Compliance: The Importance of Process Flow
In my last blog post, I identified two categories of mandating entities. I also gave examples of typical entities in the payment industry who do mandate requirements. Hopefully, you were able to use that information to start the Compliance Database I recommended in that blog post.
Now that you have identified the entities who can mandate, what areas of your business do their mandates impact?
Here is where process flow needs to be added to your Compliance Database.
Process flow first identifies your business products and services. Then it maps out the infrastructure, teams, outsource partners, and networks each product or service flows through.
An accurate process flow document will help you avoid two painful compliance errors:
Imposing compliance requirements too widely, causing unnecessary requirement loads.
For example, you may want to apply payment network mandates to all your credit card products. This would be too wide of a compliance implementation and would cause you extra work and conflicting mandates.
Why?
As long as a credit card account has a card attached to it, that account must abide by payment network compliance requirements.
However, if this account is sent to collections for nonpayment, the account changes. It no longer has a credit card attached to it. The account is now listed as a bad debt to be collected. Therefore, the compliance requirements imposed by the payment network no longer apply to this account. In place of payment network requirements, there are now legislative requirements for debt collection that impact that account. The change of account status changes its product definition. This also changes who imposes compliance requirements and what those requirements are.
Implementing compliance requirements too narrowly, causing noncompliance.
I find this often happens when companies outsource different functions of their business. While they may be completely compliant with requirements internally, they fail to notify, monitor, and get reporting on the same compliance requirements as they apply to their outsourced activities. An example would be PCI and data security requirements. These mandates apply to your data no matter where it is stored – at your premises or with an outsourced service provider.
Is this Compliance Database starting to sound complicated?
Contact me. I would be glad to help you shape your Compliance Database so that you can effectively manage your products, processes, and compliance going forward.