Call Recording: What You Need to Know to Meet Regulatory Compliance

By Bill Johnson

It’s a fact of business life: Every company and organization must meet regulatory compliance with governmental and other trade organizations. And they better do it right. After all, regulatory agencies aren’t sitting around waiting for offenders to fall in their laps. They are aggressively looking for companies that do not comply and slapping them with hefty fines.

Capital One was hit with a $210 million fine in July 2012 by the Consumer Financial Protection Bureau to settle charges of deceptive marketing of credit card “add-on” products such as payment processing and credit monitoring, reported Bloomberg. Of the fine, $140 million was returned to Capital One customers who were pressured or misled into buying credit card products they did not understand or couldn’t even use. This was the first case for the bureau, which was founded in July 2011 to increase oversight of consumer financial products as a result of the Dodd-Frank Act.

Beyond the Dodd-Frank Act, financial organizations must also comply with a variety of other regulations, including the Payment Card Industry Data Security Standard (PCI-DSS), Sarbanes-Oxley Act, Financial Services Authority regulations, Gramm-Leach-Bliley Financial Services Modernization Act, Fair Debt Collection Practices, and the Social Security Act.

Healthcare is likewise challenged with complying with a variety of regulations, and it’s not always easy. For example, SC Magazine noted that Blue Cross was fined $1.5 million by the US Department of Health and Human Services’ Office for Civil Rights (OCR) for a 2009 security breach that affected more than a million members. In the fall of 2009, 576 unencrypted computer hard drives were stolen from a data storage closet in Chattanooga, Tennessee, during a move to a new facility. The data included audio recordings of customer support calls and screenshots of what the call center staff saw when handling the calls.

Healthcare’s Health Insurance Portability and Accountability Act (HIPAA), enacted in 2003, tightened regulations on healthcare organizations, and those that do not comply pay big time. For example, Cignet Health was fined $4.3 million in February 2011 for not complying with HIPAA’s privacy regulations. Even though fewer than sixty records were breached, the fact that it did not cooperate with the Office for Civil Rights resulted in this hefty fine, according to Health Data Management.

Financial and healthcare organizations are not the only ones challenged with meeting regulatory guidelines. In fact, regardless of industry, regulations affect every organization with a contact center. For example, the Do-Not-Call Implementation Act and the Telemarketing Sales Rule affect every contact center, whether inbound or outbound. Violators pay fines up to $16,000 per incident.

Contact centers that accept payment cards must comply with regulations set forth by the Payment Card Industry Data Security Standard (PCI-DSS), which was developed and is regulated by American Express, Visa, MasterCard, Discover, and JCB International. These financial institutions have enacted their own fines for violators. For example, PCI Security Standards Council and PCI Standard note that MasterCard and Visa fine merchants as much as $25,000 for the first violation.

Because most contact centers record their calls and screenshots associated with the calls, they are also required to adhere to the various regulations. And if they are accepting payment cards, there’s even more compliance. Simply put, to comply, contact centers must ensure that all their data is securely stored, and they must strictly control usage of the recorded conversations and interactions. With PCI-DSS, they must also adhere to regulations regarding the storage of payment card data so that it is not easily accessible to agents or others.

For compliance of both written and recorded data, there are five key areas to consider:

1) Storage security: How secure is your data storage? Is your security up to date?

2) Access: Who has access to the information? How is access controlled?

3) Type of data: What type of data will be stored? Is it only call recordings or also screenshots associated with the calls? Are written documents or other documentation stored?

4) Length of data storage: How long will the data need to be stored? What is required to meet compliance? What is needed for the health of the organization?

5) Compliance in an investigation: What is the procedure to quickly and accurately access and produce data in the case of an investigation?

For call recordings, there are ten key ways to help ensure regulatory compliance.

1) Have call recordings stored, organized, and preserved in a secure central repository, whether it is on-site, remote, in the cloud, or a hybrid of these.

2) Provide the ability for authorized users to easily access, search, and save call recordings using a familiar file management system, similar to email organization in Microsoft Outlook.

3) Provide access via encrypted streaming for the highest level of security.

4) Share only through link distribution, which is more secure than file sharing.

5) Restrict information access by using a combination of call data, account code, and other criteria.

6) Utilize digital watermarking, which provides the ability to verify and prove that files have not been altered. This is essential in legal situations.

7) Take advantage of variable data lifecycle management, which allows the user to tailor how call recordings are stored, staged, and purged based on a variety of criteria, such as account code, extension, and caller ID.

8) Implement automatic storage and purging based on unique individual criteria to ensure uniform practices, rather than requiring tedious and inefficient manual review.

9) Utilize an archival database to enable authorized users to instantly search and access recordings.

10) Create custom archiving rules based on call data, and implement media management functionality, such as call slicing, merging and redacting, and call-segment exporting, that allows users to further restrict and control information in individual call recordings on an as-needed basis to ensure instance-by-instance regulatory compliance.

Although not required by regulations, additional search and mobility features can help support compliance and improve the ease of proving compliance in the case of an investigation. For example, speech search provides the ability to quickly search for specified key words and phrases within call recordings. Additionally, mobile access via a secure Web-based application makes it fast, easy, and secure for authorized users to access documents when they are away from their desks.

In addition to meeting important regulatory compliance requirements, call recordings can help organizations monitor the quality of agent calls, provide agent training and agent self-evaluations, and help resolve disputes by providing part or all of a call recording to the other party.

While stiff fines and bad publicity are strong motivators to stay compliant, the best motivation for regulatory compliance is the peace of mind knowing that you are protecting your organization, customers, partners, and vendors.

Bill Johnson is the director of client services and channel programs at Oaisys Inc.

[From Connection Magazine Jul/Aug 2013]
