Regulation Hub Update - January 2020
20 Jan 2020
After a sleepy end to last year, the ICO has got quite active:
- After quite a delay, the ICO has started a period of consultation – running until the 4th March – on its proposed new Direct Marketing Code of Practice. This will be very important to the contact centre industry, as the DMA’s Direct Marketing Code will be the “go to” source of advice on what is acceptable practice, even for some activities that you wouldn’t necessarily consider to be ‘direct marketing’. The Draft Code already includes contact centre examples, so this should be on all our radars.
Unsurprisingly, the DMA will be collating members’ views and providing its response. Members should let John Mitchison and Michael Sturrock know their thoughts by Friday 14th February.
- Dixons Carphone (DSG Group) has been fined £500,000 for a major data breach (this is the maximum fine available under the old Data Protection Act; DSG were lucky enough to identify and close the breach just before the 2018 Act came into effect). An ICO investigation found that an attacker installed malware on 5,390 tills at DSG’s Currys, PC World and Dixons Travel stores between July 2017 and April 2018. The malware collected personal data during the nine months before the attack was detected, giving unauthorised access to 5.6 million payment card details used in transactions, alongside the personal information of approximately 14 million people. This data included full names, postcodes, email addresses and failed credit checks from internal servers.
The ICO states: ‘DSG breached the Data Protection Act 1998 by having poor security arrangements and failing to take adequate steps to protect personal data. This included vulnerabilities such as inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing.’ This follows a £400,000 fine of Carphone Warehouse (part of the same group) in January 2018 for similar security vulnerabilities.
- Although different EU regulators’ interpretations of the GDPR rules vary, there’s a cautionary tale from Germany.
The German equivalent of the ICO has fined internet provider 1&1 £8m for what it considered the inadequacy of its identification and verification of customers through contact centres. 1&1 used name and date of birth to verify callers, which the regulator considered to be far too widely accessible to be secure. 1&1 are appealing the fine and have since introduced a customer Personal Identification Number, but it may pay to review how you ID customers.
- Finally, in the past few weeks, the Insolvency Service has handed out 7-year bans on acting as company directors to Charlotte McKeever and Jason Gambling, who ran Advanced VOIP Solutions and Legend Alliance, respectively. Both firms had promptly folded after failing to pay six-figure ICO fines.
Cryptoasset activities are now regulated by the Financial Conduct Authority.
The FCA is now the anti-money laundering and counter terrorist financing (AML/CTF) supervisor for businesses carrying out certain cryptoasset activities. Amongst other things, the FCA will require cryptoasset businesses to:
- identify and assess the risks of money laundering and terrorist financing to which their business is subject, whilst ensuring they have policies, systems and controls to mitigate such risk;
- dependent on the nature and size of the business, appoint an individual who is responsible for compliance with the Money Laundering Regulations;
- undertake customer due diligence when entering into a business relationship or occasional transactions, and enhance this due diligence when dealing with customers who may present a higher risk;
- undertake ongoing monitoring of all customers to ensure that transactions are consistent with the business’s knowledge of the customer and the customer’s business and risk profile.
The PSA has fined ECN Digital £250,000 for operating a fraudulent – or at least deceptive – ‘call connection’ service (is there any other kind?). Their online service provided big brands’ customer service and contact numbers to consumers via Google searches. However, ECN was unclear that the webpages provided were theirs rather than the brands’ own content; didn’t clearly explain that they were running a call connection service; and were insufficiently clear that they charged consumers a fee of “13PPM”, which was confusing in itself.
Tobaji – a company which has failed to pay a PSA fine levied in late 2018 – has been barred from operating in the premium rate world for another 5 years.
Some interesting research findings were issued by the Fundraising Regulator this month. The FR sampled some charities’ annual reports and found that 60% failed to give sufficient information about their fundraising practices to meet the requirements of the 2016 Charities (Protection and Social Investment) Act. Themes identified included:
- limited detail about how fundraising campaigns are run and managed, including who carries out the work;
- failure to demonstrate how the Code of Fundraising Practice is used to guide their work;
- a lack of thorough description about fundraising carried out on behalf of the organisation;
- frequent omission of the number of complaints received; and
- limited explanation of how vulnerable people are protected in the organisations’ fundraising work.
For contact centres delivering services for and on behalf of charities, a number of these failings are likely to directly impact their work and reporting needs.
In an example of peak cheek, it seems that phone scammers seeking to fraudulently obtain consumers’ bank details have now started making calls claiming to be from Ofcom. Also, Ofcom has announced the withdrawal of service for 0500 numbers. None have been newly issued in 20 years and there has been a 3-year process of either closing or migrating the remaining 0500 numbers, so this shouldn’t have an impact on anybody. But if you’re responsible for contact centres in a large, established organisation, it may be worth a quick check that legacy references to old 0500 numbers aren’t still hidden about your website or other collateral – because if there are any, someone will probably decide it’s your fault!
Nothing of note for contact centres this month from the TPS or the payments world.
Content accurate as of 12th January 2020