Regulatory Compliance: best practices
There are complex laws around customer communications in regulated sectors, such as finance and healthcare. Are your digital (email) and physical (mail) communications compliant?
Are your digital and physical communications compliant? For those who send out messages in regulated industries, the answer is often a hesitant "maybe." The reason for this is simple: staying compliant with the complex laws that surround communications (both digital and physical) in various countries and in regulated sectors is a big challenge. The fact that these laws may vary from industry to industry, and from location to location, makes compliance even more difficult.
The penalties for non-compliant practices can be significant. Many organisations are not even aware that they are at risk. To put it into perspective, printed data (such as invoices, statements or insurance notices) is often subject to many of the same regulations as electronic data. While some organisations go to great lengths to protect their electronic communications and examine their data security issues, few have acceptable safeguards when it comes to their printed mail.
Organisations need to bring their mailing operations into compliance and ensure that their physical and digital communications receive similar scrutiny. Pitney Bowes can help. Read on to learn about key issues that can impact your communications, along with best practices you can adopt to reduce risks and improve efficiency.
1. Regulations that impact physical and digital mail
Privacy and security regulations can affect sending out communications, either by email or through printed mail. Here are three examples of regulations, as well as the consequences for those found to be in violation of them:
AU: Privacy Law
In Australia, the Privacy Act 1988 (Cth) governs how most Government Agencies and Departments and private sector organisations can handle personal and sensitive information. The Act includes a single set of 13 privacy principles that regulate how these organisations can handle personal and sensitive information.
Following the introduction of these privacy principles, there is now a greater onus on agencies and private sector organisations to advise customers and suppliers on how “personal information” is collected, accessed, stored, used, disclosed and corrected as well as other mandatory requirements in the handling of personal information of individuals.
The Office of the Australian Information Commissioner, the Federal Government Department that looks after privacy laws in Australia, has the power to impose penalties of up to $1.7 million AUD on agencies and private sector organisations found in breach of their responsibility to protect sensitive and personal information, and individual penalties of up to $340,000 AUD. It can also undertake a Commissioner-initiated investigation into whether the actions of an agency or private sector organisation may be an interference with the privacy of an individual.
U.S.: Healthcare (Insurance Portability and Accountability: HIPAA Act 2.0)
In the United States, the Health Insurance Portability and Accountability Act (HIPAA) 2.0 impacts healthcare organisations and healthcare providers. Its goal is to protect patient and consumer privacy. For example, HIPAA regulations specify that only authorised employees can view patient information.
Medical practitioners have gone to great lengths to safeguard their electronic data. However, they may not have as much control over their physical mailings. When mail preparation is outsourced, the people who handle patients' medical claims forms, statements and other sensitive information may not be authorised to do so. This may increase the likelihood of security breaches or the theft of personal information such as Social Security numbers. To minimise this risk, medical providers can engage in "best practices" and verify that all third-party suppliers meet standard certification requirements.
Insourcing technologies can also monitor the processing and paper-handling events to ensure that only authorised personnel are performing the mailings and in contact with the mailings at the facility where mail is produced. "File-based processing" technology further provides proof-of-content and proof-of-production of each individual mailpiece in-house. Plus, while the USPS does not offer a named “proof of mailing” service, using the USPS® Intelligent Mail® barcode technology can enable and act as proof-of-mailing security by electronically geo- and time-stamping the initial induction into the Post Office.
HIPAA 2.0 maintains tough penalties for violations, with fines ranging from $25,000 to $1.5 million USD, depending on the severity and frequency of the offense.
U.K.: Financial Regulations
For financial institutions in the U.K., compliance with major regulations, such as the Bank Secrecy Act (BSA), Anti-Money Laundering (AML), the USA Patriot Act and Know Your Customer (KYC) requires complete transparency and consistency in the use of data. These regulations are designed to protect customer information, privacy and accuracy of information.
To be compliant with these various regulations, financial institutions need to be proactive and consistent in their processing. This might include automating customer validation steps during the account opening process to guarantee that the information being fed into other systems has been validated.
“Best practices” can include “defensive” workflow processes, from universal addressing and universal naming to global, automated watch-list monitoring. For example, universal addressing captures, validates and corrects addresses for the United States and Canada, as well as over 220 countries worldwide. Universal naming provides flexible and global name knowledge across many cultures, with parsing capabilities and gender and ethnicity appends, to better segment and target the customer base. That builds confidence when matching, standardising, analysing and consolidating complex records.
The consequences of not complying with financial regulations have been severe. Thomson Reuters notes that “total fines levied by the UK Financial Services Authority jumped to £474 million in 2013, up from £26 million in 2008.”
Is your organisation compliant?
If you’re sending out communications digitally (i.e. by email) or through printed mail, are you sure that you’re protecting customers' personal information? Are you currently compliant with all government regulations? Ask yourself:
- Do your digital communications have the proper safeguards in place?
- Does your printed mail have comparable safeguards and comparable levels of security?
- Can you audit any communication to prove that it’s safe, secure, and properly processed?
- Do you have this type of audit trail for quality assurance?
If the answer is not "yes" to all of these questions, don't panic. Now is your opportunity to implement best practices for mailing compliance.
2. Minimise the risks of outsourcing
If you’re sending out physical or digital communications and you’re outsourcing, you face a number of risks; here are ways to lower your risks:
Visibility. Make sure that your current information doesn’t disappear into a black hole. You should be able to track any given communication (printed or digital) at any given time. You need to know exactly what’s going on and when it’s happening.
Quality assurance. Ask your third-party provider to show you that messages were sent correctly and that your mailing was produced to required standards. This might include time-stamped visibility into serialised mail pieces.
Delivery deadlines and standards. Third-party providers can, and should, let you know exactly when mail was actually produced or inducted into the postal system. This helps you to understand when it will be delivered.
Consistency. Be sure that your provider prepares mail pieces at the highest standards, at all times. It’s not acceptable for one mailing to be of high quality, delivered on time, while the next one is poorly prepared or delivered late.
Security. Allowing a third party to access your customer database increases the risk of data theft and security violations. Don’t fall victim to the theft of your mailing list, or risk the theft of private or valuable consumer information, such as Social Security numbers, because of third-party oversight.
Remember: your organisation will be held accountable for any regulation violations or security breaches. While it is possible to outsource the work, it isn't possible to outsource the responsibility. Be sure that you’re safe and secure when it comes to sending out all communications.
3. Best practices for regulatory compliance
Whether you outsource your digital and printed communications or you handle it all in-house, there are a number of best practices that can help reduce your compliance risks, including:
A. In-house best practices
If you do your digital and physical communications in-house, visibility and quality controls ensure and track the integrity and successful completion of every communication.
Use the latest technology, such as 2D input scanning and file-based processing technology that embeds handling instructions into mailings. It also serialises individual mail pieces and their contents for closed-loop tracking and reporting.
Government or industry regulations may require tracking the postage spend for each mailing. It’s ideal to have software tracking various campaigns or efforts.
Government or industry regulations might also require the highest security for privacy of customer information. Again, the latest software and internal personnel practices will help you to be compliant.
B. Outsourcing best practices
Make sure that your outsourcing service maintains all of the industry standard certifications necessary for compliance. These types of certifications include:
- In-depth auditing
- Meeting international standards for security and data integrity
- Meeting your country’s local postal service’s processing quality standards
While price quotes from companies that meet these standards may be higher than quotes from non-certified third-party providers, you’ll feel better knowing that your communications meet the highest quality and security standards available.
4. Talk to Pitney Bowes
Government and industry regulations can affect your business and create risk. However, using the right best-practice processes, technology and services can help to minimise these risks. It can also help you to be more efficient in sending out critical messages.
If you'd like to learn more about your organisation's risk profile and how to abide by your industry's regulations, contact a Pitney Bowes representative. We’re here to help.