While there are many good reasons to record a business call, like training, compliance or quality control, many companies are unclear about what they can and cannot do under the current rules. This already exposes them to potentially disastrous consequences. Things look set to change with the advent of MiFID II, however.
There are big changes scheduled in the near future on the regulation of financial instruments, so it could well be time for financial services businesses to think again about the policies they have in place. The revised Markets in Financial Instruments Directive (MiFID II) comes into force next January and it will have a big impact on call recording policies. There is also the prospect of a big hike in fines for data misuse under forthcoming data protection regulation.
Current legislation isn’t straightforward, and business call recording needs to comply with a number of regulations. In particular, it must comply with the Data Protection Act 1998 (DPA) – because call recording usually results in the acquisition of someone’s personal data – and the Regulation of Investigatory Powers Act 2000 (RIPA).
Briefly, RIPA places limits on when telephone calls can be made, and an automated recording of a telephone call generally contravenes regulations unless all parties consent to it. For DPA purposes personal data means information held about identifiable individuals, such as a home address, and sensitive personal data would include information about someone’s ethnicity, religious beliefs, and so on.
Business call recording captures personal data and if personal calls are included in call recording policies then sensitive personal data is also easily captured.
Former barrister and data protection and privacy expert Ben Hooper says that “business calls may be recorded without contravening the DPA if the benefits of recording outweigh any adverse impacts and if appropriate steps are taken to satisfy other data protection requirements that apply”.
So, if compliance is already a minefield, what changes will the new regulations bring? Compliance is only going to become more important, according to Hooper. The new European General Data Protection Regulation (GDPR) replaces the DPA in May 2018.
This will tighten the rules on data protection and substantially increase the penalties for breaches, he says, from the current maximum of £500,000 to potentially four per cent of worldwide turnover.
Then there is MiFID II, which comes into force in January 2018 and significantly tightens the call recording requirements for financial services companies.
The present regulations for recording phone calls apply to about 30,000 traders in the City, but MiFID II will apply more widely. In fact, the number of individuals falling under the regulation could go up to 300,000 in the UK alone.
MiFID II stipulates that any firm providing financial services to clients linked to “financial instruments” will have to record and store all communication intended to lead to a transaction. It’s a big escalation of current obligations and means that anyone in the advice chain must record and store their conversations with customers.
It also includes the premises in which these calls or conversations take place. In fact, MiFID II will extend to all forms of communication, including face-to-face conversations. These won’t necessarily need to be recorded, but they will have to be captured in written notes or minutes and they must be stored for up to five years.
Yes, under MiFID II recordings will also need to be stored for longer than they are at the moment: for a minimum of five years against the six months that is currently required.
Financial services businesses will need a comprehensive view of their compliance across all channels – phone, email, SMS and in person – in order to meet these new regulations. They will need to demonstrate that the policies, procedures and management oversight of the MiFID II recording and monitoring rules are in place.
There is much for London’s financial services business community to prepare for in these regulations, and not enough information available from the regulatory authorities to provide much in the way of meaningful guidance.
We can be sure that Brexit will have no impact on compliance with these new regulations, as even on the most optimistic timetable the UK will not have left the EU by early next year. In any case, we can be pretty certain that any future legislation which might eventually replace European law would be very similar in its scope and content.
The burden to comply with MiFID II and the GDPR Act rests entirely with the businesses involved, so it’s time for companies to check their call recording policies and make sure that they have the right processes in place. The clock is ticking.
James Foley is VP of customer experience at Resilient