
Page 1: Protection in Distance Selling Transactions - BT. · PDF fileProtection in Distance Selling ... protection and distance selling regulations, ... Generic Distance Selling Regulations

White Paper covering business issues regarding compliance, regulation, legislation and governance relevant to customer management.

A white paper from CM Insight

Sponsored by BT

Protection in Distance Selling Transactions


Index

• Foreword 3

• Executive Summary 4

• 1.0 Introduction 5

• 2.0 The Rise in Remote Selling Activity 5

• 2.1 Does this apply to you? 6

• 3.0 Distance Selling Regulations 7

• 3.1 Distance Selling Activity 7

• 3.2 The need for Distance Selling Regulations 7

• 3.3 Safe Practices when Distance Selling 7

• 4.0 Distance Selling of Financial Services 8

• 4.1 History of Distance Selling in Financial Services 8

• 4.2 Distance Selling Regulations in Financial Services 8

• 4.3 How to ensure compliance with Distance Selling Regulations (FSA) 9

• 5.0 Compliance and Mis-Selling (Financial Services) 9

• 5.1 Definition of Compliance and Mis-Selling Regulations 9

• 5.2 Implications and consequences of (FSA) compliance regulation 9

• 5.3 How to prove compliance with FSA regulations 10

• 6.0 Data Protection and Security in Distance Selling 10

• 6.1 History and Definition of the Data Protection Act 1998 10

• 6.2 Implications and Consequences of the Data Protection Act 11

• 6.3 How to comply with the Data Protection Act 1998 11

• 7.0 Online Payment Security 12

• 7.1 Definition of Online Payment 12

• 7.2 The need for Protection of Online Payments 12

• 7.3 Ensuring Security of Online Transactions 12

• 8.0 Healthcheck – How are you doing? 13

• Appendices: 14

• U.S. Sarbanes-Oxley Act 2002 14

• Data Protection Principles 14

• Data Protection Infringements 15

• BT’s own Compliance Case Study


Foreword

In today’s digital networked economy, where enterprises must fulfil a large and increasingly complex set of legal and regulatory requirements when managing customer contact, the importance of consumer protection and trust in remote business transactions has never been greater. Whether online, phone or mail, enterprises must ensure they are aware, safe and compliant with regulation and best practice frameworks.

In this complex business environment where customers are our rarest business asset, an organisation’s ability to offer customers a channel of choice in how they communicate and transact will be the main competitive differentiator. Across all of these channels, organisations must give customers the confidence that their transactions are safe and secure, whilst remaining compliant. With the adoption of new channels to market such as the internet, whose speed of adoption has been an incredible 3.5 times faster than the TV, and with online shopping expected to account for 11% of total retail spending in the UK by 2007, it is easy to see why there has been a need to increase consumer protection. In a CCA member survey, 25% of respondents who accepted that they should comply with distance selling regulations did not know whether they were actually complying.

It is important to achieve the right balance between customer satisfaction and compliance. Contravening the Data Protection Act could result in an enforcement notice which temporarily stops you from interacting with your customer, resulting in considerable loss of business. And it doesn’t always just relate to UK legislation, as online trading is often global by nature; for example, the retailer will need to ensure it complies with the different Data Protection Acts in each country of operation.

BT’s practitioner experience, operating one of the largest multi-channel operations in Europe, means we have significant experience in customer contact compliance. We also manage and support customer management operations for many commercial and public sector organisations, by providing global IT and networking services. In our experience, leveraging customer relationship management (CRM) systems is often the key to ensuring customer contact compliance whilst ensuring a high quality, personal customer experience. The right infrastructure, technology design and managed services, including the use of contact management, data storage, scripting and voice recording, can make compliance more achievable. As leaders of best practice, BT has developed a case study on its own customer contact compliance. You will find this in the appendix section of the white paper.

BT has sponsored a series of white papers written by industry experts; this paper, researched by CM Insight, reviews and brings simplicity to a range of key compliance issues. This ‘Protection in Distance Selling Transactions’ white paper provides a valuable insight into the regulations which apply to this area, with guidance detailing best practices on how to avoid the problems and penalties.

For both ourselves and our customers, BT has a wealth of experience in delivering customer management strategies and solutions that get results and support legal and compliance requirements. Contact us via our website at www.bt.com/corporate/crmwhitepapers to download a copy of the other white papers in this series and for more information on how BT can help you achieve customer contact compliance.

I hope you find this paper valuable and that it helps to simplify the complexity of customer contact compliance.

Gaby Heppner-Logan
General Manager, CRM


Executive Summary

Businesses face many challenges when contacting their customers. In today’s multimedia business market, customer relationship management carries with it responsibilities for protection of the consumer and the business, both in terms of full disclosure (of terms and conditions) and appropriate behaviour, and also protection against misuse of the remote and electronic media used in business today. Remote business applies to transactions (which can be sales or contracts) carried out by any media other than face-to-face, i.e. voice (through contact centres), web (through online activity) and IVR (through automated voice, for example cinema ticket sales).

BT has sponsored a series of papers produced by independent specialist customer management consultancy CM Insight¹ to help businesses understand the legal framework behind doing business at a distance, and how to leverage their CRM systems to support their regulatory responsibilities.

Some of the key issues facing organisations today in distance selling transactions include:

• More and more businesses are interacting with their customers and prospects remotely – online, through call centres or mail. This is leading to the subsequent central storage of customer and prospect data – some of it highly sensitive.

• Doing business remotely brings risks to both the consumer and the business. There is legislation governing consumer protection, but businesses need to take responsibility to safeguard their own interests.

• Consumers are protected by various laws, including data protection and distance selling regulations, and businesses must comply with these or face prosecution.

• Retailer and supplier protection has little statutory backing, but the consequences of fraud, online theft and hacking can be considerable; for example, 75% of online retailers have to absorb the cost themselves when they are the victims of credit card fraud.

• Even if your contact with customers and prospects does not involve selling remotely, you are almost certainly governed by Data Protection laws and must follow stringent guidelines on how secure customer and prospect data is.

• Failure to comply with Data Protection laws brings considerable legal penalties, the worst of which may involve shutting down the area of customer interaction, effectively suspending remote business.

• Companies can protect themselves from unwittingly breaking the law by fully understanding the Data Protection Act and ensuring that their technology supports safe and secure storage with protected access.

• Companies can protect themselves from being the victim of online fraud, hacking and theft by adopting a series of processes and supporting technologies to validate their customers’ identities and minimise data exposure.

• Special and more stringent regulations apply to customer contact and transaction management if financial services products are involved. Financial Services sector companies must comply with rules governing sales (pertaining to information given to the consumer) and record keeping.

This paper highlights the key issues in distance selling transactions, and shows how organisations can ensure confidence, trust and compliance when managing this area of customer contact.

¹ CM Insight at www.cm-insight.com


1.0 Introduction

In a series of White Papers sponsored by BT, CM Insight looks at the range of regulatory issues that affect customer contact in businesses today. The Customer Relationship Management (CRM) journey is peppered with legislation, regulations and best practice guidelines. In this paper, we will explore the issues that affect consumer protection and trust in the context of remote business transactions, whether online or by phone or mail, the legislation and best practice frameworks, and how to ensure that your business is aware, compliant and safe. Issues involved with consumer protection for remote transactions include:

1. Generic Distance Selling Regulations

2. Distance Marketing of Financial Services

3. Compliance and mis-selling rules in Financial Services

4. Data Protection and Security

5. Online and Distance Payment Security

2.0 The Rise in Remote Selling Activity

The rise of distance selling by telephone and the internet has been increasing exponentially over the last few years, but has brought with it a number of risks to consumers of remote business transactions. The growth of the internet has been 3.5 times faster than TV in terms of speed of adoption. According to a recent report by Interactive Advertising Bureau UK, the web took just 4 years to achieve 50 million users, versus 14 years for television and 35 years for radio. With this growth has come an equally meteoric adoption of online payment, leading to requirements for a regulatory framework to ensure consumer protection. By December 2003, there were 11.2 million people shopping online in the UK, versus 9 million in December 2002, and this represents 5.8% of total retail spending in the UK – and is expected to rise to 11% by 2007².

[Chart: People shopping online in the UK, December 1996 to June 2003 – figure not reproduced]

Equally, the rise in telephone sales is notable. According to Market Reports in 2003, the UK telemarketing industry has been rising steadily and this trend is set to continue.


² Source: Forrester Report ‘Choosing the Right Retail Strategy’ 2004


[Chart: Forecast for UK telemarketing spend (£m), 2003-2007 – figure not reproduced]

Businesses need to support multiple customer channels (which are forecasting growth, such as the contact centre and website), along with multimedia interactions (e-mail, text chat etc.), in a multi-device environment: multidimensional customer contact. Many businesses are not yet prepared for true multidimensional customer contact, but their customers are increasingly demanding the ability to communicate effectively with them regardless of physical location, media or device.

[Diagram: Multidimensional Customer Contact – Channel: traditional shop/office, website, contact centre, self-service; Media: web collaboration, text chat, voice, e-mail; Device: PDA, fixed line phone, PC, mobile phone, digital TV – figure not reproduced]

Source: DTI Report – Contact Babel 2004

2.1 Does this apply to you?

The legislation surrounding consumer transaction management is ever-evolving and aims to instil consumer trust in doing business with your company at a distance. However, the range of relevant legislation can be confusing – how do you know which ones apply to you and how to comply?

If you:

• Accept online, mail or telephone payments for goods and services

• Tele-market with a view to completing the transaction online or by telephone

• Initiate contracts remotely (by phone or online)

• Hold customer or prospect data with a view to marketing by telephone, e-mail, fax or direct mail

• Hold customer or prospect data on a server-based model (ie available online) even without intending to use it for marketing purposes

• Operate in any business environment for the above, or sell regulated products such as financial services products, mortgages or general insurance

then you are required to comply with at least one piece of legislation or set of regulations. We will address these issues, the impetus behind their introduction, what penalties or risks can be expected for non-compliance and how to comply with them, in terms of processes and supporting technology.



3.0 Distance Selling Regulations

3.1 Distance Selling Activity

Distance selling covers a range of remote purchasing media – online purchasing, mail order, phone shopping (either through a live agent or IVR) and digital TV. Of these, it is the internet that has seen the most prolific growth over the last few years, although the anonymity of the web carries with it risks for consumer and retailer alike.

In October 2000 the Consumer Protection (Distance Selling) Regulations 2000 came into force, which required card issuers to refund any money made from fraudulent or dishonest use of credit and debit cards. Most consumers are aware that paying by credit card affords them certain insurance and protection privileges, but this can be little comfort to the retailers, many of whom despatch goods paid for by stolen or cloned credit cards, and then find the payment withdrawn. Companies can find themselves on the receiving end of illicit transactions, for which the retailer usually ends up bearing the cost.

3.2 The need for Distance Selling Regulations

Existing consumer protection law, including the Sale of Goods Act and Misleading Advertising regulations, applies online and via telephone as with retail sales. However, additional legislation has been drawn up to deal with the growth in remote commerce. The Distance Selling Regulations (2000) give protection to consumers who shop via any distance media – online, by phone or mail order or through digital TV. The protection includes³:

• The right to receive clear information about goods and services before deciding to buy;

• Confirmation of this information in writing;

• A cooling-off period of seven working days during which the consumer can withdraw from the contract;

• Protection from credit card fraud.

Online and telephone retailers, mail order companies, telemarketing organisations and Digital TV retailers should therefore ensure that they provide the framework to support these requirements.

In a CCA member survey, 25% of respondents who accepted that they should comply with distance selling regulations did not know whether they were actually complying.

3.3 Safe Practices when Distance Selling

With the rise in remote sales activity, there is increasing responsibility on businesses to provide correct information to the buyer, including specific terms and conditions relevant to the sale and any contractual obligations inherent in the transaction. For example, when entering into a fixed or minimum-length contract (such as a phone line installation or insurance policy), the supplier must ensure that information on the buyer’s commitment is forthcoming, and that the system (eg CRM software and call recording) supports and captures this information sharing.

In financial services, buyer information is further complicated by compliance regulations covering status disclosure (ie independent or tied agency), risk (eg on secured loans or assumed returns) and advice caveats. The burden of proof has been accentuated by the Sarbanes-Oxley Act (see appendix), which has increased companies’ desire to provide a thorough audit trail of the customer relationship, including comprehensive record keeping and call recording. Ironically, the more information is taken from the customer (thus proving the ‘know your customer’ rule), the more stringent the data protection requirements.

³ Source: DTI (Department of Trade and Industry) 2004


Protection, however, is also required by the supplier in e-commerce, as they are usually left to untangle the mess caused by fraudulently ordered (and despatched) goods. Often the retailer will only become aware of a problem following a chargeback (when a credit card transaction is reversed). Chargebacks can occur for a number of reasons, such as double-charging, credit card expiration, bank errors and customer disputes. Aside from customer disputes relating to fraudulent transactions, many customers dispute online payments because they have forgotten about a purchase (especially of an ‘intangible’, eg downloaded software) or because the name on the credit card statement does not clearly remind them of the company from which they bought. Retailers can minimise risks by following these guidelines:

1. Tell the customer when confirming the order what name will appear on the credit card statement. Better still, ensure that the names match as closely as possible. Best practice recommends e-mailing customers an order confirmation with contact details, billing details and the name under which money will be collected.

2. Use address verification software to check the cardholder’s billing address before despatch. Fraudulent transaction perpetrators will in most cases not be able to verify the actual cardholder’s correct address.

3. Be cautious and extra-vigilant of transactions from abroad. Research suggests that a high percentage of fraudulent e-commerce derives from Eastern Europe.

4. Keep a comprehensive audit trail of all aspects of the transaction. A good CRM system with data security and back-up should support this without much extra manpower.

4.0 Distance Selling of Financial Services

4.1 History of Distance Selling in Financial Services

Financial Services particularly lends itself to distance selling, especially online. Following the industry’s growth in the late 1980s and 1990s, coupled with the housing boom, consumers are now much more aware of financial services products. The consumer preference for less high-pressure selling has increased the popularity of e-commerce in this sector in particular, and many financial services providers have re-structured their sales force from field sales teams to call-centre and online teams. E-commerce and call centre growth in the Financial Services sector has revolutionised consumer choice and driven down commission costs (via revealed homogeneity of product and reduced costs of sales personnel). However, the new rules aim to ensure that consumers fully understand the implications of financial contracts when sold at a distance – especially with regard to transparency of risk and charging structures.

4.2 Distance Selling Regulations in Financial Services

The Distance Marketing of Financial Services Directive is a sector-specific application of the Distance Selling Regulations and establishes a set of EU-wide rules on the information that must be supplied to consumers when financial services are sold at a distance. The Regulations came into force in October 2004 and include:

• An obligation to provide comprehensive information to consumers before the contract is concluded

• The application of a cooling-off period during which the consumer has the right to cancel the contract – generally 14 days for financial services products except for life insurance and pension products, where the cooling-off period is 30 days. Products subject to short-term fluctuations (eg shares, currency dealings) do not carry this cooling-off clause.

• Prohibiting abusive marketing practices aimed at obliging consumers to buy an unsolicited service (inertia selling)

• Rules to restrict practices such as unsolicited phone calls and e-mails


4.3 How to ensure compliance with Distance Selling Regulations (FSA)

Due to the stringent checks and processes required to comply with money laundering regulations, the supplier can be fairly certain of the identity of the client. These can be achieved via a number of security and know-your-customer checks, which can be prompted through integrating script prompts into the contact centre’s CRM software, and proved via effective call recording and live data verification (such as address verification software).

Compliance requirements in the financial services industry very much focus on what the sales person said. Controlling and guiding the agent’s side of the conversation is vital to ensure that the necessary disclosures and terms and conditions are given. Scripting software is very much part of this journey, and call recording provides the proof.

With online or call-centre based transactions in financial services, one of the main responsibilities of companies is a reliable audit trail of transactions, and proof that selling tactics (eg telemarketing scripts) have been designed to meet general Financial Services guidelines. This reinforces the need for robust call recording – both for the protection of the consumer and corporation in disputes and for ongoing training designed to improve the interaction and compliance of the agent and the consumer. A single CRM system should also help to aggregate records into one system to capture the case history of each customer, and a robust recording system should ensure that voice transactions are stored.

5.0 Compliance and Mis-Selling (Financial Services)

5.1 Definition of Compliance and Mis-Selling Regulations

The Financial Services Authority (FSA) governs compliance within the financial services industry, and covers a number of issues, most of which imply a clear audit trail. These include:

• Auditable reporting of all financial transactions – from start to finish, and through all media (e-mails and paper records). This means that each transaction must be tracked and recorded and be ultimately available to the regulator.

• Robust management of outsourcing relationships – responsibility for compliance remains with the regulated company, so robust recording and reporting should be maintained.

• Effective management of complaints, disputes and SLAs – the FSA imposes deadlines for response times and rules on dispute resolution. Therefore these must be tracked and recorded.

• Fraud and Money Laundering – these are processes that the company must apply to minimise the risk of fraud or money laundering in financial transactions.

• Collateral and product information compliance – the FSA sets out rules governing literature (eg claims of financial returns, risk etc) and even application forms (for clarity).

5.2 Implications and consequences of (FSA) compliance regulation

In regulatory environments, non-repudiation of audit trails is critical. This essentially means that data cannot have been given the opportunity to be tampered with; otherwise the company may face a costly increase in regulatory scrutiny or damage to their reputation, which in turn will have a negative impact on revenues.

Under America’s SEC⁴ ruling, e-mail and instant messages must be retained for 3 years. Depending on their activity, however, they may also be subject to international data retention laws – those of the UK/Europe for example, and vice versa. So a company may need to comply with UK and international data retention guidelines. This implies the need for a secure off-server repository, and automating this process implies saving an enormous amount of cost – in technology storage and personnel time.

⁴ SEC: Securities and Exchange Commission – US legislative body governing financial services
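The audit trail recommended in section 3.3 (guideline 4) and the non-repudiation requirement in section 5.2 both come down to the same engineering property: a record, once written, must not be silently alterable. The following Python example is added here to illustrate one common way to get that property; it is not code from the white paper, BT or CM Insight. It chains an HMAC through every log entry, so that editing, inserting or deleting an earlier entry breaks every MAC after it, and it shows the one case a chain alone does not catch (dropping the newest entries). The key, the record fields and the `AuditTrail` class are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed demonstration key. In a real deployment the key lives in an HSM or
# secrets manager and is never stored beside the log it protects.
AUDIT_KEY = b"demo-audit-trail-key-not-for-production"


def entry_mac(prev_mac: str, seq: int, record: Dict) -> str:
    """HMAC over the previous entry's MAC plus this entry's canonical JSON.

    Feeding prev_mac in means that changing, inserting or removing any earlier
    entry changes every MAC after it, so a forged entry cannot be made to fit
    without recomputing the whole chain, which needs the key."""
    canonical = json.dumps({"seq": seq, "record": record},
                           sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev_mac.encode() + canonical, hashlib.sha256).hexdigest()


class AuditTrail:
    GENESIS = "genesis"

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, record: Dict) -> Dict:
        prev_mac = self.entries[-1]["mac"] if self.entries else self.GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "record": record, "mac": entry_mac(prev_mac, seq, record)}
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, int]:
        """(True, -1) if the chain is intact, else (False, index of first bad entry)."""
        prev_mac = self.GENESIS
        for i, entry in enumerate(self.entries):
            expected = entry_mac(prev_mac, entry["seq"], entry["record"])
            if entry["seq"] != i or not hmac.compare_digest(expected, entry["mac"]):
                return False, i
            prev_mac = entry["mac"]
        return True, -1

    def head(self) -> str:
        """MAC of the newest entry; publish this outside the log to detect truncation."""
        return self.entries[-1]["mac"] if self.entries else self.GENESIS


def build_sample_trail() -> AuditTrail:
    """Three constructed sale records of the kind a contact-centre CRM might log."""
    trail = AuditTrail()
    trail.append({"event": "call_started", "agent": "A17", "customer": "C-1001",
                  "recording_id": "rec-0001"})
    trail.append({"event": "disclosure", "customer": "C-1001",
                  "status": "tied agent", "risk_warning_given": False})
    trail.append({"event": "contract_concluded", "customer": "C-1001",
                  "product": "secured loan", "cooling_off_days": 14})
    return trail


def tampered_record_check() -> Tuple[bool, int]:
    """Entry 1 is later edited to claim the risk warning was given."""
    trail = build_sample_trail()
    trail.entries[1]["record"]["risk_warning_given"] = True
    return trail.verify()


def deleted_entry_check() -> Tuple[bool, int]:
    """The disclosure entry is removed altogether; the sequence gap is caught."""
    trail = build_sample_trail()
    del trail.entries[1]
    return trail.verify()


def truncation_detected(published_head: str) -> bool:
    """Dropping the newest entry leaves a self-consistent chain, so the head MAC
    must be compared against a copy kept outside the log (eg WORM storage)."""
    trail = build_sample_trail()
    trail.entries.pop()
    return trail.head() != published_head


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", trail.verify())
    print("tampered:", tampered_record_check())
    print("deleted:", deleted_entry_check())
    print("truncation caught:", truncation_detected(trail.head()))
```

The design point worth taking from this is the last function: a hash chain proves that nothing inside the log was changed, but it cannot prove that the log is complete. The head MAC therefore has to be anchored somewhere the log writer cannot reach, which is the same reason the white paper asks for a secure off-server repository.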


Although regulations pertaining to recording and retention of telephone calls are limited, many see this as the next area of mandatory record keeping. Certainly, with millions of pounds’ worth of block trades per company, being able to produce a recorded call can prove definitive in dispute resolution and subsequent avoidance of costly legal action.

Non-compliance carries with it substantial penalties. In 2004, the FSA banned David M Aaron (Personal Financial Planners) Ltd for the widespread mis-selling of precipice bonds to nearly 8,000 customers. According to the FSA ruling, precipice bonds sold between January 1998 and June 2003 contravened a number of FSA principles, including failure to maintain adequate records and misleading promotional material. As a result, the FSA have effectively banned the firm from conducting business, and they are now in liquidation.

In 2003, Chase de Vere were fined £165,000 and Lloyds TSB were fined £1.9 million in cases involving mis-selling or misleading promotion of precipice bonds.

However, even though the penalties of non-compliance are severe and, in the extreme, are capable of forcing a company to stop trading, the FSA has mandated some fairly tight deadlines and hefty demands in its Policy Statement 04/09. The policy outlines new regulations for the collection and reporting of sales, financial and compliance data for general insurance products, mortgages and other products. Companies failing to meet FSA deadlines face substantial fines. The answer is heavily technology-led, but the clock is ticking.

5.3 How to prove compliance with FSA regulations

The biggest tool in the arsenal for compliance is undoubtedly effective call recording, data capture and storage. Call recording technology has come a long way since cumbersome DAT tapes, and the Financial Services sector in particular is only too familiar with new compressed DVDs, on-line retrieval and call replay and robustness through 100% redundancy. The latest technology, however, does not intend to add to the number of monitoring and analysis tools a call centre needs to employ. Instead, it offers tools that are integrated and balanced with the centre’s processes, or tools that are accessible through the Internet and, as such, require no software or hardware installation.

6.0 Data Protection and Security in Distance Selling

6.1 History and Definition of the Data Protection Act 1998

The latest Data Protection Act was passed in 1998 and set out to govern the use of data held on individuals to protect them from unwanted marketing, incorrect data (and the implications of using incorrect data) and infringements of privacy⁵. The need for Data Protection is increasingly obvious as more and more consumers purchase online, or remotely, and therefore store their banking details and personal purchasing preferences online. Companies such as Amazon, Interflora, Hôtel Chocolat and E-bay allow online consumers to store personal data online to allow ease of repeat orders. However, this increases the sensitivity and availability of the data – both to the business and potentially to hackers.

The Data Protection Act has many implications for distance selling. The Act gives legal rights to individuals (data subjects) regarding their personal data held by others, together with a right to compensation for damage caused by unauthorised disclosure, inaccuracy or loss, but an online retailer is particularly vulnerable to abuse from employees or unauthorised entry (hackers) because of the nature of information likely to be held.

By its nature, online selling can be global (in the example of e-bay, or even Amazon, which has many different country sites). The retailer will need to ensure it complies with the different Data Protection Acts in each country of operation.

Data Protection Prosecution Case 2004:

Before resigning from his job with a recruitment consultancy, the defendant forwarded copies of the company’s clients’ CVs to his home e-mail address. He did not seek permission to do this from his employer, nor were the clients aware of this. He was convicted of unlawfully obtaining personal data and prosecuted under the Data Protection Act.

Source: Information Commissioner Annual Report July 2004

⁵ See Appendix for Data Protection Principles.


11

6See Appendix for types of Data Protection infringements

6.2 Implications and Consequences of theData Protection ActThe IT manager will be especially involved in Data Protection forcompanies that engage in online or distance selling transactions,as most customer data, especially sensitive payment andpreference data, will be stored on their server. Theirresponsibilities include ensuring that out-of-date information isdeleted from computers, that systems are secure, consumers aregiven access to their own data if requested and there is a processto correct wrong or out-dated information. One of the key focuseswhen companies engage in online selling will need to be datasecurity.

Under the Data Protection Act the Information Commissioner mayserve an enforcement notice upon a data controller who theInformation Commissioner is satisfied has contravened or iscontravening any of the Data Protection principles.6

When a contravention takes place, an enforcement noticerequires a data controller to take, or refrain from taking, specifiedsteps or to refrain from processing any personal information (orpersonal information of a specified description) altogether, orfrom processing for a specified purpose or in a specified manner.This can effectively stop a business from interacting with itscustomer.

Contravening the Data Protection Act could result in anenforcement notice which temporarily stops you frominteracting with your customer, resulting in considerable loss of business.

Thus an online business who allows their customer data to beopened or accessed by unauthorised personnel could be subjectto drastic enforcement instructions from the InformationCommissioner, including the suspension of its server-basedtransaction practices from the consumer, whilst security is re-established. This could lead to considerable loss of business.

6.3 How to comply with the Data Protection Act 1998

100% of respondents to a CCA-member survey accepted and understood their Data Protection Act requirements. However, 6% admitted that they were not yet fully compliant and 13% that they were unaware of the penalties of non-compliance.

Complying with Data Protection laws implies a process-led policy, backed by information technology support and safeguards. The first step is for a company to clarify and confirm that it needs to conform to the Data Protection Act, and if so to appoint or identify the Information Controller.

A clear policy should be drawn up to ensure that processes and technology support Data Protection compliance. This may include:

• Storing the data securely (so that it is not easily accessible to criminal interference).

• Being able to provide information on request about why personal data is being collated and how it is going to be used.

• Being able to reveal the source of the data: for companies that source information (eg by website registration, campaign response, list purchase etc), the company’s database must be able to identify the source of each record.

• Allowing customers/consumers to unsubscribe. This is not the same as deleting the record: a deleted record could in theory be re-registered via another list-gathering exercise, so instead the record must be suppressed in a way that is clearly visible when undertaking marketing activities.

• Backing up data (on a central, remote repository) with robust recovery processes.


7.0 Online Payment Security


[7] Source: Web Developer’s Journal – Reducing Online Credit Card Fraud.

7.1 Definition of Online Payment

Despite the widespread adoption of the internet, online payment remains a major area of Internet immaturity. Online credit payments are classed as Mail Order and Telephone Order (MOTO) sales by credit card companies, yet suffer far higher levels of fraud. Whilst Mail Order companies can take comfort that they often get signatures (when an actual piece of paper changes hands), and telephone sales have CLI (Caller Line Identification) information to add to address verification systems, online retailers often have no more information than an email order containing a credit card number sent via a free email account.

7.2 The need for Protection of Online Payments

Pressure for online payment security has come about as a result of the massive growth of fraud within online activity. Fraudulent online activity ranges from using stolen credit card details to obtain goods and services, to hacking into websites (usually financial services) to download or expose sensitive data. According to a report by US company Celent Communications, cyber merchants are experiencing fraud rates that are 30 times higher than their bricks-and-mortar counterparts. Worryingly, although 90% of consumers are reimbursed when their cards are used fraudulently, 75% of online retailers have to absorb the cost themselves when they are the victims of credit card fraud.[7]

Online payment fraud is 30 times higher than in bricks-and-mortar retail shops.

Research suggests that the sectors most at risk from online credit card fraud are ‘intangibles’ – including software sales, pay-per-view sites, gambling sites and informational sites. Other sites at risk include ‘gift sites’ – where the payment and credit card billing address are different from the delivery address.

7.3 Ensuring Security of Online Transactions

In any online transaction, both parties have cause for caution. The buyer wants to ensure that when they provide sensitive (ie financial) data it is kept private, and the seller needs reassurance that the transaction is valid and that payment will not be retracted after despatch. Buyer protection can be improved by the use of sophisticated encryption technology – the latest of which is 128-bit encryption, which produces a key with so many possible values that it cannot practically be guessed, protecting the data against hackers.

Protection for sellers (to verify the buyer’s legitimacy) can be tricky, and may rely on careful processes and security checks. The Web Developer’s Journal offers some guidelines on practices that may help to reduce online payment fraud, including using address verification software, avoiding shipping overseas or to Post Office boxes and being suspicious of price-insensitive customers (who aren’t concerned with costs as they don’t plan to pay).


8.0 Healthcheck – How are you doing?


[Healthcheck flowchart. The diagram routes the reader through a series of Yes/No questions to an outcome box; the branch connections are not recoverable from the text, but the questions and outcomes are.]

The questions asked are:

• Do you understand and comply with regulations relating to consumer protection in distance selling (eg Data Protection Act, Distance Selling Regulations)?

• Are you part of the Financial Services sector?

• Do you sell regulated products such as mortgages or general insurance remotely?

• Are you confident that you understand and comply with your distance marketing and compliance obligations?

• Do you hold customer data on a server-based system?

• You need to comply with Data Protection Act requirements. Are you confident that you are doing so?

• Do you accept online or remote payments for goods or services?

• Are you sure that your own systems are protected from remote transaction fraud?

The outcome boxes read:

• You seem to have a grasp of compliance issues; however, the laws in this area are currently under review. You should check that you are up to date with legislation.

• You understand your obligations to the consumer but may not be protecting your company against distance selling fraud or security breaches. You should check this urgently.

• The penalties are severe if you do not comply with the Data Protection Act. You should act immediately.

• You must act now to ensure that you address your regulatory responsibilities in distance selling transactions.

• Not complying with predictive dialler guidelines can bring about legal action and potential fines. You should investigate your responsibilities immediately.

• You appear to be aware of your responsibilities, if any, but you should check that you are complying efficiently.

BT can help you to clarify your responsibilities in these areas and ensure that your systems and processes support compliance securely and efficiently.


Appendices


1. U.S. Sarbanes-Oxley Act 2002

The U.S. Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long. The legislation not only affects the financial side of corporations, but also affects the IT departments whose job it is to store a corporation’s electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for “not less than five years.” The consequences for non-compliance are fines, imprisonment, or both. IT departments are increasingly faced with the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation.

The following sections of Sarbanes-Oxley contain the three rules that affect the management of electronic records. The first rule deals with destruction, alteration, or falsification of records.

Sec. 802(a) “Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.”

The second rule defines the retention period for records storage. Best practices indicate that corporations securely store all business records using the same guidelines set for public accountants.

Sec. 802(a)(1) “Any accountant who conducts an audit of an issuer of securities to which section 10A(a) of the Securities Exchange Act of 1934 (15 U.S.C 78j-1(a)) applies, shall maintain all audit or review workpapers for a period of 5 years from the end of the fiscal period in which the audit or review was concluded.”

The third rule refers to the types of business records that need to be stored: all business records and communications, including electronic communications.

Sec. 802(a)(2) “The Securities and Exchange Commission shall promulgate, within 180 days, such rules and regulations, as are reasonably necessary, relating to the retention of relevant records such as workpapers, documents that form the basis of an audit or review, memoranda, correspondence, communications, other documents, and records (including electronic records) which are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review.”

2. Data Protection Principles

There are fundamentally eight DPA principles, which can be divided into how the data is used and the security and storage of data. The eight principles put in place by the Data Protection Act 1998 dictate that data must be:

1. fairly and lawfully processed;

2. processed for limited purposes;

3. adequate, relevant and not excessive;

4. accurate;

5. not kept for longer than is necessary;

6. processed in line with your rights;

7. secure; and,

8. not transferred to countries without adequate protection.

Processing may only be carried out where one of the following conditions has been met:

• the individual has given his or her consent to the processing;

• the processing is necessary for the performance of a contract with the individual;

• the processing is required under a legal obligation;

• the processing is necessary to protect the vital interests of the individual;

• the processing is necessary to carry out public functions;

• the processing is necessary in order to pursue the legitimate interests of the data controller or third parties (unless it could prejudice the interests of the individual).


[8] Source: http://www.informationcommissioner.gov.uk

3. Data Protection Infringements

There are a number of criminal offences created by the Data Protection Act, and they include:[8]

• Notification offences

These are committed where processing is being undertaken by a data controller who has not notified the Information Commissioner either of the processing being undertaken or of any changes that have been made to that processing. Failure to notify is a strict liability offence.

• Obtaining and disclosing offences

It is an offence to knowingly or recklessly obtain or disclose personal information without the consent of the data controller. This covers unauthorised access to and disclosure of personal information. If a person has obtained personal information illegally it is an offence to offer to sell or to sell that personal data.

Offices worldwide

BT and the ‘connected world’ logo are trademarks of British Telecommunications Plc

The telecommunications services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc’s respective standard conditions of contract.

© British Telecommunications plc 2005. Registered office: 81 Newgate Street, London EC1A 7AJ. Registered in England No. 1800000.

Designed by Unigraph Limited 22331/05/05. Printed in England.


Case study

Industry sector: telecommunications

Setting a leading customer contact example

Executive summary

Three years ago, BT started working at all levels of its organisation – and particularly with its customer-facing staff in contact centres – to develop and implement processes, training, tools and technologies to offer the highest level of customer service, while remaining fully compliant with a burgeoning regulatory environment. BT’s approach, described here, provides best practice guidelines on how to achieve the right balance between running a profitable business day-to-day at the same time as achieving compliance with the various laws and regulations that govern that business.

The company introduced a BT Group compliance team to develop compliance strategy as well as a customer contact centre compliance team to help proactively implement the strategy across 33 contact centres. At the agent level, BT focused on providing people with high quality training and equipping them with integrated tools – including a BT-developed knowledge management system – to guide them compliantly through every call, whether that call is to or from a consumer or a business.

BT now has an extensive customer contact compliance strategy that is helping it to meet its legal obligations, while at the same time allowing it to manage its business efficiently and cost effectively. It has welcomed visits by Ofcom, customers and even competitors to see its strategy in action. Now the Compliance Institute has been invited to benchmark BT’s compliance performance against other regulated industries.

To ensure customer satisfaction and adhere to customer contact regulation, best practice in BT embeds compliance into business as usual

“The volume of customer complaints has decreased, at a time when we have had to be more compliant in many more areas: exactly the circumstances under which you might expect complaints to rise. We cannot prove a causal link between the two events, but the empirical evidence is that BT is getting its compliance regime seriously right.”

Robin Mackenzie, Head of Consumer Strategy, BT Retail


Marketplace

BT, a leading telecommunications service provider, has 20 million residential and business customers in the UK, more than virtually any other organisation in the country. Every year, it makes millions of outbound telephone calls to those customers and receives many tens of millions from them. It is crucial that those calls are well managed.

In today’s fiercely competitive telecommunications market, where a growing range of new products and services is being offered by an expanding number of operators, customers are easily tempted to switch provider. To encourage customer loyalty, BT is aiming to excel in its dealings with its customers, enabling it to remain a leading player in a dynamic marketplace.

Three years ago, to underline its importance, BT made customer satisfaction a strategic priority. Since then it has been working at all levels of the organisation – and particularly with its customer-facing staff in contact centres – to develop and implement processes, tools and technologies to continually improve customer service.

Business opportunity

BT’s goal is to offer the highest levels of customer service in terms not only of the success of its customer contacts but also its compliance with the law. In a heavily regulated industry like telecommunications, every step of the customer contact process is covered by legislation, from the Data Protection Act that governs the collection, storage and use of personal data to the Privacy and Electronic Communications Regulations that control whether businesses and consumers can be contacted and the technologies that are used to contact them.

For BT, strict compliance has a three-fold purpose. It helps to prevent reactive investigation by Ofcom (the industry regulator formed in 2003 when the UK’s communications regulatory regime changed) and it saves the company incurring financial penalties and negative publicity for non-compliance. It also assures business and residential customers that they are not being misled or mis-sold products or services and that their personal information is not being misused – subliminally reinforcing the fact that BT is a brand they can trust.

Internally, however, compliance can be misunderstood and seen as a barrier to business. To combat this sort of attitude, at a time when the rules being applied to customer contact were increasing in number and complexity, the company decided to develop an approach that would embed compliance – as unobtrusively as possible – into the way people worked.

Furthermore, BT saw the opportunity to share its customer contact compliance ideas with other telecommunications companies as well as other industry sectors that share similar customer contact compliance challenges, such as financial services.

“In the past, we tended to wait until a contact centre told us there was a problem and then try to solve it. Now a member of my team is always integral to every new contact centre initiative, helping and advising on compliance issues. It is a much more effective way of working.”

Janet Fraser, Compliance Manager, Customer Contact Centres, BT


BT solution

Under BT’s new approach to customer contact compliance, one of the most significant changes was the establishment two years ago of a BT Group compliance team. The team develops compliance strategy, ensures that it is applied consistently, and monitors progress within the business. Wherever possible, it arranges benchmarking studies against other customer-centric companies.

The team has an equally important external focus, acting as a central contact point for Ofcom and helping to foster an open working relationship between the two organisations. This is being achieved through regular dialogue, and by Ofcom visits to BT to hear about its customer contact compliance thinking and see it in operation.

Below BT Group level, there is a customer contact centre compliance team, set up in 2003 after BT had launched a contact centre consolidation strategy. The company merged what had previously been separate activities (such as sales, service and repair) into fewer centres, 31 of which are located in the UK and two in India. This team works across all of those contact centres – ensuring that group strategy is implemented more proactively than before.

“In the past, we tended to wait until a contact centre told us there was a problem and then try to solve it,” explains Janet Fraser, BT’s Customer Contact Centre Compliance Manager. “Now a member of my team is always an integral part of every new contact centre initiative, helping and advising on compliance issues. It is a much more effective way of working.”

Compliance process

Under the current structure, new propositions are reviewed at the design stage by the customer contact centre compliance team working in co-operation with contact centre management to identify compliance issues and, in particular, any high-risk areas. A programme is then developed – with appropriate training, scripts, systems and measurements. Once launched, it is monitored so that any problems are detected and resolved as early as possible to avoid customer complaints to BT or competitor complaints to the regulator.

For programmes and queries that include particularly sensitive compliance topics, such as competitor comparisons, BT uses specialist groups that it has created within its contact centres. These groups, which are more highly trained and more tightly monitored than other contact centre agents, are given exclusive access to sensitive BT material and are the only people allowed to discuss it with customers.

Agent training

At the agent level, where customer contact compliance is put into action, BT is focusing mainly on two areas: first, on giving people high quality training, not only when they join BT but also throughout their careers; and, second, on equipping them with smart tools to help guide them compliantly through every customer call.

Every agent who joins BT (including agency staff) is given thorough induction training that stresses in the first few days the criticality of compliance, but not in legal language. Instead, BT talks about four compliance principles that address in straightforward terms the key elements of every telephone call with a customer, and yet are the foundations for meeting rules and regulations governing business conduct.


The four principles are:

• Validation (checking the caller’s identity for compliance with the data protection rules)

• Mandatory statements (information that agents must convey to customers for compliance with various legislation, including fair trading requirements)

• BT’s prices and services (providing accurate price, delivery and cancellation data for compliance with the distance selling regulations)

• Competitor discussions (selling on BT’s merits rather than denigrating the competition, for compliance with fair trading requirements)

Following this initial agent training, refresher courses are mandatory every two years. These are computer based and one – called Winning through Compliance – must be completed not only by agents but also by everyone else in the organisation, right up to the chief executive officer. BT Group compliance has systems that check when and if employees have taken the course.

Tools and technology

To manage its customer interactions, whether they are through the telephone or any other channel, BT uses state-of-the-art IT systems, including a customer relationship management (CRM) system based on Siebel software. Built into these systems is functionality that is automatically compliant with the rules and regulations covering customer contact. For the agents who have to use the systems, this means that they are guided through every customer interaction, helping to ensure that they ask the right questions and preventing them from moving on until they have.

In this way, BT is addressing many customer contact compliance issues. It is meeting the requirements of the Data Protection Act by making sure that the correct data is captured from customers and that customers are aware how the data will be used. It is also meeting distance selling regulations by ensuring that customers understand the contractual nature of any purchase they are making.

BT’s IT systems are adaptable and, at the request of the customer contact centre compliance team, can be updated by BT’s in-house specialists to accommodate new legislation. They are also integrated with many other best-of-breed tools that assist compliance. They include call recording (in case of a dispute with customers over information that has been given and received), automatic record suppression (to comply with corporate and consumer preference services contained in the Privacy and Electronic Communications Regulations), intelligent automatic dialling (to limit or prevent silent calls, and comply once again with the Privacy and Electronic Communications Regulations), call scripting (to help agents navigate a call and comply with the Data Protection Act, as well as distance selling requirements) and caller verification (to help authenticate the caller’s identity).

To further support contact centre agents and make an often-difficult job easier, BT has also developed an online knowledge management tool called OWL that has been rolled out to all contact centres over the past two years. It is a central repository of up-to-date and regularly reviewed information, covering all BT’s business activities – consumer, broadband, mobile and so on. All agents have easy access to the site, increasing their confidence that they are not inadvertently providing customers with dated, incorrect information. In supporting such initiatives, BT ensures that all of its IT systems and tools work together seamlessly.

“The processes and tools that we have put in place ensure that – in their dealings with both consumers and businesses – our customer advisors are naturally compliant,” says Theresa Whatling, BT Group Compliance Manager.

Results

BT’s integrated customer contact compliance approach helps to provide the company with the confidence that it is meeting its legal obligations – while at the same time allowing it to manage its business efficiently and cost effectively – secure in the knowledge that its people, especially its customer-facing agents, are adhering to proper procedures.

This new-found confidence is manifest in many ways. BT now welcomes Ofcom, customers and even competitors to its premises to see its customer contact compliance strategy in action. Recently, BT also invited the Compliance Institute, the UK financial services compliance body, to benchmark it against financial services firms, and to share best practice.

Another measure of BT’s belief in its compliance processes and technology is its work with the UK’s Direct Marketing Association, lobbying for increased penalties against companies that fail to comply with the Privacy and Electronic Communications Regulations, the legislation behind the preference services and predictive dialler guidelines.

Over the past two years, BT can also show that it has increased customer satisfaction, which was a strategic goal. “The volume of customer complaints has decreased, at a time when we have had to be more compliant in many more areas: exactly the circumstances under which you might expect complaints to rise. We cannot prove a causal link between the two events, but the empirical evidence is that BT is getting its compliance regime seriously right,” says Robin Mackenzie, BT Retail’s Head of Consumer Strategy.


Technology blueprint

BT’s CRM system is based on Siebel Systems’ software along with other integrated applications to support customer contact compliance, especially with the Data Protection Act and the Privacy and Electronic Communications Regulations.

In the case of data protection, BT uses scripting tools that provide agents with screen-pops of compliant script to ensure that the correct data is captured and that the customer is told what will happen to the information. In addition, it uses call recording technology to record and store agents’ calls, enabling BT to monitor whether calls are compliant and that the correct data is being captured.

BT’s CRM software also allows the source of a customer’s data to be identified, as well as how long it has been on the system and whether the individual has expressed a desire not to be contacted – either specifically or via registration with one of the preference services. To ensure data is protected, BT uses LiveVault to automatically and continuously back up business data via a secure Internet connection and store it in a secure off-site facility, where it is available for immediate recovery in the event of a system failure.

To help comply with the Privacy and Electronic Communications Regulations, BT’s CRM system is programmed to automatically suppress records in its contact database against the latest telephone, fax, mail or corporate telephone preference service lists using out-of-hours File Transfer Protocol connections.
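As an added example (not BT’s or CM Insight’s code, and not the Siebel or LiveVault functionality described above), the following Python sketch implements the record-suppression behaviour that section 6.3 and this technology blueprint both describe: an unsubscribe request or a preference-service match flags a record rather than deleting it, the source of every record is retained so it can be disclosed on request, and a fresh registration from another purchased list cannot revive a suppressed contact. The in-memory database, record layout, phone-number normalisation and sample data are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


def normalise_phone(phone: str) -> str:
    """Keep only the digits so that list matching is not defeated by spacing
    or punctuation differences (simplification: no country-code handling)."""
    return "".join(ch for ch in phone if ch.isdigit())


@dataclass
class CustomerRecord:
    email: str
    phone: str                                   # normalised digits
    sources: List[Tuple[str, date]] = field(default_factory=list)  # where the data came from
    suppressed: bool = False                     # excluded from marketing, but still held
    suppression_reason: Optional[str] = None
    suppressed_on: Optional[date] = None


class MarketingDatabase:
    """Hypothetical in-memory stand-in for a customer contact database."""

    def __init__(self) -> None:
        self._records: Dict[str, CustomerRecord] = {}

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    def register(self, email: str, phone: str, source: str, on: date) -> CustomerRecord:
        """Record a contact gathered by website registration, campaign response,
        list purchase, etc.  Every source is kept so the company can later say
        where a record came from.  A suppression flag that is already set is left
        alone: turning up on another list must not resurrect a suppressed contact."""
        rec = self._records.get(self._key(email))
        if rec is None:
            rec = CustomerRecord(email=self._key(email), phone=normalise_phone(phone))
            self._records[rec.email] = rec
        rec.sources.append((source, on))
        return rec

    def unsubscribe(self, email: str, on: date) -> None:
        """Honour an unsubscribe request by suppressing, not deleting, the record."""
        rec = self._records[self._key(email)]
        rec.suppressed = True
        rec.suppression_reason = "unsubscribe request"
        rec.suppressed_on = on

    def apply_preference_service(self, service: str, listed_numbers: List[str], on: date) -> int:
        """Suppress every record whose phone number appears on a preference-service
        list (the automatic record suppression step).  Returns how many records were
        newly suppressed; already-suppressed records keep their original reason."""
        listed = {normalise_phone(n) for n in listed_numbers}
        newly = 0
        for rec in self._records.values():
            if not rec.suppressed and rec.phone in listed:
                rec.suppressed = True
                rec.suppression_reason = f"{service} registration"
                rec.suppressed_on = on
                newly += 1
        return newly

    def contactable(self) -> List[str]:
        """E-mail addresses a marketing campaign may use: suppressed records are
        still held (so a fresh registration cannot revive them) but never selected."""
        return sorted(r.email for r in self._records.values() if not r.suppressed)

    def record(self, email: str) -> CustomerRecord:
        return self._records[self._key(email)]


def demo() -> MarketingDatabase:
    """Constructed sample data walking through the scenarios in the text."""
    db = MarketingDatabase()
    db.register("ann@example.com", "020 7946 0001", "website registration", date(2005, 1, 10))
    db.register("bob@example.com", "020 7946 0002", "campaign response", date(2005, 1, 12))
    db.register("cat@example.com", "020 7946 0003", "list purchase (vendor A)", date(2005, 2, 1))
    db.unsubscribe("ann@example.com", date(2005, 2, 15))
    # Ann turns up again on a purchased list: the new source is recorded, but the
    # suppression set by her unsubscribe request survives.
    db.register("ann@example.com", "020-7946-0001", "list purchase (vendor B)", date(2005, 3, 1))
    # Constructed telephone preference service extract (not a real list); Cat's
    # number is on it, so her record is suppressed without being deleted.
    db.apply_preference_service("telephone preference service", ["02079460003"], date(2005, 3, 5))
    return db


if __name__ == "__main__":
    db = demo()
    for email in ("ann@example.com", "bob@example.com", "cat@example.com"):
        rec = db.record(email)
        status = "contactable" if not rec.suppressed else f"suppressed ({rec.suppression_reason})"
        print(email, status, [src for src, _ in rec.sources])
```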

Main BT products & services

• BT customer relationship management system, based on Siebel software

• OWL knowledge management tool

• Eyretel call recording and storage

• LiveVault data back up and recovery
