UK Recording “Bring Your Own Device” Calls – or Not?

A discussion about the complexities of recording a phone the trading firm does not own – and understanding IP2016 better

by Robert Powell, Director of Compliance, IPC 

With MiFID II approaching, more and more customers are asking about mobile recording and how they can achieve it. Many banks have moved to a “bring your own device” (BYOD) model where employees pay for both the mobile phone and the calls. Employees are then able to claim an allowance or expenses for calls made for business purposes, thereby lowering a firm’s cost.

Let’s discuss the specifics of recording calls for a UK-based individual from a personal device – using an application or service – which the financial firm does not own.

Baseline information: Telephone recording or “intercepts” are governed primarily by the Investigatory Powers Act 2016 (IP2016). This Act was introduced in response to an independent review, published in 2015, of the powers available to intercept communications. It seeks to clarify the use of intercepts by government authorities and to clarify some other elements of the law. The European Court of Justice declared that surveillance on a mass scale is unlawful, and some commentators reported that this might affect the Investigatory Powers Act. However, in practice, the Act appears to be fully implemented and is the basis for legal call recording and intercepts in the United Kingdom.

One of the main focuses of IP2016 is to describe what is lawful and what is not lawful in terms of intercepting communications, with attention given to telephone calls made on public and private telephone systems. For this example, I will assume the calls are being made on a public telephone system.

Use Case: Imagine the simplest situation, where an employee makes a call from within the UK using a device they have paid for, on a mobile service plan they have contracted for directly with the telephone operator, and the call is recorded by their employer. The law in this case is relatively simple.

First, we should look at section 6 of IP2016. Section 6 handles lawful authority (see reference below). It is clear from this section that the employer does not have lawful authority to record any calls.

Second, we should look at section 44, which handles consent of the participants. The section is clear that if you only have one individual’s consent to record a call, then you will also require authorization under the Regulatory Powers Act 2000 (or equivalent in Scotland), which means you need a Home Office or police document to make the recording legal. Getting the consent of all the individuals on a call is possible, but there is an inherent risk that consent might be missed and that the notification of recording would significantly interfere with the ability of a call to take place. In an environment where user experience and time are very important, most firms are shying away from using announcements on recorded mobile phones.

Next, we should also look at the provisions of section 47 that provide for businesses to record for monitoring and record-keeping purposes.

While this section grants limited ability for businesses to record calls if the Secretary of State has required it by regulations (i.e. the financial markets regulations in the FCA SYSC rules), it specifically prevents a firm from recording any communications unless they are carried out on apparatus or services provided by or to the person carrying on the relevant firm activities.

Finally, what about using an application to allow the user to make and receive calls on a business number? It is clear that who owns the device and who pays for the service are critical elements in determining who has authority to record a call. If the user owns the device and pays for the service, then another person cannot legally record the calls made on that device without breaking the IP2016 Act.

In conclusion, the current law in the United Kingdom prevents a firm from legally recording any conversations on a device that they themselves do not own. BYOD will not be an acceptable route for the recording of financial markets calls for the purpose of MiFID II. If you add in the possibility of a user making a call outside of the UK or roaming on a non-UK network, additional complexity could be introduced that makes the recording of calls even less likely to be permitted.

The penalties for unlawfully recording a call are up to £50,000 and civil liability can also attach to anyone unlawfully recording calls.

For firms that want to record their employees’ phone calls, my advice would be to:

a) own the equipment and service that calls are made on.

b) make sure that calls are routed through jurisdictions that they are comfortable with.

Mobile operators provide the best quality and most reliable solutions available. Understanding these issues and guidelines will certainly help mitigate compliance risks.