| Regulation | Jurisdiction | Industry | Record Type | Requirements |
|---|---|---|---|---|
| Dodd-Frank | USA | Financial Services | All records that relate to swaps | Five years retention |
| ECPA (Electronic Communications Privacy Act) | USA | All | Electronic communications, which includes voice recordings | Strict requirements when preserving and disclosing voice recordings |
| FINRA (Financial Industry Regulatory Authority) | USA | Financial Services | Electronic communications, including voice recordings, for broker-dealers and other financial institutions | Various rules governing the retention and supervision of electronic communications |
| FTC Act (Federal Trade Commission Act) | USA | All | Voice recordings that involve consumer interactions | Compliance with various consumer privacy and data security requirements |
| HIPAA (Health Insurance Portability and Accountability Act) | USA | Healthcare | Voice recordings containing protected health information (PHI) | Strict requirements for storage, access, and disclosure |
| Sarbanes-Oxley Act (SOX) | USA | All publicly listed corporations | All records related to financial transactions, which includes voice recordings related to financial reporting | Seven years retention |
| SEC 17a-4 | USA | Financial Services | Broker-dealer voice recordings | Retention of three years total, with first two years in an easily accessible location |
| CCPA (California Consumer Privacy Act) | USA | All businesses collecting personal information on California residents | Personal information, which may include voice recordings | Compliance with data subject access requests (DSARs) and deletion requests related to voice recordings; ensure secure storage and retrieval |
| FCA (Financial Conduct Authority) | UK | Financial Services | Recorded telephone conversations | Six months retention |
| FSC (Financial Services Commission) | S. Korea | Financial Services | Voice recordings related to trading of financial investment instruments | Ten years retention |
| PCI DSS (Payment Card Industry Data Security Standard) | Global | Any company collecting or processing credit card information | Voice recordings which capture credit card information during customer interactions | Strict requirements for secure storage and handling |
| GDPR (General Data Protection Regulation) | EU | All businesses that collect personal information on EU residents | Voice recordings containing personal data | Strict requirements for handling, including the right to erasure and data subject access requests (DSARs) |
| MiFID II (Markets in Financial Instruments Directive) | EU | Financial Services | Transaction-related voice recordings and electronic communications | Retention of at least five years |
| NAFR (National Administration of Financial Regulation, formerly CBRC) | China | Financial Services | Sound recordings relating to sales of wealth management products | Various rules governing the retention of transaction records |
| ASIC (Australian Securities and Investments Commission) | Australia | Financial Services | All relevant electronic and telephone communication records | Seven years retention |