Coming up with a plan for call recording storage can be a complex task. Your financial institution is regulated by multiple compliance laws like MiFID II, Dodd-Frank, CCPA, GDPR and FCA. These and other laws have something to say about where and how you store your call recordings. Let’s look at the key points of call recording data storage.
Data Retention
In some industries, call recordings only need to be stored for 1-6 months, but the mandated storage period is several times longer in the financial services sector. No matter what industry you’re in, your call recording data storage must be able to retain a large amount of data for an extended period of time.
Call Recording Storage in the US
Depending on the nature of the call, a recording that was taken through a financial institution typically needs to be stored for a minimum of five years. Notably, brokers must retain blotters (records of sales or purchases of securities) for a minimum of six years, but trade confirmation records only need to be kept for three years.
Though various laws may demand only five years of retention for call recordings, for the sake of your own compliance, especially when resolving disputes, it’s good to set up call recording data storage that lets you indefinitely prevent the deletion of files you choose.
Call Recording Storage in the EU
Call recordings made in the European Union are to be maintained only for the time needed for the purpose of recording. Additionally, data subjects are within their rights to demand access to any recordings they participated in. When a recording is demanded, it must be presented within 30 days from the request. An organization must have its call recording data storage organized and easily accessible to avoid fines.
Call Recording Storage Security Standards
The security of call recordings is your company’s responsibility. Assume that your call recording data is a target for cybercriminals and make a plan to deploy the highest level of security possible to protect it. As a matter of regulatory compliance, you’ll need to provide proof that you have deployed adequate security measures around your call recordings. Your calls should always be stored in an encrypted state with the highest possible AES encryption level (256-bit).
If possible, go beyond a single 256-bit AES key by rotating keys for every single call recording file. This means there’s a unique key for every call recording your company retains.
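One common way to get a unique key per recording is envelope encryption, sketched here as an added example that is not part of the original article. It assumes Node.js and its built-in crypto module; the function names, the record layout and the recording IDs are hypothetical, and the master key is assumed to come from a KMS or HSM.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// AES-256-GCM with a fresh 96-bit nonce. Output layout: nonce || tag || ciphertext.
// aad (the recording ID) is authenticated, so blobs cannot be swapped between recordings.
function seal(key, plaintext, aad) {
  if (key.length !== 32) throw new Error('AES-256 needs a 32-byte key');
  const nonce = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

function unseal(key, blob, aad) {
  if (key.length !== 32) throw new Error('AES-256 needs a 32-byte key');
  if (blob.length < 28) throw new Error('sealed blob is truncated');
  const decipher = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(Buffer.from(aad));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key, the ID or any byte of the blob is wrong.
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Each recording gets its own random data key; only the wrapped copy is stored.
function encryptRecording(masterKey, recordingId, audio) {
  const dataKey = randomBytes(32);
  const record = {
    recordingId,
    wrappedKey: seal(masterKey, dataKey, recordingId),
    ciphertext: seal(dataKey, audio, recordingId),
  };
  dataKey.fill(0); // best-effort wipe of the plaintext data key
  return record;
}

function decryptRecording(masterKey, record) {
  const dataKey = unseal(masterKey, record.wrappedKey, record.recordingId);
  return unseal(dataKey, record.ciphertext, record.recordingId);
}

// Constructed demo input; a real master key would come from a KMS or HSM.
const demoMaster = randomBytes(32);
const demo = encryptRecording(demoMaster, 'call-0001', Buffer.from('constructed sample audio'));
console.log(decryptRecording(demoMaster, demo).toString());
```

Because every recording has its own data key, deleting one wrapped key makes that single recording unreadable without touching the others, and rotating the master key only requires re-wrapping the small data keys rather than re-encrypting the audio.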
Implement penetration testing and regular risk analysis of your storage facilities. Cybercriminals target companies with lax security around their call recording data storage.
Employee Security
The law doesn’t dictate specific procedures for who has access to call recordings within your company, but it’s vital to include a permission plan in your call recording network. The larger the number of employees that have access to your call recordings, the greater the risk of customer data exposure. Set up a privilege chain that critically limits the number of people who can listen to, move, or otherwise handle your call recordings.
Your call recording data storage plan should include a way to send encrypted links to specific calls (e.g., calls that are in a dispute) to necessary recipients. In most instances, sending a physical file through email or some other data transmission method is a breach of compliance because it will deposit a physical copy of the call recording on a device you cannot control. This is an exposure risk you must avoid. Companies that expose customer data or tamper with time-stamped call recordings face harsh penalties from customer lawsuits and their respective governments.
Make a Data Storage Plan
Remember, your storage plan must accommodate your compliance requirements. You’ll need to be able to:
- Retain your files for a minimum of five years
- Encrypt all your data at the maximum level
- Run penetration tests and risk analysis on your storage area
- Set up strict access privileges concerning your call recordings
Have a few questions about your call recording data storage needs? Contact our experts today for a short consulting session. We’re always happy to discuss anything related to compliance and call recording.
Brian Gocher
Brian is a freelance technology writer and media editor based out of Central New Jersey. He’s logged 20 years of experience in the Telecom industry and side-hustles in the record industry. Brian started his career in technology at a company that made analog modems. He migrated to a marketing career in the call recording industry where he learned exactly how and why calls are monitored for quality assurance. These days Brian fuses his skills together to deliver his researched observations about telephony and compliance laws in polished articles and videos. He’s also composed the music for a long list of big Hollywood trailers. He does not miss the sound of analog modems but he is endlessly fascinated with phones.