complaints received via postal mail. 

The proposed rules would require that covered persons provide the written acknowledgment of receipt via postal mail within seven calendar days of receiving the complaint.

Complaints received via telephone. 

Under the proposed rules, covered persons would orally provide the complainant with a unique tracking number to identify the complaint and, within seven calendar days of receiving the complaint, provide via postal mail a written acknowledgment of receipt.

The proposed rule would allow written acknowledgments to be combined with the issuance of a final decision if the final decision is issued within the required time period for the acknowledgment.

Covered persons would also be required to maintain a written record of each complaint for at least five years from the time the complaint was initially filed. The written record mandated by the proposed rules is fairly extensive and includes:

  1. A unique tracking number.
  2. The complainant’s name, telephone number, address, and email address (if provided).
  3. The name of the financial service or product involved.
  4. The name of the covered person or third party identified as the subject of the complaint.
  5. For oral complaints, the name of the representative who documented the complaint.
  6. The date the complaint was received.
  7. The date the covered person provided the acknowledgement of receipt.
  8. The dates of any investigation.
  9. The dates of all responses to the complaint.
  10. The nature and details of the complaint.
  11. If no investigation was performed, the names of all persons who decided not to investigate, and the reason why an investigation was not needed.
  12. The results of any investigation.
  13. Any corrective action.
  14. A copy of (or an electronic link to) all contracts, correspondence, and other relevant information upon which the covered person relied to reach its final decision.
  15. A copy of all written responses and summaries of all oral responses, including an explanation of the final decision regarding the complaint.

In addition, covered persons would be required to submit to the Department a quarterly complaint report, which would be made available to the public. The report would include the total number of complaints received and the total number of complaints for which a final decision was issued, broken out by “within 15 calendar days,” “between 16 and 60 calendar days,” and “more than 60 calendar days.” The report would be required to cover all complaints received by the covered person, including complaints forwarded by the Department. Under the proposed rules, the report would be prepared for the quarters ending March 31, June 30, September 30, and December 31 of each calendar year, verified by an officer authorized to act on behalf of the covered person, and filed with the Consumer Financial Protection Division no later than 30 calendar days after the end of each quarter.

The comment period on the proposed rules is open until July 5.

http://www.insidearm.com/news/00048303-california-dfpi-proposes-extensive-rules-/

Thriving in a Highly Regulated Environment

Medical debt collection has become a trending topic among state legislatures and federal regulators alike.  New legislation and regulations are systematically eroding asset value for healthcare providers. In the past year, we have seen California, Maryland, Nevada, and New Mexico enact new laws. Colorado and New York appear to be on the path to do so as well. To add insult to injury, the Consumer Financial Protection Bureau (CFPB) continues to aggressively focus on medical debt as well.

Below is an overview of the legislation and regulations that are dictating change in the world of healthcare collections today. While challenging, the new landscape is not impassable.  

California

Effective as of January 1, 2022, California Assembly Bill No. 1020 (amending California Civil Code Section 1788.14) requires, among other things, that general acute care hospitals licensed pursuant to Health & Safety Code Section 1250 send a notice to debtors as required by Health & Safety Code Section 127425(e). This notice must contain:

  • The date or dates of service of the bill that is being assigned to collections or sold.
  • The name of the entity the bill is being assigned or sold to.
  • A statement informing the patient how to obtain an itemized hospital bill from the hospital.
  • The name and plan type of the health coverage for the patient on record with the hospital at the time of services or a statement that the hospital does not have that information.
  • An application for the hospital’s charity care and financial assistance.
  • The date or dates the patient was originally sent a notice about applying for financial assistance, the date or dates the patient was sent a financial assistance application, and, if applicable, the date a decision on the application was made.


California Civil Code Section 1788.14 now prohibits debt collectors from collecting hospital debts without including, in the first written communication with a consumer, a copy of the notice that the hospital is required to send its patient prior to assigning the debt for collections or selling the debt to a debt buyer. In addition, debt collectors must include in their first written communication with consumers a statement that the debt collector will wait at least 180 days from the date the consumer was initially billed for the hospital services that are the basis of the debt before reporting adverse information to a credit reporting agency or filing a lawsuit against the consumer.

The new law also raised the income level for hospital charity care eligibility to 400% of the federal poverty level, allows patients with high medical costs to get some form of charity care or discount, and requires hospitals to prominently display a notice of the hospital’s financial assistance policy for patients on its website.

Maryland

Maryland (Senate Bill 514 and House Bill 565) now requires hospitals to submit their policies on the collection of patient debts each year to the Health Services Cost Review Commission. Hospitals are also restricted from taking certain actions – such as charging interest or fees on debts incurred by certain patients – when attempting to collect their past-due accounts. Hospitals are further prohibited from reporting a debt to the credit reporting agencies or filing a lawsuit to collect the debt within 180 days after the initial bill is provided.

Nevada

Nevada Senate Bill 248 (amending Chapter 649 of the Nevada Revised Statutes) became effective July 1, 2021. It requires collection agencies to send a certified letter to the consumer with certain disclosures prior to the commencement of collection efforts. There can be no collection or credit reporting for 60 days thereafter.

The statute, in part, reads:

Sec. 7.

1. Not less than 60 days before taking any action to collect a medical debt, a collection agency shall send by registered or certified mail to the medical debtor written notification that sets forth:

(a) The name of the medical facility, provider of health care or provider of emergency medical services that provided the goods or services for which the medical debt is owed;

(b) The date on which those goods or services were provided; and

(c) The principal amount of the medical debt.

2. The written notification required by subsection 1 must:

(a) Identify the name of the collection agency; and

(b) Inform the medical debtor that, as applicable:

(1) The medical debt has been assigned to the collection agency for collection; or

(2) The collection agency has otherwise obtained the medical debt for collection.

The statute also prohibits suing on medical debts less than $10,000 and prevents charging any fee of more than 5% of the amount of the medical debt.

New Mexico

New Mexico enacted the Patients’ Debt Collection Act (Senate Bill 71) which prevents health care providers from sending medical bills to collections or filing medical debt lawsuits against individuals whose household income is at or below 200% of the federal poverty level.  Health care facilities must take certain steps before seeking payment for emergency or medically necessary care (including offering certain information and assistance to patients).

Colorado

Colorado House Bill 1285 is moving closer to becoming a reality as it is seeing strong bipartisan support. The bill would prohibit hospitals that are not in compliance with a price transparency rule that went into effect in January 2021 from placing debts with third-party collection agencies, filing lawsuits to collect on unpaid debts, and reporting debts to credit reporting agencies. Published reports indicate that most hospitals in Colorado are currently not in compliance with the price transparency rule.

New York

New York passed an anti-garnishment and anti-lien bill (Senate Bill S.6522A) for certain medical debts. The bill prohibits nonprofit hospitals and healthcare providers from imposing and enforcing liens on a patient’s primary residence to satisfy judgments in medical debt lawsuits. It also prohibits nonprofit hospitals and healthcare providers from securing wage garnishments to satisfy such judgments. The governor is likely to sign it into law shortly.

CFPB and Credit Reporting

The CFPB has also been making waves by issuing bulletins, reports, and press releases criticizing medical debt collections and credit reporting.[1] [2] [3]

In response, the three major credit reporting agencies (Equifax, Experian, and TransUnion) announced that they will:

  • As of July 1, 2022, remove medical debts paid by consumers. Furnishers are still expected to report paid medical collections with a status code 62; the removal will be done directly by the credit reporting agencies.
  • As of July 1, 2022, extend the waiting period before furnishing medical debt from 180 days to one year past the date of first delinquency. Furnishers will have to wait until this period expires before reporting the debt.
  • As of March 30, 2023, stop reporting medical debts under $500. Furnishers will have to suppress such reporting.

The credit reporting agencies may have preemptively taken this approach to avoid more draconian regulatory action by the CFPB.

Conclusion

Collecting medical debt has become more difficult in the past year. Increased regulation of medical debt has prevented many providers from receiving adequate value on their past-due accounts receivable.  Utilizing a patient-centric approach to recoveries and complying with all applicable laws can help ensure the effective liquidation of nonperforming receivables.

———————-

Disclaimer: This article is presented for educational and general informational purposes only. Neither Cascade365 nor the author represent or warrant that the content is accurate, complete, or current for any specific or particular purpose or application. This content is not intended to serve as legal or other advice and should not replace the advice of your own legal counsel. Cascade365 is the sole owner of the content and all associated copyrights.

[1] https://www.consumerfinance.gov/about-us/newsroom/cfpb-issues-bulletin-to-prevent-unlawful-medical-debt-collection-and-credit-reporting/

[2] https://www.consumerfinance.gov/about-us/newsroom/cfpb-estimates-88-billion-in-medical-bills-on-credit-reports/

[3] https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-director-rohit-chopra-on-new-cfpb-medical-debt-report/

http://www.insidearm.com/news/00048295-thriving-highly-regulated-environment/

Executive Q&A: A Conversation with Steve Akers, CSO/CTO of TECH LOCK Inc.

PCI DSS 4.0 will replace the current operating version on March 31, 2024. While most of the changes are a codification of existing best practices, it’s important for organizations to start the conversations about those changes internally and with their service providers now.

Learn how the changes in PCI DSS 4.0 might affect your organization, and how much complying with those changes might cost, in this Executive Q&A with Steve Akers, CSO and CTO of TECH LOCK, Inc.

Erin Kerr (EK) (00:07): Hi everyone. And thank you for joining me for this episode of our Executive Q&A. I am here today with Steve Akers, CSO and CTO of TECH LOCK Inc. Steve, how are you doing today?


Steve Akers (SA) (00:18): I’m doing great. How are you?


EK (00:19): I am doing really well. Today, we’re going to talk a little bit about what you need to know about PCI DSS 4.0. 


Before we get started, why don’t you tell us a little bit about yourself?


SA (00:31): As mentioned, I’m the Chief Security and Technology Officer here at TECH LOCK. I’ve been doing cyber security and compliance for 25 plus years. I’ve been a serial entrepreneur and I’ve been in the space for a really long time, from both sides of the table, whether on the end-customer side, or on a service provider side. I’ve seen both of those areas and bring a lot of experience to this discussion.


EK (01:00): I’m excited to get into the topic. Before we get into some of the more difficult questions, why don’t you tell me: what is PCI DSS 4.0?


SA (01:11): The Payment Card Industry Data Security Standard has been around for a long time, and it goes through iterations.


The most current, active iteration is 3.2.1. It’s been out there for a while, and every so often the PCI Security Standards Council will go through review and decide it’s time to update it, it’s time to modernize the standard to better align it with modern threats and attacks and different types of security technologies that are available. 4.0 is the most recent one, which was released a little bit earlier this year.


EK (01:44): It sounds like the industry has been operating at the same standard for a while, so making a transition might be difficult for some people. How hard will that transition be?


SA (01:57): The biggest concern for most clients will be the new requirements. There are 13 new requirements that are effective for anyone who wants to be assessed under 4.0, but the remainder of those new requirements really aren’t applicable until March of 2025. So, you have some time.


[Of the 13 new requirements] most are focused on things like better documentation, assignment, and training related to roles and responsibilities. For many organizations, this has been part of their overall good cybersecurity practices anyway, so it shouldn’t be too difficult to achieve. Even if they haven’t been doing that, for the remainder [of requirements] that are effective in March of 2025, there are definitely some more technical and procedural controls that will require planning and discussion, much like what happened when PCI DSS first came onto the scene. The lead time should be enough for organizations to meet these [new requirements]. The key will ultimately be not to wait until the last minute, and having a plan for moving your organization forward.


EK (03:05): It sounds like there’s a little bit of time to prepare, but how much change will this cause in our environment?


SA (03:12): The first thing to consider when answering that question is “what’s changed in the standard itself?” 


There are over 70 evolving requirements, which means that fundamentally, they’re asking organizations to do something different than before, either through a new requirement entirely, or by adding a bullet point to a previous requirement. 


Of those new requirements, around 47% are really policy and procedure related. 41% will be technology related, meaning there’s something new that they’ll need to do from a technical perspective. Thirteen are what I call assessment related. There are additional assessments that they want you to [be prepared for]. Policy, procedure, and assessment components are changes, but I don’t think that they’re daunting for anyone who is already compliant.


As I mentioned earlier, the technical requirements will have some impact and really require organizations to modernize how they’re protecting their environments, their users, and how they protect what’s called the CDE or PAN data.


When you kind of move out of the requirements, the next category is what they call clarification or guidance. What this really means is that the requirement hasn’t changed; rather the Security Standards Council felt that they needed to clear things up. They’re getting rid of some of the interpretation. For example, if you look at an old requirement like 1.1.7, basically it says you need to review your firewall rules every six months. Most people understand that, but what it didn’t say is what you should really be looking for during that review. In 4.0, that requirement is now 1.2.7, and it replaces the word firewall with NSC or network security controls. They did that because they wanted to encompass cloud environments that don’t have the traditional kind of firewall that most people are used to.


The guidance makes it more clear what you should be reviewing. Arguably in 4.0, what they’re asking for here is probably what you should have been doing all along. For organizations that have been doing this properly, the change shouldn’t be difficult, but [the change] gives more guidance, which I think is really important. Ultimately the remainder of the changes that are included in the standard are really more structural, and really don’t have any material impact for anyone that’s already compliant.


EK (05:43): Well, that’s good news. It sounds like it’s a codification of what most folks should already be doing, which leads me to my next question. How much more is this going to cost?


SA (05:54): We get that question asked all the time and I wish it was more clear cut, but it really comes down to a few concepts. 


First, it’s about internal technologies. Organizations that have leveraged technologies that are not modern, like a legacy antivirus, or basic logging, or outdated point of sale or payment card software, etc., may find the cost to be higher to meet 4.0. Organizations need to begin looking at all of these soon so they can prepare. Sometimes upgrading is the best path, but organizations have been reluctant to upgrade if everything worked and it met the requirements, so 4.0 is forcing those changes.


The second concept is really about your service providers. Organizations need to get ahead of 4.0 and their service providers now to understand if and how those service providers plan to, or are currently meeting 4.0 requirements. A number of the new requirements are very specific to service providers. So [organizations] need to get enough clarity from those service providers that allows them to properly plan for the changes and version upgrades, maybe even changing service providers if they don’t like the answers. Obviously if you do some of those things, that could incur costs that were not necessarily in the original plan.


The last concept is really around risk analysis and testing requirements. Depending upon your maturity and confidence, this may be something that you would like to have accomplished by a third party. It’s certainly not required, but this could be an additional cost. Even if it’s to build it out for the first time, that was not necessarily something that [an organization] budgeted for.


As for any absolute number of ranges, unfortunately, there’s just not enough data and evidence to give a realistic gauge to say exactly how much it will cost, because it can vary so widely, given some of the concepts that I’ve talked about.


EK (07:52): It sounds like it will really depend on the size of the organization and what that organization needs, and how far along they already are in compliance.


SA (08:00): Certainly.


EK (08:03): I think you might have mentioned this a little bit earlier, but when are we required to be assessed against version 4.0?


SA (08:11): First, no one can be officially assessed until the actual QSAs have been properly trained in 4.0. Even though it’s been released, they’re supposed to kick off the training here in Q2.


But right now, no one will have to officially align with 4.0 until Q1 of 2024. What I’ve been telling clients and other people that we’ve been talking to is that by the end of 2023, you want to make sure that you have all your ducks in a row, and that you have everything set and aligned with 4.0. Like I said, with 4.0, there are 13 new requirements that are effective immediately if you’re going to measure yourself under 4.0. Then there’s another subset of requirements that are effectively required by March of 2025.


You’ve got some time, but the first date that will really matter for most organizations is Q1 of 2024.


EK (09:17): Like you mentioned, [organizations] have some time to get their ducks in a row, but I think sometimes those far off deadlines can be a bit of a curse, because folks don’t see [those deadlines] as an emergent need. Then all of a sudden that deadline is knocking on the door.


Steve, is there anything else you’d add for the audience about PCI DSS 4.0?


SA (09:39): I think you touched on it.  [Organizations] should start planning now. Some of these things will be different than what they’ve already had in place today. If you’re not sure about how certain requirements apply, or if you have the technology that would even align with this [requirement] you should reach out to your trusted advisors and ask those questions. Certainly we would love to be part of that too, but if you’ve got somebody that you really trust to go, talk to them now to get ahead of it. 


As I alluded to earlier, all the other people that are part of your cardholder environment and part of your payment processing, etc., [get those conversations] set up today. So that way you’ll know what their lead time might be and whether or not that could theoretically impact your organization.


EK (10:23): That’s great advice, Steven. Thank you so much for talking with me about this really important topic that people should really get in front of, especially as, like I said, those deadlines come knocking.

Thanks so much again for your time, and thanks to the audience for tuning in to this episode of Executive Q&A.

Executive Q&A: A Conversation with Steve Akers, CSO/CTO of TECH LOCK Inc.

http://www.insidearm.com/news/00048291-executive-q-conversation-steve-akers-csoc/
http://www.insidearm.com/news/rss/
News

All the latest in collections news updates, analysis, and guidance

Spring 2022 with the Crown Asset Management Team

DULUTH, Ga. — Crown Asset Management, LLC, a receivables purchasing and management firm, welcomed Spring with team-building events and employee recognitions. The growing team is grateful for the ongoing teamwork, leadership, and learning that’s been taking place and is pausing to appreciate employee engagement with a few highlights and notable mentions. 

“Life-long learning, communication, and teamwork have always been staples of what we value in our business. We’ve been fortunate to retain and grow an incredible team, and we’re still growing. Through all of it, we want to make sure we continue to maintain a strong culture and meaningful employee engagement. We recognize that the types of connections that occur more organically require greater intentionality as teams expand or work remotely. We have a lot of exciting new things happening, with many other things that we’re continuing to develop,” said Brian Williams, Crown CEO and Manager.

The Biggest Loser Challenge

The Crown team participated in a 12-week wellness challenge from February to May in a team effort to shed the pandemic pounds and step into summer with greater health. This was a great opportunity for increased camaraderie and relaxed team-building activities along with friendly competition and mutual encouragement toward practical personal goals. Angelica Hicks, Compliance Specialist, took first place, and a total of 55 pounds were lost by a total of 10 participants!

Crown School of Business

Ongoing professional growth is important to the culture of Crown. Celebrating its inauguration, the “Crown School of Business” was opened in April 2022 to provide a more structured program and intentionally selected resources for employee training and development. Additions are ongoing as the program is developed and refined, but the program has initially been a great success. 

New Lean Six Sigma Certification

Sharn Fuller, Senior Compliance Auditor, earned his Lean Six Sigma Green Belt Certification on March 18, 2022. Sharn joined CAM in November 2018 and has been with the Audit and Compliance Department since January 2020. Sharn’s recent promotion from Compliance Auditor to Senior Compliance Auditor will allow Sharn to be immersed in additional aspects of the department’s responsibilities and deliverables while continuing to support CAM’s ongoing compliance goals and objectives. The Crown team would like to congratulate Sharn on this achievement!

Chat-n-Chew Book Club

Much of the team participates in a company book club, “Chat-n-Chew.” The book club is a practical way to bring team members together over food (and food for thought), stay motivated and inspired, and build internal relationships. In coordination with the Receivables Readers virtual book club, the Spring selection was Atomic Habits by James Clear. As it turned out, this book also lined up perfectly with Crown’s wellness challenge!

Corporate Gatherings

Engaging in activities together outside of work is one way the Crown Asset Management team maintains high morale and grows greater communication and collaboration amongst and across teams. “Feel Good Fridays” were rolled out in April to provide an opportunity for the entire team to engage in a game together virtually. April also marked the first annual Easter Egg Hunt, and the team enjoyed a Spring Cookout in March to welcome the warm weather! 

Team Outreach

Charitable involvement has always been central to Crown’s culture. The team participated in the North Gwinnett Co-Op Food Drive throughout the month of May for its Spring cooperative service event. 

“The leadership team is looking forward to future opportunities planned for employee recognition and engagement and continuing to develop new ways to integrate the company values across the culture. We’re all still learning every day and so many business leaders can relate to similar challenges and opportunities. With that in mind, we believe positive news can be powerful and worth sharing as we can learn from each other,” said Mr. Williams.

For more information about Crown Asset Management, their team, or their services, visit crownasset.com or follow Crown Asset Management on LinkedIn.

About Crown Asset Management

Founded in 2004, Crown Asset Management, LLC, is a professional receivables management firm that outsources purchased accounts to a nationwide, proprietary network of collection agencies and law firms. Utilizing a cutting-edge predictive analytical model during pre-purchase portfolio due diligence, their team focuses on achieving appropriate financial returns while ensuring the best possible experience for consumers. They are an RMAI Certified Receivables Business headquartered in Duluth, GA. 

Spring 2022 with the Crown Asset Management Team
http://www.insidearm.com/news/00048294-spring-2022-crown-asset-management-team/

Women in Consumer Finance Announces Inspiring Keynote Speaker Anu Shultes

POTOMAC, Md. – Anu Shultes will take the stage on the first day of the 5th annual Women in Consumer Finance, a unique professional development for women, December 5-7, 2022 in Palm Springs, California.

Women in Consumer Finance is a one-of-a-kind conference where we help women lead inspired careers, creating value for themselves and for their employers.

We place a particular focus on what’s needed to get more women – particularly women of color – to the decision-making tables where products are designed and policy is set. The event is designed to address several key issues:

  • There is a connection problem. Women of all colors simply haven’t had the same opportunities as men to build their network, which is how most senior and board positions are filled.
  • There is a confidence problem. Many women are hesitant to assert themselves in a leadership structure dominated by men.
  • There is a career example problem. Most women lack exposure to female mentors and leadership examples, particularly ones of color.

Our predominantly workshop-style content is designed to build confidence. Our unique small group-based structure helps to ensure everyone leaves with meaningful new connections, and our mainstage storytellers provide inspiring yet relatable career examples.

Keynote speaker Anu Shultes is an entrepreneur and prestigious Forbes 50 Over 50 honoree for her commitment to and progress towards financial inclusion.

She is a 30-year veteran of the Financial Services industry with senior leadership roles at Providian, National City, AccountNow, Blackhawk Network and more. Her significant experience in building efficient operational processes and teams to support them has led her to become one of the few female CEOs in Fintech.

Shultes is currently the CEO of Ahead Financials, a visionary fintech company at the forefront of defining financial equity, inclusion and service for the world’s emerging middle class. Ahead’s mission is personal for Anu as she has experienced the very financial challenges she seeks to solve for her company’s clients. As an immigrant to the U.S. from India, Anu remembers living paycheck to paycheck as a graduate student, and even struggling to find her first job. She also is a cancer survivor and went through treatments while raising three children and working full-time.

Shultes’ keynote is sponsored by Provana, the Women in Consumer Finance ‘Education = Confidence’ sponsor.

Provana interaction management and compliance solutions are the first of their kind, providing effortless control over process-intensive operations, available for consumer lending, legal, ARM, insurance and other industries that handle heavily regulated consumer interactions. Provana technology is based on a decade of business process management, AI, RPA, regulatory compliance and secure data operation experience. Solutions include speech analytics, a compliance suite, omnichannel payments, and business analytics, comprising a one-stop digital transformation platform for small and medium enterprises.

“We shape and evolve our technology solutions and managed services based on the needs we see foremost among our clients,” said Karen Powell, Co-Founder and COO of Provana. “We are excited to partner with Women in Consumer Finance to help promote the many women leaders inside Provana and in the finance industry at large.”

Women in Consumer Finance is for women at all levels in the context of a common industry.

If you work in any role at a lender, creditor, servicer, law firm, technology or service provider, or regulator, this event is for you. We provide inspiration, a guiding hand, and a support system women can leverage to continuously recharge their careers and deliver value to their employers. WCF is not about compliance, best practices, or even finance. It’s about women, our common professional challenges, and how to tell our own career story – no matter where we are on our professional journey. We take a unique approach to building confidence, connection, and careers. There is nothing else like it.

Learn more or register at www.WomenInConsumerFinance.com

Women in Consumer Finance Announces Inspiring Keynote Speaker Anu Shultes
http://www.insidearm.com/news/00048289-women-consumer-finance-announces-inspirin/

California Updates Debt Collectors on Processing Delays

On May 23, California’s Department of Financial Protection and Innovation (DFPI or Department) sent an email notifying license applicants and prospective license applicants that the issuance of licenses under the Debt Collection Licensing Act is unavoidably delayed at this time.

The original deadline for applicants was December 31, 2021; however, that deadline was extended to March 15 in mid-December. Two months later, the Department still finds itself unable to process new applications.

The Federal Bureau of Investigation (FBI) has informed the DFPI that new changes are needed to state agency protocols — specifically fingerprinting — for requesting federal background checks. According to the Department, the delay was unforeseen, but is necessary to enable the DFPI to fully implement the licensing background check required under the Debt Collection Licensing Act.

The delay does not necessarily affect debt collectors doing business in the state. Per the DFPI, applicants may continue to engage in business, and the Department will not take action for unlicensed activity against applicants who filed their applications after December 31, 2021. For purposes of including California debt collector license numbers when contacting or communicating with debtors as required under Civil Code Section 1788.11, an applicant who has filed its application through NMLS may indicate “license number pending” or similar verbiage until a license is issued.

The DFPI previously has stated that persons who file an application by March 15 would be deemed temporarily in compliance with California’s licensing requirement, pending the approval of the license application. That deadline was not impacted by this new statement. In other words, while the DFPI is not yet issuing licenses, it is taking the position that only collectors who have applied for licensure are authorized to collect in California.

California Updates Debt Collectors on Processing Delays
http://www.insidearm.com/news/00048285-california-updates-debt-collectors-proces/

Eighth Circuit Finds that Class-Action FCRA Plaintiff Lacks Article III Standing Under Spokeo

The Eighth Circuit reiterated in a decision last month that trial courts must distinguish between FCRA plaintiffs who have suffered concrete harm and plaintiffs who merely seek to collect statutorily allowed damages as a way to ensure compliance with the law.  Under the Supreme Court’s decision in Spokeo, the former have Article III standing to assert FCRA claims but the latter do not.

In Schumacher v. SC Data Center, Inc., plaintiff Ria Schumacher sought a job with defendant SC Data.  During the application process, Schumacher responded “no” to a question asking whether she had ever been convicted of a felony.  SC Data offered a position to Schumacher and then obtained her authorization to allow a third party to independently investigate her criminal records.  SC Data later rescinded its offer to Schumacher when the report that it obtained revealed Schumacher’s 1996 felony conviction.

Schumacher alleged three FCRA violations on behalf of herself and a class: (1) taking an adverse employment action based on a consumer report without first providing the report to the applicant; (2) obtaining a consumer report without providing an FCRA-compliant disclosure form; and (3) obtaining more information about an applicant than allowed by the authorization.  Four days after the Supreme Court’s decision in Spokeo, SC Data moved to dismiss Schumacher’s claims for lack of standing.  The trial court found that Schumacher had standing to pursue all three claims, but the Eighth Circuit reversed.

The Eighth Circuit began with Schumacher’s adverse action claim.  The FCRA provides that before an employer takes an adverse action against a consumer based on a consumer report, the employer must provide a copy of the report to the consumer. 15 U.S.C. § 1681b(b)(3)(A).  The Court concluded that SC Data violated the FCRA when it did not provide a copy of the report to Schumacher before rescinding her job offer.  Still, the Court noted the split in authority regarding whether an employer’s failure to provide a pre-action report is a bare procedural violation or conduct that causes an intangible harm sufficient to confer standing. 

Those courts that have found standing, the Court explained, did so on the premise that an employee has a right to discuss with an employer the information in a report prior to any adverse action.  However, the Eighth Circuit agreed with the Ninth Circuit that no such right is found in the FCRA’s text or supported by its legislative history.  Instead, the FCRA was intended to protect against the dissemination of inaccurate information.  Schumacher did not claim that the information contained in the report was inaccurate, so her adverse action claim was not redressable under the FCRA.

The Court turned next to Schumacher’s improper disclosure claim.  When an employer obtains a consumer report for employment purposes, the FCRA requires the employer to provide the applicant with a “clear and conspicuous” written disclosure “in a document that consists solely of the disclosure.” 15 U.S.C. § 1681b(b)(2)(A)(i).  Schumacher pointed to several purported statutory defects in SC Data’s disclosure form, including the size of the disclosure’s font.  However, the Court held that a technical violation of the disclosure provision, without “something more,” is insufficient to confer standing.  Schumacher did not point to any tangible or intangible harm that flowed from the purported technical violations, such as confusion about the consent being given.  Thus, she lacked standing to pursue this claim, too.

Finally, the Court turned to Schumacher’s failure-to-authorize claim.  The FCRA forbids an employer from obtaining a consumer report without the employee’s written authorization. 15 U.S.C. § 1681b(b)(2)(A)(ii).  However, Schumacher indisputably authorized SC Data to obtain a type of consumer report documenting her criminal history.  The Court found that the report at issue fit within these parameters.  To the extent the report exceeded Schumacher’s authorization, Schumacher failed to plead any facts demonstrating a concrete harm.  Thus, regardless of whether the report contained noncriminal information, Schumacher lacked Article III standing.

Because Schumacher lacked standing to assert any of her claims, the Court vacated the trial court’s orders and remanded the case with instructions to return the case to the state court.

The post-Spokeo landscape is still very much in development.  Schumacher provides a reminder that employers who find themselves defending against FCRA claims should closely scrutinize whether plaintiffs have alleged mere procedural violations or the kind of concrete harm sufficient to open the doors to the federal courthouse.

Eighth Circuit Finds that Class-Action FCRA Plaintiff Lacks Article III Standing Under Spokeo
http://www.insidearm.com/news/00048283-eighth-circuit-finds-class-action-fcra-pl/