A Beginners Guide to Call Recording and Compliance

January 27th, 2015 3:59pm | Call RecordingComplianceFCAPCI

In this educational piece, we look at what the law says regarding call recording and financial transactions and how Oak's solutions can help you tick the right boxes.

Compliance is a murky subject. A casual glance presents the uninitiated with a series of rules and regulations that can seem at once critical and yet apparently contradictory. Some state that certain financial transactions must be recorded, whilst others, so it seems, demand that financial details be excluded or covered up. The only thing that appears obvious is that as a company you have the obligation to get it right – or you will be in trouble.

Let us shine a little light on the situation.

There are currently several guidelines and laws relevant to the recording of calls. First and foremost under the Data Protection Act, you must let your employees and customers know that you are recording calls and why – the ubiquitous ‘calls are recorded for training and monitoring purposes’ serves this purpose well. In terms of what calls or parts of calls must be recorded or not, these are laid out by two central bodies: the FCA (Financial Conduct Authority) and the PCI DSS (Payment Card Industry Data Security Standard). In this article we’ll examine the requirements of both of these and explain how Oak’s products work to help you meet the necessary criteria.

The Financial Conduct Authority (FCA) – Thou shalt record thy calls

The FCA regulates firms and financial advisers so that markets and financial systems remain sound, stable and resilient, thereby inhibiting abuse and promoting confidence in the sector. Since March 2009, the FCA has determined that certain types of business must record some calls in particular:

i) calls that conclude an agreement with any client or with another regulated firm on behalf of a client; or

ii) calls that are conducted with a professional client or eligible counterparty with a view to concluding an agreement.

These calls must be recorded and stored securely so that they may not be tampered with (this also complies with EU law). They must also be made ‘easily accessible’ for a minimum of six months.

These rules apply to firms whose products include qualifying investments (shares, bonds, options and futures) that are traded on a prescribed market, or other types of investments that are related to these. The rules do not apply to other financial services (financial advisors, insurance and mortgage brokers, solicitors, estate agents and firms receiving and executing loans). However, these firms may well be advised to use call recording.

The FCA’s Policy on Telephone Recording 08/01 2.1 states that recorded communication increases the likelihood of successful prosecution. This in turn, it argues, reduces the perceived value of committing market abuse of the system in the first place, and in principle leads to greater market confidence and greater price efficiency.

Since November 2011, the FCA does not discriminate between landline and mobile calls, so a good call recording solution will be able to securely store transactions made on both.

Payment Card Industry Data Security Standard – Thou shalt not record thy calls

PCI DSS does not just affect certain financial services, but is concerned with any business that handles card payments. Its purpose is to minimise the risk of fraud etc through the best practice handling of card details. For our purposes here, that means that if your company uses call recording software, that software must ensure that the card validation codes and values in particular (the actual payment details needed to transfer money) are not accessible following authorisation and preferably not stored on a system. The PCI DSS website states:

“It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorisation even if encrypted.

It is therefore prohibited to use any form of digital audio recording for storing CAV2, CVC2, CCV2, CID codes if that data can be queried.... Where technology exists to help prevent the recording of these data elements, such technology should be enabled. “

Serious stuff.

For companies who record calls and take payments over the phone, this is a major compliance issue. Any call recording software must offer features that allow the required parts of the calls to be hidden or omitted.

Oak Call Recording Solutions

Oak’s call recording solutions have been designed to help you comply with all the legislation outlined above.

For when you must record calls, Oak solutions offer...

  • Full security - All call recordings are automatically encrypted and tamperproof.
  • High capacity storage – Our storage capacity far exceeds the minimum requirement of 6 months; you may choose to archive calls for much longer.
  • Easy search and retrieve – Calls can be found easily using criteria such as date, time, extension, CLI, DDI, phone number, user defined flags or even customer reference if linked to a CRM system.
  • Fraud deterrence – Just letting callers know that you record calls can prevent misconduct.

Mobile compliance - Oak’s mobile application is currently available for Blackberry users only. This is because the app can be loaded centrally onto the Blackberry Enterprise Server (rather than individual handsets) making it scalable from one mobile user to hundreds. The app enables calls to be recorded and stored on the business’ central Oak call recording solution, keeping all the call information in one place. The app we use is secure and tamper proof, it cannot be turned off, and will even flag up if a user tries to change the SIM. It is also a cost-effective solution, as most alternatives require a separate SIM and may vastly increase your call charges.

... And for when you must not record calls

Oak’s solutions also provide a number of means to ensure that card details are not recorded or stored on the system. Whichever option you choose, that part of the call is simply replaced with a silence.

  • DTMF Detection – This is the most basic method that will work on any system. To pause and resume the recording of a call, the agent simply presses a series of digits on their phone pad. The CV2 number is not recorded at all while the rest of the call is recorded and made easily available for playback. There is also a built in timeout option that can tell the system to resume recording should the agent forget to do so manually. Oak line side call recording solutions include this manual option as standard.
  • PCI Click – An Oak software client is installed on each client PC allowing a user to login as themselves with an associated extension. Calls are stopped and restarted on demand by right clicking. This method requires a CTI connection.
  • PCI Web – This automated method integrates Oak’s call recording system with a business’s payment system and is set up at the time of installation. A call can be paused either by a change of URL (when the user goes to a different screen to input payment) or by clicking on specific fields on the payment system. The call recording is resumed when the user clicks on a certain field or through some other agreed trigger. A CTI connection is essential to ensure that the correct call is paused.

Clear as mud?

Hopefully things will feel a little clearer now, but If you have further questions, would like to discuss the best options for your business, or want to know more about the benefits of call recording, then do get in touch. We’d be very happy to help.

sales@oak.co.uk

0800 9889 625