Industry (updated March 10, 2026), 10 min read

Call Recording for Insurance: Compliance Requirements

A practical guide to insurance call recording compliance -- FCA requirements, GDPR overlap, consent mechanisms, data retention, and AI-powered monitoring.

By Coldread Team

We help small sales teams get enterprise-level call intelligence.

If you work in insurance and make sales calls, you are almost certainly required to record them. But recording calls is only the beginning. The regulatory requirements around how you record, store, access, and manage those recordings are detailed, and getting them wrong carries serious consequences.

This guide breaks down the practical compliance requirements for insurance call recording in the UK, covering FCA rules, GDPR overlap, consent mechanisms, data retention, audit trails, and how modern call intelligence tools can help you stay compliant without drowning in manual processes.

Why Insurance Call Recording Is Non-Negotiable

Insurance call recording is not a nice-to-have. It is a regulatory requirement driven by consumer protection principles. The Financial Conduct Authority (FCA) mandates call recording for insurance firms to ensure:

  • Fair treatment of customers -- recordings provide evidence that customers were treated honestly and given adequate information, as call recording compliance standards require
  • Suitability of advice -- if a complaint arises, the recording proves whether the recommendation matched the customer's stated needs
  • Transparency -- customers should be able to access records of what was discussed and agreed
  • Market integrity -- recordings deter and expose mis-selling practices

The consequences of non-compliance are not theoretical. The FCA has issued fines in the millions for failures related to call recording, record-keeping, and mis-selling. Beyond fines, firms can face restrictions on their permissions, mandatory remediation programmes, and reputational damage that erodes customer trust.

FCA Requirements for Insurance Call Recording

The FCA's requirements for call recording sit within a broader framework of conduct rules, record-keeping obligations, and systems and controls requirements.

Who Needs to Record

If your firm is authorised by the FCA and conducts insurance business over the phone, you are required to record those calls. This includes:

  • Insurance intermediaries -- brokers, agents, and managing general agents
  • Insurance companies conducting direct sales
  • Claims handlers where calls relate to policy terms, coverage decisions, or settlements
  • Firms arranging insurance even if they are not the primary insurer

The requirement covers all calls where insurance is discussed, advised on, or transacted -- not just the final sale call.

What Must Be Recorded

The FCA expects firms to record:

  • Sales calls -- from initial contact through to policy inception
  • Advisory calls -- any call where a recommendation is made
  • Claims calls -- particularly where coverage decisions are discussed
  • Complaint calls -- essential for dispute resolution
  • Renewal calls -- where policy terms or cover changes are discussed

In practice, most firms find it simpler and safer to record all calls rather than trying to determine in real time which calls are subject to recording requirements. Selective recording creates gaps that are difficult to justify to regulators.

Quality of Recording

The recording must be of sufficient quality to be intelligible. This sounds obvious, but it has practical implications:

  • Audio quality must be clear enough to understand what was said by both parties
  • Complete recording -- calls must be captured from start to finish, not partially
  • Identifiable -- it must be possible to link a recording to a specific customer, date, and agent
  • Accessible -- recordings must be retrievable in a reasonable timeframe when requested

GDPR and Call Recording: Where the Rules Overlap

Call recordings contain personal data. That means GDPR applies alongside FCA requirements, and the two frameworks interact in ways that firms often find confusing.

Lawful Basis for Recording

Under GDPR, you need a lawful basis to process personal data, which includes recording calls. For insurance firms, the most common bases are:

Legal obligation (Article 6(1)(c)) -- You are required by FCA rules to record calls. This is the strongest and most straightforward basis for insurance firms.

Legitimate interests (Article 6(1)(f)) -- Quality assurance, training, and fraud prevention. This basis requires a legitimate interests assessment (LIA) to demonstrate that your interests do not override the individual's rights.

Consent (Article 6(1)(a)) -- While consent can be used, it is generally not the best primary basis for insurance call recording because consent must be freely given and withdrawable. If someone withdraws consent but you are required to record under FCA rules, you have a conflict. Use legal obligation as your primary basis and consent as a supplementary mechanism.

Many firms use a consent-based approach out of habit ("This call may be recorded for training and quality purposes"). While this statement is useful for transparency, relying on consent as your sole lawful basis creates problems:

  • Withdrawability -- if a customer says "I don't consent to being recorded," you cannot simply stop recording and continue the call if FCA requires you to record it
  • Freely given -- if the customer has no real choice about whether the call is recorded, the consent is arguably not freely given

The better approach is to inform the customer that the call is being recorded as a regulatory requirement and that the recording will be handled in accordance with your privacy policy. This is transparent without creating the implication that recording is optional.

GDPR Rights and Call Recordings

Customers have GDPR rights in relation to their call recordings:

Right of access (Article 15) -- Customers can request a copy of their call recordings. You must provide this within one month.

Right to erasure (Article 17) -- Customers can request deletion of their recordings. However, this right does not apply where processing is necessary for compliance with a legal obligation (i.e., FCA requirements). You can retain recordings for the regulatory retention period even if a customer requests erasure.

Right to restriction (Article 18) -- In certain circumstances, customers can request that you restrict processing of their recordings (e.g., while a complaint is being resolved).

Right to be informed (Articles 13-14) -- Customers must be told that calls are being recorded, why, how long recordings are kept, and their rights in relation to those recordings. This is typically covered in your privacy notice and the recording announcement at the start of the call.

Consent Mechanisms

Even when legal obligation is your primary lawful basis, you still need effective consent mechanisms for transparency and trust.

The Pre-Call Announcement

Every recorded call should begin with a clear announcement. Here is a compliant example:

"Before we continue, I need to let you know that this call is being recorded. We record calls as required by the Financial Conduct Authority for regulatory purposes, and for quality assurance and training. The recording will be stored securely and retained in accordance with our data retention policy. Our full privacy notice is available on our website at [URL]. Are you happy to proceed?"

Key elements:

  • Clear statement that the call is being recorded
  • Why -- regulatory requirement, quality assurance
  • How long -- reference to retention policy
  • Where to find more information -- privacy notice
  • Acknowledgment -- asking if they are happy to proceed

Handling Refusal

If a customer objects to being recorded:

"I understand your concern. Unfortunately, as an FCA-regulated firm, we are required to record this call for your protection and ours. If you prefer not to continue by phone, I can offer you [alternative channel -- email, written correspondence, in-person meeting]. Which would you prefer?"

This approach is transparent, compliant, and offers a genuine alternative.

Maintain a log of consent for each call. Modern VoIP systems and call intelligence platforms can automate this by timestamping the consent moment within each recording, making it easy to demonstrate compliance during audits.

Data Retention: How Long to Keep Recordings

Data retention is where FCA requirements and GDPR principles create the most tension. FCA expects you to keep records. GDPR says you should not keep personal data longer than necessary.

FCA Retention Requirements

The FCA does not prescribe a single retention period for all call recordings, but the general guidance and industry practice are:

Call Type              Recommended Retention
Sales/advisory calls   Minimum 5 years from end of relationship
Claims calls           Duration of claim + 6 years
Complaint calls        5 years from resolution
General enquiries      3 years minimum

The 5-year minimum for sales calls aligns with the FCA's expectation that firms should be able to evidence conduct over the lifetime of a customer relationship plus a reasonable buffer for complaints and disputes.

GDPR Minimisation Principle

GDPR requires that personal data is not kept longer than necessary. For insurance call recordings, this means:

  • Retain for as long as the regulatory requirement mandates -- this is your legitimate basis
  • Delete when the retention period expires -- do not keep recordings indefinitely
  • Document your retention policy -- be specific about how long different types of recordings are kept and why
  • Apply the policy consistently -- automated deletion at the end of retention periods is far more reliable than manual processes

Practical Retention Policy

A practical policy for insurance firms:

  1. Record all calls as a default
  2. Retain sales and advisory recordings for 5 years from the end of the customer relationship or policy term, whichever is later
  3. Retain claims recordings for the duration of the claim plus 6 years
  4. Retain complaint recordings for 5 years from complaint resolution
  5. Automatically delete recordings when their retention period expires
  6. Document the policy and make it available to customers in your privacy notice
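The retention schedule above, implemented as an added example (not code from the article or from Coldread): it computes each recording's scheduled deletion date from the retention table, and shows how the retention job should answer an Article 17 erasure request that arrives inside the regulatory period and an Article 18 restriction. Call types, field names and the year-arithmetic helper are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_years(d: date, years: int) -> date:
    """Add whole calendar years; a 29 Feb anchor rolls back to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class CallRecord:
    # Constructed schema: call types mirror the article's retention table.
    call_type: str                              # "sales" | "advisory" | "claims" | "complaint" | "general"
    call_date: date
    relationship_end: Optional[date] = None     # sales/advisory anchor (None while still a customer)
    policy_end: Optional[date] = None           # sales/advisory anchor (policy term)
    claim_closed: Optional[date] = None         # claims anchor (None while the claim is open)
    complaint_resolved: Optional[date] = None   # complaint anchor (None while unresolved)
    restricted: bool = False                    # Article 18 restriction / live dispute hold


def scheduled_deletion(rec: CallRecord) -> Optional[date]:
    """Deletion date per the retention table; None while the anchor event has not happened."""
    if rec.call_type in ("sales", "advisory"):
        if rec.relationship_end is None:
            return None
        # 5 years from end of relationship or policy term, whichever is later
        anchor = max(rec.relationship_end, rec.policy_end or rec.relationship_end)
        return add_years(anchor, 5)
    if rec.call_type == "claims":
        return add_years(rec.claim_closed, 6) if rec.claim_closed else None
    if rec.call_type == "complaint":
        return add_years(rec.complaint_resolved, 5) if rec.complaint_resolved else None
    if rec.call_type == "general":
        return add_years(rec.call_date, 3)
    raise ValueError(f"unknown call type {rec.call_type!r}")


def deletion_decision(rec: CallRecord, today: date, erasure_request: bool = False) -> str:
    """What the automated retention job may do today: 'hold', 'retain', 'refuse-erasure' or 'delete'."""
    if rec.restricted:
        return "hold"  # Article 18: keep the recording but do not process or delete it
    due = scheduled_deletion(rec)
    if due is None or today < due:
        # Article 17 does not override the legal-obligation basis (Article 6(1)(c))
        return "refuse-erasure" if erasure_request else "retain"
    return "delete"
```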

Audit Trails: Proving Compliance

Having recordings is necessary but not sufficient. You also need to demonstrate that your recording and retention practices are compliant. This is where audit trails come in.

What an Audit Trail Should Include

For each call recording:

  • Date and time of the call
  • Duration
  • Agent/employee who conducted the call
  • Customer identification -- name, policy number, or other identifier
  • Call type -- sales, claims, complaint, etc.
  • Consent record -- timestamp of when the recording announcement was made
  • Retention category -- which retention rule applies
  • Scheduled deletion date -- when the recording will be automatically deleted
  • Access log -- who has accessed the recording and when

Access Controls

Not everyone in your firm should have access to all recordings. Implement role-based access controls:

  • Agents -- access to their own recordings for review and development
  • Team managers -- access to their team's recordings for coaching and quality assurance
  • Compliance officers -- broad access for monitoring and audit purposes
  • HR -- access only when required for specific investigations
  • Customers -- access to their own recordings via subject access requests

Every access should be logged. This protects both the firm and the individuals whose calls are recorded.
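The role-based access model above, as an added example (not the article's or Coldread's own code): each role from the list is encoded as a rule, and every access decision, granted or denied, is appended to an access log so the audit trail can show who opened which recording and when. Role names, record fields and the in-memory log are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Dict


@dataclass
class Recording:
    recording_id: str
    agent_id: str
    team_id: str
    customer_id: str


@dataclass
class Principal:
    user_id: str
    role: str             # "agent" | "manager" | "compliance" | "hr" | "customer"
    team_id: str = ""
    customer_id: str = ""


# Constructed in-memory log; a real deployment writes to append-only, tamper-evident storage.
access_log: List[Dict[str, str]] = []


def may_access(p: Principal, rec: Recording, purpose: str, investigation_ref: str = "") -> bool:
    """Role rules from the article: own recordings, team recordings, broad compliance access,
    HR only with a specific investigation, customers only via a subject access request."""
    if p.role == "agent":
        return rec.agent_id == p.user_id
    if p.role == "manager":
        return rec.team_id == p.team_id
    if p.role == "compliance":
        return True
    if p.role == "hr":
        return bool(investigation_ref)
    if p.role == "customer":
        return rec.customer_id == p.customer_id and purpose == "subject_access_request"
    return False  # unknown roles are denied by default


def access_recording(p: Principal, rec: Recording, purpose: str, investigation_ref: str = "") -> bool:
    """Decide and log in one step so no access path can bypass the audit trail."""
    allowed = may_access(p, rec, purpose, investigation_ref)
    access_log.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "user": p.user_id, "role": p.role, "recording": rec.recording_id,
        "purpose": purpose, "investigation": investigation_ref,
        "result": "granted" if allowed else "denied",
    })
    return allowed
```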

Regular Compliance Audits

Conduct periodic audits of your call recording practices:

  • Monthly -- sample check that all calls are being recorded completely and clearly
  • Quarterly -- review retention practices, check that expired recordings are being deleted
  • Annually -- full compliance review including consent mechanisms, privacy notices, access controls, and retention policy

For a broader view of how GDPR affects call recording across industries, see our GDPR call recording guide.

How AI Helps With Compliance Monitoring

Manual compliance monitoring has a fundamental scaling problem. A compliance officer can review perhaps 20-30 calls per day in detail using traditional call scoring methods. If your team makes 200 calls a day, that is a 10-15% sample at best. The other 85-90% go unreviewed.

AI-powered call intelligence changes this equation by analysing every call automatically.

Automated Compliance Checks

AI can monitor every call for:

Opening compliance:

  • Was the recording announcement made?
  • Did the agent identify themselves and the firm?
  • Was the purpose of the call stated?

Disclosure compliance:

  • Were policy exclusions mentioned?
  • Were excesses and limitations explained?
  • Were material terms communicated clearly?

Conduct compliance:

  • Was there evidence of pressure selling?
  • Did the agent give the customer adequate time to consider?
  • Was the recommendation suitable based on the stated needs?

Record completeness:

  • Was the full call captured?
  • Is the audio quality sufficient?
  • Are all metadata fields populated?

Risk-Based Prioritisation

Rather than reviewing random samples, AI can flag the calls most likely to have compliance issues. This means your compliance team spends their time reviewing the calls that actually need attention rather than listening to hundreds of compliant calls to find the one that is not.

Trend Detection

AI can identify patterns that individual call reviews miss:

  • An agent whose compliance scores are declining over time
  • A particular product or script that consistently triggers compliance flags
  • Seasonal patterns in complaint-related calls
  • Systemic issues in how exclusions are communicated

These insights allow you to address problems proactively rather than waiting for a customer complaint or regulatory inquiry to surface them.

Compliance Reporting

Automated analysis generates the documentation that regulators expect to see:

  • Percentage of calls with compliant openings
  • Average disclosure completeness scores
  • Trend reports showing compliance improvements over time
  • Exception reports highlighting calls that need human review

This reporting is invaluable during FCA visits and audits. It demonstrates not just that you have a compliance framework, but that it is actively monitored and continuously improved.

Building a Compliant Call Recording System

If you are building or upgrading your insurance call recording infrastructure, here is a practical checklist:

Technical Requirements

  • All calls recorded automatically (no selective recording)
  • Recordings stored securely with encryption at rest and in transit
  • Audio quality meets intelligibility standards
  • Recordings linked to customer records and call metadata
  • Automated retention management with scheduled deletion
  • Role-based access controls with access logging
  • Backup and disaster recovery for recording storage

Process Requirements

  • Written data retention policy specifying periods by call type
  • Consent mechanism with compliant announcement script
  • Process for handling recording refusals
  • Subject access request process for providing recordings to customers
  • Regular compliance audit schedule (monthly, quarterly, annual)
  • Incident response process for recording failures or breaches

Documentation Requirements

  • Privacy notice covering call recording practices
  • Legitimate interests assessment (if using Article 6(1)(f))
  • Data protection impact assessment (DPIA) for call recording
  • Staff training records on call recording compliance
  • Audit trail specifications and retention

Common Compliance Mistakes

Mistake 1: Relying on Consent as the Primary Lawful Basis

As discussed above, consent is not the strongest lawful basis for regulatory call recording. Use legal obligation as your primary basis.

Mistake 2: Inconsistent Recording

Some firms record sales calls but not claims calls, or record inbound but not outbound calls. This creates gaps that are hard to justify. Record everything.

Mistake 3: No Retention Policy

Keeping recordings indefinitely violates GDPR minimisation. Not keeping them long enough violates FCA expectations. You need a documented policy that balances both.

Mistake 4: Inadequate Access Controls

Everyone in the office can access all recordings. This violates both GDPR and good security practice. Implement role-based access with logging.

Mistake 5: Manual-Only Compliance Monitoring

Reviewing a small random sample of calls creates a false sense of compliance. Automated monitoring through call analytics tools catches what manual sampling misses.

Mistake 6: Ignoring the GDPR-FCA Overlap

Treating FCA compliance and GDPR compliance as separate workstreams leads to conflicts and gaps. They are interrelated and should be managed together.

Getting Started

If you are reviewing or upgrading your insurance call recording compliance:

  1. Audit your current setup -- are all calls being recorded? Is the quality adequate? Is retention managed?
  2. Document your lawful basis -- make sure you have a clear legal basis for recording that accounts for both FCA and GDPR
  3. Review your consent mechanism -- is your recording announcement compliant and clear?
  4. Check your retention policy -- are recordings being kept for the right duration and deleted when they should be?
  5. Assess your monitoring -- how much of your call volume is actually reviewed for compliance?

For insurance teams using Aircall or Ringover, Coldread provides automated compliance monitoring alongside call analytics and intelligence. Every call is transcribed and analysed, giving your compliance team full visibility without the manual burden. Plans start at $29/month -- no per-seat pricing, no annual contracts.
