WSR 21-03-046
[Filed January 14, 2021, 1:10 p.m., effective February 14, 2021]
Effective Date of Rule: Thirty-one days after filing.
Purpose: To codify into permanent rule the option for collection agencies to offer licensees and their employees the ability to remotely work. This would outline detailed and necessary security measures and data storage requirements; and detailed definitions and requirements of remote work.
As per the governor's proclamations to keep Washington residents safe and healthy during the COVID-19 pandemic, it was identified that to be consistent with other business and professions in this state that are able to remotely work from home that rule language was needed to allow the option for collection agency licensees and their employees to do the same. It is necessary to offer licensees the option to remotely work to support the return of commerce in all business sectors. This would allow them to continue to offer the public their necessary services.
Citation of Rules Affected by this Order: New WAC 308-29-085; and amending WAC 308-29-010.
Statutory Authority for Adoption: RCW 19.16.351.
Adopted under notice filed as WSR 20-23-083 on November 17, 2020.
Changes Other than Editing from Proposed to Adopted Version: In new WAC 308-29-085(4) a nonsubstantive change was made removing the word "debts" from OTS 2393.3. This simplified the definition of collection agency activities and removed any opportunity for different interpretations in the industry. The board unanimously voted and approved it on January 12, 2021.
Number of Sections Adopted in Order to Comply with Federal Statute: New 0, Amended 0, Repealed 0; Federal Rules or Standards: New 0, Amended 0, Repealed 0; or Recently Enacted State Statutes: New 0, Amended 0, Repealed 0.
Number of Sections Adopted at the Request of a Nongovernmental Entity: New 0, Amended 0, Repealed 0.
Number of Sections Adopted on the Agency's own Initiative: New 0, Amended 0, Repealed 0.
Number of Sections Adopted in Order to Clarify, Streamline, or Reform Agency Procedures: New 0, Amended 0, Repealed 0.
Number of Sections Adopted using Negotiated Rule Making: New 1, Amended 1, Repealed 0; Pilot Rule Making: New 0, Amended 0, Repealed 0; or Other Alternative Rule Making: New 0, Amended 0, Repealed 0.
Date Adopted: January 14, 2021.
Damon Monroe
Rules Coordinator
AMENDATORY SECTION (Amending WSR 01-11-132, filed 5/22/01, effective 6/22/01)
WAC 308-29-010 Definitions.
(1) Words and terms used in these rules have the same meaning as each has under chapter 19.16 RCW unless otherwise clearly provided in these rules, or the context in which they are used in these rules clearly indicates that they be given some other meaning.
(2) "Branch office" is any location physically separated from the principal place of business of a licensee where the licensee conducts any activity meeting the criteria of a collection agency or out-of-state collection agency as defined in RCW 19.16.100.
(3) "Business office" is the licensed principal place of business or certified branch office from which the licensee conducts any activity meeting the criteria of a collection agency or out-of-state collection agency as defined in RCW 19.16.100.
(4) "Collection activities" as used in this section means those activities performed by collection agencies or the employees of collection agencies pursuant to chapter 19.16 RCW.
(5) "Employee" is a natural person employed by a licensee and shall not be deemed a "collection agency" or a "branch office" as defined in RCW 19.16.100 (5)(a) so need not have an additional license or certificate to perform collection activities on behalf of the licensee whether working from a business office or from the employee's virtual office.
(6) "Repossession services" conducted by any person shall not be deemed a collection agency as defined in RCW 19.16.100, unless such person is repossessing or is attempting to repossess property for a third party and is authorized to accept cash or any other thing of value from the debtor in lieu of actual repossession.
(((4)))(7) "Managing employee" is an individual who has the general power to exercise judgment and discretion in acting on behalf of the licensee on an overall or partial basis and who does not act in an inferior capacity under close supervision or direction of a superior authority (as distinguished from a nonmanaging employee who is told what to do and has no discretion about what he or she can and cannot do and who is responsible to an immediate superior).
(8) "Remote work" occurs when an employee performs collection activity for a licensee from the employee's "virtual office" as defined herein and more particularly described in WAC 308-29-085. Work performed by a licensed attorney litigating claims on behalf of a licensee is not remote work subject to WAC 308-29-085.
(9) "Virtual office," for purposes of chapters 19.16 and 18.235 RCW and chapter 308-29 WAC, is a virtual extension of the licensee's business office, which is fully connected via electronic means and telecommunications to the business office and its employees and from which an individual employee may perform the same collection activities and be similarly monitored as if located in the business office and as more particularly described in WAC 308-29-085.
WAC 308-29-085 Remote work requirements.
A licensee may allow qualified employees to perform collection activities from virtual offices if the following requirements are met:
(1) Employee list. A licensee must keep a record of employees who are permitted to perform collection activities from a virtual office. The list must be kept current, and must include the employee's name, telephone number and email address, and the virtual office location address.
(2) Equipment list. A licensee must maintain a current record of licensee equipment supplied to an employee for use in their virtual office.
(3) Employee remote work agreement. A licensee must provide the employee a written agreement or checklist signed by the employee that indicates the employee has reviewed and agrees to the following requirements:
(a) While working remotely, the employee must agree to maintain confidentiality of consumer data, must maintain all collection agency data electronically and may not print hard copies or otherwise reproduce copies of collection agency data.
(b) The employee must read and agree to comply with the licensee's IT security policy and any updates.
(c) Employee must agree to maintain the safety and security of licensee's equipment at all times as more particularly described by the licensee.
(d) An employee must review a description of the specific type of collection work the employee or class of employee is allowed to perform while working from their virtual office.
(e) The employee must agree not to disclose or convey to the consumer that the employee is working from a virtual office or that the virtual office is a place of business.
(f) An employee must be advised that the employee's collection agency activities are subject to review and calls to and from the virtual office will be monitored and recorded.
(4) Virtual office requirements. An individual employee's virtual office is an extension of the licensee's business office and must meet the following requirements:
(a) It must have full connectivity with the licensee's business office systems including computer networks and phone system and must provide the licensee the same level of oversight and monitoring capacity as if the employee were performing their activities in the business office.
(b) It must have the capability to record calls made to and from the virtual office and to monitor virtual office calls in real time.
(c) It must be located within the United States and, within one hundred miles of the licensee's business office.
(d) It must be in a private location where the employee can maintain consumer confidentiality during the performance of their collection activities.
(e) It must meet all security requirements of this section and contain the equipment necessary to conduct the licensee's work safely and efficiently.
(f) Each employee shall be connected to the business office via a virtual office that requires unique credentialing for access by each employee.
(g) No more than one employee may work from a virtual office from the same physical location, except that cohabitating employees may each maintain a virtual office from their shared residence.
(h) Employees may not print or store physical records in the employee's virtual office.
(5) Employee requirements. The licensee is responsible for ensuring that an employee working from a virtual office meets all of the following requirements:
(a) To become eligible to work from a virtual office, the employee must have completed a training program at the licensee's business office, which covers topics including compliance, privacy, confidentiality, monitoring and security, and other issues that apply particularly to working remotely from a virtual office.
(b) In addition, an employee must complete a minimum of forty-five days of direct oversight and mentoring in the licensee's business office prior to working from a virtual office. This requirement may be waived by the board under emergency circumstances that the board has determined makes it impossible to perform.
(c) Once an employee begins to work from a virtual office, they must be subject to the same levels of communication, management, oversight and monitoring via telecommunications and computer monitoring as they would if working in the business office.
(d) While working remotely the employee must comply with all applicable laws and regulations as outlined in chapters 19.16 and 18.235 RCW and chapter 308-29 WAC.
(6) IT security requirements. Licensees are responsible for developing and following a written IT security policy for virtual offices that outlines the security protocols in place safeguarding the company and consumer data. Consumer data in the form of an electronic record must have the appropriate protections against unauthorized or accidental disclosure, access, use, modification, duplication, or destruction.
The IT security policy shall include the following additional requirements:
(a) Virtual office access to the collection agency's secure system must be through the use of a virtual private network "VPN" or other system that requires usernames and passwords, frequent password changes, authorization, multifactor authentication, data encryption, and/or account lockout implementation.
(b) The immediate installation or implementation of any system updates or repairs in order to keep information and devices secure.
(c) The provision of safe and secure storage with expandable capacity for all electronic data including consumer and licensee data.
(d) Virtual offices must contain computers and/or other electronic devices that have secure computer configurations and reasonable security measures such as updated antivirus software and firewalls.
(e) Access to licensee's systems must occur on company-issued computers and electronic devices whose use is restricted to authorized employees while working at their virtual office, and an employee's use of devices must be limited to employment related activities on behalf of licensee.
(f) Consumer data is accessed securely through the use of encryption or other secure transmission sources.
(g) An action plan has been developed and communicated with relevant employees on how to handle a data breach arising from remote access devices in accordance with applicable laws, which shall include any required disclosures of such breach.
(h) A disaster recovery plan has been developed and communicated with relevant employees on how to respond to emergencies (e.g., fire, natural disaster, etc.) that have the potential to impact the use and storage of licensee's data.
(i) The secure and timely disposal of licensee's data as required by applicable laws and contractual requirements.
(j) An annual internal or external risk assessment is performed on the collection agency's protection of licensee's data from reasonably foreseeable internal or external risks. Based on the results of the annual risk assessment, the collection agency shall make adjustments to its data security policy if warranted.
(k) The licensee can stop the virtual office's connectivity with the network and remotely disable or wipe company issued computers and electronic devices that contain or have access to licensee's information and data when an employee no longer has an employment relationship with the company.
(7) Call recording and monitoring. Licensees must consistently record and monitor calls in which employees are performing collection activities. Call recordings must be maintained for a minimum of four years and call monitoring must be regularly performed, a portion of which must be in real time. Recording and monitoring calls from virtual offices must meet industry standards for collection agencies and ensure that virtual office calls comply with chapter 19.16 RCW and more particularly with RCW 19.16.250 (13)(c), (18), and (19) and also chapter 9.73 RCW.
(8) Nondisclosure. Neither the employee nor the licensee shall represent to debtors or any other party that the employee is working independently from licensee in a virtual office. Such acts include, but are not limited to:
(a) Advertising in any form, including business cards and social media, an unlicensed address or personal telephone or facsimile number associated to an unlicensed location.
(b) Meeting consumers at, or having consumers come to the employee's virtual office.
(c) Holding out in any manner, directly or indirectly, by the employee or licensee, an address that would suggest or convey to a consumer that the virtual office is a licensed collection agency location or "branch office," including receiving licensee's mail, or storing books or records at the virtual office.
It shall not be considered a violation of this section if, in response to an inquiry about the remote worker's location, a remote worker responds that the worker is working remotely or working from a virtual office, or words to that effect.
(9) Data breach. Should a licensee or virtual office experience a data breach as defined under chapter 19.255 RCW, the licensee must comply with the requirements of chapter 19.255 RCW.
(10) Evaluation. The board will review and evaluate the adequacy of this section at least annually and will make amendments, as the board deems necessary.