Call recording and compliance with PCI / MIFID II: the questions you need to ask
Although the internet has become the main communication channel for many companies, the old-fashioned phone still plays an important role in the business world and is likely to do so for quite some time to come. This fact has been recognised by governments and regulators, who have taken an interest in the recording and storing of phone calls, particularly with regard to financial transactions.
Companies have long had to be aware of PCI regulations, and they now also need to comply with MIFID II regulations. These are much wider in scope and, realistically, many SMEs will find it more practical to buy in a third-party solution that guarantees compliance rather than to try to create their own in-house systems, which larger companies may be more likely to do.
In either case, there are 6 key points to check to ensure that whatever solution you choose is appropriate now and has a reasonable degree of future-proofing.
1. Platforms covered
You need to be able to record mobile calls as well as calls to landlines. It also wouldn’t hurt to have the capacity to capture data from other channels such as SMS or instant messenger to give your company some protection against future changes to the rules.
2. Ease of implementation
When looking at different solutions, think about the practicalities of actually getting them up and running. Will you pay your IT employees to do the extra work or outsource the technology to specialists? What are the costs of each approach and what are the benefits and risks?
3. Ease of administration
Once you have your system in place, someone is going to need to have day-to-day ownership of it and be responsible for ensuring that it continues to work as it should. How hard a job will this be? Could it be incorporated into an existing role or will you need to hire someone specifically?
Can your solution move in sync with your business rhythms, expanding during busy times and contracting in quieter ones? This may add to the upfront purchase cost, but over the long term it may lead to meaningful savings.
5. Secure but accessible storage
MIFID II mandates that relevant calls be stored for five years after the transaction, which is 10 times longer than current standards.
These days, the cost of storage media and/or cloud storage is relatively low, but the cost and practicalities of keeping data secure for this length of time may be another matter.
IT is a fast-moving area and therefore it’s entirely reasonable to assume that data security standards will change over the lifetime of a recording and that new standards may be applied to data that has been captured several years previously.
Therefore, it is clearly advantageous if a solution has the means to adapt to changes in the security landscape. At the same time, the data is being stored for a reason, namely that it may be required for legal/regulatory purposes and hence needs to stay accessible. This is where cloud storage has a clear edge over on-site storage.
6. Flexibility in adapting to other legal requirements
Laws and regulations can and do change, so it can be very helpful to have a solution that is able to adapt to legal and regulatory changes as well as security ones.
Having IT specialists on hand whose job it is to stay on top of legal and regulatory requirements can be a more effective approach than expecting your generic IT staff to learn this on top of the tech support and maintenance they are already doing on a day-to-day basis.