Secure voice recording and data storage in financial services

The mandate to record conversations

The financial services industry has always been subject to regulation, its stringency dependent on the prevailing political winds and the degree of trust in the industry held by both politicians and the public. However, the financial crisis of 2007/08 and consequent recession inevitably resulted in a dramatic reshaping of the regulatory landscape.

As part of its efforts to shore-up financial services regulation, the European Union made significant revisions to an extensive pre-crisis piece of legislation called Markets in Financial Instruments Directive (MiFID), governing the transparency of trades.

Its successor, MiFID II, which comes into effect from January 2018, has significant ramifications for financial services. The landmark regulation has a broad sweeping scope, encompassing everything from research to more complex topics like over-the-counter derivatives. With such a wide range of services covered in MiFID II, there are inevitably changes that may not receive due attention. One such change is the increased requirement to record meetings.

Colossal data challenge

The Financial Services Authority (FCA) already mandates that anyone directly involved in equity trading must record calls. However, MiFID II broadens the scope of individuals coming under its mandate – it’s not just the top city traders, it’s also financial advisers and commodity traders not previously regulated by the FCA.

Consequently, the population of workers in the financial sector that will have to record their calls will swell from 30,000 to 500,000, and these records must then be securely stored for a period of at least five years – up to seven years – depending on the local regulator. Companies have to prepare themselves for the colossal challenge of storing and managing potentially petabytes of extra data.

Additionally, his is without recording face-to-face meetings. Whilst MiFID II states that meetings can be recorded by note taking, surely it would be more compliant to record face-to-face meetings and have these stored together with call recordings, but this adds to the volume of data, and the challenge of data storage, analysis and management.

Increased data protection sensitivity

With great amounts of sensitive data comes great responsibility. As calls and meetings about investments contain highly sensitive information, any breach of confidentiality which falls under the purview of both the UK’s Information Commission (ICO) and the new General Data Protection Regulation (GDPR) could result in significant financial penalties.

From a security standpoint, this new regulatory framework will have multiple implications for organisations due to concerns about when and how these records will be stored. For instance, if a meeting is recorded on a digital recorder, it is unsafe until it’s uploaded to a digital carrier, encrypted and deleted on the recorder itself. Also, if a call is recorded on a mobile device – how can compliance be guaranteed if the device is stolen?

Secure recording and data transit

For most people and organisations in the industry, fixed-line recording is not a problem, as they work in an office and implement technical solutions with relative ease. However, mobile phones are rapidly emerging as the voice communications platform of choice. As a result, the MiFID II strategy of any company has to focus on introducing a solution that makes it easy to record mobile phone conversations.

First and foremost, financial services companies should provide their employees with either an auditable device or an approved device management solution, which will allow them to record calls and meetings. Whilst the rules suggest that paper notes are acceptable it is hard to see how these are in any way secure, so a secure face-to-face recording app should be available.

Regardless of whether a phone call or face-to-face conversation has been recorded, consideration must be made as to how these conversations are being stored. If these are stored on a dicataphone or on a mobile phone’s SD card, then just how safe are these sensitive conversations if these are lost?

Secure archiving

MiFID II makes it very clear that recordings must be securely archived. Even in the event of a successful cyber-attack, conversations must be encrypted so they are unreadable. Ideally AES 256, with an option to encrypt with your own keys, should underpin the encryption from the point of entry, to the point of storage.

The number of employees who have access to recordings should be kept to a minimum, and they should be subject to appropriate confidentiality requirements and given appropriate data protection training. Files should be signed before storing and all access to these files should be captured in an audit log to ensure tamper evidence can be provided.

Finally, unless there is a regulatory requirement to keep the recordings for a particular time period, the organisation will have to fix its own retention period – no longer than required to comply with the recording policy. The recordings must be erased after the end of the retention period.

Recording policies that fail to properly respect the privacy of employees may undermine relations between management and staff. In addition, security and data protection breaches can generate bad publicity for organisations, and undermine the trust of customers and partners.

Analytics: The silver lining

The requirement under MiFID II for businesses to increase the volume of recordings and ensure that they are securely stored will undoubtedly carry a cost, but analysis of these calls could, for forward-thinking firms, provide deep customer insight and real competitive advantage.

By analysing recordings, for example, for the frequency of commonly used phrases used by both staff and clients, businesses will be able to gain real-time insight into changes in the market. By slicing and dicing this analysis across regions, teams and individuals, management will gain real-time insight into how trends are moving across the business, enabling them to predict developments, and adjust their service portfolio accordingly.

By using smarter tools such as sentiment analysis, business leaders can gain further understanding of market trends and propensity to buy, enabling them to build near real-time customer advice as well as objection handling strategies. In short, treating recordings as an asset rather than a compliance issue will enable businesses to differentiate themselves from the competition, and benefit from MiFID II.

James Foley, Vice-President of Customer Experience, BT Smartnumbers