Adam Parks (00:07)
Hello everybody, Adam Parks here with a very special episode of the Receivables Podcast. Today I have Sara Woggerman here with me to talk about RMAI certification, what's changing, how to prepare for audits, and what's sticking people these days as they're going through their audit process so that you can get better prepared. Because now that we know that more debt buyers are requiring certification from RMAI of their vendors, their law firms, their agencies, I think we're gonna see a lot more people engaging in the process. So Sara, thank you so much for coming on and sharing all of your insights.
Sara Woggerman (00:45)
Absolutely, glad to be here, Adam.
Adam Parks (00:47)
Sara, for anyone who has not been as lucky as me to be your friend through the years, could you tell everyone a little about yourself and how you got to the seat that you're in today?
Sara Woggerman (00:56)
Yes, hi, Sara Woggerman. I have been in the industry for going on 20 years. I have worked for three debt buyers. So it was an easy decision to jump into the auditing side of RMAI certification program because I've been living and breathing the debt buying space since I started. I now run Arm Compliance Business Solutions. And, you know, I basically wanted to go into a consulting role after again, working for all those debt buyers, being in hundreds of collection agencies, felt like I had a unique skill set to be able to help a broader audience. And so I take a lot of pride and very passionate about this industry. And I'm really excited to talk to you about the RMAI certification program and everything that goes on with the audits because that's a big part of what my company does.
Adam Parks (01:45)
Sure, as a certified auditor, I know that you're intimately involved with all of this and as someone who operates as a chief compliance officer for different organizations in all of your experience as a reformed compliance professional myself, I understand the breadth of understanding and how deep you get to see into all of these different operations and what that ultimately means in terms of the insights that you're able to share. Now, I've heard through the grapevine that more debt buyers are starting to require RMAI certification. What are you seeing on the ground level?
Sara Woggerman (02:17)
My phone has been blowing up about certification. So I can help companies in one of two different ways. I can perform your audit as a certified or as an authorized auditor. Or I can help you prepare
Sara Woggerman (02:29)
for an audit as your fractional chief compliance officer. And so there are three larger debt buyers that I have heard are actually requiring this of their collection agencies and collection law firms. This is a change from policy. They might've encouraged it previously, but now they're actually making it a requirement to be part of their network, which I highly commend them on doing. And why is this important? So for those of you who maybe have thought they,
Sara Woggerman (02:57)
you know, maybe you didn't want to get certified or didn't maybe see how it would help you. I want to make sure that everyone understands that certification is really a tool that is above and beyond just being compliant. It is to make sure that there is a baseline for compliance amongst the industry.
And there's a lot of thought that goes into these certification standards. I can talk a little bit about how I see that come through as an auditor. But what this enables RMAI to do on the behalf of its membership is to really advocate for legislative amendments or changes, right? So if the state of California has some wacky law, I'm just, you know, not that they would ever do that, right? Or New York is coming out with some, some law that's going to be extremely detrimental to the industry. One of the biggest tools in RMAI toolkit is to say,
Adam Parks (03:49)
God no, they would never do that.
Sara Woggerman (04:00)
we check for this within our certification standards. We have a robust standard for this that we don't need a law, guys. We don't need a law for this because we're already managing to this. You would be, because I sit on like the legislative committee and other committees within RMAI, I see that play out, not just from being an auditor, from literally watching it from their advocacy side. And I truly believe that this helps everybody in that sense to negotiate those laws that can be highly detrimental to our business practices.
Adam Parks (04:37)
As a board member for almost 10 years of RMAI and a past president, I concur with everything that you're saying. I think the self-regulation of the industry itself has really helped us to not only build bridges in Congress, but with the regulators and on both sides of the aisle. Because the third party auditing aspect of the program, I think is really what gives it its teeth.
Adam Parks (05:01)
And now they've got the engagement with the Better Business Bureau and other organizations are taking it more seriously. We've seen some of that language start to show up within legislation. And I think it's been able to arm the board of directors, the association, David Reed specifically, and all of the great work that him and Don Maurice and Mike Becker are doing as they're engaging with the attorney generals.
Sara Woggerman (05:04)
Over. Amazing work those three guys are doing, yes.
Adam Parks (05:25)
Right state level attorney general and even at the federal level, because let's not pretend that the CFPB is going to disappear. I think that we've got a stay of execution here on some level, but nothing is really going to go away. So continuing to go down this path and continuing to take this opportunity to strengthen our industry even when we think we are holding all of the cards because you never hold all the cards forever. But the.
Sara Woggerman (05:27)
Yes. Correct.
Adam Parks (05:52)
Constant change, it's the evolution of the program itself too. And so talk to me a little about what has happened with the 13.0 certification program and what has changed.
Sara Woggerman (06:06)
Yeah, so there was a couple specific things I want to talk about about version 13.0. So this is probably hitting you. It's end of year going into the beginning of 2026. Just PSA to the industry, take a good look at your policies, right? It is easy to forget that sometimes the standards, the number might not, the name of it might change or not change rather, but there's something in there that is really important that needs to be updated and you need to consider for a policy and procedure. So one area in which that happens is in the complaint and dispute section. So in the complaint and dispute section specifically, for those of you who are following the state law trends, they have added coerced debt in there. And so what is coerced debt? Well, it's defined as any forced debt against somebody's will, right? So RMAI standard is that you need to consider it. It needs to be treated in an empathetic and be sensitive to it. But they're not telling you exactly what to do with it. Not at this point, because right now there are states that are coming up. I believe there's 11 states as of today that have coerced debt laws on the books and there's a handful of others. Again, coerced debt, because we're getting 11 different versions of this at the state level. We want to be able to say our folks are already looking for coerced debt, we're already treating it with care, we're segmenting it, we've got a process for it and our auditors are checking for it for our certified businesses. This is a great example of like an issue that's popping up all of a sudden everywhere and that RMAI is getting in front of before it becomes something that the CFPB takes up, which they've already started to do.
Adam Parks (07:58)
So it sounds like this is exactly one of those examples where we can see that the changes in the marketplace or what is happening within the regulatory or legislative bodies is having a direct impact. And by putting these things into the program, we're able to further those discussions and demonstrate our forward progress over time because the again, 13.0, this is clearly not the first round of changes to the certification program, right? It's been going on for quite some time, so it has become an evolution, a living and breathing mechanism for the industry to hold themselves to a particular standard and then have it audited by a third party. What else are you seeing in the 13.0 that the audience should be aware of?
Sara Woggerman (08:29)
No. So AI, artificial intelligence, is getting weaved in there in spots. So for example, your non-discrimination in collection practices policy, that standard was added several versions ago. But now, if you are using artificial intelligence for decision making, you have to make sure that you've factored that into your policy.
If you listen to Adam and I talk about AI governance and any other podcasts, we've talked a lot about that. Go back and check those out. So I won't go down that path, but we're seeing that we've done also on the data security section. We're seeing that we've done there as well. Right. How do you make sure that data is being contained? PII isn't being shared in open source, artificial intelligence tools, things of that nature. There's some other changes within the data security section too, I'll point out. They're beefing it up a little bit, right? So as we all know is data security is, that's a, it could have its own, it does have its own audits, right?
Adam Parks (09:49)
Well, the data security is the number one concern of the debt collection industry per the TransUnion 2024 debt collection industry report and the survey. Like that was number one for everybody. We've seen some really well-known organizations been around for 30 plus years that are no longer with us because of data security incidences. And AI amplifies that in two ways. One, it amplifies it in terms of what we have to deal with from an attack vector.
Sara Woggerman (09:59)
Yeah.
Adam Parks (10:16)
Right, the surface area that we have to defend from an attack perspective now that artificial intelligence can be used not only to try and penetrate systems, but from a social engineering perspective to try and trick people into taking next action. And then how do we look at artificial intelligence in terms of protecting ourselves and our organizations and our policies? And it was really you that kind of turned me on to the idea of the
Sara Woggerman (10:27)
Yes.
Adam Parks (10:41)
privacy impact statements and what is that kind of reporting going to look like as we're looking at artificial intelligence? Because three years ago we talked about the black box. Now we're talking about the black box is not gonna be an acceptable answer by anybody. We know it's not gonna be accepted by the CFPB, any legislation, any regulator, no one's going to accept. Well, I didn't know it was in the black box. So we have to go a little bit deeper and understand the models and what's happening.
And sometimes we need to have somebody in our organization that's capable of it, but I'm glad to see RMAI starting to move in that direction. I was always against us really regulating artificial intelligence because it's not even regulated by the associations for artificial intelligence, but the application of artificial intelligence for the purposes of debt collection, I think is where we can have a serious impact.
Sara Woggerman (11:31)
I agree with that. So it makes sense where they've interjected it into the standards, right? And the discriminatory practices piece and within data security and your IT infrastructure. So make sure, especially for those of you who may have smaller companies, maybe you have outsourced IT support instead of, you know, somebody that's in-house. Please go look at those standards and just make sure that you are tightened up. They are in line with the FTC safeguards rules. But there are very specific things that have been added to these standards and I just don't want you to be caught off guard because these are harder things to remediate. The data security section, when you have a remediation area, it's a little bit harder to turn that quickly. It's different than just having a policy update.
Adam Parks (12:16)
That's a really good point because it does require you to actually deploy and to make sure that all of your technology pieces are meeting those standards and, you know, SOC 2 Type 2 and the other standard certifications that we have in place don't necessarily look at artificial intelligence in the same way or necessarily even data security. So I think it's important to
Sara Woggerman (12:21)
Yes.
Adam Parks (12:36)
look at it through the RMAI lens to ensure that you're going to be able to conform and that you're going to slide through your audit or move through your audit process with as little friction as possible.
Sara Woggerman (12:39)
Yes. Right. And the other element of this data security is your data retention policy. One of the things I was talking, and this isn't the first time I've had this conversation, but I've had clients say, well, I keep stuff forever. And I go, that's a terrible answer. That is the absolute worst answer you can ever say. And they're like, what do you mean? Because there was a time in this industry where people wanted to hear that. You do not want to hang on to data forever. The data breaches that we have experienced that have been catastrophic have become a lot of times it is due to legacy data that wasn't truly wiped. You don't have to keep it forever. It's not good to keep it forever. So take a look at your data retention and then make sure you have controls to properly purge that data in a way that is compliant and the secure disposal of that information.
Adam Parks (13:45)
If you're gonna hold it forever, isn't that increasing your cyber liability policies exponentially because you're protecting a number of records and now the risk vector is significantly higher and the insurance premiums that you're gonna pay are gonna be a lot higher as well.
Sara Woggerman (13:50)
Huge. Yes! Nothing scares me faster than that response is, we keep it forever. No. And they're always so shocked when my face goes like that, like, no, stop it. Because they truly.
Adam Parks (14:10)
Because it's a 2010 response, not a 2025 response.
Sara Woggerman (14:13)
Exactly! That's a great way to say it, yes!
Adam Parks (14:18)
Like you said, there was a time in which some of these things were kind of the requirement or that's what they wanted to hear. But that was also before we started moving toward cloud infrastructure versus all of this on-premise. I think debt buyers specifically have really were kind of the leading edge to moving away from some of that on-premise and leveraging the cloud infrastructure. But I guarantee you that the engineers at AWS are going to be significantly better.
Sara Woggerman (14:30)
Yes. Right.
Adam Parks (14:47)
poised to protect a data set than anyone that you're going to have on your local premises.
Sara Woggerman (14:52)
Yeah. Yep. I know that's a subject you like. I like to just like pretend I know what I'm talking about a little bit. No, never want to be a data security expert. My brain can't function that way. I will be a consumer financial law expert. That's a different person.
Adam Parks (14:53)
Not to get on my soap box. And that's what we need in this industry right now, right? We need more people who understand how to operationalize these challenges and to help organizations be prepared to execute on this. Is there anything else coming out in 13.0 that I'm not considering yet?
Sara Woggerman (15:24)
Right? Those are the main things. There's some things that changed like for law firms, your malpractice insurance limits went up. Everything else there is, but coerced debt was the biggest one that they weaved into the disputes that I'm making sure people are aware of because we also have state laws we need to comply with. So those are the biggest areas.
Adam Parks (15:50)
So with all these changes coming and every, you know, there's a whole set of groups that are going to start going into their renewal cycle. What are those things that are tripping up organizations the most as they're going through their audit process?
Sara Woggerman (16:04)
So there are two standards that are very similar that they were new several versions ago, but the last couple rounds of audits, it's been a pain point to get the examples. So when you go through an audit, there is a section that you're gonna be transactionally audited on.
You have to prove that you are doing all the things that you say you're doing in your policies and procedures. The hardship policy and the FEMA alert declarations, what you do for those, being able to evidence that you did those things on those dates has proven to be difficult. The reason why is because when a disaster hits, Adam, what do we do? We stop it at the dialer. We stop outbound calling at the dialer. We don't typically update anything in the system of record. So when I say to you, send me all of the accounts that had a FEMA declaration in the audit period, not everybody can, most people can't send that to me. They go, we just turn it off at the dialer. And I get that operationally. I understand that.
Adam Parks (17:02)
Interesting.
Sara Woggerman (17:16)
Okay, well then how do you prove to me that you didn't call these people these zip codes during these days? So it makes it a little bit difficult. So if there's a way to make that a reportable field, even if it's maybe you can pull it from your notes, maybe, you know, that there's a FEMA alert put on specific accounts, that has proved to be challenging in the audits. Hardship policy when someone tells you they're, you know, they've got a severe situation, they've lost their job. When does that actually get deployed? What most agencies do is they just go to their below blanket with that client, right? If you're a third-party debt collector or they just work on a deal, they don't tag it as hardship.
Again, how do I transactional audit? How do you identify when your hardship policy came into play? So those two things are tripping companies up. We have found workarounds where we go through accounts, we look for examples, but it is how do you identify when those events happen to prove that you're doing the things within your policy and procedure?
Adam Parks (17:58)
It's not specifically being identified. Yeah.
Sara Woggerman (18:22)
And I think it's a good, I'm kind of glad it's coming up as a challenge because if a regulator comes in and asks you, well, prove to me that you ever used this hardship policy, how are you gonna prep it to them? Like you're gonna have to evidence it somehow, just like I'm asking. Those are two and they're very similar. They usually are in even the same policy, but they're tripping, it's causing a friction point. And so,
Adam Parks (18:35)
Yeah, better to do it here.
Sara Woggerman (18:47)
think about how you can pull that data from your system and evidence that story that you are doing those things. Because I know you guys are doing them. That's the thing. I know we're doing them.
Adam Parks (18:59)
Well, look, the FEMA audit is a or the FEMA stoppage is something that you could drop into the notes. You could do it in bulk. There's searchable fields. You could pull those zip codes, right? Like that's easier to be managed. But how do you go about evidencing or creating the evidence trail for the hardship itself? So if we're going to think about the hardships, is it a
Adam Parks (19:20)
What would you recommend for people to look at in terms of a process there? Is it still something that you try to manage within collector notes? Does that then become a field that becomes searchable, reportable, identifiable? Have you seen any solutions that have worked for organizations to kind of manage that process?
Sara Woggerman (19:37)
So I haven't seen a great solution yet, but if I was developing this, if I was the person talking to my system of record and said, I need a solution for this, I think what I would do is I would establish a field. We all have, most collectors all have some kind of a settlement authority or range to work within.
And typically you might need to get approval for anything that would technically be qualified as a hardship, right? So if you have a, if your process includes a secondary supervisor or manager review, maybe they have a specific note that says this qualified for our hardship policy, because usually you need to justify that. But I also think it's, it would be great if it was a reportable field. Like if you triggered it, like you were able to put some kind of a hard note in there or something for it to be pulled because wouldn't you want to know how many times do we have to use our hardship policy? Do we need to rethink our settlement parameters or things like that in order to make our hardship policy more effective, right? Because for example, we've all probably worked for clients. You worked for a debt buyer, probably all worked for clients that have really high settlement authorities, like, oh, you could take 10% off. Well, if everything's a hardship because only 10% off the balance is what you're authorized to do, well then maybe you should, it's not very effective if a manager has to be involved with every one of those decisions, right? Like that's data that can help us operationally and talk through what are the trends with settlements, the hardship trends, what are we seeing out there? I think it can actually help you with really effective conversations with your clients, not just make my life easier as an auditor.
Adam Parks (21:25)
No, but it's not just about being an auditor. It's about being able to evidence the policy and whether it's you coming in to do an RMAI audit or it's a regulator who's coming in with a whole host of individuals to tear you apart. It's important that you're able to evidence it. And from what you're saying, what I hear is
Sara Woggerman (21:27)
Yeah.
Adam Parks (21:42)
boolean fields that allows for notes, right? So it's a boolean that triggers a notes field. And now I can actually start to collect that information. So I can understand, yes, no, was this used? And in the instances where it was used, why? And if I can understand that, that gives me a reportable field, right? I can use the Boolean to trigger a report, and then I can use those notes fields to demonstrate exactly how we've done it according to our policy. So kind of hitting both.
Sara Woggerman (21:48)
I'm good. Bless. Yeah.
Adam Parks (22:08)
factions of that. Again, it's not a problem that I have to live with today as a podcaster. However, from being a reformed compliance professional, I would like to think that that is one of the solutions that I would consider. Now, beyond those two items that are starting to trip people up, any advice for those organizations that are preparing for their first RMAI like to preparing to go through that first RMAI certification audit?
Sara Woggerman (22:33)
Yes! Your first full compliance audit is always more challenging because either, well, it's just going to be, it's the first time you're doing it, right? It's just the way it goes. So, you know, if you're somebody who's worked with me,
Adam Parks (22:46)
It should be.
Sara Woggerman (22:52)
you know that I really try to spend, when I know it's your first time, I really try to hold your hand as much as possible, not in a patronizing way, like just be like, listen, we got this, we're gonna get through this and I'm going to help you along the way and explain anything. But what often happens is there is a failure to make sure that the policies and procedures directly align with the certification standards. Not word for word, but that you're covering everything that the standard is saying. So one of the requirements of certification is that you review the governance document every time it changes. So you should change it or you should update, review the updated governance documents. When 14.0 comes up, they usually, the new versions typically come out around March. They send out red lines for comments. You can give feedback. There's a whole process that I don't think a lot of our membership takes advantage of. So if you are one of those people who is like Sara, I'm guilty, please get involved in that process. It all happens after the annual conference.
Look at them because you do have a say in what gets approved. This year there was a bigger 13.0 was supposed to have a more prominent language about artificial intelligence and requirements. A lot of people said, what does that even mean? Like, how do you quantify that? And so they ended up tabling it. It doesn't mean it might come back in a different form, but they were like, okay, we agree with you. How do you actually quantify this?
Adam Parks (24:24)
But they're listening to those people that are certified, they're listening to the membership and because there's a committee that's working through how these should change, like how these standards should be modified over time. But that active engagement and comment period, I think really is what keeps everybody engaged across the industry and allows us to provide that feedback and keep everything even keeled.
Sara Woggerman (24:29)
Us. So yeah, so you'll get a red line version. They even posted on their website. You can see the red lines of 13.0 on the certification page, just so you know. So like, if you wanted to go, okay, Sara, you're right, I forgot.
I have not updated my policies this year. Go just look at the red line sections that apply to you and make sure that you are in line because so much of the remediation that happens between my audit and when I send the report to RMAI is policy updates. That's like, that's a simple checkbox thing that you can do. You need to make sure it's happening because I'm going to test to it. But a lot of times my testing stuff comes up clean, documents aren't right. And so that there's a disconnect there. And I know document management is frustrating and not always easy, but it's a simple thing that you can do. You should be doing annually anyways. Do it when the standards come out or at the end of the year.
Adam Parks (25:44)
That seems like a pretty good process for organizations to keep their finger on the pulse of what's changing, because it's not just living to the audit time period. It's about staying in line with the expectations of the association, which will ultimately be mirrored in the expectations of many major debt buyers and their expectation of the servicers.
Sara Woggerman (26:05)
That's right. Yes. That is, you know, the people that sit on the certification committee come from all the different roles, right? You've got the debt buyers. I believe they've got literally representation from all size debt buyers. They've got, you other folks like brokers involved in there. I mean, you were really involved. I, of course, as an auditor, can't sit on that committee, but like, I know that they've got the stakeholders from across the industry, right? They've got creditors on there having conversations about what they're expecting. So these things, they're not just dreaming up crazy things to throw in the standards. And it's so cute because I mean, as David Reed once said to me, I never intended to have to change this thing every year. Like, like I never intended to have a new version every year, but that is what has happened because we, we never sleep in the compliance space because something's always changing. And just to sort of put a bow on that.
We're going to see some unique things probably come into the certification standards as it relates to AI. We'll continue to see that get threaded through the standards. Just like we saw with coerced debt, a lot of that is based off of not what's happening at the federal level, but because of what is happening at the state level. I believe the number is up to like 12 or 13 lobbyists.
Like the largest amount of lobbyists RMAI has hired in history, places that we've never had to have lobbyists before, like Puerto Rico, we have lobbyists in. That's because of the activity that is happening on the ground within the states because of the change in Washington, right? And so, you know, there's a lot of people who say things to me sometimes like, Well, nothing really happened this past year. Well, yeah, but it's there was a lot of noise. It'll come to fruition and.
Adam Parks (27:55)
Doesn't mean there wasn't a lot of work in order to ensure that nothing happened this year. I think sometimes...
Sara Woggerman (27:58)
Right, 2026 and 2027, I guarantee you, are gonna give us a little bit of whiplash in some of these states. And we need our associations to be fighting on our behalf because these are battles we don't wanna be fighting individually. And again, the certification standards are a big tool in that toolkit. So that is why I continue to support it and be the cheerleader I am for it.
Adam Parks (28:26)
I believe that opens the door for me to mention that the legislative fundraising for RMAI is one of the most important things that the association does. And our donations to the legislative fund are what powers the hiring of these lobbyists to ensure that a true and accurate story of the credit economy and the debt collection process is being told at the state level. Because anything can happen in a state and it can happen overnight. It's important that we are
Sara Woggerman (28:47)
Thanks.
Adam Parks (28:55)
vigilant and we provide our association and all of the volunteers and lobbyists and staff with the tools and resources that they're gonna need to continue to protect our industry into the future.
Sara Woggerman (29:10)
As a small business owner, I give to them every single year. Since I've been a small business owner, I couldn't agree with you more, Adam.
Adam Parks (29:17)
Well, Sara, I can't thank you enough for coming on sharing all of your insights with me yet again. I mean, we always find something new and interesting to talk about. And I think this is a really important subject, especially with the RMAI annual conference, just a few weeks away and everybody there and talking about these things. So thank you for helping me to continue to inform a great industry.
Sara Woggerman (29:42)
Absolutely. Anytime, Adam.
Adam Parks (29:45)
For those of you that are watching, you have additional questions for Sara or myself, you can ask us in person at RMAI, or you can leave it here in the comments on LinkedIn and YouTube. And if you have additional topics you'd like to see us discuss, you can leave those in the comments below as well. And I'm willing to bet I can get Sara back here at least one more time to help me continue to create great content for a great industry. But until next time, Sara, thank you so much for your insights. I really appreciate your time.
Sara Woggerman (30:11)
Thank you.
Adam Parks (30:13)
And thank you everybody for watching. Appreciate your time and attention. We'll see y'all again soon.