General Enquiries

+44 (0) 191 217 0775

Media Enquiries Gravity London

+44 (0) 20 7330 8810

Fax Us

+44 (0) 191 236 2709

Write to us

Credit Services Association

2 Esh Plaza

Sir Bobby Robson Way

Great Park

Newcastle Upon Tyne

NE13 9BA


CSA Privacy Statement


Additional Sections

Complaints Procedure

Useful Links

Making a complaint

We work hard to ensure our Members act within the rules set by the industry regulators.

Please click on the following link and read our Code of Practice. If you think a Member has broken the rules of this Code you can make a complaint by downloading our Complaints Form.

Before making a complaint we would encourage you to carry out the following activities:


  • Go to the Members Directory and check whether the company you wish to complain about is a Member of the CSA. If you are still unsure, feel free to contact us. If the company is a Member of the CSA then we are able to help you with your complaint.
  • On first instance, we recommend you contact the Member company to discuss any issues you have and enquire about their complaints process. If you are still dissatisfied with the outcome then you can review our Complaints Procedure.
  • If you believe that the Member has acted in breach of our Code of Practice and the complaint meets the necessary criteria, please complete, sign and return the Complaint Form to our registered address.

CSA Complaints Procedure

 How we deal with your complaint.

All complaints must be submitted in writing, with a signed complaint form. We require the form to be signed so that we, and our member, have the requisite authorisation to share information.

The following is the sequence of events after the CSA receive a complaint form;

  • CSA receive a signed complaint form
  • CSA register the complaint and send a copy to the relevant member company
  • The member is given eight weeks to respond directly to the complainant
  • CSA get a copy of the response from the member company
  • CSA considers both positions and determines whether the Code of Practice has been breached
  • Appropriate action is taken (if required) to remedy the situation
  • If further information is required the CSA contact the relevant party (the complainant or the member company).
  • After a full review, the CSA provides a formal response to the complainant


If you remain unhappy with the outcome of the complaint, you may have justification to escalate the matter to our our head of compliance, Claire Aynsley,


Please note: The CSA can only intervene when;

  • a member company is in breach of the Code.
  • the company is a member of the CSA (we cannot act when the complaint is about the client of a member company, a bank or building society for example).
  • the information supplied by a member company appears from the facts to be incorrect.

Methods of Contact



Credit Services Association

Complaints Department

2 Esh Plaza

Sir Bobby Robson Way


NE13 9BA


Why the CSA need a signed copy of your complaint




Blog: GDPR in credit and collections: getting through the early stages

Daniel Spenceley is the Credit Services Association’s Compliance Manager. 


The introduction of new data protection law earlier this year has had a significant impact on businesses across the UK, including in the collections and purchase sector. The General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018 have brought in new and expanded requirements for companies handling personal data. CSA member companies have to share and hold vast amounts of customer data, much of it sensitive, as part of their core business, which meant they needed to make changes to ensure they were ready for the start of GDPR. Thus far, all indications are that our industry was well prepared for GDPR and we as the trade association put a lot of effort into helping members get to that position – producing and sharing detailed guidance; inviting expert guest speakers to our events; and hosting a series of webinars around key data protection issues.

The UK’s information commissioner, Elizabeth Denham, has made clear that 25 May 2018 was only the beginning. GDPR may have started to apply but that does not mean everything is 100% clear and that all firms are compliant. There is still work to be done. The CSA has therefore dedicated a whole stream to it at our UK Credit & Collections Conference on 13 September 2018.

One of the speakers delivering interactive sessions as part of the stream is Toni Vitale, a Partner and Head of Regulation, Data and Information at law firm Winckworth Sherwood. He provides legal advice to clients on data protection and privacy and has previously worked in-house for organisations such as IBM, Virgin Media, YouView TV and BGL Group (owners of He has also been a spokesperson on GDPR in the national media where he has highlighted the unnecessary flood of consent emails into consumers’ inboxes ahead of the 25 May 2018 implementation date. Previous attendees at CSA events will be familiar with Toni’s superb coverage of GDPR, demonstrating his expertise and knowledge by delivering highly informative presentations and workshops. Since Toni’s first presentation for the CSA back in 2014 we have asked him to return to our flagship events year on year due to the value attendees receive from attending his sessions.

At the conference, Toni will be looking at GDPR four months on from its implementation and assessing how industry, individuals and the regulator are adapting to the new requirements. He’ll also consider the regulator’s approach to enforcement under the new law, particularly around the increased potential penalties. And looking to what’s coming next, Toni will be taking a look at developments around the new E-Privacy Regulation.


Ongoing challenges with compliance

One of the sessions at the conference will focus specifically on the challenges with GDPR compliance and provide a practical case study of a Data Protection Officer who has been through the process so far. This will provide attendees with key insight into the day-to-day practicalities and demands of implementing and maintaining data protection compliance. As GDPR starts to become business-as-usual, consumer awareness and understanding will grow and evolve, so it is essential that firms and their DPOs are equipped to respond to challenges and requests efficiently and compliantly.

The GDPR stream will also present a valuable opportunity for members to share their experiences so far. It will be particularly interesting to hear from larger and smaller firms, to see how similar or different the impact and preparation has been.


The regulator’s response

There is a lot of interest in how the Information Commissioner’s Office (ICO) approaches the application of the new data protection laws. In the lead up to 25 May 2018, the ICO has indicated that it is not their intention, at least in the early stages, to dish out fines across every single breach of the new law; instead, they want to work with firms to help them comply. In fact, Elizabeth Denham has outlined her view in a recent blog. Of course,that does not mean the ICO will not be imposing fines; where there are blatant and deliberate or negligent high-risk breaches, they will act accordingly. The ICO has given firms a reasonable idea what their enforcement priorities will be in their draft Regulatory Action Policy, which outlines their approach to taking regulatory action under the new law.


Pre-implementation fears vs post-implementation reality

We will take a look at whether some of the initial fears specific to the collections sector have been realised in the opening months of GDPR application. For example, many members were preparing for an influx of subject access requests, with firms no longer permitted to charge a fee. A number of firms were putting teams in place in anticipation of an increase in requests, fearing that it would present a significant administrative challenge and potentially be exploited as a way of delaying the collection process. At this point, it remains to be seen whether this has been the case.

Another challenge for firms has been making sure that people actually understand what you’re doing with their data and why you’re processing it, and that you do actually have a valid reason to use it.  The new requirements to demonstrate compliance and to keep individuals informed has seen a vast amount of lengthy privacy notices landing in people’s inboxes, alongside a number of (potentially unnecessary) requests for consent, and it’s likely that the sheer volume of communications has in fact led to individuals knowing less about how their data is being used, rather than more.

With GDPR still such a hot topic and lots of areas still to understand, I look forward to seeing plenty of you in the sessions at the conference, identifying remaining areas of contention and sharing best practice, to make sure that we as an industry are positioned to maintain and demonstrate data protection compliance well into the future.


Learn more about the UKCCC 2018