Call Recording on the Record - Regulations in the Contact Center
Prepared by Industry Analyst Dick Bucci, Principal, Pelorus Associates
Table of Contents
Introduction 3
Consent to Record 6
Payment Card Industry Data Security Standard (PCI-DSS) 9
General Data Protection Regulation (GDPR) 12
Markets in Financial Instruments Directive II (MiFID II) 15
Privacy Rule - Health Insurance Portability and Accountability Act (HIPAA) 18
Telemarketing Sales Rule (TSR) 22
NICE Compliance Center 26

2 | Copyright © 2018 NICE Ltd. All rights reserved
INTRODUCTION

The headline on the press release from the Federal Trade Commission read, “Utah operation responsible for making more than 117 million illegal telemarketing calls.” The statement explained that a jury trial found the company violated six different Telemarketing Sales Rule (TSR) provisions. The FTC imposed a $45.5 million civil penalty.

The TSR is one of many USA laws enacted to protect consumers. Since the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010, enforcement of these laws and regulations has intensified. One of the results of Dodd-Frank was the creation of the Consumer Financial Protection Bureau, which now has regulatory authority for 17 federal laws that were previously administered by separate agencies. It is noteworthy that since 2010 nearly $1 billion in penalties and mandated restitutions have been assessed because of violations that occurred in contact centers.

Looking ahead, we can anticipate continued growth in laws and regulations, particularly in the matter of consumer privacy rights. There have been several highly publicized breaches, both in the United States and globally, that have caught the attention of legislators. With the recent passage of the General Data Protection Regulation, the European Union is well ahead of the United States in terms of privacy protections. However, it is reasonable to assume that public outcry in the US will drive adoption of the same or similar provisions to those embodied in the GDPR.

Why contact centers?

Contact centers can be unwitting offenders of relevant laws and regulations for these key reasons:

• Primary point of contact - The sheer volume of interactions coupled with the high turnover of agent staff produces a reasonable likelihood that someone at some time is going to make a mistake.
• Agents and supervisors are not well-versed on regulations - Contact centers conduct extensive training on call control, courtesy, problem-solving, and salesmanship but do not always pay sufficient attention to fundamental legal obligations. No one in contact center management can be an expert on legalities, but given the high-risk factor it is important to have a basic understanding of the requirements that impact your specific operations.
• Pressures to meet KPIs and sales goals - Today customer service representatives have multiple and sometimes conflicting objectives and measurement metrics. There is intense pressure to meet KPIs, and these often include revenue goals. This can lead to errors and omissions, particularly in upselling.
• Ardent desire to please the customer - We want customers to be happy. An important metric of customer satisfaction is first call resolution. This can lead to temptations to make unauthorized commitments or to shortcut detailed mandatory disclosures for the sake of pleasing the customer and getting a favorable post-call satisfaction review.
Purpose and scope

Reading this resource guide won’t make you an expert and won’t relieve you of the necessity of checking with your compliance officers or legal resources in time of need. However, we can almost guarantee that you will learn something new and have a better understanding of the current legal and regulatory environment as it concerns your specific responsibilities. We can’t emphasize enough that this is a very handy resource guide, not a legal document. We recommend that you become a member of a trade association that retains legal counsel and issues periodic alerts and guidelines. If your firm or organization has a compliance office, work closely with them to assure that the steps you take are the correct ones and in keeping with overall corporate policies and IT-established processes.

There are literally hundreds of laws, regulations, rulings, and industry standards that can affect contact center practices. We will discuss only the statutes and standards that – in the author’s view – most directly impact the broadest range of contact centers. Further, the scope is limited to the United States and the European Union.

In the United States, federal laws apply to interstate commerce. Typically, individual states enact similar legislation to address intra-state commerce. In the case of the data security standards for payment cards, requirements are established by an industry organization, but over 30 states have codified some or all of the standards into state statutes.

In the European Union the General Data Protection Regulation is a legal requirement for all member states. Individual nations may enact more restrictive requirements. In the EU, regulations have binding legal force.
By contrast, the Markets in Financial Instruments Directive (MiFID II) lays down certain results that must be achieved, but each Member State is free to decide how to transpose directives into national law.

The following table lists the statutes and standards covered in this guide with their geography and regulatory body; each is aimed primarily at one or more of preventing fraud, stemming abuse, and protecting privacy:

Title | Geography | Regulatory body
Payment Card Industry Data Security Standard | Global | Major card issuers, 38 US states
General Data Protection Regulation | European Union | European Data Protection Board
Markets in Financial Instruments Directive II | European Union | European Securities and Markets Authority
Health Insurance Portability and Accountability Act | USA | Health and Human Services Dept.
Telemarketing Sales Rule | USA | Federal Trade Commission
Consent to Record | States | Individual states
Recommendations

• Contact center leaders cannot be experts on everything, so strive to understand the business you are in and focus on the key laws and regulations that affect your business. For example, if your company is involved in the healthcare space you need to understand the privacy provisions of the Health Insurance Portability and Accountability Act.
• Conduct periodic training. There is turnover, people forget, and the rules change.
• Provide scripts where mandatory disclosures are required, and use tools such as text messaging for reminders and speech analytics to flag possible violations.
• Police the workplace. There is a lively trade in personally identifiable information. Make sure your people are not jotting down credit card numbers, reciting them out loud for others to hear, or using thumb drives to capture information.
• Personally identifiable information should be encrypted.
• Be cognizant that there are no exceptions for smaller companies. For example, the TSR applies to individual sales reps as well as contact centers.
• Be proactive in explaining your technology to other functions within the enterprise that deal with confidential information or interface with customers. These may include service departments, collections departments, and human resources. From the standpoint of the law these are call centers. Take the lead in explaining how interaction recording works and how it can benefit their functions.
• Maintain a compliance plan and develop KPIs to measure your success.
• Notify agents that their calls will be recorded and secure signed acknowledgments of the practice.
• Coordinate closely with compliance officers.
• Your hardware and software should be capable of recording and reconstructing multichannel communications. It should be quick and easy to retrieve specific interactions. Some laws require that recordings be archived for five or even seven years.
Consent to Record

Background

In the United States the legal right to record conversations between two or more parties is addressed by both federal and state wiretapping laws. Federal laws are aimed at interstate and international calls. The Federal Electronic Protection Act permits recording of telephone calls and in-person conversations with the consent of at least one of the parties.

Intent

Federal laws are primarily intended to protect the privacy of citizens and to support the lawful interception of communications intended to help solve or prevent crime. The Federal Wiretap Act protects individual privacy in communications with other people by imposing civil and criminal liability for intentionally intercepting communications using a device, unless that interception falls within one of the exceptions in the statute. Although the Federal Wiretap Act originally covered only wire and oral conversations (e.g., using a device to listen in on telephone conversations), it was amended in 1986 to cover electronic communications as well (e.g., emails or other messages sent via the Internet). State laws are also designed to protect privacy.

Terms

Consent is given if the parties to the call are clearly notified that the conversation will be recorded, and they engage in the conversation anyway. Under federal law consent may be explicit or implied. To establish consent, courts have held that it is sufficient to show that the consenting party received actual notice of the monitoring and used the monitoring system regardless.

Scope

In addition to federal law, thirty-eight states and the District of Columbia have adopted “one-party consent” laws and permit individuals to record phone calls and conversations to which they are a party or when one party to the communication consents. Eleven states require the consent of everybody involved in a conversation or phone call before the conversation can be recorded.
Those states are: California, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania and Washington. These laws are sometimes referred to as “two-party” consent laws but technically require that all parties to a conversation must give consent before the conversation can be recorded. Nearly all states include an extensive list of exceptions to their consent requirements. Generally, it is permissible to record conversations if all parties to the conversation are aware of and consent to the interception of the communication.
Pertinent Provisions

USA

While federal law is clear about requiring only one-party consent, it is not always clear which state law takes precedence when calls are conducted between individuals in one-party consent states and two-party consent states. It is almost always illegal to record a phone call or private conversation to which you are not a party, do not have consent from at least one party, and could not naturally overhear. In all-party consent states employees must also consent to the recording or monitoring of the content of their communications.

The Federal Communications Commission defines accepted forms of notification for telephone recording by telephone companies as:
• Prior verbal (oral) or written notification of all parties to the telephone conversation.
• Verbal (oral) notification before the recording is made. This is the most commonly used type.

Canada

Canada has an “all-parties’ consent” approach. To record a call, you need to obtain informed consent by notifying others on the call that you (1) intend to record the conversation, (2) explain what the recording will be used for, and (3) explain that the call may only be recorded with each person’s consent.

Finland

In the case of private persons, calls and conversations may be recorded by any active participant. There is no requirement to make other parties aware of the recording, but the use of recordings, depending on their content, may be subject to various laws, such as data protection (privacy) legislation, libel laws, and others.

Germany

Germany is a two-party consent country, meaning telephone recording without the consent of the two or, when applicable, more parties is a criminal offense. In addition, Germany requires that VoIP users have a German address to use a German number.

United Kingdom

Call recording in the UK is subject to several laws. It’s best to think of the UK as a two-party consent jurisdiction.
Penalties

In the United States it is a federal crime to use or disclose any information acquired by illegal wiretapping or electronic eavesdropping. Each state within the USA, and each other nation, establishes its own penalties. Violations can result in imprisonment for not more than five years; fines up to $250,000 (up to $500,000 for organizations); civil liability for damages, attorney’s fees and possibly punitive damages, and disciplinary action against any attorneys involved; and suppression of any derivative evidence.

Importance to Contact Centers

State laws vary greatly. For contact centers which operate only in one-party consent states it is not necessary to provide advance notification of recording. However, as a courtesy it may still be advisable to alert customers that they may be recorded. For contact centers that receive or originate calls to or from all-party consent states or Canada, it is advisable to request and record an affirmative consent to proceed with the conversation. In the event one or more parties declines to be recorded, recording should cease for that interaction. The recording system should record the disclaimer that precedes the conversation (“This call may be recorded…”) in addition to the conversation itself. If the contact center is based in an all-party consent state, management should secure a signed acknowledgment from each employee that they understand that their calls may be recorded.
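The decision rule described above (one leg in an all-party state or Canada makes the whole call all-party; one decline stops recording), written out as an added example that is not NICE's code. The state list comes from this guide; the party names, the "US"/"Canada" country strings and the consent map are constructed assumptions.

```python
"""Decide which consent regime governs a call and whether recording may proceed.

Added illustration, not NICE code. The eleven all-party states and the Canada
rule come from the guide above; party names, country strings and the consent
map are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The eleven all-party ("two-party") consent states named in the guide.
ALL_PARTY_STATES = frozenset(
    {"CA", "FL", "IL", "MD", "MA", "MI", "MT", "NV", "NH", "PA", "WA"})
# Countries the guide treats as all-party jurisdictions.
ALL_PARTY_COUNTRIES = frozenset({"Canada"})


@dataclass(frozen=True)
class Party:
    name: str
    role: str          # "agent" or "customer"
    country: str       # "US", "Canada", ...
    state: str = ""    # two-letter state code when country == "US"

    def all_party(self) -> bool:
        if self.country == "US":
            return self.state in ALL_PARTY_STATES
        return self.country in ALL_PARTY_COUNTRIES


@dataclass
class Decision:
    regime: str        # "one-party" or "all-party"
    disclaimer: str    # "required", or "advisable" (a courtesy in one-party states)
    record: bool       # True: record the disclaimer and then the conversation
    reason: str


def required_regime(parties: List[Party]) -> str:
    """Conservative rule from the guide: one leg in an all-party jurisdiction
    makes the whole call all-party, since it is unclear which state law wins."""
    return "all-party" if any(p.all_party() for p in parties) else "one-party"


def recording_decision(parties: List[Party],
                       consents: Dict[str, Optional[bool]]) -> Decision:
    """consents maps party name -> True (affirmed after the disclaimer),
    False (declined) or absent (never asked). For the agent, True stands for
    the signed acknowledgment the guide says all-party-state centers must hold."""
    regime = required_regime(parties)
    if regime == "one-party":
        # The contact center is itself a party to the call and consents by recording.
        return Decision(regime, "advisable", True,
                        "one-party jurisdiction: center's own consent suffices")
    missing = [p.name for p in parties if consents.get(p.name) is not True]
    if missing:
        # One decline (or an unanswered prompt) stops recording for this interaction.
        return Decision(regime, "required", False,
                        "affirmative consent missing from: " + ", ".join(missing))
    return Decision(regime, "required", True,
                    "every party affirmed after the disclaimer")


if __name__ == "__main__":
    agent = Party("agent-7", "agent", "US", "TX")
    ohio_caller = Party("caller-a", "customer", "US", "OH")
    florida_caller = Party("caller-b", "customer", "US", "FL")
    print(recording_decision([agent, ohio_caller], {}))
    print(recording_decision([agent, florida_caller],
                             {"agent-7": True, "caller-b": False}))
```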
Payment Card Industry Data Security Standard (PCI-DSS)

Background

The Payment Card Industry (PCI), which consists of American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, established the PCI Security Standards Council in September 2006. The council subsequently issued a Data Security Standard (PCI-DSS) which details security requirements for members, merchants and service providers that store, process or transmit cardholder data. Among other provisions, the PCI regulations specifically forbid storing unencrypted credit card numbers, PINs, and other specified identifiers.

Payment processors, service providers and merchants that process more than 20,000 e-commerce transactions and over 1 million regular transactions are required to engage a PCI-approved Qualified Security Assessor (QSA) to conduct a review of their information security procedures and scan their Internet points of presence on a regular basis. However, no organization that accepts cards issued by the founding members of the council is exempt from compliance.

Compliance with the data security standard is not a federal regulatory requirement. However, 38 states have now codified variations of PCI-DSS. The standard is periodically updated, primarily to address new threats and support evolving technologies.

Most call centers have a recording system which can capture the customer’s recitation of card data or the DTMF tones of the card information as entered on the keypad. This recorded data is accessible to many individuals within the contact center. Therefore, contact centers are highly susceptible to violations of the data security standard.

Scope

The standard applies to businesses of all sizes worldwide which accept or process credit or debit cards issued by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.

Intent

The Data Security Standard is intended to combat credit card and debit card fraud.
In the United States 15.4 million consumers were victims of credit card identity theft. Total losses in 2016 are estimated at $16 billion. In most cases the issuing financial institution is responsible for individual losses of more than $50.

Pertinent Provisions

It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization, even if encrypted. The standard prohibits the use of any form of digital audio recording (using formats such as WAV, MP3, etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried, recognizing that multiple tools exist that potentially could query a variety of digital recordings.
Data Element | Storage permitted | Render stored account data unreadable per Requirement 3.4
Account Data - Cardholder Data:
Primary Account Number (PAN) | Yes | Yes
Cardholder Name | Yes | No
Service Code | Yes | No
Expiration Date | Yes | No
Account Data - Sensitive Authentication Data*:
Full Magnetic Stripe Data† | Cannot store per Requirement 3.2 | No
CAV2/CVC2/CVV2/CID | Cannot store per Requirement 3.2 | No
PIN/PIN Block | Cannot store per Requirement 3.2 | No

Instructions from the payment card industry stipulate that “Where technology exists to prevent recording of these data elements, such technology should be enabled.” Such technology does exist and is provided by leading producers of recording solutions, including NICE Systems.

The standard applies to all individuals and functions which accept payment via member debit and credit cards. If recorded, the same data security requirements apply. Further, effective February 1, 2018 (PCI DSS 3.2), the standard also requires multifactor authentication to access cardholder data. In addition to a password or other single form of authentication, individuals must also present at least one other form of authentication such as a token, smartcard, or a biometric indicator.

Penalties

Noncompliance fines - The consequences of not being PCI compliant range from $5,000 to $500,000, levied by banks and credit card institutions. Banks may assess fines based on forensic research they must perform to remediate noncompliance. Credit card institutions may levy fines as a punishment for noncompliance and propose a timeline of increasing fines. The following table is an example of a time-cost schedule which Visa uses.
Month | Level 1 | Level 2
1-3 | $10,000 monthly | $5,000 monthly
4-6 | $50,000 monthly | $25,000 monthly
7 and on | $100,000 monthly | $50,000 monthly

Breach consequences - Even if a company is 100% PCI compliant and validated, a breach in cardholder data may still occur. Cardholder breaches can result in the following losses for a merchant:
• $50-$90 fine per cardholder data compromised
• Suspension of credit card acceptance by a merchant’s credit card account provider
• Loss of reputation with customers, suppliers, and partners
• Possible civil litigation from breached customers
• Loss of customer trust which affects future sales

State penalties vary. For example, the Minnesota statute allows financial institutions to sue merchants in certain instances where data is stolen from the merchant.

Importance to contact centers

Deploy call recording solutions that are compliant with PCI-DSS requirements:
• Assure that access to encrypted confidential information requires multifactor authentication. This means individuals seeking access to that data must provide more than one proof that they are who they claim to be.
• Replace or upgrade any recording software that does not mask or otherwise prevent the display of sensitive authentication data on agent screens after authorization.
• For maximum protection, it is prudent to invest in recording solutions that provide end-to-end multimedia encryption, where data is encrypted at the point of capture and remains encrypted throughout its lifetime.
• Assure that your recording software does not store sensitive authentication data such as CID numbers.

Supervisors should monitor their teams to assure that card numbers, expiration dates, and other private card information are not carelessly jotted down on notepads or repeated out loud for others to hear.
If your organization deploys a voice and data recording system for the call centers, it would be advisable to extend that application to all functions within the enterprise where credit or debit card payment may occur. Coordinate actions with your compliance officer. Recording requirements are just one small part of a much broader list of requirements.
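One way to apply the two storage rules above to a call transcript before it is written to the recording archive (an added example, not NICE's code): the PAN is rendered unreadable by truncating to its last four digits, which is assumed here as the Requirement 3.4 method, and CAV2/CVC2/CVV2/CID values are dropped entirely because Requirement 3.2 forbids storing them. The keyword list, the sample transcript and the finding labels are constructed.

```python
"""Flag and mask card data in a call transcript before it reaches storage.

Added illustration, not NICE code. Truncation to the last four digits is an
assumed choice for "render unreadable"; CAV2/CVC2/CVV2/CID values are dropped
outright. Keyword list and sample text are constructed.
"""
import re
from typing import List, Tuple

# 13-19 digits, optionally separated by spaces or dashes, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A card-verification keyword followed (within a few words) by a 3-4 digit group
# that is not itself part of a longer digit sequence such as a PAN.
SAD_RE = re.compile(
    r"(?i)\b(cvv2?|cvc2?|cav2?|cid|security code|verification code)\b"
    r"\D{0,25}?(?<![\d*-])(\d{3,4})(?![\d -]?\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every PAN satisfies; filters out order ids and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_transcript(text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (masked text, findings). Findings are (kind, detail) pairs that a
    supervisor or a speech-analytics rule can act on; kind is "PAN" or "SAD"."""
    findings: List[Tuple[str, str]] = []

    def mask_pan(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)            # not a card number; leave it alone
        findings.append(("PAN", "last4=" + digits[-4:]))
        return "*" * (len(digits) - 4) + digits[-4:]

    def drop_sad(m):
        findings.append(("SAD", m.group(1)))
        prefix_len = m.start(2) - m.start(0)
        return m.group(0)[:prefix_len] + "[REDACTED]"   # keep the words, drop the code

    masked = PAN_RE.sub(mask_pan, text)      # PANs first, so a SAD match can't hit one
    return SAD_RE.sub(drop_sad, masked), findings


# Constructed sample of what an agent-side transcript might contain.
SAMPLE = ("Sure, my card is 4111 1111 1111 1111, expiry 12/26, "
          "and the security code is 123. Order 123456789 please.")

if __name__ == "__main__":
    clean, flags = redact_transcript(SAMPLE)
    print(clean)
    print(flags)
```

The expiry date is left in place because the table above permits storing it; only the PAN is masked and only the verification code is removed.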
General Data Protection Regulation (GDPR)

Background

For member states of the European Union the General Data Protection Regulation (GDPR) replaces the prior Data Protection Directive. The GDPR is directly applicable in each member state and will lead to data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains several new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force. May 25th, 2018 is the effective date for GDPR implementation.

With new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few, the GDPR requires companies handling EU citizens’ data to undertake major operational reform. The General Data Protection Regulation also addresses export of personal data outside the EU.

Objectives
• To give people more control over their personal data.
• To consolidate the different regulations, laws, and guidelines across European Union member states into a single, central source.
• To streamline and create a clearer legal environment which will hopefully improve business opportunities and lessen ambiguity with data sharing.
Terms

“Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.” This basically covers anything from a name, a photo, an email address, bank details, social media posts, or medical information to a computer’s IP address.

A controller is the entity that determines the purposes, conditions and means of the processing of personal data. The processor is an entity which processes personal data on behalf of the controller.

Scope

The GDPR applies to all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location. If an organization employs fewer than 250 persons there is a clause that allows for exemption from the GDPR. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to offering goods or services to EU citizens (irrespective of whether payment is required) or the monitoring of behavior that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.
Pertinent Provisions

In the European Union consumers will have to volunteer to share their information by providing “clear and affirmative consent” to the processing of their confidential information. The GDPR adds that consent must be specific to each data processing operation. To meet the specificity requirement under Article 7, a request for consent to data processing must be “clearly distinguishable” from any other matters in a written document, and it must be provided “in an intelligible and easily accessible form, using clear and plain language.” The data subject may consent by “choosing technical settings for information society services.”

Article 9 requires “explicit” consent for the processing of “special categories of personal data.” This includes data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”

Breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.

Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.

Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
Data subjects have the right to receive the personal data concerning them, which they have previously provided, in a ‘commonly used and machine-readable format,’ and have the right to transmit that data to another controller.

“Privacy by design” is a concept that is becoming part of a legal requirement with the GDPR. It calls for the inclusion of data protection from the onset of the designing of systems. The controller shall implement appropriate technical and organizational measures to meet the requirements of this Regulation and protect the rights of data subjects.

The expanded definition of personal information impacts businesses that specialize in analytics, advertising, and social media. This is because the definition of personal data now includes “location data” and “an online identifier”.

The GDPR allows for data transfers to countries whose legal regime is deemed by the European Commission to provide for an “adequate” level of personal data protection. In the absence of an adequacy decision, however, transfers to non-EU states are also allowed under certain circumstances, such as by use of standard contractual clauses or binding corporate rules.

Penalties

Below is a very high-level breakdown of the GDPR sanctions that may apply:
• A warning in writing in cases of first and non-intentional non-compliance
• A fine up to 20 million EUR or up to 4% of the annual worldwide turnover of the preceding fiscal year in the case of an enterprise, whichever is greater
Importance to Contact Centers

Personal data is defined very broadly to include any information “relating to an identified or identifiable natural person.” This includes telephone numbers. Since most CRM systems present customer information based on incoming phone numbers, it is essential to obtain “clear and affirmative consent” to capture and store phone numbers and related customer metadata that is accessible by agents and others. There will be some individuals who will not consent to sharing personal information with businesses. The recording software should be able to block the capture and storage of the caller’s phone number, email address, Twitter handle, or other identifiable personal information.

Article 9 requires “explicit” consent for the processing of biometric data. This would include voiceprint technology. Contact centers that adopt this technology should implement some durable means of recording and storing explicit consent.

Individuals have the right to receive personal data that they had previously provided “in machine-readable format.” This would clearly include recorded interactions. Businesses subject to GDPR need to assess how this would be managed.

US-based businesses are subject to GDPR if they process personal data of consumers within the European Union. It does not matter where the contact center is located.
Markets in Financial Instruments Directive II (MiFID II)

Background

MiFID II represents a major overhaul of the existing law, building on and extending the scope of the first Markets in Financial Instruments Directive, which originally came into force in November 2007. MiFID II became effective on January 3, 2018. It will create a more equal regulatory playing field across the EU for investment firms by harmonizing several areas that were previously regulated by individual EU Member States. The directive is administered by the European Commission and applies to all member states of the European Union. The European Securities and Markets Authority (ESMA), alongside the European Commission, is responsible for developing technical standards to implement legislation.

MiFID II requires that anyone involved in giving financial service and/or advice that leads to, or may lead to, a transaction must record their conversation – including mobile – and securely store these records. Financial service providers are expected to retain, capture and maintain all communication between sellers, buyers and investment mediators. Records will have to be kept for a minimum of 5 years. All records should be available and cannot be modified or deleted. All records should be kept even if they have not led to a transaction. According to the Boston Consulting Group, preparing for implementation could cost firms $2bn during 2017 alone.

Objectives
• To make European markets safer, more transparent and more efficient.
• To restore investor confidence following the financial crisis.
• To move a significant part of over-the-counter trading onto regulated trading venues.
• To increase competition across financial markets.
• To align regulation across the European Union in certain areas.
• To serve as a cornerstone of European Union efforts to create a single financial market that could rival the US capital markets.

Scope

The directive applies to firms engaged in the marketing of financial instruments that are listed on European Union based exchanges. More specifically, this applies to banks, fund managers, exchanges, trading venues, high-frequency traders, brokers, pension funds, hedge funds and retail investors. Currently the United Kingdom is a member of the European Union and a signatory to MiFID II. If a US-based firm conducts business with banks located in the European Union, it also must comply with European regulations (such as MiFID II). On top of the broader regulations, different countries also have their own retention requirements, and this further adds to the complexity. US fund managers must pay attention to MiFID II if they have clients in the EU, if they have manager or distributor affiliates in the EU, and to the extent they trade in EU markets.
Important provisions

MiFID II requires firms to keep records of telephone calls and other electronic communications when the firms deal on their own account or receive and transmit and/or execute client orders. The obligation also extends to calls and emails where a transaction is intended to take place but does not actually occur. The obligation extends to calls and emails involving equipment provided to, or authorized for the use of, employees and contractors of the firm.

Firms must inform new and existing clients that telephone calls which will (or may) result in transactions will be recorded. This notification may be made once, before investment services are provided to the client. Firms must take all reasonable steps to prevent employees or contractors from receiving client orders via their own cell phones or other electronic devices that are not recorded by the firm.

The records must be kept for five years but, if requested by a national competent authority (“NCA”), may be kept for up to seven years. They should be made available to clients on request. Firms should have a policy on the recording of telephone conversations and electronic communications which should identify which conversations and communications are in scope. The records must be kept in a medium that facilitates access by an NCA. The firm should comply on a “technology-neutral” basis, so that its procedures can be updated to reflect the use of innovative technologies. Firms should periodically monitor their records to ensure compliance. Records of telephone conversations and email communication should be in a durable medium which prevents the record from being manipulated or altered.

The recording requirement also applies to entities authorized under other EU legislation, specifically investment banks, private banks, asset managers, custodial services providers, retail banks, broker-dealers, financial advisers and market infrastructure providers.
It applies to all firms that fell within the original MiFID, as well as some that are brought in by the expanded scope of MiFID II.
Penalties
Penalties are set by the regulatory agency in each country. The UK regulator, the Financial Conduct Authority, has charged a £1.50 fine per line of incorrect or unreported transaction data. Considering that every day millions of transactions are reported by hundreds of trading venues for thousands of different financial instruments, the potential for individual company fines of tens of millions is very real. More transactions are subject to regulation under MiFID II than under the original MiFID, so potential fines are larger than in the past.
What Contact Centers can do
All incoming calls from clients or trading associates should be automatically answered with a message that the call may be recorded. Sales reps and others who make outbound calls to sell financial instruments should be trained to advise that the call may be recorded in compliance with MiFID regulations. Recording platforms must be upgraded or replaced to have at least the following capabilities:
• Capture both voice and electronic communications
• Easily searchable
• Extensible, so that all departments or individuals that promote, sell, or execute financial instruments can be brought into scope
• Built on a flexible architecture that accommodates change
• Sufficient capacity to capture and store very large volumes of communications and transactions
• Capable of recording voice and data conversations originating from mobile devices that are the property of trading companies or their suppliers
• End-to-end multimedia encryption
Regularly monitor stored interactions to confirm that the recording notification is accurately recited and that the privacy provisions of GDPR are observed. Establish and maintain controls that ensure recordings are stored for at least five years in a durable medium.
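The "durable medium that prevents manipulation", the five-year floor with an NCA extension to seven, and "available on request" requirements above translate into a small number of storage controls. The following is an added worked example, not NICE product code and not from the original paper: an append-only archive that hash-chains a manifest entry for each recording (so any altered, removed or re-ordered record is detectable), refuses deletion before the retention date, honours a longer hold, and answers requests by metadata search. Storage is an in-memory dict standing in for WORM or object-lock storage, and the metadata field names (`client`, `recorded_at`) are assumptions for the example.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first manifest entry


class RetentionError(Exception):
    """Deletion attempted inside the recording's retention window."""


@dataclass(frozen=True)
class ManifestEntry:
    rec_id: str
    metadata: dict        # assumed keys: client, recorded_at (ISO 8601 with UTC offset)
    content_sha256: str   # digest of the audio/chat bytes as ingested
    prev_hash: str        # chain_hash of the previous entry, GENESIS for the first
    chain_hash: str       # SHA-256 over prev_hash, content digest and canonical metadata


def _add_years(ts: datetime, years: int) -> datetime:
    try:
        return ts.replace(year=ts.year + years)
    except ValueError:  # 29 February rolling onto a non-leap year
        return ts.replace(year=ts.year + years, day=28)


def _link(prev_hash: str, content_sha256: str, metadata: dict) -> str:
    canonical = json.dumps(metadata, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{content_sha256}|{canonical}".encode()).hexdigest()


class RecordingArchive:
    """Append-only store: blobs are write-once and manifest entries are never removed."""

    def __init__(self, retention_years: int = 5):
        self.retention_years = retention_years
        self._blobs: dict[str, bytes] = {}          # stand-in for WORM / object-lock storage
        self._manifest: list[ManifestEntry] = []    # hash chain, one entry per ingest
        self._holds: dict[str, int] = {}            # rec_id -> extended retention in years
        self._expired: set[str] = set()             # rec_ids deleted after retention lapsed

    def ingest(self, rec_id: str, content: bytes, metadata: dict) -> ManifestEntry:
        if rec_id in self._blobs or rec_id in self._expired:
            raise ValueError(f"{rec_id}: recordings are write-once")
        datetime.fromisoformat(metadata["recorded_at"])  # reject entries without a usable timestamp
        digest = hashlib.sha256(content).hexdigest()
        prev = self._manifest[-1].chain_hash if self._manifest else GENESIS
        entry = ManifestEntry(rec_id, dict(metadata), digest, prev, _link(prev, digest, metadata))
        self._blobs[rec_id] = bytes(content)
        self._manifest.append(entry)
        return entry

    def _entry(self, rec_id: str) -> ManifestEntry:
        return next(e for e in self._manifest if e.rec_id == rec_id)

    def extend_hold(self, rec_id: str, years: int) -> None:
        """Honour an NCA request to keep a recording longer (MiFID II allows up to seven years)."""
        self._holds[rec_id] = max(self._holds.get(rec_id, 0), years)

    def retention_until(self, rec_id: str) -> datetime:
        recorded_at = datetime.fromisoformat(self._entry(rec_id).metadata["recorded_at"])
        return _add_years(recorded_at, max(self.retention_years, self._holds.get(rec_id, 0)))

    def can_delete(self, rec_id: str, now: datetime) -> bool:
        return now >= self.retention_until(rec_id)

    def delete(self, rec_id: str, now: datetime) -> None:
        if not self.can_delete(rec_id, now):
            raise RetentionError(f"{rec_id} must be retained until {self.retention_until(rec_id).isoformat()}")
        del self._blobs[rec_id]      # the manifest entry stays, so the chain still proves it existed
        self._expired.add(rec_id)

    def find(self, *, client: str | None = None, since: datetime | None = None,
             until: datetime | None = None) -> list[str]:
        """Metadata search used to answer client or NCA requests for copies."""
        hits = []
        for e in self._manifest:
            ts = datetime.fromisoformat(e.metadata["recorded_at"])
            if client is not None and e.metadata.get("client") != client:
                continue
            if (since is not None and ts < since) or (until is not None and ts > until):
                continue
            hits.append(e.rec_id)
        return hits

    def verify(self) -> list[str]:
        """Recompute the chain and every stored digest; an empty list means the archive is intact."""
        findings, prev = [], GENESIS
        for e in self._manifest:
            if e.prev_hash != prev or e.chain_hash != _link(prev, e.content_sha256, e.metadata):
                findings.append(f"{e.rec_id}: manifest link broken")
            blob = self._blobs.get(e.rec_id)
            if blob is None:
                if e.rec_id not in self._expired:
                    findings.append(f"{e.rec_id}: recording missing")
            elif hashlib.sha256(blob).hexdigest() != e.content_sha256:
                findings.append(f"{e.rec_id}: content altered")
            prev = e.chain_hash
        return findings
```

In a real deployment the manifest head hash would be periodically anchored somewhere the recording platform's administrators cannot write (a separate log system, a signed timestamp, or a regulator-facing attestation), because an administrator who can rewrite both the blobs and the manifest can recompute the chain; `verify()` then runs as part of the periodic monitoring the directive calls for.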
Health Insurance Portability and Accountability Act (HIPAA) – Privacy Rule
Background
The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Under HIPAA, healthcare companies must comply with extensive rules and regulations regarding the dissemination and transmittal of personal patient information. The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals’ privacy rights to understand and control how their health information is used. The Office for Civil Rights within HHS has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties. The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) held by “covered entities” (generally, health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions).
Objective
Ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being.
Terms
Protected Health Information (PHI). The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information.”
Individually identifiable health information is information that relates to:
• The individual’s past, present or future physical or mental health or condition,
• The provision of health care to the individual, or
• The past, present, or future payment for the provision of health care to the individual,
and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer, and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
Business Associate. In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.
Business Associate Contract. When a covered entity uses a contractor or other non-workforce member to perform “business associate” services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement. In the business associate contract, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates.
Scope
The Privacy Rule, as well as all the Administrative Simplification rules, applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”). There are exceptions: a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.
Health Plans. Individual and group plans that provide or pay the cost of medical care are covered entities. Health plans include health, dental, vision, and prescription drug insurers, health maintenance organizations (“HMOs”), Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers, and long-term care insurers (excluding nursing home fixed-indemnity policies).
Health Care Providers. Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule. Using electronic technology, such as email, does not by itself make a health care provider a covered entity; the transmission must be in connection with a standard transaction.
Health Care Clearinghouses. These are entities that process nonstandard information they receive from another entity into a standard format or data content, or vice versa. In most instances, health care clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or health care provider as a business associate.
In such instances, only certain provisions of the Privacy Rule are applicable to the health care clearinghouse’s uses and disclosures of protected health information. Health care clearinghouses include billing services, repricing companies, community health management information systems, and value-added networks and switches if these entities perform clearinghouse functions.
Pertinent provisions
A covered entity may not use or disclose protected health information except either (1) as the Privacy Rule permits or requires, or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
Under HIPAA rules and regulations, call centers need to incorporate secure voice and data processing as well as encrypted record storage to support call monitoring, tracking, data management and reporting. Call centers must ensure that all CSRs are appropriately trained to protect the confidentiality of patients’ medical records and payment histories. HIPAA-compliant call centers must ensure that recording and monitoring platforms integrate screen and voice data so that confidential patient information is protected without compromising the training and evaluation of CSR performance.
A covered entity must disclose protected health information in only two situations: (a) to individuals (or their personal representatives) when they request access to, or an accounting of disclosures of, their protected health information; and (b) to HHS when it is undertaking a compliance investigation, review or enforcement action.
A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances.
Patients have the right to decide how their health care information is used. Therefore, a patient must sign a release of information before it can be shared outside of the doctor-patient setting. Once a health care professional has information from a patient, they are required to follow certain guidelines to protect it. Wrongful disclosure or misuse of medical information is prohibited and can subject a medical professional to fines and/or imprisonment.
Penalties
Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights and by state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA. The four categories used for the penalty structure are as follows:
Category 1: A violation that the covered entity was unaware of and could not realistically have avoided even with a reasonable amount of care taken to abide by HIPAA Rules
Category 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (falling short of willful neglect of HIPAA Rules)
Category 3: A violation that is a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation
The fines attached to each category are:
Category 1: Minimum fine of $100 per violation, up to $50,000
Category 2: Minimum fine of $1,000 per violation, up to $50,000
Category 3: Minimum fine of $10,000 per violation, up to $50,000
Category 4: Minimum fine of $50,000 per violation
The maximum fine per violation category, per year, is $1,500,000. In addition to civil financial penalties for HIPAA violations, criminal charges can be filed against the individual(s) responsible for a breach of PHI.
Importance to Contact Centers
In-house contact centers for covered entities (e.g., providers, insurers) and business associates (collectors, outsourcers, billing companies) should have strict controls over customer databases. Non-authorized personnel should not have access to information about the health condition of specific individuals. Healthcare organizations should avoid engaging the services of a third-party call center unless it can be independently verified that the call center handles ePHI in compliance with HIPAA. Service provider contact centers and business associates that are HIPAA compliant should require their employees to attend training seminars and to stay up to date with any changes to the regulations.
Encrypt all PHI: Encrypting PHI devalues it to an attacker because the data is unusable to anyone who does not hold the key, which also makes key management part of the control. HIPAA does not make encryption mandatory in every case (the Security Rule lists it as an “addressable” specification), but it is considered a best practice that all healthcare organizations should enforce.
Avoid recording sensitive information: One of the easiest ways to prevent a theft of data is to not record PHI or payment data over the phone in the first place. Set a policy requiring agents to pause call recording when collecting payment information over the phone, so that it is never stored in your database. Because this relies on the agent remembering to pause, a more reliable method is to upgrade or replace recording software so that the platform itself masks or pauses recording during the entry of sensitive data, for example when the agent's screen is on the payment field.
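The pause-and-mask control above is usually driven by desktop events (the agent focuses the card-number or diagnosis field, or presses a pause key) and has to be applied to the voice stream and the screen or transcript data together. The following is an added example, not code from NICE or from the original paper: it normalizes a stream of pause/resume events into intervals, silences every audio frame that touches an interval, and applies the same intervals to a timestamped transcript. It fails closed on the cases that cause real leaks: a pause that is never resumed masks through the end of the call, a duplicate pause is ignored rather than resetting the window, and a stray resume is logged and ignored. The frame format (20 ms frames of raw bytes), the event tuples and the sample data are all constructed for the example.

```python
from __future__ import annotations

FRAME_MS = 20  # assumed frame length of the constructed recording

# Constructed sample: 10 frames x 20 ms = 200 ms of "audio"; the agent focused the
# card-number field at 50 ms and left it at 90 ms.
SAMPLE_FRAMES = [bytes([i]) * 4 for i in range(10)]
SAMPLE_EVENTS = [(50, "pause"), (90, "resume")]


def paused_intervals(events: list[tuple[int, str]], call_end_ms: int):
    """Turn (ms offset, "pause"|"resume") events into [start, end) intervals.

    Fails closed: an unmatched pause masks to end of call, a second pause while
    already paused is ignored, a resume without a pause is logged and ignored.
    """
    intervals: list[tuple[int, int]] = []
    warnings: list[str] = []
    open_at: int | None = None
    for ts, kind in sorted(events):
        if kind == "pause":
            if open_at is None:
                open_at = ts
            else:
                warnings.append(f"duplicate pause at {ts} ms ignored")
        elif kind == "resume":
            if open_at is None:
                warnings.append(f"resume at {ts} ms without a pause ignored")
            else:
                intervals.append((open_at, ts))
                open_at = None
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    if open_at is not None:
        intervals.append((open_at, call_end_ms))
        warnings.append(f"pause at {open_at} ms never resumed; masked to end of call")
    return intervals, warnings


def _overlaps(start: int, end: int, intervals: list[tuple[int, int]]) -> bool:
    """True if [start, end) touches any paused interval (partial overlap counts)."""
    return any(s < end and start < e for s, e in intervals)


def redact_audio(frames: list[bytes], events: list[tuple[int, str]], frame_ms: int = FRAME_MS):
    """Return a copy of the frames with every paused frame replaced by silence, plus an audit report."""
    intervals, warnings = paused_intervals(events, len(frames) * frame_ms)
    out: list[bytes] = []
    masked: list[int] = []
    for i, frame in enumerate(frames):
        start = i * frame_ms
        if _overlaps(start, start + frame_ms, intervals):
            out.append(b"\x00" * len(frame))  # all-zero PCM: silence, same length as the original
            masked.append(i)
        else:
            out.append(frame)
    return out, {"intervals": intervals, "masked_frames": masked, "warnings": warnings}


def redact_transcript(words: list[tuple[int, str]], intervals: list[tuple[int, int]]):
    """Apply the same intervals to a timestamped transcript or screen-capture keystroke log."""
    return [(ts, "[REDACTED]" if _overlaps(ts, ts + 1, intervals) else text) for ts, text in words]


if __name__ == "__main__":
    _, report = redact_audio(SAMPLE_FRAMES, SAMPLE_EVENTS)
    print(report)
```

The report (intervals, masked frame indices, warnings) is what an auditor wants to see next to the recording: it proves that the masking happened and exposes the calls where an agent paused and never resumed, which is itself a quality problem worth a supervisor's attention.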
Telemarketing Sales Rule (TSR)
Background
Enacted by Congress in 1994, the Telemarketing and Consumer Fraud and Abuse Prevention Act directed the Federal Trade Commission (FTC) to issue a rule defining and prohibiting deceptive and abusive telemarketing acts or practices. The original Telemarketing Sales Rule (TSR) was issued in 1995 and has been amended several times: in 2003 to establish the Do-Not-Call registry, in 2008 to address prerecorded messages in telemarketing calls, in 2010 to address deceptive and abusive practices associated with debt relief services, and in 2015 to prohibit the use of remotely created payment orders and checks, cash-to-cash money transfers, and cash reload mechanisms. The TSR requires telemarketers to make certain disclosures to consumers and prohibits material misrepresentations. In addition to the federal Telemarketing Sales Rule, individual states may have their own requirements for telemarketing.
Intent
The Telemarketing and Consumer Fraud and Abuse Prevention Act (the “Telemarketing Act”) targets deceptive or abusive telemarketing practices; the TSR is the rule that implements it by prohibiting those practices.
Terms
• Telemarketing is a plan, program, or campaign to induce the purchase of goods or services or a charitable contribution, involving more than one interstate call.
• Material Information is information that would likely affect a person’s choice of goods or services or the person’s decision to make a charitable contribution.
• Clear and Conspicuous: when disclosures are oral, “clear and conspicuous” means at an understandable speed and pace, and in the same language(s) and in the same tone and volume as the sales offer(s), so that ordinary consumers can easily hear and understand it. When making outbound calls, a telemarketer must promptly disclose certain types of information to consumers orally in the sales presentation.
• Express Verifiable Authorization is required when payment is made by a method other than a credit card or debit card (the full list of exceptions is given under Pertinent provisions below). Authorization is considered verifiable if, among other methods, it is stored as an audio recording.
Scope
The TSR applies to any firm or individual, foreign or domestic, that engages in interstate telemarketing (as defined) unless specifically excluded. Covered parties include:
• Telefunders: third-party telemarketing firms engaged by nonprofits for fundraising.
• Third-party telemarketing organizations retained by organizations that would otherwise have been exempt if they were conducting their own telemarketing.
• Insurance-related businesses, to the extent that their telemarketing activities are not regulated by state law.
• Attempts to upsell a customer who was not calling in response to a solicitation, for example a request for a service connection. Upselling is subject to the TSR even if the initial call was exempt, such as a response to media advertising.
Exemptions include banks and federal credit unions, common carriers, securities dealers and related financial service organizations, all of which are covered by separate legislation. Also exempted are unsolicited calls from consumers, calls placed in response to a catalog or general media advertising, and most business-to-business calls.
Pertinent provisions
The TSR requires that a telemarketer making an outbound sales call must promptly, truthfully, clearly and conspicuously disclose the following before any sales proposal is given:
• The identity of the seller
• That the purpose of the call is to sell goods or services
• The nature of the goods or services being offered
• In the case of a prize promotion, that no purchase or payment is necessary to participate
Disclosures are not required when a seller calls to welcome new customers and ask whether they are satisfied with goods or services they recently purchased. If the seller does not plan to sell anything to these customers during any of these calls, the four oral disclosures are not required.
If the called party wishes to proceed with an order, the seller or telemarketer must disclose the following material information before the customer pays for the goods or services:
• Cost and quantity, including any detail such as shipping cost and the terms of an installment agreement.
• Any material limitations or restrictions, such as policies for refunds, cancellations, and exchanges.
• In the case of an offer of a credit card, any requirement to make a deposit.
Oral disclosures must be “clear and conspicuous” and must be made before the consumer pays. The TSR prohibits sellers and telemarketers from making false or misleading statements to induce anyone to pay for goods or services or make a charitable contribution. The TSR requires “express verifiable authorization” when payment is made by a method other than a credit card, debit card, conventional check, postal money order, cash, gift certificate, or direct billing. Among other methods, authorization is considered verifiable if the seller obtains an audio recording of the customer’s consent.
When the seller is using pre-acquired account information to execute payment, it must obtain from the customer at least the last four digits of the account number to be charged. Any audio recording of an oral payment authorization must clearly demonstrate that the consumer has received each of eight specific pieces of information about the transaction and that the consumer has authorized that funds be taken from (or charged to) his or her account based on the disclosures made by the seller or telemarketer:
• The goods and services being purchased, or the charitable contribution for which payment authorization is sought.
• The number of debits, charges, or payments (if more than one).
• The date(s) the debits, charges, or payments will be submitted for payment.
• The amount of the debits, charges, or payments.
• The customer or donor’s name.
• The customer or donor’s billing information, identified in specific enough terms that the consumer understands which account will be used to collect payment for the transaction.
• A telephone number that is answered during normal business hours by someone who can answer the consumer’s questions.
• The date of the consumer’s oral authorization.
Where sellers and telemarketers have pre-acquired account information and are offering goods or services on a free-to-pay conversion basis, the entire telemarketing transaction must be recorded on audio. The recording must capture the material terms provided to the consumer, as well as the context and the way the offer is presented. In a single-transaction call, this means recording the entire call; in a multi-purpose call, it means recording the entirety of each transaction that uses pre-acquired account information coupled with a free-to-pay conversion offer.
When pre-acquired account information is used but the offer does not include a free-to-pay conversion feature, the seller must:
• Obtain the customer or donor’s express agreement to be charged for the goods or services and to be charged using the account number the seller or telemarketer has identified.
• At a minimum, identify the account to be charged with enough specificity for the customer or donor to understand which account will be used.
The TSR also requires that the audio recording of the oral authorization be made available upon request to the customer or donor, as well as to the customer or donor’s bank or other billing entity. The following records must be maintained for two years from the date the record is produced:
• Advertising and promotional materials
• Information about prize recipients
• Sales records
• Employee records
• All verifiable authorizations or records of express informed consent or express agreement
If authorization is by audio recording, a copy of the recording must be maintained. While the recording may be retained in any format, it must include all the information that must be disclosed to the consumer, as well as the consumer’s oral authorization. Sellers and telemarketers may maintain the records in any manner, format or place in which they keep such records in the ordinary course of business, including electronic storage. The billing-information element must be stated in specific enough terms that the consumer understands which account will be used to collect payment for the transaction; for example, reciting the account and the amount to be charged on a specific date.
Most states also have more general consumer protection statutes which govern all consumer transactions with residents of those states. Those consumer protection laws prohibit a variety of fraudulent and unfair trade practices. Some states require telemarketers to apply for and obtain a state telemarketing license or telemarketing bond before they can call into or out of the state.
Penalties
Companies that violate the Rule are subject to civil penalties of up to $11,000 per violation (the FTC periodically adjusts this amount for inflation). There are more severe penalties for violations of the Do-Not-Call provisions. State attorneys general, or any other officer authorized by the state to bring actions on behalf of its residents, may bring civil actions. Private citizens may bring an action to enforce the TSR if they have suffered $50,000 or more in actual damages.
Importance to Contact Centers
Contact centers should record all voice and screen interactions that involve actual telephone sales or sales attempts. The TSR applies to all individuals who use the telephone for making sales propositions. Organizations should extend compliance training, appropriate scripting, and interaction recording to all employees who use the telephone for making sales propositions.
This includes sales representatives as well as telemarketers and customer service representatives tasked with revenue generation. All interaction recordings must be easily searchable using the available metadata, both to settle disputes and to comply with customer requests for copies of the recording. To prevent errors and help assure compliance, telemarketers and other sellers should be provided with precise scripts that contain the mandated details. Contact centers engaged in telemarketing should check whether the states in which they operate require licenses or bonds. When retaining third-party call centers, it is incumbent upon the client to ensure that the outsourcer complies with TSR requirements: it is a violation of the TSR to substantially assist a seller or telemarketer while knowing, or consciously avoiding knowing, that the seller or telemarketer is violating the TSR. Many telemarketers operate from home offices. Employers should ensure that these calls are also recorded and that the recordings are secured from unauthorized access.