Case study
A new approach to archiving customer call recordings – securely, efficiently and economically
Case study
A new approach to archiving customer call recordings – securely, efficiently and economically
Summary
Many organisations record their business phone calls for a variety of reasons including quality monitoring and training, or to satisfy one or more (occasionally competing) regulatory requirements. If you’re a bank, this list of regulations and compliance requirements gets pretty big.
For our client (a high street bank), the ability to archive, store and retrieve call recording data in a secure and compliant manner was not a luxury, but a fundamental business requirement.
Against a backdrop of increasingly stringent data protection regulations, any organisation that fails to take its obligations in this area seriously is not only risking the safety of its customers’ most sensitive information, but also gambling with its own business reputation and risking sizable fines.
We helped the bank ensure that its archive call recordings were maintained securely, easy to search for / play back, and purged at the correct time. In the bargain, we also massively reduced its storage costs.
Highlights
Long-term storage of call recordings is for many, a legal requirement. By migrating them to a secure, managed cloud infrastructure and away from tapes or central storage vaults, our major high street client could achieve multiple benefits:
Remove the risk associated with recordings stored on degrading tape media and ‘end of life’ proprietary playback platforms
Mitigate risk by purging recordings according to their retention policy
Reduce costs associated with storage, time consuming retrieval, and fines if unable to access specific recordings when required
Manage recordings easily: instant search/playback, retention/litigation hold, user access controls, playlists of multiple recordings, MI and more
Maintain regulatory compliance
Summary
Many organisations record their business phone calls for a variety of reasons including quality monitoring and training, or to satisfy one or more (occasionally competing) regulatory requirements. If you’re a bank, this list of regulations and compliance requirements gets pretty big.
For our client (a high street bank), the ability to archive, store and retrieve call recording data in a secure and compliant manner was not a luxury, but a fundamental business requirement.
Against a backdrop of increasingly stringent data protection regulations, any organisation that fails to take its obligations in this area seriously is not only risking the safety of its customers’ most sensitive information, but also gambling with its own business reputation and risking sizable fines.
We helped the bank ensure that its archive call recordings were maintained securely, easy to search for / play back, and purged at the correct time. In the bargain, we also massively reduced its storage costs.
Highlights
Long-term storage of call recordings is for many, a legal requirement. By migrating them to a secure, managed cloud infrastructure and away from tapes or central storage vaults, our major high street client could achieve multiple benefits:
Remove the risk associated with recordings stored on degrading tape media and ‘end of life’ proprietary playback platforms
Mitigate risk by purging recordings according to their retention policy
Reduce costs associated with storage, time consuming retrieval, and fines if unable to access specific recordings when required
Manage recordings easily: instant search/playback, retention/litigation hold, user access controls, playlists of multiple recordings, MI and more
Maintain regulatory compliance
So, first you have to find the correct storage location, then the right tape (hoping it’s been labelled correctly/at all), then find a player that’s old and no longer supported and get it to play back. You might also need to do that multiple times if a case spans several calls.
Very quickly you realise that a new approach is needed.
In short, the challenges the bank faced were…
Regulatory and security
- Banks can be required to retain call recordings for years
- Various (sometimes competing) regulations control access, retention periods
- Recordings must be stored securely and with tightly controlled/audited access
– Calls containing cardholder data must be maintained in line with PCI DSS controls, meaning restricted access and even tighter controls - Recordings must be accessible quickly to support any legal proceedings – with fines imposed if recordings cannot be located in time
Operational
- Multiple contact centre locations with a variety of tape formats and versions meant that without detailed, ongoing cataloguing, tape archives could become black holes for individual call recordings. Retrieval of multiple recordings for evidence in litigation amplifies the effort and complexity
- High cost of storage/maintenance of old equipment
- Lack of fine-controlled user access usually meant locking things away/severely restricting access
Technology
- Older versions of hardware and software become unsupported (classified as ‘end of life’) meaning recordings made years ago are hard to play back.
- Tapes degrade over time even if kept in the best conditions (many aren’t), meaning that even if the tape is located, sometimes it isn’t able to play
- Central vault storage will also be ‘end of lifed’ as technology is updated creating a similar problem – long-term storage is usually on (degrading) tape media anyway and so playback is not always possible.
While we did all of that, we also made sure that:
- All original call metadata was retained and augmented with additional details to enhance future searching
- Recordings were encrypted at the start of the digitisation process meaning that only the bank could access them
With projects involving older (and proprietary) technology, you might come up against some challenges along the way. Here are some things to watch out for:
- Whether your call data is stored on tape, written directly from the recorder, or vault storage such as Enterprise Vault or EMC, it’s likely that you will require specialists to extract the data
- Prepare for the likelihood that a certain percentage of data may not be readable – there are many things that can impact this and many specialists will have ways to extract data despite certain faults, but some tapes simply will not be read
- If recordings are encrypted (by the proprietary vendor) it may make it tricky to access them in bulk without their help
- It’s not easy to find all required skills in one vendor – so take a team approach
ContactPartners provided a fully managed service for retrieval of call recording data from both tape and central vault storage as well as long-term storage of the recordings, together with a secure, hosted portal for search/playback of the recordings.
Managing storage, access, playback & purging
- Recordings were retrieved from tape/vault storage and relocated to a secure cloud infrastructure, encrypted using the bank’s cryptographic key, and stored in their original format
– Meaning they were non-degrading and could now be preserved indefinitely - Users access recordings (search and playback) via a secure SaaS application using a standard Internet browser
- Retention period/purge date can be set for each recording (manually by certain users or automatically by inference from call metadata) meaning that risks are mitigated as soon as possible
- Users can be restricted to the recordings they need access to, either due to the call type (e.g. PCI DSS user restrictions) or perhaps the sites calls were recorded for
- The ability to tag a specific section of a call and add a comment, or create a ‘playlist’ of multiple calls can be really useful for coaching or when presenting evidence
- User with relevant access rights can also redact sections of a call, if it is found to contain cardholder data for example, thereby making a clean copy to use for coaching/training
Security
- Call recording files are stored encrypted and only unencrypted as they are retrieved – only the bank can play them back, we don’t even have access to them!
- Recordings are decrypted on the fly and streamed
- Access is controlled by user login (or Single Sign On) as well as locked down by IP address
- A full audit trail of user access and playback is maintained for compliance purposes
- Users can be ‘velocity limited’ if required (meaning they can only listen to a maximum number of recordings in a given period – useful for PCI DSS controls)
- The recordings are stored in a highly compliant platform with several accreditations:
– PCI DSS Version 3 Level 1, BS10008, ISO27001
The project has achieved several goals relating to the management of legacy data.
Risk reduction
- Calls are stored securely in a non-degrading medium and will be available for playback for decades to come, eliminating and risks relating to tape decay or manufacturer software/hardware upgrades
- Recordings that are no longer required due to regulation are purged monthly, further reducing risk
- Destruction Hold Orders (DHOs) can be applied at individual recording level, meaning that other calls that would have been on the same tape can be purged at their retention date as normal
- Calls are stored in adherence with relevant compliance requirements
- Risks of a data breach are greatly reduced by calls being stored encrypted in a secure location
- Tight access controls limit who has access to recordings, together with an audit of their activity
- Redaction of sensitive sections of the call reduces risk when playback is required
Cost reduction
- Fines applied when recordings are not located in a timely manner are eliminated
- Storage costs are massively reduced. Our estimates puts this at a reduction of over 90% on monthly storage fees (c.£15m/yr cost savings for this project, and rising as more data is migrated)
- The time (and therefore cost) to retrieve recordings is all but eliminated
Doing the right thing
Ultimately, the maintenance of a record of conversations, and the ability to locate evidence quickly, instils trust and confidence in the bank’s customers – and that’s a big deal.
So, first you have to find the correct storage location, then the right tape (hoping it’s been labelled correctly/at all), then find a player that’s old and no longer supported and get it to play back. You might also need to do that multiple times if a case spans several calls.
Very quickly you realise that a new approach is needed.
In short, the challenges the bank faced were…
Regulatory and security
- Banks can be required to retain call recordings for years
- Various (sometimes competing) regulations control access, retention periods
- Recordings must be stored securely and with tightly controlled/audited access
– Calls containing cardholder data must be maintained in line with PCI DSS controls, meaning restricted access and even tighter controls - Recordings must be accessible quickly to support any legal proceedings – with fines imposed if recordings cannot be located in time
Operational
- Multiple contact centre locations with a variety of tape formats and versions meant that without detailed, ongoing cataloguing, tape archives could become black holes for individual call recordings. Retrieval of multiple recordings for evidence in litigation amplifies the effort and complexity
- High cost of storage/maintenance of old equipment
- Lack of fine-controlled user access usually meant locking things away/severely restricting access
Technology
- Older versions of hardware and software become unsupported (classified as ‘end of life’) meaning recordings made years ago are hard to play back.
- Tapes degrade over time even if kept in the best conditions (many aren’t), meaning that even if the tape is located, sometimes it isn’t able to play
- Central vault storage will also be ‘end of lifed’ as technology is updated creating a similar problem – long-term storage is usually on (degrading) tape media anyway and so playback is not always possible.
Impressed with previous SaaS applications provided by ContactPartners (particularly, some nifty call recording search/playback capabilities), and after a stringent vendor selection/RFP process, the bank chose to work with us again to completely rethink its approach to legacy call data. Along with support from specialist partners, we led the task of migrating the bank’s archive call recordings to the cloud.
While we did all of that, we also made sure that:
- All original call metadata was retained and augmented with additional details to enhance future searching
- Recordings were encrypted at the start of the digitisation process meaning that only the bank could access them
With projects involving older (and proprietary) technology, you might come up against some challenges along the way. Here are some things to watch out for:
- Whether your call data is stored on tape, written directly from the recorder, or vault storage such as Enterprise Vault or EMC, it’s likely that you will require specialists to extract the data
- Prepare for the likelihood that a certain percentage of data may not be readable – there are many things that can impact this and many specialists will have ways to extract data despite certain faults, but some tapes simply will not be read
- If recordings are encrypted (by the proprietary vendor) it may make it tricky to access them in bulk without their help
- It’s not easy to find all required skills in one vendor – so take a team approach
ContactPartners provided a fully managed service for retrieval of call recording data from both tape and central vault storage as well as long-term storage of the recordings, together with a secure, hosted portal for search/playback of the recordings.
Managing storage, access, playback & purging
- Recordings were retrieved from tape/vault storage and relocated to a secure cloud infrastructure, encrypted using the bank’s cryptographic key, and stored in their original format
– Meaning they were non-degrading and could now be preserved indefinitely - Users access recordings (search and playback) via a secure SaaS application using a standard Internet browser
- Retention period/purge date can be set for each recording (manually by certain users or automatically by inference from call metadata) meaning that risks are mitigated as soon as possible
- Users can be restricted to the recordings they need access to, either due to the call type (e.g. PCI DSS user restrictions) or perhaps the sites calls were recorded for
- The ability to tag a specific section of a call and add a comment, or create a ‘playlist’ of multiple calls can be really useful for coaching or when presenting evidence
- User with relevant access rights can also redact sections of a call, if it is found to contain cardholder data for example, thereby making a clean copy to use for coaching/training
Security
- Call recording files are stored encrypted and only unencrypted as they are retrieved – only the bank can play them back, we don’t even have access to them!
- Recordings are decrypted on the fly and streamed
- Access is controlled by user login (or Single Sign On) as well as locked down by IP address
- A full audit trail of user access and playback is maintained for compliance purposes
- Users can be ‘velocity limited’ if required (meaning they can only listen to a maximum number of recordings in a given period – useful for PCI DSS controls)
- The recordings are stored in a highly compliant platform with several accreditations:
– PCI DSS Version 3 Level 1, BS10008, ISO27001
The project has achieved several goals relating to the management of legacy data.
Risk reduction
- Calls are stored securely in a non-degrading medium and will be available for playback for decades to come, eliminating and risks relating to tape decay or manufacturer software/hardware upgrades
- Recordings that are no longer required due to regulation are purged monthly, further reducing risk
- Destruction Hold Orders (DHOs) can be applied at individual recording level, meaning that other calls that would have been on the same tape can be purged at their retention date as normal
- Calls are stored in adherence with relevant compliance requirements
- Risks of a data breach are greatly reduced by calls being stored encrypted in a secure location
- Tight access controls limit who has access to recordings, together with an audit of their activity
- Redaction of sensitive sections of the call reduces risk when playback is required
Cost reduction
- Fines applied when recordings are not located in a timely manner are eliminated
- Storage costs are massively reduced. Our estimates puts this at a reduction of over 90% on monthly storage fees (c.£15m/yr cost savings for this project, and rising as more data is migrated)
- The time (and therefore cost) to retrieve recordings is all but eliminated
Doing the right thing
Ultimately, the maintenance of a record of conversations, and the ability to locate evidence quickly, instils trust and confidence in the bank’s customers – and that’s a big deal.
Here’s the thing:
We can’t release the name of this major UK retail bank because the organisation has a strict non-endorsement policy. We can tell you that we’re delighted and privileged to count them as a longstanding client, and we are pleased to be able to share the details of this successful project with their approval.