Call Recording

Do I need compliance call recording in the United States?

Jessica Kruger | October 12, 2020
Compliance call recording

In the US, as in every other country, compliance call recording is the legally required process of capturing (recording) phone calls in a manner that adheres to specific local, national, and global regulations. Call recording originated among the world’s most heavily regulated industries, such as financial services and healthcare, to protect both the consumer and the business. These days, call recording is no longer treated as a necessary evil (due to the vast amounts of data created) but rather as an opportunity for every business to attain business intelligence from every conversation.

Global and national compliance laws

While very few regulations are globally applicable, national laws like GDPR and CPPA can have an effect beyond their target country because of country-to-country commerce.

These regulations often require us to establish consent with the called party, which is only provable with a recording of the call. Reasons for consent include customer permission to carry out financial transactions on their behalf, look up personal data, record the current call, finalize purchases, and so on.

State and local compliance laws

In the United States, call compliance laws regulating call recording vary from state to state. California recording laws may not match Florida recording laws, making it vital to understand call recording laws by state. While call recording regulations differ locally and globally, the financial penalties for violating these laws, especially when data breaches occur, are steep and financially damaging to any enterprise.

Notification of call recording

The Federal Communications Commission (FCC) requires notification of call recording and defines the acceptable means of notification as:

  • Prior verbal or written notification of all parties to the telephone conversation.
  • Verbal notification before the recording is made. This is the most commonly used type.
  • An audible beep tone repeated at regular intervals during the call.

Two-party consent States

Currently, 12 states require the verbal consent of all parties on a phone call to deem the recording lawful. This is referred to as two-party consent, and it’s currently enacted in the following states (exceptions noted):

  1. California
  2. Connecticut (required if and when a 3rd, non-participating party records the conversation. When recordings are made in-person, one party consent will suffice)
  3. Florida
  4. Hawaii (two-party consent is required when the recording device resides in a separate or private location)
  5. Illinois (two-party consent, but not for electronic communications)
  6. Maryland
  7. Massachusetts (bans secretive recordings; uniquely, Massachusetts has a public location exception)
  8. Montana (requires notification of recording, but not spoken consent)
  9. New Hampshire
  10. Oregon (electronic communications require only one-party consent. Two-party is necessary for in-person recorded conversations)
  11. Pennsylvania
  12. Washington (but Washington law validates permission when any party announces recording is taking place in a reasonable manner and if the recording captures the announcement)

Consider call recording for call (contact) centers

To any call center manager, regulatory compliance is a top priority. For this reason, managers expend time and funding for their call center on compliance training. Employing a scripted greeting is proven to keep your call recordings compliant. However, there are several ways to make obtaining informed consent easier. 

Recording inbound & outbound calls

Inbound call consent

Most inbound customer calls are picked up automatically by an Interactive Voice Response (IVR) system that plays a message. Depending on what state or country your business resides in, having your IVR tell the inbound caller that “this call is being recorded for quality and training purposes” will satisfy consent. 

However, not every state has the same support and customer service call recording laws. While an IVR message saves time and takes human error out of the way, it may not strike the tone you’re looking for on a sales call. Customers’ moods can quickly downshift merely because they are greeted by an IVR system and not a person.

Outbound call consent

When your company makes an outbound call, obtaining consent becomes more difficult. The calling agent must immediately inform the called party (or parties) that the call is being recorded. If parties join the conversation while the call is in progress, consent must be obtained again.

Many live agents handle this disclosure right in their introduction. For example, “Hi, my name is Sarah from Company A on a recorded line”.

What if I don’t start my calls with a live agent?

Many companies use auto-dialers that will play a message informing the customer of the call recording before the agent picks up. This method may not be optimal because auto and predictive dialers tend to annoy customers before the call starts. In the big picture, how you obtain consent can be personal and seen as considerate by the customer, or it can be impersonal and imposing. 

Making your agents responsible for obtaining consent does introduce the possibility of human error. However, with training and the number of CRM tools available in the marketplace, these errors can be minimized. 

If you do not want to open your call with a recording notification, we recommend you instead use a record-on-demand function to record only the required portions of the call – for example, after a different notification script is used later in the call.

Call center PCI compliance

As stated in one of our previous articles, whenever a customer gives your company a bank or credit card number, your company is subject to PCI DSS compliance. Since the customer gave the card number over the phone, it gets recorded and possibly transcribed by a speech-to-text application. Immediately, that data exists in 2 different recording media and is vulnerable.

PCI DSS laws mandate the protection of that data through masking and redaction. 

Masking alters the audio recording to encrypt sensitive speech segments, namely the numbers spoken on the call, while leaving the rest of the recording listenable. This encryption renders even a stolen recording useless to a malicious party. 

To comply, your audio recordings and text transcriptions should go from having vulnerable numbers (credit card, account, phone and social security) in them to looking like this image. It’s wise to equip your call center with recording software that automatically performs masking and redaction.
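The transcript side of the redaction described above can be sketched as follows. This is an added example, not CallCabinet's code: the function names are hypothetical, the sample transcript in the test is constructed, and it assumes the speech-to-text step has already turned spoken digits into numerals. It covers card numbers and Social Security numbers only.

```python
import re

# Candidate card number (PAN): 13-19 digits, optionally separated by single
# spaces or dashes, as transcription engines often group them.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# US Social Security number written as 3-2-4 digits.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _redact_pan(match: re.Match) -> str:
    raw = match.group()
    pos = [i for i, c in enumerate(raw) if c.isdigit()]
    # The regex is greedy, so a PAN followed by an expiry or CVV can be
    # swallowed into one run. Try the longest digit prefix first and trim
    # from the right until one passes Luhn. Over-redaction is the safe
    # failure here; runs with no valid prefix are left readable.
    for n in range(len(pos), 12, -1):
        if luhn_ok("".join(raw[i] for i in pos[:n])):
            return "[REDACTED-PAN]" + raw[pos[n - 1] + 1:]
    return raw


def redact_transcript(text: str) -> str:
    """Replace SSNs and Luhn-valid card numbers with fixed placeholders."""
    text = SSN_RE.sub("[REDACTED-SSN]", text)
    return PAN_RE.sub(_redact_pan, text)
```

Redacted text should replace the stored transcript rather than sit beside the original; leftover digits such as an expiry or CVV still need their own rule.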

Call compliance for financial institutions

Hospitals, insurance agencies, banks, investment firms, brokerages, and enterprises of every sort are subject to financial compliance laws like:

Dodd-Frank: Governs consumer lending, including credit and debit cards

MAD II & MiFID II—Market Abuse Directive, Markets in Financial Instruments Directive: Concerned with providing increased investor protection in EU financial trading venues

FDCPA—Fair Debt Collection Practices Act: Prohibits debt collection through deceptive or abusive means

TILA—Truth In Lending Act: Protects consumers through mandated disclosure of key lending terms

Overall, these regulations mandate accountability for financial data passing between the company and the customer. They also dictate security requirements for storing call recordings and text media. 

The fines for violations of these regulations can deeply damage any enterprise. In all of these laws, call recording is not only required; it is a company’s best line of defense in the event of a dispute. 

Compliance is the first step to establishing cause in any dispute, and if the dispute goes to litigation, the validity of a compliance recording can be questioned. For that reason, redundant Cloud storage with military-grade encryption is highly recommended. Your recordings, transcripts, and agent screen recordings (if you have them) all help you establish authenticity. 

Call recording and HIPAA compliance

When a medical practice, hospital, or health insurance company speaks to patients and customers over the phone, HIPAA (the Health Insurance Portability and Accountability Act) regulates recorded communications. If you’ve set up your operation for informed consent, PCI redaction, and encrypted storage, you might think you’re all set for HIPAA. However, there’s one last place you might need to shore up your compliance recording methods:

In healthcare markets, there are pieces of information providers can neither give over the phone nor by email. The solution is faxing, and because faxing is faster than other ways of sending data, its use has actually increased.

Online faxing produces an image file every time an online fax is sent. Millions of images with critical patient information are stored annually, and those images should be treated with the same concern as your transcripts and call recordings. The right call recording platform can be used to stay compliant anywhere you are in the world and no matter what industry you’re in.

To learn more about how CallCabinet can help manage your call compliance needs, reach out to us today.
