Audio recording is commonplace for financial institutions (FIs). This is because well-established regulations concerning recording, handling, and retention have been in place for some time, such as Dodd-Frank, PCI-DSS, FSA, and the Data Protection and Freedom of Information Acts. Recording requirements expanded with the revised Markets in Financial Instruments Directive (MiFID II), which aims to strengthen financial stability by ensuring maximum transparency in markets. This, along with new privacy laws like EU GDPR, requires shifting to a new plan to manage audio recording supervision.
The Impact of New Regulations
To ensure fairer and safer financial markets, MiFID II now requires firms to record both phone and electronic communications for investment services, such as reception and transmission of orders and execution of orders on behalf of clients. The recording requirements previously applied to the conversations of individuals directly involved in trading, and under MiFID II, this widened to include anyone involved in the advice chain that may lead to a trade.
As a result, FIs were tasked with conducting a fundamental review of business processes, including the recording and storing of conversations. Following the scramble to implement broader call recording, FIs are now experiencing large and growing archives of audio call recordings, as well as more requirements to review recordings for conduct risks and customer data protection and handling. Now that FIs have a fast-growing archive of recordings, coinciding requirements like EU GDPR, the California Consumer Privacy Act of 2018, and the South Carolina Data Insurance Security Act mean that it’s no longer acceptable to have a superficial understanding of what is in your recordings.
Financial organisations must adopt supervision processes and make best-effort attempts to identify who is on the recordings to protect client identity. In the case of GDPR, this also applies to erasure requests (i.e., when a client invokes their right to be forgotten). Further, FIs need to identify and protect recordings that contain PII, CII, and PCI. In the event of a breach that impacts the integrity of the recordings, you also need to know the identity of those to notify.
Copyright © 2018 RegTech Analyst