Security & Compliance

Financial Services & PCI DSS

Banks, NBFCs, insurance companies, fintech platforms, and payment processors operate under strict regulatory frameworks. This page covers the controls Converse provides for financial services deployments.

PCI DSS — Cardholder data

Never instruct an AI agent to collect full card numbers, CVV codes, or PINs. Converse is not a PCI DSS-certified cardholder data environment. If your use case requires collecting payment card data, use a PCI-compliant payment IVR (like Stripe, PayU, or Razorpay's IVR product) and integrate it as a transfer destination from your Converse flow.

Common financial services use cases

Collections & recovery

Automated EMI reminders, overdue payment follow-ups, settlement offer flows.

Account servicing

Balance inquiries, statement requests, address updates, account activation.

Insurance

Claim status updates, premium reminders, policy renewal outreach.

KYC & onboarding

Document collection prompts, verification status updates, appointment scheduling.

Fraud alerts

Outbound alerts for suspicious transactions, confirmation calls.

Customer surveys

Post-transaction NPS, product satisfaction surveys.

Call recording for audit & dispute resolution

Financial regulators (RBI, SEBI, FCA, SEC) often require retaining records of customer communications. Enable Call Recording in Settings → Security:

Tamper-evident audit trail

For SOC 2, ISO 27001, or regulatory examinations, the audit log provides:

Collections compliance (India / RBI)

For collections outreach in India, the RBI's Fair Practices Code and TRAI DND regulations impose specific requirements. Configure your campaigns and agents accordingly:

Data handling for financial records

Recommended financial services configuration

Enable Call Recording with appropriate retention period (7 years is common)

Enable Tamper-evident Audit Log

Configure campaigns to call only between 8am–7pm in the contact's timezone

System prompt must include: "You are an automated AI. Always identify yourself as such."

System prompt must prohibit: threats, repeated calling, collection of card/PIN/CVV

Use PHI Protection to redact account numbers from stored transcripts

Never use Collect Data nodes to request CVV, PIN, or OTP — transfer to payment IVR

Configure "do not call" opt-out words in campaign interest keywords

Enable MFA for all users who can access call recordings or transcripts

Set data retention policies to match your regulatory minimum retention requirement
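Two of the controls in the checklist above (redacting account and card numbers from stored transcripts, and calling only inside the 8am–7pm window in the contact's timezone) can be verified independently of the platform. The following is an added example written for this page, not Converse's PHI Protection or campaign scheduler: it scans a constructed transcript before storage, masks any Luhn-valid payment card number (a "pan" finding, which the page says must never occur and which should be alerted on), masks other long digit runs as account numbers, and checks a UTC call timestamp against the calling window. The regexes, the fixed IST offset standing in for an IANA zone, and the sample transcript (which uses the well-known Visa test number) are all assumptions of the example.

```python
"""Constructed example: pre-storage transcript scan for cardholder data and account
numbers, plus a calling-window check. Illustrative only; not Converse's own code."""
import re
from datetime import datetime, time, timedelta, timezone, tzinfo

# 13-19 digits, optionally separated by single spaces or dashes (typical of speech-to-text output)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# 9-18 digits with optional separators: account numbers, loan references, and anything that
# looked like a card number but failed the Luhn check (assumed ranges for this example)
ACCOUNT_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){8,17}\d(?!\d)")

# Constructed transcript; 4111 1111 1111 1111 is the widely published Visa test PAN.
SAMPLE_TRANSCRIPT = (
    "Agent: Hello, this is an automated AI calling from Example Finance about your EMI.\n"
    "Customer: Just charge my card 4111 1111 1111 1111, account 305007123456.\n"
    "Agent: I cannot take card details on this line; transferring you to the payment IVR.\n"
)

IST = timezone(timedelta(hours=5, minutes=30))  # fixed offset standing in for Asia/Kolkata


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812-1): separates real PANs from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_transcript(text: str):
    """Return (redacted_text, findings).

    A 'pan' finding means cardholder data reached the transcript at all, so the agent
    collected something it must never collect; treat it as an incident, not just a redaction.
    """
    findings = []

    def mask_pan(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)            # not a card number; the account pass handles it
        findings.append({"type": "pan", "last4": digits[-4:]})
        return f"[CARD ****{digits[-4:]}]"

    def mask_account(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        findings.append({"type": "account", "last4": digits[-4:]})
        return f"[ACCT ****{digits[-4:]}]"

    redacted = PAN_CANDIDATE.sub(mask_pan, text)          # card numbers first
    redacted = ACCOUNT_CANDIDATE.sub(mask_account, redacted)  # then remaining long numbers
    return redacted, findings


def within_calling_window(when: datetime, contact_tz: tzinfo,
                          start: time = time(8, 0), end: time = time(19, 0)) -> bool:
    """True if the aware datetime `when` falls in [start, end) in the contact's local time.
    Production code would pass zoneinfo.ZoneInfo(<contact's IANA zone>) as contact_tz."""
    local = when.astimezone(contact_tz).time()
    return start <= local < end


def window_examples() -> dict:
    """Constructed UTC timestamps checked against the 8am-7pm IST window."""
    return {
        "0830_ist": within_calling_window(datetime(2024, 1, 15, 3, 0, tzinfo=timezone.utc), IST),
        "1900_ist": within_calling_window(datetime(2024, 1, 15, 13, 30, tzinfo=timezone.utc), IST),
        "0759_ist": within_calling_window(datetime(2024, 1, 15, 2, 29, tzinfo=timezone.utc), IST),
    }


if __name__ == "__main__":
    redacted, findings = scan_transcript(SAMPLE_TRANSCRIPT)
    print(redacted)
    for f in findings:
        print("finding:", f)
    print("calling window checks:", window_examples())
```

The Luhn pass is what makes the two findings meaningful: a loan reference that happens to be 16 digits long is masked as an account number, while a checksum-valid number is reported as cardholder data so the transcript can be quarantined and the flow that produced it reviewed. The window check expects an aware datetime; comparing naive timestamps silently ignores the contact's timezone.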