Recording rules for contact centers are confusing, as some of the regulations actually contradict each other at times. Here are some of the pertinent regulations and standards in the US:
- Dodd-Frank Act – requires financial services organizations to maintain complete and accurate (unaltered) call recordings for a wide range of activities, for up to 5 years
- Electronic Funds Transfer Act (EFTA) – requires recording and retention of telephone conversations that authorize electronic funds transfers
- Gramm-Leach-Bliley Act (GLBA) Safeguards Rule – requires organizations to safeguard their customers by retaining the least amount of customer data for the least amount of time
- Payment Card Industry Data Security Standard (PCI DSS) version 3.0 – prohibits the retention of payment card validation codes and requires protection of bank card account numbers
- Federal Information Processing Standards (FIPS) – places strict standards and requirements on computer security for hardware and software used in federal agencies and departments, including their contact center operations
Call Recording Rules and Regulations
There are many more general contact center regulations and requirements that also impact call recording. The Fair Debt Collection Practices Act (FDCPA) and the Health Insurance Portability and Accountability Act (HIPAA) both include stringent regulations for verbal communications. FDCPA contains several restrictions concerning what collection agents may or may not say to customers and third parties. The most common way for a collection organization to prove their adherence and avoid fines is to provide recordings of their calls. On the other hand, HIPAA takes privacy to a new level, placing restrictions on how protected health information (PHI), which is pretty much all information about each caller, is shared; this limits what can and should be recorded. Beyond the regulatory concerns, businesses also need a way to verify that their contact center agents are following scripts and are delivering the quality of service their customers demand. Call recordings are the primary, if not only, resource to provide this insight.
Making Sense Out of the Recording Regulations
Not capturing contact center call recordings in today’s regulatory and business environment is a risky proposition, as recording is often the only way to prove to regulators that your company did the right thing, be it obtaining explicit consent to send marketing content, transfer funds or purchase a stock, or delivering the mini-Miranda in a collections call. However, if you record certain transactions, you could (and likely are) breaking some of the rules. So, to satisfy regulatory expectations, reduce risk and protect customers’ private information, you need a highly flexible recording solution that takes all of these issues into consideration.
If you have not audited your recording environment and solution in the past five years, your organization is at risk, as the regulatory environment and the technologies and tools for compliance have changed. DMG recommends that you assess your current recording solution and practices, retention guidelines and access rights. The next step is to draft a recording strategy, obtain approval for it from management, legal and compliance, and then implement the plan.
To eliminate the risk of being penalized with what could be millions of dollars in fines for being out of compliance, we suggest you prioritize this issue.
To eliminate the risk of being penalized with what could be millions of dollars in fines for being out of compliance, we suggest you prioritize this issue.
Next, find a call recording vendor who understands your regulatory and business landscape and needs. There is a new generation of recording solutions available that are more flexible and scalable and designed to address the highly complex regulatory environment. Pay special attention to recording security, including the handling of encryption from point of capture, during transmission and for data at rest, as DMG anticipates these issues will become even more important in the next 3 – 5 years.
“To record or not to record” is no longer the question. Recording in a manner that meets the needs of regulators and your business while protecting the privacy and legal rights of your customers, is the answer.