1. Company Overview & Regulatory Posture
RSH & Associates, LLC. (“RSH”) is a licensed, bonded, and insured third-party collection agency in all jurisdictions where we collect. We specialize in compliance-driven, consumer-centric collections for financial institutions and other regulated enterprises.
Our operating model is built on three pillars:
- Regulatory and Legal Compliance – Policies, procedures, and controls aligned to federal and state requirements, including Regulation F and other major debt collection and consumer protection laws.
- Code-Controlled Digital Collections – A digital collections framework in which regulatory rules and client-specific requirements are enforced through configurable code and workflows.
- Enterprise-Grade Information Security – Infrastructure, processes, and tooling designed to meet the expectations of security-sensitive financial institutions.
RSH maintains written policies and procedures for collections operations, information security, data protection, vendor management, and business continuity / disaster recovery, which are reviewed and updated periodically and after material legal or operational changes.
For a detailed description of how we collect, use, protect, retain, and dispose of personal information, please refer to our Privacy Policy.
2. Collections Compliance Program
2.1 Governance & Oversight
- Compliance Leadership: RSH’s legal and compliance functions are responsible for monitoring regulatory developments, case law, and regulatory guidance related to collections and consumer financial protection.
- Policy Management: Regulatory requirements are translated into written policies, standard operating procedures (SOPs), and system rules that govern front-line operations and digital workflows.
- Change Management: When laws, regulations, or case law change, the compliance function reviews the impact, defines required changes, and works with operations and technology to implement updates in our platform and training.
2.2 Licensing, Bonding, and Insurance
- RSH is licensed, bonded, and insured in each jurisdiction in which we collect.
- Licensing and bonding status is reviewed and maintained centrally as part of our regulatory compliance function.
- Documentation supporting licensing, bonding, and insurance coverage can be provided to clients and regulators upon request.
2.3 Code-Controlled Digital Collections
Our collections approach is intentionally digital and code-driven:
- Rules-Based Workflows: Regulatory requirements (e.g., contact frequency caps, time-of-day restrictions, channel consent, and opt-out handling) are embedded in the logic of our systems so that non-compliant activity is automatically prevented where technically feasible.
- Configurability: Client- and state-specific requirements can be configured in our platform, enabling differentiated treatment strategies, disclosures, and communication rules.
- Auditability: System configurations, communications, and account activity are logged to support audit, examination, and regulatory inquiries.
This code-controlled model helps ensure consistency of execution and reduces reliance on manual intervention for compliance-critical tasks.
2.4 Regulatory Framework & Key Laws
RSH’s collections compliance program is designed to align with applicable federal and state laws, including, but not limited to:
- Regulation F under the CFPB’s authority (implementing the FDCPA)
- Federal and state Fair Debt Collection Practices Acts, where applicable
- Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) principles
- State debt collection, communication, and licensing requirements
The program is focused on:
- Ensuring accurate, clear, and non-misleading communications
- Managing contact frequency and channels consistent with legal limits and consumer expectations
- Providing compliant disclosures and honoring consumer rights and preferences
- Maintaining robust documentation to substantiate compliance
2.5 Training, Quality Assurance, and Monitoring
- Training: Collections staff receive initial and periodic training on applicable laws, regulations, policies, and procedures, with additional training upon changes in law or policy.
- Quality Assurance (QA): QA protocols review account interactions, documentation, and system behaviors to validate alignment with regulatory and client standards.
- Monitoring & Testing: Compliance monitoring and periodic testing are conducted to identify control gaps or trends and to validate that system rules and procedures are functioning as intended.
2.6 Complaints & Issue Management
- Complaint Intake: RSH documents and tracks consumer complaints received via phone, email, and other channels.
- Investigation & Resolution: Each complaint is reviewed, investigated, and addressed per written procedures, and corrective actions are implemented as needed.
- Root Cause Analysis: Trends from complaints and operational incidents are analyzed to drive improvements in process, training, or system logic.
2.7 Vendor & Third-Party Oversight
Where third parties are used (for example, payment processors, mailing services, or data verification providers):
- Vendors are engaged under written agreements that address data protection, permitted use, and compliance obligations.
- RSH discloses only the minimum information required for the vendor to perform its function, consistent with our Privacy Policy and contractual requirements.
3. Information Security & IT Compliance
3.1 Security Program Design
RSH’s technology and security environment is designed by professionals with expertise in scalable, reliable, and secure systems. Our objective is to satisfy the requirements of security-sensitive financial institutions and regulators by implementing layered controls across people, process, and technology.
Key characteristics of our security program include:
- Written information security policies and standards
- Risk-based control design and periodic risk assessments
- Separation of duties and role-based access controls
- Encryption of data in transit and at rest where appropriate
3.2 Physical Security & Facility Controls
We operate in a secure physical office environment with:
- Access-controlled facilities
- Document retention and destruction procedures
- Funds management procedures designed to protect consumer payments and client funds
These controls align to industry expectations around physical security for financial data processing environments.
3.3 Secure Payments (PCI-DSS & Regulation E)
- PCI-DSS: RSH ensures that payment card transactions are processed using PCI-DSS-compliant payment processors, and card data is handled consistent with PCI-DSS expectations.
- Regulation E: Electronic funds transfers are managed in alignment with Regulation E, including appropriate authorizations, notices, and error-resolution processes.
Consumer payment and account data is treated as sensitive personal information and is subject to strict access and use controls.
3.4 Data Protection & Privacy
RSH’s Privacy Policy describes, among other items:
- Categories of personal and sensitive personal information collected (e.g., identifiers, account information, payment card data, bank account details, and certain device/network information)
- Purposes of collection and use (e.g., account servicing, identity verification, processing payments, legal and regulatory compliance)
- Sources of information (creditors, consumers, employees, vendors, etc.)
- Disclosures to service providers and regulators, including minimum-necessary disclosure for specific business purposes
- Consumer rights under applicable laws (e.g., access, correction, deletion where permitted) and contact channels to exercise those rights
- Retention practices and legal bases for retaining or deleting data
RSH does not sell personal information and does not share personal information for cross-context behavioral advertising, as described in our Privacy Policy.
3.5 Access Control, Monitoring, and Logging
- Access Control: Access to systems and data is restricted based on job role and business need, and subject to approval and periodic review.
- Monitoring & Logging:
  - System performance and security are continuously monitored.
  - Changes to infrastructure, software, and data are logged and reviewed.
  - Logs are used to support incident investigation, forensic analysis, and regulatory inquiries.
These capabilities help ensure traceability of activities within our environment and support both internal and external audits.
3.6 Encryption & Secure Transmission
As described in our Privacy Policy:
- Personal information is protected in transit using encryption such as Transport Layer Security (TLS).
- Personal information at rest is protected using strong encryption mechanisms (e.g., AES-256) where appropriate.
- Systems holding personal information are operated in controlled environments with limited physical and logical access.
3.7 Incident Response & Regulatory Cooperation
- RSH maintains an incident response process for identifying, managing, and remediating actual or suspected security incidents.
- Incidents are triaged, investigated, and documented; corrective or preventive actions are implemented based on root cause analysis.
- Where required, we cooperate with clients, regulators, law enforcement, and other authorities, including providing information pursuant to lawful requests.
3.8 Business Continuity & Resilience
RSH maintains business continuity and disaster recovery considerations within its technology and operational planning:
- Data backups and redundancies where appropriate
- Procedures for continuing critical operations during disruptions
- Periodic testing of recovery capabilities, adjusted as systems and business requirements evolve
4. Data Retention, Deletion, and Legal Holds
RSH retains personal information for the period necessary to provide services, comply with contractual obligations, and meet legal and regulatory requirements.
In particular:
- For consumers in collection, retention is informed by:
  - The underlying contractual relationship between the consumer and creditor;
  - Applicable statutes of limitations; and
  - State or federal statutes requiring record retention for specified periods.
- For employees, applicants, and business contacts, retention is based on the nature of the relationship, legal obligations, security needs, and legitimate business purposes.
- Once the applicable retention periods and legal obligations have expired, data is deleted in accordance with internal data retention and disposal procedures.
5. Consumer & Client Support / Contact Channels
Consumers, regulators, and clients may contact RSH via the channels outlined in our Privacy Policy for questions about data handling, privacy rights, or related matters.
- Consumers in collection:
  - Phone and email as listed in our consumer-facing materials and Privacy Policy.
- Business contacts, regulators, and clients:
  - Dedicated contact details for privacy, security, and general inquiries as outlined in the Privacy Policy and our corporate website.