Establish, implement, and maintain a consumer complaint management program.

CONTROL ID
04570
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Acquisition or sale of facilities, technology, and services, CC ID: 01123

This Control has the following implementation support Control(s):
  • Document consumer complaints., CC ID: 13903
  • Include how to access information from the dispute resolution body in the consumer complaint management program., CC ID: 13816
  • Include any requirements for using information from the dispute resolution body in the consumer complaint management program., CC ID: 13815
  • Post the dispute resolution body's contact information in an easily seen location at facilities., CC ID: 13812
  • Provide users a list of the available dispute resolution bodies., CC ID: 13814
  • Post the dispute resolution body's contact information on the organization's website., CC ID: 13811
  • Establish, implement, and maintain consumer complaint escalation procedures., CC ID: 07208
  • Report the analysis of consumer complaints to the Quality Management committee., CC ID: 07209
  • Establish, implement, and maintain notice and take-down procedures., CC ID: 09963
  • Process product return requests., CC ID: 11598

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization should respond to user inquiries and complaints. Points of contact should be made available to users and should be displayed on websites, pamphlets, and other media. (O105.5, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • APRA envisages that a regulated institution would ensure audit trails exist for IT assets that: satisfy the institution's business requirements (including regulatory and legal); facilitate independent audit; assist in dispute resolution (including non-repudiation); and assist in the provision of for… (¶ 74, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Implement a means to manage reports of vulnerabilities (5.2, CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, V2.1.1)
  • Member States shall ensure that procedures are set up which allow payment service users and other interested parties including consumer associations, to submit complaints to the competent authorities with regard to payment service providers' alleged infringements of this Directive. (Art 99(1), DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • Member States shall ensure that payment service providers put in place and apply adequate and effective complaint resolution procedures for the settlement of complaints of payment service users concerning the rights and obligations arising under Titles III and IV of this Directive and shall monitor … (Art 101(1), DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • Those procedures shall be applied in every Member State where the payment service provider offers the payment services and shall be available in an official language of the relevant Member State or in another language if agreed between the payment service provider and the payment service user. (Art 101(1) ¶ 1, DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • Member States shall ensure that adequate, independent, impartial, transparent and effective ADR procedures for the settlement of disputes between payment service users and payment service providers concerning the rights and obligations arising under Titles III and IV of this Directive are establishe… (Art 102(1), DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • The organization should implement a mechanism to collect or obtain information about client satisfaction with services provided by the organization. (CORE - 12, URAC Health Utilization Management Standards, Version 6)
  • The organization must maintain a formal process to address consumer complaints that includes a process to receive and respond in a timely manner to complaints. (CORE - 35(a), URAC Health Utilization Management Standards, Version 6)
  • The organization should maintain a formal process to address consumer complaints that includes notice (written or verbal) of final result with an explanation. (CORE - 35(b), URAC Health Utilization Management Standards, Version 6)
  • The organization should maintain a formal process to address consumer complaints that includes evidence of meeting the organization's specified time frame for resolution and response. (CORE - 35(d), URAC Health Utilization Management Standards, Version 6)
  • customers, e.g. through a complaints handling system; (§ 9.1.3 ¶ 1 Bullet 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. (§ 8.3.2 ¶ 5, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • feedback from interested parties, including suggestions for improvement, requests for change and complaints; (§ 9.3 Guidance ¶ 4(d), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • If the organization sells products or services over the Internet, it should provide a way for customers to click and contact the organization. (§ M1.5, Canadian Marketing Association Code of Ethics and Standards of Practice)
  • The organization's privacy policies should include information on how an individual can contact the organization with complaints. (ID 10.1.1, AICPA/CICA Privacy Framework)
  • For electronic commerce systems, the website provides customers with where they can obtain warranty, repair service, and support related to the goods and services purchased on the website. (Processing Integrity Prin. and Criteria Table § 2.1 c, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • For electronic commerce systems, the website provides procedures for resolving processing integrity issues, such as complaints about Quality of Service, accuracy, completeness, and the quality of the product, along with the consequences of failing to resolve the issue. (Processing Integrity Prin. and Criteria Table § 2.1 d, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The process for submitting complaints is communicated to the authorized users. (Processing Integrity Prin. and Criteria Table § 2.4, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should have an implemented process to address inquiries, complaints, and disputes. (Generally Accepted Privacy Principles and Criteria § 10.2.1, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should include a description of how individuals can make complaints, inquiries, and disputes. (Table Ref 10.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • A Medicare Advantage (MA) organization must notify individuals that complaints regarding noncompliance with advance directive requirements may be filed with the state survey and certification agency. (§ 422.128(b)(3), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • The organization should develop tools to facilitate the complaint resolution process, such as standard complaint forms. (FAQ-Dispute Resolution and Enforcement "Recourse Mechanisms", US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • Some information an organization should place on its website is how to file a consumer complaint, how to contact the organization's customer support center, and the name of the organization and the location of its main office and branches. (Pg 38, Obj 1.8, Obj 6.3, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: (PM-26 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: (PM-26 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The CSP SHALL provide mechanisms for redress of applicant complaints or problems arising from the identity proofing. These mechanisms SHALL be easy for applicants to find and use. The CSP SHALL assess the mechanisms for their efficacy in achieving resolution of complaints or problems. (4.2 ¶ 1.5, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • Policies, processes, and procedures for receiving, tracking, and responding to complaints, concerns, and questions from individuals about organizational privacy practices are established and in place. (GV.MT-P7, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization implements a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices. (IP-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization implements a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices. (IP-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: (PM-26 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)