By Becca Rowe, Junior Marketing Communications Associate
Call and contact centres are the beating heart of any organisation, and for companies providing a high level of customer support, they serve as the central hub of activity for all inbound and outbound communications. Not only do contact centres serve as gateways between the company and customers searching for answers to questions, they also provide an efficient means for completing important tasks, such as making payments, solving product or service issues, or even sensitive queries, like getting medical advice in the case of healthcare organisations.
Because of the often business-critical nature of these transactions, many organisations record all their calls. This practice serves several purposes. Call recordings are a valuable tool for training new customer service representatives (CSRs). They can also be vital evidence in resolving customer disputes and allow the company to defend itself against possible litigation. Finally, keeping call recordings is often mandatory, because a number of government and industry regulations require organisations to retain them.
With so many laws and regulations governing call recordings in the US alone, organisations may find themselves in a pickle when having to abide by several, or all, of them. Let’s look at some of the most pertinent regulations governing call recordings in the United States and what they mean for organisations operating contact centres.
One state-level example is the California Invasion of Privacy Act (CIPA). Under Penal Code Section 632, California requires the consent of all parties before a confidential communication is recorded. Consequently, any inbound or outbound call that may be recorded should be prefaced with an announcement such as: “This call may be recorded for quality-assurance and training purposes”. This requirement applies to any organisation that conducts business with California residents by telephone, wherever the organisation itself is based. The legislature deemed this a necessary measure because Personally Identifiable Information (PII) was being captured without all-party consent and therefore, in scope
The Dodd-Frank Wall Street Reform and Consumer Protection Act, passed by the U.S. federal government, was designed to promote the financial stability of U.S. markets by improving accountability and transparency within the financial system. Under the rules the Commodity Futures Trading Commission (CFTC) adopted to implement it, firms must record oral communications that lead to the execution of a swap, including those that lead to a related cash or forward transaction. This brings the call recordings of affected financial institutions, and the trade information they contain, squarely into scope.
The U.S. federal government passed the Do-Not-Call Implementation Act and the Telemarketing Sales Rule (TSR) to reduce the volume of telemarketing calls that consumers were receiving. The TSR requires that, before a customer is billed, the seller obtains the customer’s express authorisation, including confirmation that the customer understands the specific charge and the date(s) on which it will be submitted for payment. Depending on the payment method, the seller may have to obtain “Express Verifiable Authorisation” (EVA) from the buyer, in one of three ways: advance written authorisation from the consumer, written confirmation sent to the consumer before the transaction is submitted for payment, or an audio recording of the customer, in his or her own voice, authorising the order. This affects every industry that sells by telephone: without a retained record of the customer’s verbal consent, a telemarketer may be unable to show that it complied with the rule.
The Electronic Communications Privacy Act (ECPA), whose Title I is known as the Wiretap Act, was passed by the U.S. federal government to protect the privacy of wire, oral and electronic communications while they are being made, while they are in transit, and once they are stored on computers. It therefore covers telephone conversations, email and electronically stored data. Beyond protecting privacy, the ECPA prohibits the interception, attempted interception, use, disclosure and procurement of such communications. Violators face fines of up to $250,000 and up to five years in prison. All U.S. organisations and individuals must comply with it.
In 1978 the U.S. federal government passed the Electronic Fund Transfer Act (EFTA), designed to protect consumers who use electronic means to manage their finances. An electronic fund transfer is any transaction initiated through a computer, telephone or magnetic stripe card that instructs a financial institution to debit or credit a customer’s account. Under the Act, telephone conversations that authorise electronic funds transfers must be consistently recorded and retained.
The U.S. federal government passed the Fair Debt Collection Practices Act (FDCPA) to prohibit abusive or deceptive conduct by debt collectors. It also sets limits on when consumers may be contacted by telephone and forbids misrepresentation of the consumer’s debt or of the collector’s legal authority in the matter. By keeping full and complete call recordings, businesses can protect themselves against FDCPA claims; without them, a debt collector cannot easily clear itself of alleged wrongdoing. Call recordings often carry a digital ‘watermark’ that shows they have not been tampered with, but this can be difficult to implement and maintain if a recording has been split into several files or contains periods of silence.
The Federal Deposit Insurance Corporation (FDIC) was created by the U.S. federal government to preserve and promote confidence in the U.S. financial system. One of its mandates is governing how telephone call details are recorded at financial institutions. Specifically, FDIC 30-64-0020 Telephone Call Detail Records states that records of calls may be full or partial, but they must be password protected and accessible only to appropriately authorised personnel. The rule also dictates that “records [must be] destroyed after the close of the fiscal year in which they are audited or after three years from the date the record was created, whichever occurs first.”
FINRA is a private corporation, operating as a self-regulatory organisation, that regulates member brokerage firms and exchange markets and runs the arbitration operations formerly handled by the New York Stock Exchange. In 2014 FINRA adopted Rule 3170, the “Taping Rule”, which requires a broker-dealer firm that has hired more than a specified percentage of its registered persons from firms that have been expelled or had their registrations revoked to tape its registered persons’ telephone conversations with customers. It is the hiring firm that must comply, not the expelled firm.
NACHA is a non-profit membership association that oversees the Automated Clearing House (ACH) system, one of the largest electronic payment networks in the world. Contact centres that record calls while processing direct payments or other transactions through the ACH network must therefore secure, and where necessary redact, the customer’s protected financial information. This applies to any organisation that processes bank payments and ACH transactions.
The Conundrum Posed by the PCI DSS
One of the world’s few truly “global” data security standards, the Payment Card Industry Data Security Standard, or PCI DSS, is a set of twelve broad requirements that any merchant accepting card payments, and any service provider handling cardholder data on its behalf, must follow. In regard to call recordings, the PCI DSS holds that Sensitive Authentication Data (SAD), such as the three- or four-digit card security code, must never be stored after authorisation, even in encrypted form, and that this applies equally when the data is spoken aloud and captured in a call recording. For organisations recording calls to satisfy any of the regulations above, this poses a conundrum: many of those regulations require full recordings to be kept, but an organisation taking payments over the phone cannot store the part of the call in which the transaction takes place.
Read our previous blog post to learn additional information about the effects of the new guidance on PCI DSS compliant call recordings and the conundrum.
Ease Compliance with Disparate Regulations – Employ DTMF Masking Solutions
Of course, the best way to protect your customers and your company’s reputation is to remove as much PII from the contact centre as possible. DTMF masking solutions, such as Semafone’s Cardprotect, can resolve the competing compliance conundrum: the customer keys numerical information, such as payment card details or social security numbers, on their phone’s keypad while the agent stays on the line. The DTMF tones are masked so that neither the agent nor the call recorder can distinguish the digits, and the digits are passed directly to the third-party payment processor without ever entering the contact centre infrastructure. This reduces risk and makes for a smoother customer experience, and it lets organisations keep full call recordings without capturing SAD, so they can comply with the PCI DSS and the recording regulations described above.
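To make the masking step concrete, the following is an added example and not Cardprotect’s or any vendor’s code. It simulates the whole path in pure Python: the caller’s keypresses are synthesised as DTMF tone pairs, a Goertzel detector recognises each digit frame by frame, every digit-bearing frame is replaced in the recording by a flat tone, and the digits themselves go into a separate buffer destined for the payment processor. The sample rate (8 kHz narrowband), the 25 ms frame, the detection threshold, the 600 Hz masking tone and the “speech” background (two sinusoids standing in for a real conversation) are all assumptions chosen for the demonstration; a production detector would add twist and harmonic checks that are omitted here.

```python
"""DTMF masking, simulated end to end (added example; not Semafone's code).

A caller keys digits on the phone keypad. The audio that reaches the call
recorder has every DTMF frame replaced by a flat tone, while the digits
themselves go into a separate buffer that is handed to the payment processor
and never written to the recording.
"""
import math

SAMPLE_RATE = 8000          # Hz, narrowband telephony (assumed)
FRAME = 200                 # samples per frame, 25 ms (assumed)
LOW_TONES = (697, 770, 852, 941)        # DTMF row frequencies
HIGH_TONES = (1209, 1336, 1477, 1633)   # DTMF column frequencies
KEYPAD = ("123A", "456B", "789C", "*0#D")   # rows = low tones, columns = high tones
POWER_THRESHOLD = 500.0     # tuned for the 0.5-amplitude tones synthesised below (assumed)
MASK_TONE_HZ = 600          # flat tone written to the recording in place of a digit (assumed)


def sine_frame(freqs_amps, n=FRAME):
    """One frame of summed sinusoids. freqs_amps: iterable of (Hz, amplitude)."""
    return [sum(a * math.sin(2 * math.pi * f * t / SAMPLE_RATE) for f, a in freqs_amps)
            for t in range(n)]


def dtmf_frame(digit):
    """Synthesise one frame of the DTMF tone pair for a keypad digit."""
    row = next(r for r, keys in enumerate(KEYPAD) if digit in keys)
    col = KEYPAD[row].index(digit)
    return sine_frame([(LOW_TONES[row], 0.5), (HIGH_TONES[col], 0.5)])


def goertzel_power(samples, freq):
    """Squared magnitude of the DFT of `samples` at `freq` (Goertzel algorithm).

    The final-stage identity |s1 - e^{-jw} s2|^2 = s1^2 + s2^2 - 2cos(w) s1 s2
    holds for any w, so the target frequency need not fall on a DFT bin.
    """
    w = 2 * math.pi * freq / SAMPLE_RATE
    coeff = 2 * math.cos(w)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_digit(frame):
    """Return the keypad digit present in `frame`, or None if no DTMF pair is found."""
    low = max(LOW_TONES, key=lambda f: goertzel_power(frame, f))
    high = max(HIGH_TONES, key=lambda f: goertzel_power(frame, f))
    if (goertzel_power(frame, low) < POWER_THRESHOLD
            or goertzel_power(frame, high) < POWER_THRESHOLD):
        return None
    return KEYPAD[LOW_TONES.index(low)][HIGH_TONES.index(high)]


def mask_dtmf(frames):
    """Split the caller's audio into (recording_frames, keyed_digits).

    Frames that carry a DTMF digit reach the recording as a flat tone, so the
    agent and the recorder hear that a key was pressed but not which one. The
    digit itself goes only into the buffer returned for the payment processor.
    A key held across consecutive frames is counted once.
    """
    recording, digits, previous = [], [], None
    for frame in frames:
        digit = detect_digit(frame)
        if digit is None:
            recording.append(frame)
        else:
            recording.append(sine_frame([(MASK_TONE_HZ, 0.3)], len(frame)))
            if digit != previous:
                digits.append(digit)
        previous = digit
    return recording, "".join(digits)


def simulate_call(keyed):
    """Constructed call: speech-like background, each keypress two frames long, a gap between."""
    speech = sine_frame([(300, 0.3), (2200, 0.1)])   # stand-in for the agent and caller talking
    frames = [speech, speech]
    for digit in keyed:
        frames += [dtmf_frame(digit), dtmf_frame(digit), speech]
    return frames


if __name__ == "__main__":
    recording, digits = mask_dtmf(simulate_call("4111"))
    print("digits forwarded to processor:", digits)
    print("digits recoverable from recording:", mask_dtmf(recording)[1] or "(none)")
```

Running the detector a second time over the masked recording is the check that matters: it must recover nothing, which is what lets the full recording be retained without holding SAD. In a real deployment the masking happens on the live media stream before it reaches the agent’s desk and the recorder, and the digit buffer is sent to the payment service provider over its own channel rather than kept in memory on contact centre systems.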