Do you have a plan in place to track and address consumer complaints? Are you looking for more information on the CFPB’s updated policies about consumer complaints related to debt collection? Are you unsure about what data your organization needs to be tracking? In this webinar, hear Todd Stephenson and Jessie Skibbe answer these questions.

What is the CFPB’s Complaint Resolution Process?

The CFPB began accepting consumer complaints related to debt collection in 2013. The complaint resolution process that the CFPB has since established is:

  • The consumer submits a complaint via the CFPB portal
  • The CFPB reviews and routes the complaint
  • The company provides a response to the complaint
  • The consumer reviews the response and responds
  • An investigation takes place
  • The complaint is analyzed and reported

To get started resolving and tracking consumer complaints, consider following these five easy steps:

  • Define: Internally evaluate what your definition of a complaint is using a risk-based approach
  • Document: Ensure that your policies, procedures, and work instructions are understood and followed; note any changes made to your CMS because of monitoring efforts
  • Educate: Train employees and compliance staff
  • Communicate: Effectively communicate expectations with all compliance staff; share findings with Board of Directors/Management to identify areas for improvement and determine needed changes
  • Monitor: Make sure that complaints are promptly addressed, categorized, reviewed, and analyzed

For more information about CMS or CFPB compliance, contact us today.

HIPAA Business Associates

Under HIPAA, a business associate includes the following: health information organizations, e-prescribing gateways, personal health record vendors, and entities providing data transmission services for PHI that require routine access to such PHI. Business associates are required to be compliant with the HIPAA/HITECH Rule, and are faced with many of the same compliance requirements as their covered entities. This means that business associates will be held responsible for their own compliance by establishing appropriate physical, administrative, and technical safeguards to protect PHI.

Preparing for HIPAA Compliance

The healthcare industry must take the appropriate measures to ensure HIPAA compliance because the integrity of the industry relies on keeping Protected Health Information (PHI) secure. If a business associate is unable to comply with HIPAA, it could mean more than just organizational, financial, and reputational implications for their organization—it could be life-threatening to patients. As the number of healthcare security breaches reported to the HHS continues to grow, it’s more important than ever for business associates to make sure that they are doing their due diligence to ensure that they are keeping PHI protected. So, what’s the first step that business associates can take to ensure that PHI is protected? Business associates should delegate personnel to oversee compliance efforts.

You need to have a person responsible for making sure that your organization is establishing and implementing physical, administrative, and technical safeguards to protect PHI. This person should also be responsible for ensuring that you have formally written policies and procedures. Think of it this way: if a client scheduled an onsite visit, could you produce adequate evidence to show how you are following your procedures? Protection from data breaches should be the top priority within your organization and can begin by setting a tone from the top and delegating a person to oversee compliance efforts.

Want all the answers to the SOC 1 FAQs?

Are you being asked by a top client for a SOC 1 audit report? What is a SOC 1 report? Do you need a SOC 1 audit? In this free whitepaper, you’ll find answers to frequently asked questions about SOC 1 audit reports and learn how your organization can benefit from having a SOC 1 report and what you can expect from your SOC 1 audit process.

Developed primarily for third-party service providers by the AICPA, SOC reports are issued by Certified Public Accountants (CPAs) and report on a service organization’s internal controls – policies and procedures – which could impact their client’s sensitive data. SOC reports help service organizations’ clients (referred to as user entities) to comply with regulatory and/or contractual requirements. SOC reports allow user entities to obtain an objective evaluation of the effectiveness of controls that address compliance, operations, and financial reporting of a service organization. SOC 1 engagements are performed in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18), formerly known as SSAE 16. SOC 1 reports are specifically designed to report on the controls at a service organization that could ultimately impact their client’s financial statements. A SOC 1 audit is not a review of a service organization’s financial statements, but rather a review of internal controls over financial reporting.

Many organizations are legally required to verify the suitability of internal controls at a service provider prior to engaging with the service provider. Generally speaking, publicly traded companies looking to comply with Sarbanes-Oxley (SOX), financial institutions looking to comply with the Gramm-Leach-Bliley Act (GLBA), as well as state and local government, have all standardized on SOC reports to meet this requirement. If your clients outsource any of their information technology systems management activities to your organization, you may be asked for a SOC 1 report, so they can gain a better understanding of the controls at your organization and how they meet specific requirements.

Download the whitepaper to learn more about SOC 1 audits. For more information, contact us today.

What is Vendor Compliance Management?

An effective risk management strategy includes the assessment and monitoring of vendor compliance with your company’s policies and procedures. Today’s compliance program involves an ongoing struggle to organize vendor responses using spreadsheets and questionnaires while manually tracking recurring events and supporting documents. Where should you start?

According to CFPB Bulletin 2012-3, companies must “oversee” their vendors “in a manner that ensures compliance with Federal consumer financial law…The CFPB’s exercise of its supervisory and enforcement authority will closely reflect this orientation and emphasis.”

What Do You Need for a Vendor Compliance Management Program?

In the past, managing vendor compliance contractually was sufficient. Compliance risk and responsibility were transferred to the service provider, and through this process, compliance activity was kept at arm’s length. However, now a full chain of custody is necessary to ensure full compliance. In order for this to happen, an effective process must be in place. So, what does this include?

  • Policies and procedures: Policies and procedures should define your vendors’ due diligence requirements as well as list the policies and procedures surrounding the process of terminating contracts with vendors. You should also have policies and procedures that verify that policies and procedures are being implemented.
  • List of third parties: A key step in vendor compliance management is creating a list of all vendors and the services they provide to your organization.
  • Contracts with third parties: In contracts with vendors, you need to list specific expectations and obligations. Your contract should include the scope of the relationship, cost, performance standards, reporting guide, security standards, dispute resolution, and termination rights.
  • Evidence of due diligence: To ensure that your vendors are practicing due diligence, you should monitor their compliance efforts. This can include monitoring their performances, audit reports, compliance requirements, training effectiveness, quality of services, and risk management practices.

Do you need to establish a compliance management system (CMS)? Are you interested in learning more about the CFPB’s requirements for creating and maintaining an effective compliance management system?

What is a Compliance Management System?

A CMS is a set of interrelated or interacting elements that organizations use to direct and control how compliance policies are implemented and compliance objectives are achieved. A CMS typically has four core interdependent control components:

  • Board and management oversight
  • Compliance program
  • Response to consumer complaints
  • Compliance audit

A CMS also follows a four-phase plan:

  • Phase One: Plan
  • Phase Two: Do
  • Phase Three: Check
  • Phase Four: Act

Why is a Compliance Management System Important?

According to the CFPB, “A critical component of a well-run financial institution is a robust and effective compliance management system…. Consequently, one of the most important responsibilities of the CFPB supervisory program is assessing the quality of the Compliance Management Systems employed by the financial institutions under the CFPB’s jurisdiction.”

For more information about how KirkpatrickPrice can assist you in meeting your compliance objectives, contact us today.