Impact of Compliance on Process Service Companies
- April 01, 2016
- by ServeNow Staff
Recorded on March 31, 2016 with Paula Ashcraft
With regulations, technology, and logging requirements quickly changing, demand from clients to adhere to strict guidelines is at an all-time high. These new expectations can seem overwhelming to business owners. New compliance guidelines in our industry are a result of the trickle-down effect of increased regulations on our clients. This may have you wondering how this will impact your business and how you could start to prepare. In this webinar, Paula Ashcraft will walk attendees through how to handle a compliance request, technology, GPS, and filing needs, and what you need to create an effective compliance management system. You can follow her on Twitter: @GreenTreeLegal
Paula Ashcraft has 22 years of experience in the process serving industry. She began her career working as a process server as a way to supplement income. In 1996 she transitioned into business ownership with the launch of Legal Ease, which she led for the next 10 years until selling in 2006. In recent years Paula has consulted with small and large process serving agencies, passing along lessons learned. In January 2015 Paula launched Greentree Legal, LLC, leveraging experience that now plays a pivotal role as she navigates the delicate balance between business development and compliance management.
Watch the Webinar
This webinar was presented as a part of the ServeNowEDU Webinar series. To watch other previously recorded webinars and to register for upcoming webinars, visit ServeNowEDU.
What does compliance mean for the legal industry and, specifically, for process servers?
The official definition is: Conformity in fulfilling official requirements. For process service companies this would translate as implementing and conforming to a set of guidelines that enhance vendor management and protection of consumer personal data.
Compliance started with a series of events that happened within banks and financial institutions. These events snowballed into serious regulations put in place to protect consumers, in the form of Compliance Requirements of Financial Institutions. After the banks were regulated, the focus shifted to lawyers, who are required to sign service-level requirements that include having a vendor management program in place. That's where process servers come in. It basically comes down to protecting personal data and making sure there aren't any security issues.
Why compliance for process servers? Why are they being asked about what type of compliance management exists within their companies?
As the financial institutions were forced to regulate with a strict set of compliance guidelines, banks passed along compliance guidelines to law firms, which in turn forced the firms to request the same from their 3rd party vendors. This trickle-down effect is managed through vendor management policies and procedures. 3rd party vendors must adhere to compliance guidelines and now require some of the same compliance requirements of their vendors (4th party vendors or the companies we forward papers to). This is why it's important to understand that the compliance vetting process is used to determine if a company has adequate policies and procedures.
When your clients ask for things, it might seem like they're being picky, asking too much, or overly interested in your processes, but it's really because their clients are requiring it. In reality, they're just trying to conduct business and make sure their vendors have processes in place that protect data. Clients are asking attorneys, attorneys are asking us, and now we're asking our vendors for that and sending compliance packets to our vendors.
We're not talking about the nice things to have, like GPS data, timestamps, and transparency. We're talking about having policies in place that are going to be adhered to strictly. If you look at compliance and maintaining a Compliance Management System (CMS), it's going to affect how you train your employees and it's going to need constant updates.
What types of clients and jurisdictions require some level of compliance?
It's mostly happening in areas where attorneys practice in some kind of debt collection. Those are the hot areas right now, but law firms across the board in default and mortgage and other areas are moving forward with these types of issues. It's definitely not going away any time soon.
Part of this is because law firms are under such tremendous scrutiny, and these requests aren't coming from them specifically. According to numbers from a recent American Bar Association event, 80% of the largest law firms have been breached or hacked since 2011. Lawyers don't have the luxury of working with their favorite process servers or the person who dropped off donuts last week, not anymore. Now they're requiring contracts, performing risk assessments, and spending an enormous amount of time and money making sure their vendors are compliant. Much like what happened with the banks, when it levels out for attorneys, the focus will turn to process servers and other 3rd and 4th party vendors.
Are there standards in compliance?
No. There are currently no set standards for compliance. Each bank has its own set of standards. This is the biggest hurdle and source of frustration for the law firms and vendors alike.
If no standards exist, where will they come from?
Ultimately the standard will be set by the financial community and not by a particular agency. Fannie/Freddie does influence a large portion of the requirements; however, 3rd and 4th party vendors will see conformity trickle down once the law firms see standard requirements from financial institutions. In the interim there is a core compliance concept emerging around security (securing personal data) and vendor management policies.
Can we start to create our own standards as an industry and self-regulate, or are there too many unknowns at this point?
Yes. We can set our own core compliance standards within the industry and within our own companies. That's why it's important to have some core policies in place.
What is a Compliance Management System?
A Compliance Management System, or CMS, is a core group of compliance policies and the method in which those policies are implemented, reviewed and adhered to during the course of business. I created our CMS based upon a consistent series of questions that continued to emerge during the vetting process with law firms.
What elements does a Compliance Management System impact?
Your CMS will impact nearly everything, including...
- Physical Office
- Security and Access
- Records Management and Databases
- Physical Document Storage
- Training and Hiring
- 4th Party Vendor Relationships
What can I do to get started?
There are many things you can do to start building your own CMS. First and foremost, take note of the questions you are getting asked most frequently by your clients and security and IT requests. Start with a small, basic plan and move forward from there. Below is a checklist of items to consider when putting together your CMS.
- Document a protocol for securing your work space, whether it’s in your home or a commercial space.
- Make sure your office entrance is secure and access is limited
- Limit access to areas where physical records are stored
- Put together a sign in procedure that includes dates, times, and names of visitors
- Create a laptop acceptable use policy
- Make sure computers are password protected, have attempt limits, and lock after a period of idleness
- All computers should be password protected and the screen should lock after a set number of minutes of being idle. Passwords should be changed every few months and after an employee leaves
- Create a smartphone policy
- Make sure your vendors and employees know what information they can and cannot share
- Use a secure database platform that allows you to access your information from any machine
- Choose software that takes the IT work off your hands, doesn't require you to do backups, and has strong permission settings
- Have a record maintenance policy that outlines how long you keep records and how you dispose of them
- Document a protocol for document security for both physical and digital storage, including security of documents in the field and disposal
- Outline for how long you will maintain physical records, how they are stored, and how they are disposed of
- Secure legal documents within a locked file system any time you are moving them or taking them outside of the office
- Shred sensitive documents before disposing of them
- Conduct background checks, drug screening, and extensive training on all new and current employees
- Put together compliance packets to distribute to 4th party vendors and conduct audits to ensure they meet your standards
- Conduct background checks on all vendors and distribute a code of conduct for process servers
- Get Errors & Omissions Insurance
- Create contingency plans for when things go wrong (e.g. internet outage, natural disaster, systems down)
- Document a Business Continuity Plan: what will you do in the first 24 hours of a natural disaster? Print employee and client information. Plan offsite work space.
- Start to document these policies and procedures and make it part of your training process
- If you are compromised in some way, don’t hide it! Immediately contact those that need to know and have this process documented as well
We kept getting a series of questions in a common thread. It would start with your physical location: do you have a locked entrance, a sign-in sheet, are your computers password protected, do they lock out after repeated attempts? Do you have a smartphone policy? How is information shared within the organization? Have an information sharing policy. Put together a document storage policy. Is it locked? How long do we keep documents, what gets shredded and when? Get E&O insurance. (Law firms can't even get insurance without those policies.)
It's also important to train servers so that they aren't violating rules in what they can and cannot say.
Small one- and two-person shops can start by analyzing their current practices and making sure they have insurance and have contact info printed out somewhere in case the internet goes down. Inability to operate without their hard drive or if the internet goes down. You need to be able to pick up on the fly and be able to stay in touch and operate if an Internet outage or disaster happens. As you add employees, make sure you have a code of conduct or best practices.
What has being compliant done for your ability to sell new customers?
Without compliance policies and procedures in place, we would not be able to onboard any new clients in the default sector. Going through this process helped us implement sound, sustainable business practices.
How would someone approach setting up CMS within their own company or find more info about this topic?
There is a fantastic educational opportunity this year at the NAPPS annual conference June 2-4 in Albuquerque, NM. I am facilitating along with Eric Vennes, who chairs the Financial Services Compliance Committee (FSC). Together we will host a 1.5-hour educational seminar. In this seminar we will outline core compliance policies along with a step-by-step guide to help folks get started with this process.
Greentree Legal has also started a Compliance Consulting team to assist companies that are serious about getting started but may need some guidance. We will also be conducting a series of webinars for a deeper dive into specific compliance components. Our contact information can be found on our website.