Some events have such a dramatic impact on the world that we can split our history into “before” and “after” that event. The COVID-19 pandemic is one such historical event. While it’s certainly true that remote working was on the rise pre-pandemic, the pandemic accelerated remote working to unprecedented levels. Supported by advancements in mobile technology capabilities, remote working is now commonplace worldwide.
However, as employees increasingly turn to cell phones to help support them in their roles, regulators are beginning to require that financial services, healthcare providers, insurers, and other sectors capture and retain call recordings made on cellular devices.
Unfortunately, the sharp rise in personal cell phones for business use has happened so quickly that many people are unaware of where they stand concerning compliance. With this in mind, let’s look at which sectors require call recording and what that means for mobile communications.
Which Sectors Are Required to Record Calls?
At Mobile2CRM, we’ve conducted extensive research into which sectors require call recording today and which are likely to require it in the future. Companies in all industries must keep up to date with the changing compliance landscape to avoid falling victim to fines and reputational harm.
Reading the information in this article, you might find that even if you’re mostly compliant, “mostly” doesn’t count and you should be taking a more effective approach. You might also find that you’re in an industry where cellular recording will be required for compliance in the very near future. Whatever the situation, it’s paramount that you prepare today to avoid the chaos when new regulations come in – no one wants regulators knocking on their door for a problem you could have avoided.
Fundamental Compliance Across All Sectors (Consent)
Unless you’ve been living under a rock, you’ve probably heard the phrase “this call is being recorded for…”. This phrase is at the root of fundamental compliance – obtaining consent from one or all parties that the call is being recorded. Critically, consent laws vary between regions. For example, states like Kansas only require one-party consent, while states like California, Delaware, Florida, and Illinois require all-party consent.
It’s also important to note that implicit consent is sufficient in some areas of the world, like the US, while in other areas, it’s not. For example, in the US, simply informing someone that the call is being recorded is considered consent (consumers have the option to terminate the call if they don’t want to be recorded). However, in Europe, under GDPR, companies need to get explicit consent (the other party has to affirm they understand and are willing to proceed).
As a result, companies dealing with European customers should update their call scripts to ensure full compliance with GDPR.
Buckle up! The finance sector incorporates a lot of different organizations with distinct roles in local and global economies. For example, banks and credit unions, investment houses, private equity dealers, debt collection companies, hedge funds, mortgage brokers, and many more all fall under finance. And as a rich and complex industry, finance is subject to a wealth of regulations.
These regulations are constantly being updated to reflect the more prominent role of mobile devices in the workplace. For example, a Registered Investment Advisor (RIA) who advises clients on investments and manages their portfolio is more likely to communicate with clients on their personal mobile device today than ever before. But the RIA is still registered with the U.S. Securities and Exchange Commission (SEC) and will therefore need to be compliant with SEC guidelines. With this in mind, let’s take a look at the changing financial compliance landscape concerning mobile communications.
The SEC recently updated their advice to recommend that financial advisors “review their risks, practices, policies, and procedures regarding electronic messaging and to consider any improvements to their compliance programs that would help them comply with their regulatory requirements.”
In simple words, the SEC is cracking down on the use of mobile devices by broker-dealers. Federal law requires that financial firms keep meticulous records of messages between brokers and clients to ensure compliance with anti-fraud and anti-trust laws. Unfortunately, mobile devices can tempt advisors to skirt around these laws. The SEC deems this unacceptable. We recently saw JPMorgan hit with a $200 million fine for doing this very thing – letting employees use WhatsApp to evade regulators’ reach.
Of course, financial organizations might not be intentionally trying to avoid regulators. However, the point still stands: mobile devices can still land you in hot water if communications aren’t captured, logged, and recorded appropriately.
Other financial regulatory bodies already have rules pertaining to call recording and are also updating their regulations to capture and retain the data related to the use of personal devices for business calls. For example, in the US, regulators and statutes such as FINRA, NACHA, the FDCPA, and the Dodd-Frank Act outline rules for advisors. NACHA, for instance, requires that if you’re accepting ACH payments by telephone, you need to get verbal consent from the customer. Similarly, to increase transparency in the sector following the 2008 financial crash, the Dodd-Frank Act requires all calls and texts with consumers to be recorded and archived.
Beyond the US, other locales have their own compliance rules to contend with. For example, financial institutions in the UK are subject to FCA guidelines on call recording, including the SYSC 10A rule, which requires financial firms to take “reasonable steps” to record telephone conversations with customers and keep a copy of any electronic communications. MiFID II (an EU-wide directive) also requires firms to periodically monitor transaction records and all relevant conversations relating to transactions in order to remain compliant.
In Canada, firms must be compliant with IIROC and be able to supervise and retrieve all business communications made on any communication device.
We could go on, but you get the picture – the financial compliance landscape is vast and has a lot to say about capturing communications with consumers – including using cell phones. Falling short of these compliance standards can result in hefty fines.
In the US, all companies that handle protected health information (PHI) are subject to HIPAA regulations. In simple words, PHI is any medical record that can be used to identify an individual. This can include conversations between patients and medical practitioners, billing information, diagnosis codes, health insurance information, etc.
To be HIPAA compliant, healthcare providers must ensure that all PHI data is handled securely, whether that information was presented in a phone call, email, text message, or any other communication medium.
HIPAA also stipulates several other rules around telephone calls with patients. For example, HIPAA outlines “allowable reasons” for contacting a patient via telephone, including appointments, health checkups, lab test results, and pre-operative instructions, among others. And critically, companies can’t contact patients for “allowable reasons” more than three times a week. Healthcare providers are also only allowed to contact patients with their consent (consent is typically assumed if the patient provides the company with their telephone number).
Additionally, healthcare organizations have to contend with other regulatory bodies where applicable. For example, if a healthcare employee takes credit card information, they must ensure they are PCI compliant (more on this in the next section). Similarly, patients have to give consent for their call to be recorded and should be notified of any additional parties (like a manager) listening in.
Healthcare providers can prove HIPAA compliance by recording patient calls and other communications. How long must HIPAA compliance records be retained? For a minimum of six years. However, organizations also have to adhere to their state’s retention policies. For example, North Carolina requires that hospitals maintain patient records for 11 years from the date of discharge. Implementing this today over direct cellular calls between practitioners or staff and patients, without a native cellular solution or service that captures and retains the information, is all but impossible, ergo non-compliance.
Beyond specific industry regulations, call centers must comply with other regulatory bodies, including PCI, TCPA, TSR, and HIPAA (where patient information is involved).
For example, all agents that accept payments must ensure they are compliant with the Payment Card Industry Data Security Standard (PCI DSS). This set of requirements is designed to protect consumers’ payment card information from nefarious actors. Essentially, criminals need both the long card number and the CVV security number to make fraudulent purchases. With this in mind, PCI requires businesses to ensure that CVV numbers aren’t recorded since this poses a significant security risk.
It’s also important to note that companies who engage in telemarketing must comply with the Do Not Call Implementation Act. This act aims to protect consumers from unwanted calls by allowing consumers to place their telephone number on the National Do-Not-Call Registry. To be compliant with this law, telemarketing companies have to verify their call lists against the National Do-Not-Call Registry.