Sunday, January 15, 2012
As we enter 2012, it still amazes me that companies are not moving faster to mitigate HEADLINE RISK. HEADLINE RISK? It’s the risk that a major event or story will spread throughout various media publications, and will negatively impact a company’s stock. The risk is due to the harmful nature of the story, even if the news is not justifiable. • CEO OF XXX Bank resigns after vendor loses laptop with two million customers social security numbers. “I take full responsibility” says John Doe of XXX Bank. I should have: 1. Paid more attention to my Risk and Security teams 2. Hired better people to manage my Risk and Security teams 3. Asked tougher questions so our customers identities were always protected to the best of our ability 4. Hired better vendor managers to audit our vendors. They made the audit trips, but in hindsight, (after seeing the pictures of them golfing and partying on Facebook) I may need auditors to audit my auditors in 2012. When I started Find John Doe in 2007, I spent Ten Grand to have Fulbright & Jaworski give me a legal opinion in writing on what I could and couldn’t do when it came to skip tracing. I started the first skip company in 1998, and ten years later, I knew the rules had changed, and so had the www dot playing field dot com, so I figured I’d lawyer up and get an opinion. As we enter 2012, it amazes me the now obvious things I was told then that I couldn’t do are still common occurrences by companies that range from Large First Party Lenders, to their Servicers, and mostly, by the vendors whom the large, medium and small lenders hire. Why don’t the lenders pay more attention to the HEADLINE RISK they face? • No “PHONE BREAKS”, as now the person requesting it is just as liable as the person providing the info, thanks to Private Investigators hired in 2006 by Hewlett Packard leaking details to the media about how they allegedly were hired by the Chairwoman of the Board of HP to access the phone records of the other Board members and Nine Analysts who covered the company. After Congressional Hearings and President Bush Signing the Telephone Records and Privacy Protection Act of 2006, hiring companies to break phone numbers is just as illegal for the person doing the “break” as it is for the collector, or his boss, who authorized it; wink…wink. • No “UTILITY BREAKS”. Yes Mister CEO, your collectors still do request this information brokers who illegally access the utility records of public and private utility companies to see if your customer still lives at the last known address. This should make every CEO, VP of Operations, Risk Manager and anyone accountable for the protection of their company to ask and INSURE their company, or the companies they hire are not doing this, or THEY might be the one the DA goes after and puts in jail, and it’s a ten year sentence, BTW. This leads to the obvious question…Is your Collection Supervisor or those accountable really on top of Privacy, Risk and Security when it comes to how you manage risk and how you work your higher risk accounts? As we hit 2012, those still breaking phone numbers have significant issues, but ladies and gentlemen, the bar has been lowered, and if you are not in the fire yet, get ready, because it’s scary, and it should be as there are bad people out there and they will mess with you, AND YOUR CUSTOMERS, if you give them the opportunity. Ask yourself, and your staff some questions, but don’t take the answers at face value. Do some in depth auditing and find out the real answers, and make sure your auditor is craftier than the skip tracers, repossessors, collectors, collection supervisors, risk managers, operations managers etc. are, or better yet, promote your best skip tracer to the Risk audit team. Some other questions to ask within your organization are : Do you still access public records data on your customers via web-based sites? YES,…Oops. That’s Old school….and a huge RISK. Do you have printers, or worse, can these documents be stored and downloaded en mass on a zip drive, or emailed, and if they are emailed, do you even know what your new employee is emailing from their CPU? These reports are accessed through the data providers web site and they come in the form of a .pdf report that can be fifty pages long. It’s a challenge to read a fifty-page document on a 15” screen, so many times I see these reports printed and sitting on people’s desks, or in a “file” in their drawer. A file is a large envelope that is used to hold papers, its what people used to use in business back before there were paperless requirements put in place by the companies who avoid headline risk like the plague. Walk on your collection floor and if you see papers, you have issues. Are you tracking everything your staff is doing during the collection process? Are you auditing your vendors who do collections, skip tracing and repossession? Oh Really, good for you. How often do you visit them? Quarterly, Annually, Semi-Annually? Is it dinner and drinks, or an actual audit? How in depth is the audit? Is it a surprise, or planned with a list of what they want so it’s “easy on everyone”? I hear one of my competitors down the street knows when the audit is coming and they hire temps to make them look like a bigger company than they are to help convince the large lender they can handle their business. Would your auditors catch that? Apparently not, as they keep growing. How detailed is the audit? How do you dig to find out what they really do? Do you use vendor managers or auditors, or should you use a skip tracer or at least bring one along? What web sites do they visit? Oh, you let them access Facebook, cool. That’s a great site to get info from people who don’t protect their privacy. What about the people who mark their Facebook pages private. Do you let your employees or Vendors “Friend” people? Of course not ! Really, how do you know? Well… How do you REALLY know? Ok, let me be frank….if your people have access to Facebook and if you have no record of what they’re doing, you have …. MAJOR HEADLINE RISK. Google “Facebook Collection Agency Lawsuit” to see what I mean, lots of HEADLINE RISK opportunities here. You may still subscribe to the “old school theory” of what goes in the TOP SLOT and comes out the BOTTOM SLOT is OK, as long as “I don’t know what happened in between”. OLD SCHOOL. The Telephone Records and Privacy Protection Act says you are not only responsible to know what is happening, you also can spend TEN YEARS in the slammer if you are accountable, but if I’m a CEO of XXX Bank, I can care less about the Three Years my Ops Mgr got in the pokey, because I just lost my job because I didn’t know what was going on. How do they “Friend” people on Facebook? They log in with an account they created that is only used for finding people. Oh, you didn’t think they would do that cause you told them they might get fired? Are you giving them a bonus if they find more people? Are you in a city where there are more jobs for collectors than there are collectors? If you fire them will your HR department tell the company calling for a reference that they got you in a class action lawsuit over Friending hundreds of people on Facebook and then repossessing their cars, hammering them for payments, posting on their walls and embarrassing them? If they’re looking for a guy, your collector will have a site with a hot chick’s picture, and if it’s a chick they’re looking for, it’s a photo of some dude with a six pack; abs not beer, well, maybe beer. Chances are there are a lot of “friends” on each page who have already been repossessed, or know someone who got repossessed. Class Action. In my next blog I’ll talk about Repossession and the HEADLINE RISKS here as this is even worse as the stakes go up, and so do the lawsuit settlement amounts and HEADLINE RISK potential as people get killed, customers and repossessors.
Posted by John Lewis at 9:22 AM