As a member of the collection and receivables management industry, Direct Recovery Services, LLC. is committed to conducting its business affairs and relationships according to the rules and guidelines that are compliant with industry self-regulatory principles set forth by the American Collectors Association (ACA), the Receivables Management Association (RMA), the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), and various state banking regulatory agencies. We realize the importance of customer privacy and accept our responsibility to keep consumer and customer nonpublic personal information private and safe.
The Gramm-Leach-Bliley Act:
On November 12, 1999, the president signed Public Law 106-102, the Gramm-Leach-Bliley Act (the “G-L-B Act”; much of the Act is codified in 12 U.S.C.). This act, many years in the making, repealed the Depression-era prohibition on common ownership of banks, insurance companies, and stock brokers/underwriters.
It also created new consumer information privacy and anti-disclosure policies for a wide range of entities, including collection agencies. The law required the banking regulatory agencies, the Securities and Exchange Commission (SEC), and the Federal Trade Commission (FTC) to adopt rules by mid-May 2000.
Under the Act, all financial institutions must provide notification to each of their customers outlining their specific privacy policies related to the sharing of nonpublic personal information. If the institution shares or intends to share such information with a nonaffiliated third party, it must first provide the customer with the option to request an opt-out. If the customer elects to opt out, the nonpublic information may not be shared with any nonaffiliated third party except under certain circumstances.
A “customer” is a consumer who has a “customer relationship” with the institution. A “customer relationship” means a continuing relationship with the debt buyer or the “financial institution.” Once a debtor on purchased debt has been located, or an attempt has been made to collect on a purchased debt, a “customer relationship” with that debtor is established and the Act’s guidelines must be followed. Accounts that are still owned by the originator and that are being collected on behalf of the original creditor (contingency collection services) are not subject to the notification rules set forth in the Act. These debtors are considered “customers” of the original creditor, who is bound by the notification rules and guidelines of the Act. However, the disclosure rules and regulations of the FDCPA must be strictly applied and adhered to.
Nonpublic Personal Information Defined:
Nonpublic personal information is defined as any personally identifiable financial information provided by the consumer to obtain a financial product; or resulting from transactions with that product; or information the “financial institution” obtains about the consumer in connection with that product (e.g., credit bureau information). Examples include: Social Security number; driver’s license number (in some states); place of employment or work telephone number; non-listed home phone number; where the consumer banks; and details about the particular account. Other examples of nonpublic personal information include: account balances; payment histories; transaction history; or any information that discloses that the individual has a financial relationship with the institution. This type of information is governed and restricted by the Gramm-Leach-Bliley Act.
Public Personal Information Defined:
Public personal information (or information which the “financial institution” reasonably believes is publicly available) can be disseminated without restriction under the Act and regulations; this type of information includes:
Motor vehicle ownership, driver’s license information (in some states), and real estate ownership data that have been derived from public records; addresses and phone numbers from paper or electronic directories; and information obtained from any website that can be accessed by anyone without restriction (paying a fee for this information is not a restriction). Presumably, although the regulations do not mention it, information about a debtor that is publicly available in court records (e.g., banks successfully garnished for a debtor; employers successfully garnished for a debtor; the existence of a debtor’s Chapter 7 or Chapter 13 filings) is also “public personal information” not subject to this regulatory regime.
However, you cannot disclose data about the debt or financial relationship to third parties unless that transaction is a matter of public record (for example, real estate mortgages).
These “public” data can be exchanged with third parties without privacy notices because the data is not “nonpublic personal information.” HOWEVER, as a “debt collector” under the Fair Debt Collection Practices Act (“FDCPA”), there are other restrictions on disclosure of any data about a debtor and his/her debt that are NOT supplanted or superseded by the privacy regulations. Familiarize yourself with the FDCPA and consult legal counsel before you transfer information about a debtor and his/her debt to a third party.
Privacy notifications will be sent for every account that Direct Recovery Services, LLC. has purchased and for which a “customer relationship” has been created. All active accounts that maintain a “customer relationship” according to the Act’s definition will receive annual privacy and opt-out notifications.
Opt Out Rights of Customers:
If a “customer” requests that information not be shared with any nonaffiliated third party, that request must be honored. The customer is provided with a toll-free number to call to make these requests. Once such a request is received, it must be fully documented on the account and honored. Information may then be shared only in the circumstances outlined in the Act, such as in response to a court order.
Authorized Access to Customer Information:
Access to “customer” information is restricted to legitimate Direct Recovery Services, LLC. business and is limited to only those employees who have a legitimate purpose. Access to customer information is restricted on a “need to know” basis, and all systems must be configured in conformance with the “least privilege” standard. Customer information must be safeguarded through all means available, including physical and electronic means. All unauthorized access to customer information is strictly prohibited.
The Act does not prohibit the sharing or transfer of “public personal information” nor does it prohibit any lawful utilization of such information for legitimate business purposes. However, the Fair Debt Collection Practices Act must be strictly applied to third party disclosures and inquiries. The success of future skip-tracing attempts may be affected by other creditors’ application of the Act.
If skip-tracing calls are received by representatives of Direct Recovery Services, LLC., the representative must be careful to only disseminate public personal information according to the Act and FDCPA guidelines.
Fraudulent Attempts to Obtain Information:
Employees of Direct Recovery Services, LLC. must be careful to safeguard the nonpublic personal information of the customers of its clients. If a representative becomes suspicious of a third party’s attempt to fraudulently obtain nonpublic personal information, they should immediately report this suspicious activity to management. The goal of Direct Recovery Services, LLC. is to preserve the integrity of its operations and the collection industry by safeguarding sensitive materials and data.
Conformance with Applicable Industry Standards and “Certifications”
Direct Recovery Services will adopt and comply with the security and operating standards applicable to the asset recovery industry and required by DRS clients. Such standards include, but are not limited to, the Payment Card Industry Data Security Standard (PCI-DSS), ISO 27001, SSAE 16 (SOC 1 or SOC 2), and the Gramm-Leach-Bliley Act. This adherence will include the body of standards set forth by each of the above as well as the ancillary operations, which may include external and internal network vulnerability scans and penetration testing by a qualified Approved Scanning Vendor (ASV) at the recommended intervals. Such penetration testing will cover both the network and application layers and will also be performed following any significant infrastructure or application upgrade or modification that could conceivably alter the security and integrity of the environment.