Financial Services & PCI DSS
Banks, NBFCs, insurance companies, fintech platforms, and payment processors operate under strict regulatory frameworks. This page covers the controls Converse provides for financial services deployments.
PCI DSS — Cardholder data
Common financial services use cases
- Collections & recovery: Automated EMI reminders, overdue payment follow-ups, settlement offer flows.
- Account servicing: Balance inquiries, statement requests, address updates, account activation.
- Insurance: Claim status updates, premium reminders, policy renewal outreach.
- KYC & onboarding: Document collection prompts, verification status updates, appointment scheduling.
- Fraud alerts: Outbound alerts for suspicious transactions, confirmation calls.
- Customer surveys: Post-transaction NPS, product satisfaction surveys.
Call recording for audit & dispute resolution
Financial regulators (RBI, SEBI, FCA, SEC) often require retaining records of customer communications. Enable Call Recording in Settings → Security:
- All calls are recorded and stored with encryption.
- Recordings are accessible to Admin and Owner roles.
- Configurable retention periods — set to match your regulatory requirement (commonly 7 years for financial records).
- Recordings can be exported via API for archival in your own storage.
Tamper-evident audit trail
For SOC 2, ISO 27001, or regulatory examinations, the audit log provides:
- Every configuration change to agents, flows, and channels with before/after values.
- All logins, failed login attempts, and API key usage.
- Campaign creation, modification, start, and stop events.
- Who accessed which call transcripts and when.
- The log is append-only — no user can delete or modify entries.
Collections compliance (India / RBI)
For collections outreach in India, the RBI's Fair Practices Code and TRAI DND regulations impose specific requirements. Configure your campaigns and agents accordingly:
- Calling hours: Set campaign schedule to 8am–7pm only (TRAI guidelines).
- Agent identification: The agent must identify itself as an automated system and state the calling party at the start of every call. Configure this in the agent system prompt and opening Speak node.
- Opt-out handling: Contacts who say "remove me", "do not call", or equivalent are automatically marked as do_not_call by the AI and excluded from future campaigns.
- No harassment: System prompts must explicitly prohibit threatening language, repeated calling, and calling outside permitted hours. The AI follows these instructions strictly.
- Contact information: The agent must be able to provide a callback number or official contact if requested. Configure this via the agent's knowledge base.
Data handling for financial records
- Account numbers: Enable PHI Protection to prevent full account numbers from being stored in transcripts (stored as [ACCOUNT]).
- Do not collect CVV/PIN: Never configure a Collect Data node to ask for card CVV, PIN, or OTP. Transfer to a PCI-compliant system for payment capture.
- Sensitive variable scope: When injecting account data as variables (e.g., {{balance_due}}), ensure it comes from your secure API at call start — not from the transcript of a previous turn.
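As an added illustration of the three rules above (this is constructed example code, not Converse's PHI Protection implementation, whose internals the page does not describe): a post-call transcript sanitizer that tokenizes card and account numbers before storage and refuses to persist a contact's reply to any CVV/PIN/OTP prompt, which also surfaces a misconfigured Collect Data node as a violation. The digit-run lengths, the [CARD] token and the sample transcript are assumptions.

```python
import re
from dataclasses import dataclass
# Constructed for this page, not Converse's own PHI Protection code. Digit-run
# lengths and the [CARD] token are assumptions; tune them to your account format.
ACCOUNT_RE = re.compile(r"\b\d{9,18}\b")            # account-number-length digit runs
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")     # PAN-length runs, optional separators
SECRET_PROMPT_RE = re.compile(r"\b(cvv|cvc|pin|otp|one[- ]time (?:password|code))\b", re.I)

@dataclass
class Turn:
    speaker: str  # "agent" or "contact"
    text: str
def luhn_ok(digits: str) -> bool:
    """Luhn check: only real PANs become [CARD]; other long runs fall through."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(digits)):
        if i % 2:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0
def redact_numbers(text: str) -> str:
    """Replace PANs with [CARD], then account-length digit runs with [ACCOUNT]."""
    def card_sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return "[CARD]" if luhn_ok(digits) else m.group(0)   # non-Luhn run: fall through
    return ACCOUNT_RE.sub("[ACCOUNT]", CARD_RE.sub(card_sub, text))
def sanitize_transcript(turns: list) -> tuple:
    """Return (turns safe to persist, violations). A violation is a flow asking for
    CVV/PIN/OTP; the contact's reply to it is dropped, never stored in any form."""
    safe, violations, secret_requested = [], [], False
    for t in turns:
        if t.speaker == "agent" and SECRET_PROMPT_RE.search(t.text):
            violations.append(f"agent requested a secret: {t.text!r}")
            secret_requested = True
            safe.append(Turn(t.speaker, t.text))   # keep the prompt itself for auditors
        elif t.speaker == "contact" and secret_requested:
            safe.append(Turn(t.speaker, "[REDACTED: reply to secret prompt]"))
            secret_requested = False
        else:
            safe.append(Turn(t.speaker, redact_numbers(t.text)))
    return safe, violations

# Constructed sample; turn 3 is a misconfigured Collect Data step asking for CVV.
SAMPLE = [
    Turn("agent", "Automated AI for Example Bank: EMI of 4500 rupees on account 123456789012 is overdue."),
    Turn("contact", "Can I pay with card 4111 1111 1111 1111?"),
    Turn("agent", "Please tell me the CVV on the back of the card."),
    Turn("contact", "It is 123."),
]
```

Running `sanitize_transcript(SAMPLE)` yields one violation for the CVV prompt, an account token in turn 1, a card token in turn 2, and a redacted turn 4; the violations list is what you would route to the audit log or an alert.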
Recommended financial services configuration
- Enable Call Recording with appropriate retention period (7 years is common)
- Enable Tamper-evident Audit Log
- Configure campaigns to call only between 8am–7pm in the contact's timezone
- System prompt must include: "You are an automated AI. Always identify yourself as such."
- System prompt must prohibit: threats, repeated calling, collection of card/PIN/CVV
- Use PHI Protection to redact account numbers from stored transcripts
- Never use Collect Data nodes to request CVV, PIN, or OTP — transfer to payment IVR
- Configure "do not call" opt-out words in campaign interest keywords
- Enable MFA for all users who can access call recordings or transcripts
- Set data retention policies to match your regulatory minimum retention requirement
