The ‘Anglo’ tapes issue has brought some of the more dramatic consequences of ‘callrecording’ to the fore. Most banks, as well as some other financial services providers, operate automated telephone recording systems for customer service desks and when transacting customer business by phone.
Access to telephone records may arise in a number of ways, which financial services organisations should be aware of so that they can structure their systems with this in mind to comply with all applicable laws and regulations.
Below is an overview of the requirements relating to call-recording as well as some other implications financial services providers should bear in mind.
Customer Protection Code
Call-recording has become accepted practice over the years and this practice has been acknowledged by the Central Bank of Ireland (the “Central Bank”) in the Consumer Protection Code, 2012 (the “CPC”).
For financial services providers interacting with consumers, telephone contact must only be made in accordance with the CPC and when doing so, the relevant entity must, amongst other things, immediately inform the consumer that the call is being recorded, if this is the case.
Financial Services Ombudsman (the “FSO”)
Where regulated financial services providers do not record telephone calls with customers, they may be at a disadvantage where a customer makes a complaint to the FSO relating to a product or service sold over the telephone.
The 2007 Annual Report of the FSO encourages call-recording by financial services providers with the then Financial Services Ombudsman, Joe Meade, noting that when:
“dealing with a complaint that hinges on contractual commitments entered into by telephone, [he] would be disposed to find in favour of a Complainant where the Provider could not provide the necessary evidence to rebut the claim being made. It would therefore be in the interests of the Providers to consider retaining appropriate records - including, where necessary, ‘phone recordings relating to such contractual commitments - for the period within which a person can complain to me i.e. six years.”
The 2007 Annual Report of the FSO also states that the Data Protection Commissioner (the “DPC”) was consulted by the FSO and that the DPC did not see any difficulty with financial services providers retaining personal data including telephone records in such circumstances. The DPC pointed out that it would be important that financial services providers comply with their other obligations under data protection legislation as discussed below.
Data Protection Rights
Under the Data Protection Acts 1998 and 2003 (the “DPA”), it is accepted that there can be a legitimate business interest basis for call-recording in business critical areas, provided that callers be clearly informed that the recording is taking place. The caller can then choose to continue or terminate the call.
The DPA (s.4) entitles individuals to access his/her personal data held by a data controller, i.e. financial services providers. An individual could, for example, be a bank employee or customer. On request, the individual is entitled to receive ‘in an intelligible form’ (i.e. a form that is capable of being understood) his/her “personal data”.
Data controllers are obliged to search all of their electronic systems including audio recordings and relevant paper-based filing systems for his/her personal data.
“Personal data” means any data relating to a living individual who is identifiable from the data or from the data in conjunction with other information that is in, or is likely to come into, the data controller’s possession. This encompasses a wide range of information, such as name, address, date of birth, passport number, credit card number, last time/place credit card used, geographical location and bank account details.
In 2002, the DPC considered a complaint by an individual who stated that, in the course of her employment for a particular company, she received a call from one of the major international banking organisations based in Ireland. During the call, she heard ‘pips’ on the line and, on enquiring, was informed that the call was being recorded but no explanation for the recording was given by the person representing the bank.
The bank stated that, in line with industry practice, it operated an automated call recording system. The recording system listed details of particular calls made at a particular time, to or from a particular telephone number. The bank initially disputed whether the recordings contained data relating to an ‘identifiable individual’. However, the DPC found that the bank could identify the individual by accessing the recording system and using this in conjunction with other data it held.
Accordingly, where a financial services provider uses a call-recording system and can identify individual callers, such recordings will fall within the scope of the DPA and be accessible under s.4. Access to the recordings can be provided in audio or transcript format, subject to certain limited exceptions, in particular, the need to protect third party personal data from disclosure without consent e.g. by redacting the transcript appropriately.
The right of access to information in litigation is far more extensive than that under the DPA; it is not restricted solely to the requester’s own personal data.
Discovery can be ordered by the court of any documents that are in the possession, power or procurement of a party “relating to any matter in question therein”. Discovery is also available for “electronically stored information” (‘ESI’). ESI includes data held on computer, voicemail, SMS text message, email, Blackberry-type devices, mobile telephones, CDs, DVDs, back-up tapes and other digital media. Therefore, financial services organisations should be aware that call-recordings could become important evidence in litigation disputes. A few examples have been highlighted by the media in criminal trials.
The costs of discovering ESI in commercial litigation are invariably substantial, which can pose a threat to the viability of the litigation. In order to help defray such costs in advance, organisations should consider managing their ESI, bearing possible future litigation in mind. For further advice in this regard, please contact us.
Criminal Investigations and State Investigations/Inquiries
A wide range of regulatory and other authorities are empowered to investigate and prosecute corporate conduct in Ireland, including An Garda Síochána, the Garda Bureau of Fraud Investigation, the Central Bank, the Director of Public Prosecutions (the “DPP”), the Director of Corporate Enforcement (the “DCE”), the Revenue Commissioners and the Competition Authority.
The DCE is responsible for investigating company law offences with wide investigative powers under the Company Law Enforcement Act 2001, including, by search warrant, to enter and search premises, compel the production of information and seize and retain anything of material importance.
Similarly, the Competition Authority has extensive investigative powers under Competition Acts 2002-2012, including, in particular, to carry out dawn raids on any premises where it has reasonable grounds to believe that records relating to a competition law offence are being kept.
The Central Bank can also carry out inspections of regulated financial services providers. It has broad powers to enter premises, take documents, and compel the production of information and documents pursuant to various pieces of legislation, as well as the power to issue sanctions pursuant to its Administrative Sanctions Procedure.
Clearly, the above powers could encompass the seizure, retention and examination of call-recordings by the DCE, the Competition Authority and the Central Bank.
Furthermore, the Commissions of Investigation Act 2004 contains extensive provisions in relation to discovery, which allow the Commission to obtain access to documentation held by “any person” which is of relevance to its investigation. This could include call-recordings.
The new Houses of the Oireachtas (Inquiries, Privileges and Procedures) Act, 2013 also includes powers allowing committees established pursuant to this act to request documents and records as necessary for an inquiry. The definition of “document” is very broad and includes callrecordings.
Freedom of Information (“FOI”)
Finally, it may be useful to add a word about FOI. Generally, financial services providers do not fall under the FOI regime, as they are not “public bodies” under the Freedom of Information Acts 1997-2003 (the “FOI Acts”). However, it is not completely irrelevant.
First, any records, including audio recordings, of a financial services provider which are held by a public body that is subject to FOI could fall to be released if they come within the scope of an FOI request. The Revenue Commissioners, the DCE and the Competition Authority are all subject to FOI to varying degrees. Public bodies are not always under an obligation to consult with third parties where they propose to release information relating to those third parties under FOI. Therefore, financial services providers should always take care to mark confidential and/or commercially sensitive information as such before submitting it to an ‘FOI-able’ body, in order to increase the possibility of consultation prior to releasing the information concerned.
Currently, the Central Bank is not subject to the FOI Acts. However, the Freedom of Information Bill 2013, published in July 2013, proposes to include the Central Bank as a “partially included” agency, meaning that it will be subject to FOI, other than in relation to certain specified records. These include records which are prohibited from disclosure under the Rome Treaty, the ECSB Statute or any of the Supervisory Directives within the meaning of the Central Bank Act 1942, certain personal information and confidential financial, commercial or regulatory information of persons regulated by the Central Bank.
The Bill also proposes that the NTMA, NAMA, the National Pensions Reserve Fund Commission and the National Development Finance Agency will be “partially included agencies” subject to FOI other than in relation to certain specified records.
Financial services organisations will therefore wish to monitor developments in relation to the Bill in this regard. The Bill is available here.
In 2009, the Central Bank issued a consultation paper proposing to introduce mandatory call-recording of client orders for investment firms authorised pursuant to Regulation 40(6) of the European Communities (Markets in Financial Instruments Directive) Regulations, S.I 60 of 2007 (the “MiFID Regulations”). The MiFID Regulations also apply to banks when providing investment services. The Central Bank postponed its consideration of this proposal pending a European Commission review of MiFID and consideration by the Committee of European Securities Regulator (“CESR”) of new unified regulations on callrecordings and electronic communications.
As part of its findings, CESR (which is now ESMA) recommended to the European Commission that MiFID firms record all telephone conversations, including those on mobile phones, and electronic communications when:
- receiving orders;
- transmitting orders to entities that are not subject to the MiFID recording requirement; and
- concluding a transaction either by executing a client’s order or dealing on own account.
The changes have yet to be approved by the European Commission or the Parliament and accordingly, the Central Bank has not issued any formal requirements or recommendations in respect of telephone conversation recording.
However, it is currently proposed that MiFID II will introduce mandatory recording. The draft text of MiFID II introduces a requirement to record client orders covering the services of receipt and transmission of orders and execution of orders and transactions concluded when dealing on own account in all financial instruments. The obligation applies to all forms of telephone conversation and electronic communications and the draft directive proposes a minimum retention period of 3 years. MiFID II is not expected to be implemented by Member States until 2015.
Currently, financial services providers are not required by law to record telephone conversations. This may change for investment firms in the future.
In the meantime, in line with industry practice in Ireland, most financial services providers do record calls. Such recordings will be a valuable asset when dealing with consumer complaints to the FSO.
However, as highlighted in this article, the practice of call-recording triggers many compliance requirements and (unexpected) legal implications, such as the right of access, which financial service providers must bear in mind.