SBP Directs Banks to Ensure Confidentiality of Customers’ Data

State Bank of Pakistan (SBP) directed banks to ensure confidentiality of consumers’ data and required the banks to put in place adequate controls at their call centers, including but not limited to continuous CCTV vigilance, physical entry and exit checks, non-accessibility to portable devices or cell phones, controlled accessibility to printers, emails, etc.

Call centers are rapidly becoming customers’ top choice to communicate with their banks. Over time, the use of call centers by customers to seek information, guidance, and redressal of complaints from their banks has increased significantly. On the other hand, technological advancements are helping the banks to provide self-banking solutions through call centers.

The growing importance of call centers in the bank-customer relationship makes it imperative for the banks to efficiently manage their call centers for enhanced customer experience. Recently, SBP conducted a thematic review of the call center management at banks. In the light of the findings, it has issued today regulatory instructions to banks on call center management.

SBP has issued guidelines for the banks’ call centers to standardize the varying practices for their management and to improve their efficiency for better facilitation to the customers.

Confidentiality of Customers’ Data

To ensure confidentiality of consumers’ data, banks will put in place adequate controls at their call centers, including but not limited to continuous CCTV vigilance, physical entry and exit checks, non-accessibility to portable devices or cell phones, controlled accessibility to printers, emails, etc.

Banks are advised to devise an appropriate mechanism to allow their call center staff access to customers’ data on a “Need-to-Know” basis, i.e., restricted to the customers contacting the call center. Proper logs of this access to customers’ information should be maintained and periodically monitored, preferably through automated/artificial intelligence surveillance.

Banks should ensure masking of the Credit or Debit card numbers so that the call agents could only view the last four digits of the cards. Similarly, appropriate controls must be devised to provide only basic/ limited/ non-financial data to outbound teams.

Policy & Oversight

Banks should have a comprehensive policy and Standard Operating Procedures (SOPs) on call center management duly approved by their Board of Directors and CEO, respectively.

Banks that have outsourced their call centers will ensure compliance with the SBP’s existing instructions on outsourcing. Further, they will also ensure that the confidentiality of the customers’ data is sufficiently protected through appropriate oversight and security clauses in the contract. Besides, the supervision function like quality assurance checks of call center should not be outsourced.

Call centers must have an independent reporting line to avoid conflict of interest. In addition to a senior officer heading the function of call centers, banks will ensure periodic reporting on the performance of call centers to a senior level management committee at least quarterly. It should be explicitly made part of the Terms of Reference (TORs) of the committee to monitor the overall service quality and performance of call centers.

Banks should also ensure that the minutes of the committee’s meetings are recorded along with the status of implementation of decisions taken, and the same should be made available for review of the SBP inspection team.

Ease of Lodgment/ Convenience/Fairness

All banks are encouraged to deploy toll-free numbers for their call centers. It should be ensured that call center numbers are displayed prominently on banks’ websites and notice boards in branches. In case of more than one call center number, banks will mention the line of business or product in front of each number for convenience so that only the relevant number may be dialed by the customers.

The banks should also conduct consumer testing/consumer recalls at least on an annual basis to assess customer awareness regarding call centers and take actions for improvement where required.

Measures should be taken to reduce the call wait time as much as possible to avoid inconvenience to the customers. Banks should develop internal standards/Key Performance Indicators (KPIs) regarding the call wait time for different types of calls. The performance, in this respect, should be monitored by the management level committee referred to above in para C through regular reporting. However, the call wait time for card lost/card stolen/card block requests should not be more than one minute.

‘Card lost/ Card stolen/ Card Block’ request should be the first option on the IVR menu after the call connects to the call centers of the banks. Further, the customers should also be provided with an automated option for blocking cards/accounts/digital channels (preferably through TPIN).

Besides, the banks are encouraged to introduce IVR options for regional languages while ensuring the availability of appropriate resources for such options.

The banks should ensure that call agents do not refuse to lodge the complaints of the customers/callers. It should also be ensured that a complaint number is provided to all complainants through SMS/ email.

Banks should adopt appropriate call management tools/functionality, including but not limited to self-banking options, queue management, etc. It is encouraged that the callers/ customers are apprised of their number/ order in the call queue with the option of call back.

Further, it should be ensured that all call centers have feedback options and the callers/customers are adequately informed and encouraged to provide their feedback through the given option. Banks should ensure that the consumers are explicitly informed about their calls being recorded at the call center. Banks will not market their products/services except on toll-free numbers. The banks are encouraged to play awareness messages during the call wait time.

Banks should ensure that the complaints received through the call center are properly recorded in the Complaint Management System (CMS), preferably through appropriate automation.

Call Center Resources

Banks should have adequate IT controls, contingency, and disaster recovery set-ups for their call centers. Banks should ensure that their call centers are adequately staffed. Further, it should also be ensured that the call center staff is adequately trained, particularly on digital fraud management, relevant policies and initiatives of banks, and query and complaint handling.

Further, the impact assessment of such training should also be conducted by banks for improvements in future training. All inbound and outbound calls at the call centers will be recorded. The recordings will at least be retained for one year. However, for digital transactions and customers’ consent to be obtained in specific instances, banks will comply with the relevant/ applicable rules and regulations. The custodian of these call recordings and archival/retrieval mechanism may explicitly be developed and monitored while ensuring that only relevant officials have access to such records.

Further, the role of call centers in the complaint handling function should also be reflected in the KPIs of the call center staff and adequately covered in the respective policy. Banks should also assess the performance of their call centers through monitoring tools like mystery calls, customers’ feedback and call center staff’s own feedback, at least once a year. Service quality and data confidentiality of call centers should also be assessed/reviewed annually by the banks’ internal audit function.

Further, banks should ensure that Turn Around Times (TATs) of their call centers, especially those related to blocking of cards and lodgment of complaints, are monitored on a regular basis.

Banks are required to comply with SBP instructions by June 30, 2021.
