The banking and insurance industries are subject to some of the world’s most stringent and prescriptive records retention requirements. And it is getting more challenging every day, particularly for voice data.
In each country, there are multiple levels of regulations; in the US, for example, you have individual states AND the Federal government. This is compounded for international companies. Further, there are also industry-specific privacy and recording standards.
Here are some of the regulations that XOVOX has helped organizations comply with over the past two decades.
| Regulation | Jurisdiction | Industry | Record Type | Requirements | ||||
|---|---|---|---|---|---|---|---|---|
| Dodd-Frank | USA | Financial Services | All records that relate to swaps | Five years retention | ||||
| ECPA (Electronic Communications Privacy Act) | USA | All | Electronic communications, which includes voice recordings | Strict requirements when preserving and disclosing voice recordings | ||||
| FINRA (Financial Industry Regulatory Authority) | USA | Financial Services | Electronic communications, including voice recordings, for broker-dealers and other financial institutions | Various rules governing the retention and supervision of electronic communications | ||||
| FTC Act (Federal Trade Commission Act) | USA | All | Voice recordings that involve consumer interactions | Compliance with various consumer privacy and data security requirements | ||||
| HIPAA (Health Insurance Portability and Accountability Act) | USA | Healthcare | Voice recordings containing protected health information (PHI) | Strict requirements for storage, access, and disclosure | ||||
| Sarbanes-Oxley Act (SOX) | USA | All publicly listed corporations | All records related to financial transactions, which includes voice recordings related to financial reporting | Seven years retention | ||||
| SEC 17a-4 | USA | Financial Services | Broker-dealer voice recordings | Retention of three years total, with first two years in an easily accessible location | ||||
| CCPA (California Consumer Privacy Act) | USA | All business collecting personal information on California residents | Personal information, which may include voice recordings | Compliance with data subject access requests (DSARs) and deletion requests related to voice recordings; ensure secure storage and retrieval | ||||
| FCA (Financial Conduct Authority) | UK | Financial Services | Recorded telephone conversations | Six months retention | ||||
| FSC (Financial Services Commission) | S. Korea | Financial Services | Voice recordings related to trading of financial investment instruments | Ten years retention | ||||
| PCI DSS (Payment Card Industry Data Security Standard) | Global | Any company collecting or processing credit card information | Voice recordings which capture credit card information during customer interactions | Strict requirements for secure storage and handling | ||||
| GDPR (General Data Protection Regulation) | EU | All businesses that collect personal information on EU residents | Voice recordings containing personal data | Strict requirements for handling, including the right to erasure and data subject access requests (DSARs) | ||||
| MiFID II (Markets in Financial Instruments Directive) | EU | Financial Services | Transaction-related voice recordings and electronic communications | Retention of at least five years | ||||
| NAFR (National Administration of Financial Regulation, formerly CBRC) | China | Financial Services | Sound recordings relating to sales of wealth management products | Various rules governing the retention of transaction records | ||||
| ASIC (Australian Securities and Investment Commission) | Australia | Financial Services | All relevant electronic and telephone communication records | Seven years retention | ||||
