ACA Advocacy Resource Center

Tools to Help You Advocate for the Accounts Receivable Management (ARM) Industry When Meeting with Your Lawmakers and Regulators

The accounts receivable management industry is highly regulated by both federal and state laws and regulations, and new proposals are put forth every year that impact the ability of ACA International members to serve their clients and work with consumers. It’s critical for members to understand how current and proposed legislation and regulatory initiatives can affect their day-to-day business. ACA provides tools to help members engage with policymakers.

ACA Comments

ACA International consistently evaluates Consumer Financial Protection Bureau (CFPB) and Federal Communications Commission (FCC) activity to determine potential impacts on the accounts receivable management industry. When appropriate, ACA submits comments to educate the CFPB and FCC on industry practices and to advocate for policies and regulations that are balanced, well-reasoned, and designed to avoid unintended negative consequences.

Research and Statistics

Data that can help you gain a better understanding of the accounts receivable management industry.

Know My Debt was created by the members of ACA International, the Association of Credit and Collection Professionals, as a valuable resource for consumer education on financial literacy.
Dealing with debt and credit issues can be an emotional journey for consumers and their families. As debt collection professionals, we believe having resources on legal rights, financial planning and the importance of communication with debt collectors will help consumers understand their debts so they can make informed decisions on payments. ACA International members can help consumers understand the debt collection process and work toward financial freedom through Know My Debt.

Frequently asked questions about the debt collection industry.

What is a professional debt collection service?

Third-party collection services collect on past-due accounts referred to them by various credit grantors, such as credit card issuers, banks, car dealers, retail stores or health care facilities—any business that extends credit or offers payment installment plans.

What does a typical professional collection office do?

Often creditors cannot locate consumers who have moved or changed their phone numbers. The first thing a collection service must do is obtain the consumer’s current address or phone number through a process called skiptracing. The collection office then sends the consumer a notice that allows him or her to dispute the validity of the debt and/or request verification of the debt. Once the notice is received, a collector may call or write to the consumer and ask for full payment of the debt. If payment in full is not possible, the collector helps the consumer make arrangements to solve the problem.

Why are accounts referred for collection?

Most accounts are referred for collection because they have gone unpaid for several months and the creditor has not received communication from the consumer. Third-party collection services, which use specialized phone systems, computers and software designed specifically for the collection industry, often are more effective than creditors at collecting payment on such delinquent accounts.

What is the difference between “in-house” collections and third-party collections?

Third-party collectors are directly regulated by the Fair Debt Collection Practices Act (FDCPA), which is administered by the Federal Trade Commission (FTC). The FDCPA sets forth strict guidelines designed to protect consumers from abusive, misleading and unfair debt collection practices. In-house collectors are credit grantors and are covered by the FDCPA only under certain circumstances.

Is there a typical debtor?

No. People from all walks of life face financial problems. These problems can stem from poor money management and budgeting skills, the loss of a job, prolonged ill health or a multitude of other unforeseen circumstances.

What should people do if they receive a collection notice?

First, stay calm. Just as consumers depend on an income to pay their living expenses, the people who sell goods or services on credit depend on your payment to meet their own expenses. Remember, by the time your account has been turned over to a collection specialist, the creditor has probably carried the account for several months. Second, work with the collection agency to resolve the problem before it gets worse.

What can’t a collector do when contacting a consumer?

Under the FDCPA, third-party collectors may not: make repetitive or excessively frequent phone calls to annoy or harass you; misrepresent their identity; or threaten to take any action that is illegal or that the debt collector does not actually intend to take.

Why do we need collection agencies?

Most accounts are referred for collection because they have gone unpaid for several months. Without the quick actions of collection services, unpaid debt is often reflected by higher consumer prices. Since there is a limit on how high prices can be increased before businesses begin losing customers, bad debt also results in business failure and job loss.

How has the collection industry changed over the past 15 years?

In addition to more thorough training for collectors, the greatest changes in the collection industry have resulted from a significant increase in automation. Fifteen years ago, most collection offices kept track of accounts on paper cards; information was recorded manually and collectors dialed their telephones themselves. Today, offices are computerized, use collection-specific software and have sophisticated telephone systems with automated dialers.

How is the collection industry likely to change in the next 15 years?

Collection businesses will likely offer a wider variety of client services, including an increased capacity for greater billing and accounts receivable management and increased “early out” or pre-collection services. Many agencies are expanding existing services and technology beyond the traditional contingency collection functions.

Security Requirements for the Collection Industry

The credit and collection industry is subject to stringent security regulations.

Debt collectors must follow specific federal guidelines that establish consumers’ rights and collectors’ responsibilities, including laws such as the Fair Debt Collection Practices Act (FDCPA) and the Fair Credit Reporting Act (FCRA). Many of these laws contain data security and confidentiality provisions.

In addition, individual state laws and regulations may impose requirements for the safeguarding of sensitive consumer information, including obligations that require collectors to inform consumers in the event of a security breach of consumer information.

Specialized laws such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require additional security standards to protect against the unauthorized access of consumers’ confidential information.

By creating liability for both debt collectors and their clients, GLBA and HIPAA demand that privacy and security be top priorities in the credit and collection industry. In fact, before a collection agency can enter an agreement to provide services to a health care provider or financial institution, the agency must demonstrate its capability to safeguard consumer information at the employee and physical security level, as well as the information technology level.

The following summary of GLBA and HIPAA privacy and security rules, as well as state laws, explains collectors’ responsibilities and the measures a debt collector must take to ensure compliance with these laws. It is important to note this is not an exhaustive list of the requirements under these laws.

Gramm-Leach-Bliley Act & Safeguards Rule

Under the Gramm-Leach-Bliley Act (GLBA), a debt collector must comply with the Safeguards Rule, which requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.

The Safeguards Rule was recently amended. It now:

  • Adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication and encryption.
  • Adds provisions designed to improve the accountability of financial institutions’ information security programs, such as by requiring periodic reports to boards of directors or governing bodies.
  • Exempts financial institutions that collect less customer information from certain requirements.
  • Expands the definition of “financial institution” to include entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities. This change adds “finders”—companies that bring together buyers and sellers of a product or service—within the scope of the rule.
  • Defines several terms and provides related examples in the rule itself in one place rather than incorporate them from the Privacy of Consumer Financial Information Rule.

The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. An information security program must be written and it must be appropriate to the size and complexity of the business, the nature and scope of your activities, and the sensitivity of the information at issue. The objectives of your company’s program are:

  • To ensure the security and confidentiality of customer information;
  • To protect against anticipated threats or hazards to the security or integrity of that information; and
  • To protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.

Learn more on ACA’s Safeguards Rule Resource Center.

View the text of the rule.

Read the FTC’s small entity compliance guide.



Under HIPAA, a debt collector must comply with the Security Rule, which requires administrative, physical and technological safeguards to protect the confidentiality, integrity and availability of electronic protected health information (EPHI) in ways appropriate to the agency. While the requirements under the Security Rule are extensive and not listed in their entirety below, a debt collector must:

  • Develop and implement policies and procedures consistent with the covered entity the debt collector is operating for.
  • Designate an employee as a security official to coordinate its information security program in order to ensure accountability and achieve adequate safeguards.
  • Apply appropriate sanctions against employee(s) who fail to comply with the security policies and procedures of the agency.
  • Regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports.
  • Ensure that access to protected health information is only available to employees who need it.
  • Provide appropriate supervision of employees who work with protected health information or in locations where it might be accessed.
  • Control employee access to facilities in which paper records of protected health information are stored, and to software programs by which electronic records of this information can be accessed.
  • Ensure that when a staff member’s employment with the agency ends, his or her access to electronic protected health information is terminated.
  • Isolate the protected health information from other divisions of the company, if the agency is part of a larger organization.
  • Document and review employee use of electronic protected health information. Assign a unique login identifier and password for each employee, in order to trace the use of computer workstations or software programs to access the information.
  • Train all employees and management on the security policies of the agency.
  • Establish a contingency plan for responding to emergencies such as fire, vandalism and natural disasters that may damage systems containing electronic protected health information.
  • Implement a data backup plan to create and maintain retrievable exact copies of electronic protected health information.
  • Carefully monitor the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
  • Ensure the proper disposal of electronic protected health information and/or the hardware or electronic media on which it is stored.
  • Use password-activated screensavers that terminate a computer login session after a predetermined time of inactivity.
  • Encrypt consumer information during transmission over an electronic communications network.
  • Report any security incidents to the client.

In addition to requiring compliance with its Security Rule, HIPAA requires debt collectors to notify a client of any unauthorized disclosure of unsecured protected health information held on behalf of the client in the event of a security breach.


State-Specific Data Privacy & Security Requirements

Debt collectors must also consider state-specific data security requirements. Several states have consumer data privacy laws, including California, Colorado, Connecticut, Utah and Virginia, and many others are considering such legislation.

The laws generally have several provisions in common, such as the right to access and delete personal information, among others. 

Economic Impact Study

To develop a deeper understanding of accounts receivable management industry trends, ACA International commissioned a report on the operations, characteristics, and economic impact of ARM companies.
