ACA Advocacy Resource Center
The accounts receivable management industry is highly regulated by both federal and state laws and regulations, and new proposals are put forth every year that impact the ability of ACA International members to serve their clients and work with consumers. It’s critical for members to understand how current and proposed legislation and regulatory initiatives can affect their day-to-day business. We need help informing and, in some cases, changing the views policymakers have about debt collectors and debt collection practices.
Issues in the ARM Industry were recently discussed on Capitol Hill:
- Template Letter from ACA Members to Congressional Representatives
- Template Letter from ACA Members’ Health Care Provider Clients to Congressional Representatives
- Template Letter from ACA Members’ Health Care Provider Clients to the National Credit Reporting Agencies
- Power Point Presentation on ACA’s Response to the Omission and Removal of Medical Debt Credit Reporting
- Instructions for Sending Letters
- California Department of Financial Protection and Innovation
- New York State Department of Financial Services
- Consumer Financial Protection Bureau
- Federal Communications Commission
- Federal Trade Commission
- U.S. Department of Education
- U.S. Small Business Administration Office of Advocacy
- U.S. Department of the Treasury
- White House Advisories
- ACA Advocacy Booklet – updated May 2023
- ACA International Industry Talking Points
- Consumer Protection for Medical Debt Collections Act (May 2023)
- Fair Access to Banking Act (May 2023)
- Put on Your ARM Advocacy Hat: Tips for Getting Started as an ARM Industry Advocate (Fall Forum 2022 Presentation)
- Tips for Scheduling a Meeting with Legislators
- Sample Letter for Requesting a Meeting with Legislators
- The Economic Impact of Third-Party Debt Collection
Know My Debt was created by the members of ACA International, the Association of Credit and Collection Professionals as a valuable resource for consumer education on financial literacy.
Dealing with debt and credit issues can be an emotional journey for consumers and their families. As debt collection professionals, we believe having resources on legal rights, financial planning and the importance of communication with debt collectors will help consumers understand their debts so they can make informed decisions on payments. ACA International members can help consumers understand the debt collection process and work toward financial freedom through Know My Debt.
Frequently asked questions about the debt collection industry.
What is a professional debt collection service?
Third-party collection services collect on past-due accounts referred to them by various credit grantors, such as credit card issuers, banks, car dealers, retail stores or health care facilities—any business that extends credit or offers payment installment plans.
What does a typical professional collection office do?
Often creditors cannot locate consumers who have moved or changed their phone numbers. The first thing a collection service must do is obtain the consumer’s current address or phone number through a process called skiptracing. The collection office then sends the consumer a notice that allows him or her to dispute the validity of the debt and/or request verification of the debt. Once the notice is received, a collector may call or write to the consumer and ask for full payment of the debt. If payment in full is not possible, the collector helps the consumer make arrangements to solve the problem.
Why are accounts referred for collection?
Most accounts are referred for collection because they have gone unpaid for several months and the creditor has not received communication from the consumer. Third-party collection services, which use specialized phone systems, computers and software designed specifically for the collection industry, often are more effective than creditors at collecting payment on such delinquent accounts.
What is the difference between “in-house” collections and third-party collections?
Third-party collectors are directly regulated by the Fair Debt Collection Practices Act (FDCPA), which is administered by the Federal Trade Commission (FTC). The FDCPA sets forth strict guidelines designed to protect consumers from abusive, misleading and unfair debt collection practices. In-house collectors are credit grantors and are covered by the FDCPA only under certain circumstances.
Is there a typical debtor?
No. People from all walks of life face financial problems. These problems can stem from poor money management and budgeting skills, the loss of a job, prolonged ill health or a multitude of other unforeseen circumstances.
What should people do if they receive a collection notice?
First, stay calm. Just as consumers depend on an income to pay their living expenses, the people who sell goods or services on credit depend on your payment to meet their own expenses. Remember, by the time your account has been turned over to a collection specialist, the creditor has probably carried the account for several months. Second, work with the collection agency to resolve the problem before it gets worse.
What can’t a collector do when contacting a consumer?
Under the FDCPA, third-party collectors may not: make repetitive or excessively frequent phone calls to annoy or harass you; misrepresent his or her identity; threaten to take any action that is illegal or that the debt collector does not actually intend to take.
Why do we need collection agencies?
Most accounts are referred for collection because they have gone unpaid for several months. Without the quick actions of collection services, unpaid debt is often reflected by higher consumer prices. Since there is a limit on how high prices can be increased before businesses begin losing customers, bad debt also results in business failure and job loss.
How has the collection industry changed over the past 15 years?
In addition to more thorough training for collectors, the greatest changes in the collection industry have resulted from significant increase in automation. Fifteen years ago, most collection offices kept track of accounts on paper cards; information was recorded manually and collectors dialed their telephones themselves. Today, offices are computerized, use collection-specific software and have sophisticated telephone systems with automated dialers.
How is the collection industry likely to change in the next 15 years?
Collection businesses will likely offer a wider variety of client services, including an increased capacity for greater billing and accounts receivable management and increased “early out” or pre-collection services. Many agencies are expanding existing services and technology beyond the traditional contingency collection functions.
The credit and collection industry is subject to stringent security regulations.
Debt collectors must follow specific federal guidelines that establish consumers’ rights and collectors’ responsibilities, including laws such as the Fair Debt Collection Practices Act (FDCPA) and the Fair Credit Reporting Act (FCRA). Many of these laws contain data security and confidentiality provisions.
In addition, individual state laws and regulations may impose requirements for the safeguarding of sensitive consumer information, including obligations that require collectors to inform consumers in the event of a security breach of consumer information.
Specialized laws such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require additional security standards to protect against the unauthorized access of consumers’ confidential information.
By creating liability for both debt collectors and their clients, GLBA and HIPAA demand that privacy and security be top priorities in the credit and collection industry. In fact, before a collection agency can enter an agreement to provide services to a health care provider or financial institution, the agency must demonstrate its capability to safeguard consumer information at the employee and physical security level, as well as the information technology level.
The following summary of GLBA and HIPAA privacy and security rules, as well as state laws, explains collectors’ responsibilities and the measures a debt collector must take to ensure compliance with these laws. It is important to note this is not an exhaustive list of the requirement under these laws.
Gramm-Leach-Bliley Act & Safeguards Rule
Under the Gramm-Leach-Bliley Act (GLBA), a debt collector must comply with the Safeguards Rule, which requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.
The Safeguards Rule was recently amended. It now:
- Adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication and encryption.
- Adds provisions designed to improve the accountability of financial institutions’ information security programs, such as by requiring periodic reports to boards of directors or governing bodies.
- Exempts financial institutions that collect less customer information from certain requirements.
- Expands the definition of “financial institution” to include entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities. This change adds “finders”—companies that bring together buyers and sellers of a product or service—within the scope of the rule.
- Defines several terms and provides related examples in the rule itself in one place rather than incorporate them from the Privacy of Consumer Financial Information Rule.
The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. A information security program must be written and it must be appropriate to the size and complexity of the business, the nature and scope of your activities, and the sensitivity of the information at issue. The objectives of your company’s program are:
- To ensure the security and confidentiality of customer information;
- To protect against anticipated threats or hazards to the security or integrity of that information; and
- To protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.
Learn more on ACA’s Safeguards Rule Resource Center.
Under HIPAA, a debt collector must comply with the Security Rule, which requires administrative, physical and technological safeguards to protect the confidentiality, integrity and availability of electronic protected health information (EPHI) in ways appropriate to the agency. While the requirements under the Security Rule are extensive and not listed in entirety below, a debt collector must:
- Develop and implement policies and procedures consistent with the covered entity the debt collector is operating for.
- Designate an employee as a security official to coordinate its information security program in order to ensure accountability and achieve adequate safeguards.
- Apply appropriate sanctions against employee(s) who fail to comply with the security policies and procedures of the agency.
- Regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports.
- Ensure that access to protected health information is only available to employees who need it.
- Provide appropriate supervision of employees who work with protected health information or in locations where it might be accessed.
- Control employee access to facilities in which paper records of protected health information are stored, and to software programs by which electronic records of this information can be accessed.
- Ensure that when a staff member’s employment with the agency ends, his or her access to electronic protected health information is terminated.
- Isolate the protected health information from other divisions of the company, if the agency is part of a larger organization.
- Document and review employee use of electronic protected health information. Assign a unique login identifier and password for each employee, in order to trace the use of computer workstations or software programs to access the information.
- Train all employees and management on the security policies of the agency.
- Establish a contingency plan for responding to emergencies such as fire, vandalism and natural disasters that may damage systems containing electronic protected health information.
- Implement a data backup plan to create and maintain retrievable exact copies of electronic protected health information.
- Carefully monitor the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
- Ensure the proper disposal of electronic protected health information and/or the hardware or electronic media on which it is stored.
- Use password–activated screensavers that terminate a computer login session after a predetermined time of inactivity.
- Encrypt consumer information during transmission over an electronic communications network.
- Report any security incidents to the client.
In addition to complying with HIPAA’s Security Rule, HIPAA also requires debt collectors notify a client of any unauthorized disclosure of unsecured protected health information held on behalf of the client in the event of a security breach.
State-Specific Data Privacy & Security Requirements
Debt collectors must also consider state-specific data security requirements. Several states have consumer data privacy laws, including California, Colorado, Connecticut, Utah and Virginia, and many others are considering such legislation.
The laws generally have several provisions in common, such as the right to access and delete personal information, among others.
ACA International consistently evaluates Consumer Financial Protection Bureau (CFPB) and Federal Communications Commission (FCC) activity to determine potential impacts on the accounts receivable management industry. When appropriate, ACA submits comments to educate the CFPB and FCC on industry practices and to advocate for policies and regulations that are balanced, well-reasoned, and designed to avoid unintended negative consequences.
Economic Impact Study
To develop a deeper understanding of accounts receivable management industry trends, ACA International commissioned a report on the operations, characteristics, and economic impact of ARM companies.