Deploying an Offshore SaaS Recording Solution for Microsoft Teams

What You Need to Know to Ensure Compliance with Territory-Specific Regulations


Blog Post by Paul Cottee on 17 August 2021 in category Communication Compliance

Today, the number of regulated employees working from remote locations is considerably higher than it has ever been. This has caused the adoption of Microsoft Teams – and its embedded collaboration tools which span phone, video, chat and beyond – to grow exponentially. As with all regulated employee conversations, MS Teams’ communications must also be recorded (under PCI DSS, Dodd-Frank, MiFID II, and other laws and regulations). The problem is – many traditional recording solutions are only able to capture voice. If your firm is considering MS Teams, or has already deployed it, you will need a new omnichannel communication capture and archiving solution to remain compliant.

NICE Recording for Microsoft Teams was the first such solution to be certified by Microsoft and can be deployed as a fully managed cloud solution or an on-prem solution. If your firm is interested in going the fully-managed cloud route but you’re concerned about local regulations regarding use of offshore Software as a Service (SaaS) Solutions, there are regulatory considerations you need to be aware of, which vary by territory. We discuss the most pressing questions related to this topic below:

1. Can our employees’ conversations be recorded?

In most cases, yes; that said, in many territories some form of consent will be required from at least one of the parties to the conversation. This can usually be achieved by an appropriate disclosure, such as a clause in an employment contract or customer agreement. Some territories are less clear with respect to recording conversations (as opposed to other forms of employee personal data), but good practice still appears to be to obtain consent up-front. Note, some territories (for example, the UK) mandate that certain communications (such as those around a financial markets’ transaction) are recorded and retained, obviating the need for employee or customer consent with respect to recording relevant communications.

2. Can we send recording data to our data centre and surveillance function, both of which are offshore?

Similar to my answer above, in most cases the answer is yes, with caveats. Many territories require the subject’s consent. Others permit transfer to territories with ‘equivalent’ or ‘appropriate’ controls over personal data. Still others allow transfer subject to an official license, permit or notification. Again, obtaining an employee’s consent via the employment contract is usually a good first step. The bottom line is – it’s important to look at the specific requirements for your territory if you’re considering deploying an offshore SaaS recording solution for Microsoft Teams. Check out NICE’s Compliance Recording Cloud Outsourcing Regulations by Territory Information Sheet to see a territory-by-territory breakdown of requirements.

3. What about firms located in multiple territories?

For firms with operations in multiple territories, it can get a bit more complicated. Consider for a moment the recorded communications of a firm with traders employed in Singapore, London, and New York. The traders’ communication recording files are sent to a data centre in Bangalore for storage and perhaps a level of processing (for example, automated searching for key words or phrases in the communications). The resulting data are then accessed and examined by a surveillance officer in Toronto (or perhaps automatically sent to a server in Toronto where the analyst subsequently accesses it). In this case:

  • The traders’ business communications are required to be recorded by their local regulators (hence no specific consent required from the traders).
  • As the recorded communications (which constitute employee personal data) are sent to India for storage & processing, it would be a good practice to obtain prior consent from the traders through their employment contracts.
  • Since the processed data files are accessed by an analyst in Canada (or sent to Canada), again it’s a good practice to obtain prior consent from the traders, although (for the UK employee) this would likely be permitted anyway given Canada’s standing as an ‘adequate territory’ for UK personal data transfer purposes.

In summary, in most territories, employee communications can be recorded, and recording data can be sent and accessed offshore. In some territories, regulated employee conversations must be recorded under law. In a world where many financial services firms are still allowing regulated employees to work from home, and are heavily reliant on Microsoft Teams, having a reliable recording solution is a necessity.

Effective omnichannel recording not only protects firms from reputational and regulatory risks, but also empowers business insights derived from customer interactions. NICE Recording for Microsoft Teams provides complete recording coverage for all Microsoft Teams-based communications (regardless of their modality), all call scenarios, and federated Teams’ systems as well, ensuring global regulatory compliance and delivering value from all communications.

If you have questions or concerns regarding the use of an offshore SaaS recording solution, reach out to me at Paul.Cottee@nice.com.