Many contact centers and enterprises must record customer interactions in order to comply with PCI, HIPAA, MiFID II, GDPR and other governmental regulations. Among other things, these (and other) mandates specify which types of interactions must be recorded, for how long and the types of data protection technology which must be employed to protect customer data. Therefore, what is needed is a highly versatile call recorder which provides all of the functionality and customizability these organizations require to fully maintain compliance.
The RECITE Interaction Recording Solution provides all of the compliance masking, customization, audit trail, encryption, recording retention periods and permission levels an organization needs to ensure compliance. RECITE also automatically encrypts all recordings, and digital signatures are applied so that recordings are tamper-proof.
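The tamper-proofing claim above rests on a simple mechanism: bind a cryptographic tag to the recording bytes and their metadata (call id, timestamp, agent) so that any later edit to either is detectable. The following is an added example written for this page; it is not RECITE's code and says nothing about how RECITE implements signatures. It uses an HMAC-SHA256 tag from the Python standard library as a stand-in for a digital signature (the principle is the same; a production system would use an asymmetric signature so that users with playback rights cannot re-sign). The recording bytes, metadata and key are all constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample input: a fake "recording" payload and its call metadata.
SAMPLE_RECORDING = b"RIFF....constructed-fake-wav-payload...."
SAMPLE_METADATA = {
    "call_id": "example-0001",        # constructed
    "started": "2024-01-01T10:00:00Z",
    "agent": "agent-42",
}
# Constructed demo key. In practice this key lives with the recorder (or an HSM),
# not with users who merely have permission to play recordings back.
DEMO_KEY = b"constructed-demo-key-do-not-use"


def _canonical(metadata: dict, content_hash: str) -> bytes:
    """Canonical JSON so sealer and verifier hash identical bytes
    regardless of dictionary ordering or whitespace."""
    payload = {"sha256": content_hash, "meta": metadata}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def seal_recording(recording: bytes, metadata: dict, key: bytes) -> dict:
    """Return a seal covering both the audio bytes and the metadata.

    Hashing the content first and then tagging hash+metadata means a large
    audio file is read once, and the metadata cannot be swapped onto a
    different recording without invalidating the tag."""
    content_hash = hashlib.sha256(recording).hexdigest()
    tag = hmac.new(key, _canonical(metadata, content_hash), hashlib.sha256).hexdigest()
    return {"sha256": content_hash, "meta": dict(metadata), "tag": tag}


def verify_recording(recording: bytes, seal: dict, key: bytes) -> bool:
    """True only if neither the audio nor the sealed metadata has changed."""
    content_hash = hashlib.sha256(recording).hexdigest()
    # Constant-time comparisons avoid leaking how many leading bytes matched.
    if not hmac.compare_digest(content_hash, seal["sha256"]):
        return False
    expected = hmac.new(key, _canonical(seal["meta"], content_hash), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, seal["tag"])


if __name__ == "__main__":
    seal = seal_recording(SAMPLE_RECORDING, SAMPLE_METADATA, DEMO_KEY)
    print("original verifies:", verify_recording(SAMPLE_RECORDING, seal, DEMO_KEY))
    edited = SAMPLE_RECORDING[:-1] + b"X"  # one byte changed
    print("edited verifies:", verify_recording(edited, seal, DEMO_KEY))
```

The seal is stored beside the recording (or in the audit trail) and checked before every playback or export; a failed check is the event a compliance team wants logged, not silently ignored.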
Below is some information on many of the different compliance standards that impact call recording, all of which RECITE helps you comply with:
The Health Insurance Portability and Accountability Act (HIPAA) seeks to protect sensitive patient information including when it is taken over the phone. According to CallRecordingWorld.com, “To avoid the necessity for any of these penalties, any organization involved in the healthcare industry needs to adopt specific rules and policies via best practices. This includes insisting that all interactions are recorded and monitored frequently to ensure compliance. This call recording is important, and the supporting software for management must be robust. The platform must include the ability to automatically mask or encrypt protected information from those lacking the proper authority to view it.”
HIPAA also requires recorded interactions be protected from unauthorized users. Fortunately, RECITE offers the most permission levels of any call recording software on the market – over 100 levels of restriction based on almost any type of criteria.
- FCC Confirms Rules Regarding HIPAA and Patient Telephone Calls (HIPAA Journal)
- HIPAA Ruling – TCPA Omnibus Declaratory Ruling and Order
Credit card manufacturers formed the PCI Security Standards Council to enforce data protection rules to ensure cardholder privacy. The council created the PCI Data Security Standard (PCI-DSS) in March of 2011 to “provide payment security advice for merchants and service providers who accept and/or process payment card data over the telephone. This information highlights the key areas organizations with call center operations need to address in order to process payment cards securely, and how best to protect their business and their customers from the risks of data compromise and fraud.”
The Standard further stipulates, “There is a risk that organizations taking customer payment card details over the telephone may be recording the full cardholder details to comply with various regulatory bodies, thereby causing them to be in contravention of PCI DSS requirements and potentially exposing cardholder data to unnecessary risk.”
PCI-DSS governs call recordings and their storage: it prohibits interaction recordings from retaining CAV2, CVC2, CVV2 or CID codes, the Primary Account Number (PAN) or the PIN after authorization. The compliance masking capabilities of RECITE help ensure this sensitive data is never stored when credit card data is taken over the phone.
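To make the masking requirement concrete, here is an added example of the kind of redaction a recorder applies to a call transcript before it is stored. It is illustrative code written for this page, not RECITE's masking engine. It finds candidate card numbers (13 to 19 digits, with optional spaces or hyphens), keeps only those that pass the Luhn check so that order or reference numbers are left alone, masks all but the last four digits, and redacts security codes and PINs spoken after a keyword. The transcript, patterns and keyword list are constructed assumptions.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Security codes or PINs given after a keyword, e.g. "CVV is 123", "PIN: 4821".
# Keyword list is a constructed assumption; tune it to the transcripts you see.
CODE_PATTERN = re.compile(
    r"\b(CVV2?|CVC2?|CAV2|CID|PIN)\b(\s*(?:is|number|code)?\s*[:#]?\s*)(\d{3,6})\b",
    re.IGNORECASE,
)

# Constructed sample transcript (not a real call).
SAMPLE_TRANSCRIPT = (
    "Agent: Can I have your card number?\n"
    "Caller: 4111 1111 1111 1111, expiry 09/26.\n"
    "Agent: And the CVV?\n"
    "Caller: CVV is 123, and my PIN: 4821.\n"
    "Agent: Thanks. Your order reference 1234567890123 stays on file.\n"
)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out reference numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_transcript(text: str):
    """Return (masked_text, stats). PANs keep their last four digits so the
    record is still useful for dispute handling; codes are removed entirely."""
    stats = {"pans_masked": 0, "codes_masked": 0}

    def _mask_pan(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)    # not a card number: leave untouched
        stats["pans_masked"] += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    def _mask_code(m: re.Match) -> str:
        stats["codes_masked"] += 1
        return f"{m.group(1)}{m.group(2)}[REDACTED]"

    masked = PAN_PATTERN.sub(_mask_pan, text)
    masked = CODE_PATTERN.sub(_mask_code, masked)
    return masked, stats


if __name__ == "__main__":
    out, counts = mask_transcript(SAMPLE_TRANSCRIPT)
    print(out)
    print(counts)
```

Masking the text transcript is only half the job: the same spans must be suppressed in the audio (pause-and-resume or tone overwrite) and the unmasked intermediate must never be written to disk, otherwise the "never stored" guarantee above is not met.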
The General Data Protection Regulation (GDPR) is an EU-wide data protection regulation which will come into force in May 2018, replacing all national data protection laws in member states. GDPR is designed to further strengthen the rights of individuals when it comes to organizations collecting, recording and using their personal data, placing greater onus on companies to demonstrate compliance, and increasing the penalties for not doing so.
The new law seeks to strengthen individual rights over those of an organization in terms of protecting privacy, including the collection and recording of personal data. According to the UK Information Commissioner's Office, “Businesses wishing to record calls will be required to actively justify legality by demonstrating the purpose fulfills any of six conditions:
- The people involved in the call have given consent to be recorded
- Recording is necessary for the fulfilment of a contract
- Recording is necessary for fulfilling a legal requirement
- Recording is necessary to protect the interests of one or more participants
- Recording is in the public interest, or necessary for the exercise of official authority
- Recording is in the legitimate interests of the recorder, unless those interests are overridden by the interests of the participants in the call”
RECITE offers over 300 customization options to ensure you record and store the interactions you need in order to comply with GDPR.
MiFID II COMPLIANCE
MiFID II requires firms to periodically monitor the records (including recordings) of transactions and orders, “…appropriate to the nature, size and complexity of its business. The monitoring should at least aim to ensure the records are readily accessible and accurately reconstruct the audit trail of a transaction.”
Financial firms are required to maintain recordings for five years and up to seven if requested by the authority.
Certain electronic communications also fall within the scope of MiFID II and must be recorded and stored, including video conferencing, fax, email, SMS, chat, instant messaging and mobile device applications. RECITE Recording for Skype for Business can help you comply with these stipulations. Click here for a free 20-day trial of Skype for Business Recording.
The Markets in Financial Instruments Directive (MiFID II) seeks to increase the transparency of financial markets in Europe, and therefore, the ruling stipulates which types of financial interactions must be recorded and for how long.
Here are some of the types of interactions that must be recorded and stored:
- Dispute resolution evidence
- Internal transaction-related communications
- Reception, transmission & execution of client orders