ACA Advocacy Resource Center

Tools to Help You Advocate for the Accounts Receivable Management (ARM) Industry When Meeting with Your Lawmakers and Regulators

The accounts receivable management industry is highly regulated by both federal and state laws and regulations, and new proposals are put forth every year that impact the ability of ACA International members to serve their clients and work with consumers. It’s critical for members to understand how current and proposed legislation and regulatory initiatives can affect their day-to-day business. ACA provides tools to help members engage with policymakers.

ACA Comments

ACA International consistently evaluates Consumer Financial Protection Bureau (CFPB) and Federal Communications Commission (FCC) activity to determine potential impacts on the accounts receivable management industry. When appropriate, ACA submits comments to educate the CFPB and FCC on industry practices and to advocate for policies and regulations that are balanced, well-reasoned, and designed to avoid unintended negative consequences.


Research and Statistics

Data that can help you gain a better understanding of the accounts receivable management industry.

Frequently asked questions about the debt collection industry.

What is a professional debt collection service?

Third-party collection services collect on past-due accounts referred to them by various credit grantors, such as credit card issuers, banks, car dealers, retail stores or health care facilities—any business that extends credit or offers payment installment plans.

What does a typical professional collection office do?

Often creditors cannot locate consumers who have moved or changed their phone numbers. The first thing a collection service must do is obtain the consumer’s current address or phone number through a process called skiptracing. The collection office then sends the consumer a notice that allows him or her to dispute the validity of the debt and/or request verification of the debt. Once the notice is received, a collector may call or write to the consumer and ask for full payment of the debt. If payment in full is not possible, the collector helps the consumer make arrangements to solve the problem.

Why are accounts referred for collection?

Most accounts are referred for collection because they have gone unpaid for several months and the creditor has not received communication from the consumer. Third-party collection services, which use specialized phone systems, computers and software designed specifically for the collection industry, often are more effective than creditors at collecting payment on such delinquent accounts.

What is the difference between “in-house” collections and third-party collections?

Third-party collectors are directly regulated by the Fair Debt Collection Practices Act (FDCPA), which is administered by the Federal Trade Commission (FTC). The FDCPA sets forth strict guidelines designed to protect consumers from abusive, misleading and unfair debt collection practices. In-house collectors are credit grantors and are covered by the FDCPA only under certain circumstances.

Is there a typical debtor?

No. People from all walks of life face financial problems. These problems can stem from poor money management and budgeting skills, the loss of a job, prolonged ill health or a multitude of other unforeseen circumstances.

What should people do if they receive a collection notice?

First, stay calm. Just as consumers depend on an income to pay their living expenses, the people who sell goods or services on credit depend on your payment to meet their own expenses. Remember, by the time your account has been turned over to a collection specialist, the creditor has probably carried the account for several months. Second, work with the collection agency to resolve the problem before it gets worse.

What can’t a collector do when contacting a consumer?

Under the FDCPA, third-party collectors may not: make repetitive or excessively frequent phone calls to annoy or harass you; misrepresent their identity; or threaten to take any action that is illegal or that the debt collector does not actually intend to take.

Why do we need collection agencies?

Most accounts are referred for collection because they have gone unpaid for several months. Without the quick actions of collection services, unpaid debt is often reflected by higher consumer prices. Since there is a limit on how high prices can be increased before businesses begin losing customers, bad debt also results in business failure and job loss.

How has the collection industry changed over the past 15 years?

In addition to more thorough training for collectors, the greatest changes in the collection industry have resulted from a significant increase in automation. Fifteen years ago, most collection offices kept track of accounts on paper cards; information was recorded manually and collectors dialed their telephones themselves. Today, offices are computerized, use collection-specific software and have sophisticated telephone systems with automated dialers.

How is the collection industry likely to change in the next 15 years?

Collection businesses will likely offer a wider variety of client services, including an increased capacity for greater billing and accounts receivable management and increased “early out” or pre-collection services. Many agencies are expanding existing services and technology beyond the traditional contingency collection functions.

The credit and collection industry is subject to stringent security regulations.

Debt collectors must follow specific federal guidelines that establish consumers’ rights and collectors’ responsibilities, including laws such as the Fair Debt Collection Practices Act (FDCPA) and the Fair Credit Reporting Act (FCRA). Many of these laws contain data security and confidentiality provisions.

In addition, individual state laws and regulations may impose requirements over the safeguarding of sensitive consumer information, including obligations that require collectors to inform consumers in the event of a security breach of consumer information.

Specialized laws such as the Gramm–Leach–Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require additional security standards to protect against the unauthorized access of consumers’ confidential information.

By creating liability for both debt collectors and their clients, GLBA and HIPAA demand that privacy and security be top priorities in the credit and collection industry. In fact, before a collection agency can enter an agreement to provide services to a healthcare provider or financial institution, the agency must demonstrate its capability to safeguard consumer information at the employee and physical security level, as well as the information technology level.

The following summary of GLBA and HIPAA privacy and security rules explains collectors’ responsibilities and the measures a debt collector must take to ensure compliance with these laws. It is important to note that this is not an exhaustive list of the requirements under these laws.

Gramm–Leach–Bliley Act

Under the GLBA, a debt collector must comply with the Safeguards Rule which requires the development of a written information security program containing administrative, technical and physical safeguards appropriate to the agency’s size and complexity, nature and scope of its activities and sensitivity of the consumer information at issue. The GLBA Safeguards Rule requires a debt collector to:

  • Designate an employee to coordinate its information security program in order to ensure accountability and achieve adequate safeguards.
  • Identify reasonable, foreseeable internal and external risks to the security, confidentiality and integrity of consumer information and assess the sufficiency of any safeguards in place to control such risks.
  • Implement policies and procedures to control security risks to customer information and monitor their effectiveness.
  • Oversee service providers by selecting and retaining service providers that are capable of maintaining appropriate safeguards for the customer information and requiring service providers by contract to implement and maintain such safeguards.
  • Evaluate and adjust information security programs in light of the results of testing and monitoring required, material changes to operations, or any other circumstances which may have a material impact on the company’s information security program.

Further, the Federal Trade Commission (FTC) recommends the following procedures for debt collectors to remain in compliance with the GLBA Safeguards Rule:

  • Lock rooms and file cabinets where paper records are kept.
  • Use password-activated screensavers.
  • Use strong passwords (at least eight characters long).
  • Change passwords periodically and do not post passwords near employees’ computers.
  • Encrypt sensitive customer information when it is transmitted electronically over networks or stored online.
  • Refer calls or other requests for customer information to designated individuals who have had safeguards training.
  • Recognize any fraudulent attempt to obtain customer information and report it to appropriate law enforcement agencies.
  • Train employees regularly on the agency’s safeguard policies.
  • Limit access to customer information to employees who have a business reason for seeing it.


Under HIPAA, a debt collector must comply with the Security Rule, which requires administrative, physical and technological safeguards to protect the confidentiality, integrity and availability of electronic protected health information (EPHI) in ways appropriate to the agency. While the requirements under the Security Rule are extensive and not listed in their entirety below, a debt collector must:

  • Develop and implement policies and procedures consistent with the covered entity the debt collector is operating for.
  • Designate an employee as a security official to coordinate its information security program in order to ensure accountability and achieve adequate safeguards.
  • Apply appropriate sanctions against employee(s) who fail to comply with the security policies and procedures of the agency.
  • Regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports.
  • Ensure that access to protected health information is only available to employees who need it.
  • Provide appropriate supervision of employees who work with protected health information or in locations where it might be accessed.
  • Control employee access to facilities in which paper records of protected health information are stored, and to software programs by which electronic records of this information can be accessed.
  • Ensure that when a staff member’s employment with the agency ends, his or her access to electronic protected health information is terminated.
  • Isolate the protected health information from other divisions of the company, if the agency is part of a larger organization.
  • Document and review employee use of electronic protected health information. Assign a unique login identifier and password for each employee, in order to trace the use of computer workstations or software programs to access the information.
  • Train all employees and management on the security policies of the agency.
  • Establish a contingency plan for responding to emergencies such as fire, vandalism and natural disasters that may damage systems containing electronic protected health information.
  • Implement a data backup plan to create and maintain retrievable exact copies of electronic protected health information.
  • Carefully monitor the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
  • Ensure the proper disposal of electronic protected health information and/or the hardware or electronic media on which it is stored.
  • Use password-activated screensavers that terminate a computer login session after a predetermined time of inactivity.
  • Encrypt consumer information during transmission over an electronic communications network.
  • Report any security incidents to the client.

In addition to requiring compliance with its Security Rule, HIPAA requires debt collectors to notify a client of any unauthorized disclosure of unsecured protected health information held on behalf of the client in the event of a security breach.


Economic Impact Study

To develop a deeper understanding of accounts receivable management industry trends, ACA International commissioned a report on the operations, characteristics, and economic impact of ARM companies.
