
Legal requirements for archiving in the financial sector

Cloud, Compliance, Financial Services

In the last 20 years, more and more customers have turned to banking and finance networks, influencing the way banking data is managed. On the downside, financial scandals as well as cases of cybercrime and money laundering have become more frequent, too. As a consequence, recent years have seen a number of new directives, and amendments to existing ones, that aim to make transactions easier to track. But what does this imply for the retention periods of recorded calls? What exactly happens with the data, from the call to the archive?

Impact of MiFID II and other regulations on archiving in the financial sector

A variety of directives and regulations passed in recent years directly affect the recording and archiving of customer interactions in the financial sector. One of them is the second financial market amendment regulation (MiFID II), which implements the European Markets in Financial Instruments Directive in German law. MiFID II has tightened the regulations of 2007’s MiFID I and added new rules that had not been defined previously. The aim was above all to strengthen investor protection and to increase the transparency of financial markets.

Since 2018, banks, liability umbrellas, and asset managers holding a BaFin license under § 32 of the German Banking Act (KWG) have been required by MiFID II art. 16 para. 7 to keep records of phone or video consultations, as well as of any related electronic communication, in an evidence-proof way. Revision-proof archiving means that the stored data is protected against post-processing and that archives cannot be manipulated. At the same time, archiving must be traceable, and the information must be easy to find, tamper-proof and unchangeable. The recordings must be kept for five years. The period begins when the recording is created. At the request of the supervisory authority, this period can be extended to seven years.

Another important regulation for the archiving and retention of electronic communication is the Dodd-Frank Act (Dodd-Frank Wall Street Reform and Consumer Protection Act). The Dodd-Frank Act is a United States federal law that was passed as a reaction to the 2007 financial crisis. Its aim is to promote the financial stability of the US financial market by improving accountability and transparency. It obligates companies to retain the recordings of all business activities of the location, including a complete audit trail, in a format defined by the responsible supervisory authority for a minimum of 5 years.

Retention obligation vs. deletion obligation

For the European General Data Protection Regulation (GDPR; DSGVO in German), legally compliant retention and, at the same time, the deletion of personal data are central aspects. As a result, data may only be processed and stored for as long as the dedicated purpose justifies. Nevertheless, the retention obligations mentioned above must still be observed. As a rule, legally stipulated retention periods take precedence over deletion obligations from data protection regulations. Personal data thus must not be deleted as long as legal retention periods apply to it. Once the stipulated retention period has passed, personal data must be deleted.

Since deletion of data, especially in the financial sector, was supposed to be avoided at all costs in the past, recording systems did not offer any option for manually deleting data. To comply with the directive, systems had to be modified accordingly. Individual function rights now ensure that only users with the respective authorization can delete data. Specific deletion times (time to live), which are defined when the recording is configured, contribute to reliable, legally compliant data management, too.

Compliance: make or break

Especially in the financial industry, the content of customer interactions is usually highly sensitive and strictly confidential. Therefore, recording and archiving solutions that meet strict regulations and guarantee data integrity, availability, and data protection in the long run are a must. Specialized software providers like ASC offer banks and other financial service companies fail-safe systems to cater to these requirements. In contrast to other recording systems, ASC’s software guarantees more safety and finer granularity in defining retention and deletion periods for data. Data streams from customer interactions (telephony, video telephony, video consultation, screen, chat) are captured, encrypted and transmitted to the ASC recording system, where they are saved.

Data can be processed in different ways there. This is a must, since every system and every PBX reacts differently. To be able to record every call, tailor-made integrations for the PBXs of the different vendors are required. These enable the ASC software to capture the calls as well as additional data, such as customer ID or transaction ID, that allow the calls to be identified. Because this data is saved for every call, recordings can be searched for and retrieved more efficiently. To guarantee secure handling of sensitive data, ASC deploys a dedicated data format which cannot be decoded anywhere else but in ASC replay applications. Within the replay applications, individual authorization concepts further restrict handling. Unauthorized access to data is thus excluded.

Managing data safely when working remotely

Working from home has seen a massive uplift in the last year of the pandemic. Therefore, companies are looking for solutions that enable their employees to work remotely without having to change familiar processes. But especially for employees in the financial services industry, this is no easy feat: customer consultation is often impossible from home, as the means for the indispensable recording of a call is only available at the office. With VPN access, a secure and reliable connection to the corporate network is required, which is something not everyone can count on.

This is the reason why the financial sector now also frequently opts for cloud solutions to enable access from all around the globe. ASC has developed a flexible and quickly deployable cloud solution.

Recording and archiving made easy: the consultant calls the customer or vice versa. If the call is subject to a recording obligation, the consultant adds the cloud recording system to the call (3-way conference) by means of the dedicated phone number. Additionally, there is an option to pause and resume the recording of the call by pressing a dedicated key. As soon as a recording is initiated, the automated message “Your call is being recorded” is played. When the call is over, the relevant recording is saved in the ASC neo cloud in an evidence- and tamper-proof way and in compliance with the applicable directives; subsequently, it can be searched for and replayed as required.

Recording and archiving solutions for safe digital communication

In times like these, when more and more aspects of life are taken online and digital transformation is moving more swiftly than ever before, the protection of sensitive personal data is more important than ever. Digital transformation makes itself felt especially in the banking industry. Branch offices are closed down, processes are digitized, and consultation calls take place online instead of in person. Qualified recording and archiving solutions guarantee secure and legally compliant digital processing and archiving of data. In addition to safeguarding data, these solutions also facilitate work for employees in the financial services industry. They allow them to focus on offering their customers personal contact and quick and reliable service.

Martin Komm
Product Manager

Martin Komm is Product Manager at ASC. He is responsible for the further development of the recording solutions based on customer requirements and new legal regulations in ASC’s target markets, specifically in the finance sector. In close cooperation with Sales and R&D, he implements groundbreaking new technologies in ASC’s products. Working as a Technical Trainer at ASC Academy, he makes sure to incorporate service topics and intuitive user interfaces in the development of the products, too.