Vendor selection for ARM partners has gotten more complicated. The regulatory environment got harder. The litigation risk got more specific. And the institutional scrutiny that comes with collections has raised the bar for what ‘compliance-ready’ actually means.
This checklist covers the 6 areas where ARM compliance programs most often have gaps, and the specific questions that reveal whether a partner is genuinely covered or just describing policies that don’t translate to operations.
- Licensing coverage
ARM partners need state-specific licenses in every jurisdiction where they operate. Requirements vary by state. Some require agency-level licenses. Some require individual collector licenses. Some require both.
The right question: How many active state and federal licenses does the vendor maintain? Can they provide a current license inventory?
A partner maintaining 200+ licenses across operating jurisdictions is doing something real. A partner who says they’re ‘licensed where required’ without specifics may be describing an assumption rather than an audit.
- Data security certifications
Collections operations handle sensitive personal data at scale. The certifications that matter depend on your industry, but the floor has moved up.
For healthcare AR: HIPAA compliance and HITRUST certification. HITRUST independently validates security controls against HIPAA, PCI, and other standards.
For financial services: SOC 2 Type II. Type II matters. Type I tells you controls existed at a point in time. Type II tells you they operated effectively over a review period.
For government contracts: FISMA Authorization to Operate. NIST CSF 2.0 adoption is now a baseline expectation for federal-adjacent work.
TSI holds SOC 2 Type II, HITRUST, FISMA ATO, PCI DSS 4.0, ISO 27001, NIST CSF 2.0, and HIPAA certifications. Ask for current certificate copies, not just a list, and confirm that the scope stated on each one covers the systems that will handle your accounts.
- Communications compliance architecture
Reg F compliance, TCPA consent management, and FDCPA call documentation aren’t just policy items. They’re operational processes that have to run at transaction level, consistently, on every account.
The right questions: How does the vendor manage consent status across the account lifecycle? What happens when a consumer revokes consent? How quickly does that revocation propagate to the contact queue?
Real-time monitoring is the standard you should be looking for. If a vendor audits communications by sampling, they’re detecting problems after they’ve generated liability. TSI’s Ripple AI monitors 100% of communications in real time, across all channels.
- AI and technology accountability
If the vendor uses AI for account scoring, contact optimization, or channel selection, ask for documentation on how it works.
Explainability: Can the vendor show you why a specific account received a specific contact strategy? If the answer is ‘the model recommended it,’ that’s not a compliance answer.
Freshness: Is scoring done at placement or continuously? Static models create exposure when account status changes. CollectX rescores 200 million records daily.
Fairness testing: Has the vendor run bias testing on their models? Disparate impact claims are showing up in collections litigation. If the vendor hasn’t checked for it, you’re relying on luck.
- Attorney network and legal escalation
For accounts that require legal action, the vendor’s attorney network coverage matters. Patchy coverage means delayed escalation, which reduces recovery rates and increases statute-of-limitations risk.
The right questions: What’s the geographic coverage? Are these contracted relationships or ad-hoc referrals? What’s the typical time from escalation decision to first legal contact?
- Vendor management oversight
If your ARM partner subcontracts work to other collection agencies or specialty vendors, you inherit their compliance exposure.
The right questions: What portion of your volume do you place with third-party agencies? How do you audit them? What’s your liability framework if a subcontractor generates a TCPA claim?
This is where a lot of institutional buyers get surprised. The compliance program you audited covers the primary vendor. The subcontractors are a separate question.
- The bottom line
Compliance due diligence on ARM partners used to be a checkbox exercise. Complete the questionnaire, collect the attestations, file the documentation. That approach still satisfies procurement requirements, but it doesn’t reduce risk in the current environment.
The state AG landscape, the FCRA litigation uptick, and the TCPA exposure have all raised the actual operational bar. The vendors who meet it aren’t claiming compliance. They’re running documented, certifiable, auditable operations that hold up when regulators or plaintiff attorneys start asking questions.
Use this checklist at the start of any ARM vendor evaluation. The answers you can’t get are as informative as the ones you can.