Voice Recording and MIFID II

Discussion in 'Ideas' started by cel, Jul 3, 2017.

Voice Recording and MIFID II 5 5 2votes
5/5, 2 votes

?

Do you would have a more flexible and secure voice recording

  1. Yes

    100.0%
  2. No

    0 vote(s)
    0.0%
  1. cel

    cel

    Joined:
    Jul 15, 2015
    Messages:
    34
    Likes Received:
    17
    Hello

    in order to the new European regulation MIFID II (Markets in Financial Instruments Directive), calls should be recorded. Therefore it would be good to extend the voice recording feature in the way that;

    • Forwarded calls are recorded If a call hits an extension, which has “Record All Calls” active that call, should be recorded even then it travels over SIP trunk or to a none recorded extension.
    • Flexibility in setting Recording for Trunks, Users, type of Calls, there should be a method to all more choices for voice recording to protect the privacy of the user. Instead of all calls, it should record only ring group, queue calls or certain incoming call rules
    • Adding a recorded announcement in front of the call to notify the caller that the conversation is recorded
    • Make sure that the wave files can not be modified
    • Encrypt the wave files
    • control the access to the recordings, optional 4 eyes principe
    Regards
     
  2. nb

    nb Support Team
    Staff Member 3CX Support

    Joined:
    Jun 7, 2007
    Messages:
    2,097
    Likes Received:
    142
    Hi Thanks for this feedback - very good features to take into consideration.

    I suggest you check my comments below and open some as ideas. Some of them are good..

    Point 1 This should work. It is already like this - if you are unable to reproduce this behavior then we can open a bug report. Bxfer, Attxfer and forwarding all record at the end. The described scenario works and it is not an issue.
    Point 2 is valid.. Open in ideas.
    Point 3 - You can do this in your DR and Queue announcements - just like all the banks out there do.
    Point 4 and 5 are the same. If we encrypt the wav files, then automatically they cannot be tampered with. (But then you have a problem playing them if you do not have the key). This needs more thought. If we do this, no more click and play from browsers... open in ideas. However the recordings should be stored safely. I mean are you worried that some admin can change the content of the recording?
    Point 6 Control access to recording - we have basic control. Users can see or not see recordings in their client. And Admins / hosting admins can give granularity access to their assistant admins deciding whether or not to see recordings in the management console sessions.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. voiptoys

    voiptoys Member

    Joined:
    Feb 13, 2013
    Messages:
    493
    Likes Received:
    81
    We address some of your concerns with our 3CX Recording Manager. For example, we can archive recordings and thus move them out of visibility by 3CX. This is important to manage who has access to the recordings. We control access to recordings based on extension group membership. Managers of an extension group can see recordings made by members of their group, but nothing else. Non-managers can only see/listen to their own personal recordings. We currently convert the recordings to MP3 to save space (1/2 the original size) and for compatibility with some devices that cannot play wav files. It would be fairly simple to add encryption, but as Nicky pointed out, it would require some method of playing the encrypted recordings. My thought is that we would temporarily dencrypt the audio stream in memory on the server side so the browser could play the recording. We also add the ability to add notes to a recording, as well as enable managers to score how the agent handled the call. We currently allow you to forward calls to others through our web portal. It would not be particularly difficult for us to add the ability to include an introduction to the recording prior to forwarding it to someone else. It seems to me that Nicky's suggestion to add an intro prompt to the queue about recording the call is reasonable, or you could do it in other places by sending calls to a Digital Receptionist that plays the announcement, then forwards the call to the desired location. I've often pondered whether we could "barge-in" to recorded calls to periodically play a beep indicating that the call is being recorded. We could also dynamically change what calls are recorded by monitoring the origin of the call and selectively turning off / on recording. If you would like to discuss your needs further, I'm sure we can help with all your concerns.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    Valentin Studer likes this.
  4. sheuser

    Joined:
    Jan 25, 2018
    Messages:
    3
    Likes Received:
    1
    Hello,

    Currently recordings are not set per Queue, but per extension.
    https://www.3cx.com/community/threads/selective-listen-record-calls.52041/

    So the customer doesn't have an option to "please press the button 1 to allow recording or press the button 2 to forbid that". Recording either works for all calls, or for no calls or can be manually activated call-by-call by the agent, which is not handy and doesn't really go inline with GDPR.
    GDPR requires to get a specific and informed customer's consent in a way of doing something (like pressing the specific button on the phone to _allow_ the recording), not just listening to the text and holding the line.

    Hope this helps.
     
    Valentin Studer likes this.
  5. voiptoys

    voiptoys Member

    Joined:
    Feb 13, 2013
    Messages:
    493
    Likes Received:
    81
    Perhaps you could send callers first to a Digital Receptionist that says something like "we record all calls for quality reasons, if you would like to opt-out of recordings, press 1". If they don't press 1 within a couple of seconds you send them to the "recorded queue", and if they do press 1 you send them to the "non-recorded queue". The next task is to write a windows service that monitors for queue calls and turns recording on for the agent's extension that took the recorded call, and off for those calls that come through the non-recorded queue... in other words dynamically turn on / off recording for an extension based on the origin of the call. This can be done if you need help.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    Valentin Studer likes this.
  6. sheuser

    Joined:
    Jan 25, 2018
    Messages:
    3
    Likes Received:
    1
    Hello,

    Thank you for your reply.

    There is the main issue with GDPR and 3cx recordings: according to GDPR customers have to "make an action" in order to opt-IN/agree to the recording instead of "make an action (press the button) to opt-OUT".
     
  7. voiptoys

    voiptoys Member

    Joined:
    Feb 13, 2013
    Messages:
    493
    Likes Received:
    81
    OK, the offered suggestion is easily changed to give them a choice. "To allow us to record your call for quality purposes, press 1. To opt-out of recording, press 2". Then the rest of my suggestion works the same. We can turn on / off recording for a given call using the Call Control API and a Windows service that evaluates which calls should be recorded, and which cannot.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  8. curatrix_pl

    Joined:
    May 1, 2018
    Messages:
    1
    Likes Received:
    0
    I think the context of GDPR has been mis-interpreted here...

    GDPR opt-in is about information being used to contact the user. In the instance where an organisation is bound to MIFID II (or similar legislation), call recording is mandatory for the company protection (such as where financial advice may be given) and as such should supercede GDPR.

    If the data in the call was then being used to target the user (such as targetted marketing campaigns, etc., if the user hadn't opted in), then this would be in breach of GDPR. GDPR is more about protection and processing of data within an organisation than it is about 'opt-in to communications'.

    Recording of all calls is allowed within GDPR as long as you have the company policies and processes around how the data is used, and the ability to report on breaches to the data (such as non-permitted user access and disclosure of information).