Call Compliance Recording 101: Five Ways to Close Financial Compliance Gaps

Financial Compliance

Call Compliance for Financial Institutions is a Must!

Whether your organization is a brokerage firm, a bank, an insurance company, or a financial planning institution, your business falls under compliance laws like MiFIDII or GDPR. In general, these regulations require all financial organizations to:

  • Record every customer call
  • Inform customers that calls are being recorded
  • Remove vulnerable customer data from the call recording
  • Keep the recording data secure
  • Retain the data for a set amount of time

Failure to adhere to these compliance regulations can be incredibly costly to a company. Violating the terms of these compliance laws exposes your company to lawsuits and legal action from customers, credit institutions, and the government. In this article, we will discuss five key areas of compliance that are relevant to financial institutions.

Record Your Calls Means More Than Call Audio

One of the main reasons any company must record its calls is to have a clear record of who said what and when they said it. This requirement is not limited to financial institutions but generally involves any industry where customers might make purchases or discuss personal financial details over the phone.

Having a high-quality audio recording of the customer interaction is a start. Still, if a call is ever needed to solve a dispute, there will need to be evidence of several key data points.


Every call should automatically include key pieces of metadata, such as the date and time the call occurred, along with the audio recording.

Caller ID

Every call should also include which outbound number was dialed by the company or which inbound number made a call. While the availability of this data will vary depending on multiple factors, your call recording platform shouldn’t prevent you from collecting this data when it’s available. It’s highly recommended that all calls record both sides of the call separately. This is done by recording a stereo file where the caller and the receiver have their audio separated between left and right.

Crosstalk can make parts of the conversation indistinguishable, and when the recording is combined into a single file where separation is unavailable, critical moments of a call may be unclear.

Securing Your Call Recordings

Financial institutions must protect every recorded call between the company and customer. Malicious parties routinely target calls and transcripts that contain customer credit card numbers, National ID and Social Security numbers, and any other valuable piece of data that they can exploit.

Your institution should store every call recording with the highest grade 256-bit encryption. Industry experts recommend using a cloud-based call recording platform because they eliminate a host of on-site security flaws. Typically, a cloud-based recorder like Atmos discreetly records every phone call directly to encrypted cloud storage without the need for any additional on-site hardware.

Legacy hardware recorders are more difficult to deploy, expensive to maintain, and can only move your data to a cloud storage network after the call data has already been captured on-site. Centralizing your call recordings in a penetration-tested, encrypted cloud is the most effective way to prevent data thieves from breaching your customer data.

Use PCI Redaction on Call Recordings

Having multiple layers of security isn’t just an effective way of protecting your customers; in the financial industry, it’s a requirement. The Payment Card Industry Data Security Standard (PCI DSS) is a data security regulation for any company that handles credit cards. Credit card numbers referred to as “PCI Data” must be scrubbed from audio recordings and speech-to-text transcripts.

This would be a near-impossible task at almost any level of call volume if it were done manually. However, this task can be capably managed by AI-driven call recording platforms. These platforms analyze each call, identify number strings, and then redact or “mask” those sections of the call, both in the audio file and in the transcript.

Some call recording platforms can be configured to remove any number string spoken on the call. That means you can add a greater level of security for your customers by eliminating phone numbers, addresses, account numbers, and any other numerical data from the call.

Train Your Employees in Best Compliance Practices

Human beings, amazing as we are, are also the point of failure in many security systems. As a financial institution, you should take every precaution necessary to limit which employees can see and access your customer data. This is especially true of your customer calls and transcripts.

Set Up Your Call Permissions

Your call recording platform should allow you to select who can review customer call audio and transcripts as well as who can send that data outside of your company network. (More on that later.)

Employ Call Scripts

Call scripts are a vital component of avoiding compliance pitfalls. An agent without a script may forget to inform the customer that the call is being recorded. Some industries require even deeper compliance statements where they read language provided to them through the law. Instituting a call script will not only have a positive impact on your security standards but can also vastly improve customer satisfaction.

Control Who Can Hear and Send Call Recordings

Data is most vulnerable when it has to move around. It’s easy to break compliance these days when it comes to sending data. Email is typically not secure, and yet it is the most common way to traffic business data.

Sending a customer call through email to an outside party is an automatic violation of numerous compliance laws. However, if a dispute needs to be resolved and a call recording or transcript must be sent to an outside party, say a legal firm, there needs to be a way to transmit that data securely.

This is where several of the previous steps all come together. Designate a manager who can administrate the secure sending of call data through an encrypted link. The encrypted link can only be opened by the party that it’s being sent.

The call should already have its PCI data redacted both in the audio and the transcript. This single action, done correctly, combines secure storage, best agent practices, PCI redaction, and a proper chain of permissions.

Protecting Your Calls Protects Everyone

Financial institutions handle incredibly vulnerable data. In the short and long run, protecting that data keeps your customer confidence high and protects your bottom line. If you’d like to know more about how to securely record your call data, reach out to us today to talk about Atmos by CallCabinet.