Laws and regulations put in place to protect consumers have been a large driving force behind recording communications between businesses and their customer. As remote communication overtakes face to face human interaction, it’s paramount to have procedures in place to ensure people are who they say they are at other the end of the line and also to make sure that the communication is safely recorded to resolve any incidents in future.
We’ve all come across the common line when you’re waiting to get through to a customer service agent: “This call maybe recorded for monitoring and training purposes.”. However some organisations may be recording calls to follow regulations, which you might not be aware of. Here’s are some key industries who are keeping their consumers safe through intelligent communications recording:
Contact Centres (Non-financial)
The most common use case for call recording regulations is seen in contact centres where customer service resolve an array of users’ issues. For training purposes and to resolve potential disputes, calls often get recorded at call centres. According to Ofcom’s (the UK’s communications regulator) guidance for recording calls in the UK, contact centres who look to monitor, record calls and communications are required to adhere to a combination of UK & EU legislation which includes but is not limited to:
- Regulation of Investigatory Powers Act 2000 (“RIPA”).
- Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000 (“LBP Regulations”).
- Data Protection Act 1998.
- Telecommunications (Data Protection and Privacy) Regulations 1999.
- Human Rights Act 1998.
To summarise the legislation, a home or business user may record communications without permission of the correspondent as long as they do not share the data with a third party, where then they would need to have their consent.
Additionally through the aforementioned LBP Regulations. A business can monitor and record communications as long as they are for a series of laid out circumstances such as preventing or detecting crime or to measure quality. The purpose of most other legislation is to avoid misuse and abuse of recordings.
According to the UK’s financial regulator, the Financial Conduct Authority (FCA) a series of financial firms are bound by law to record and safely store their communications. These call recording regulations were put in place to “tackle market abuse by identifying and punishing those responsible”.
To begin with, only some financial services companies are required to adhere to call recording. For example retail finance advisors, mortgage brokers, insurance brokers and some others are not required to capture their communications. More stringent rules apply to firms which are in a highly influential position such as investment advisors and stock brokers.
The type of calls that need to be recorded are specifically outlined as ones which:
- conclude an agreement with any client or with another regulated firm on behalf of a client;
- are conducted with a professional client or eligible counterparty with a view to concluding an agreement.
Payment Card Industry (PCI Compliance)
On the back of an earlier initiative by VISA, in 2004, the major card companies aligned to form the Payment Card Industry Security Standards Council (PCI DSS). On December 15th 2004, the PCI DSS 1.0 was released. Over the following years PCI DSS has evolved to not only provide greater security to the industry, but also to accommodate new technology advancements and is today the global data security standard for payment cards.
If your organisation is looking be PCI compliant then as part of the PCI Data Security Standard (PCI DSS), you’ll be facing the issue of recording sensitive authentication data (SAD) when taking payments through the phone or other devices.
It is a violation of PCI DSS requirement 3.2 to store any SAD, including card validation codes and values, after authorisation – even if the data has been fully encrypted. It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3 etc) to store CAV2, CVC2, CVV2 or CID codes after authorisation if that data can be queried; recognising that multiple tools exist that potentially could query a variety of digital recordings.
Dubber or similar services, could assist organisations to become PCI DSS compliant when it comes to recording their communication. Dubber does this in two ways:
- Dubber’s PCI integration technology with Automated Pause/Resume helps a customer to comply with the Payment Card Industry’s Data Security Standard (PCI DSS). This is accomplished by automatically muting and unmuting a recording when pre-defined system events are detected.
- The Dubber PCI Payment Node can easily implement PCI compliant payments using the new Dubber PCI Payment Node. During a call, a PCI compliance transaction is required and the process is triggered by agent. At that point the agent transfers call to the PCI Payment Node (hotkey or phone number) the Node scripts take over, requesting the relevant details (e.g. amount, card number etc). The captured payment details are sent automatically to the merchant for completion. Once the transaction is completed, the caller is connected back with the agent to complete the call.
If you’re looking to implement call recording and you’re not sure about the relevant compliance which you’ll need to adhere to, contact your industry authority for further information on specific regulations and legislations.