ADR-021: Call recording, transcription, and CRM attachment¶
| Status | Accepted |
| Date | 2026-04-10 |
| Deciders | CTO, CCO, Head of Operations |
| Affects repos | bank-app, bank-risk-platform |
Status¶
Accepted — 2026-04-10
Context¶
Agent calls with customers need to be recorded for regulatory compliance (conduct obligations, dispute evidence), quality assurance, and training. Call recording in banking is both a powerful operational tool and a heavily regulated activity. The design must address consent mechanics, real-time transcription, AI summarisation, PII redaction, secure storage, and clean attachment to the CRM record — with an immutable audit trail throughout.
Poorly designed call recording creates compliance risk (consent not properly obtained), operational cost (agents manually writing call notes), and missed intelligence (call content never analysed). Well designed, it becomes a competitive advantage — agents stop taking notes, compliance QA becomes automated, and the call corpus becomes a searchable intelligence asset.
Decision¶
Consent captured before recording opens. Real-time streaming STT with speaker diarisation. PII redacted from transcript before storage. AI summary (Snowflake Cortex) generated within 2 minutes of call end, attached to CRM record automatically. Call corpus stored in Snowflake for compliance QA and analytics.
Consent is the first engineering problem¶
Both NZ (Privacy Act 2020) and AU (Telecommunications Interception Act) require explicit consent before a call is recorded. The consent script must be delivered and acknowledged before the recording system opens the audio stream — not after.
Consent flow¶
- Agent connects to call
- System delivers standard consent script: "This call may be recorded for quality and compliance purposes. Do you consent to being recorded?"
- Customer responds
- Consent response is written to an immutable audit log with timestamp, agent ID, and call reference
- If consent given: recording system activates and audio stream opens
- If consent declined: recording system never activates; declination is logged
The consent gate is an architectural constraint, not a policy document. If the recording system cannot verify that consent was given before the call reference, the audio stream does not open. This is MOD-049 (consent capture) applied to the call channel.
Staff recording obligations¶
NZ and AU both have different obligations for recording calls with staff consent. Staff consent is typically handled through employment contracts. The agent console must make clear when a call is being recorded.
Real-time transcription¶
AWS Transcribe Streaming or Deepgram both provide streaming speech-to-text with speaker diarisation — they distinguish Agent from Customer in real time and produce a clean dual-track transcript as the call happens.
The agent sees the transcript building in front of them on their screen during the call. This changes the agent experience fundamentally: - No need to ask customers to repeat themselves - Reference numbers and account details captured in the transcript immediately - AI assist panel surfaces suggested responses, compliance alerts, and disclosure prompts in real time
Real-time compliance assist¶
The AI assist panel monitors the live transcript for: - Required disclosures not yet delivered (rate disclosure, fee disclosure, complaints process) - Product claims that require substantiation - Vulnerability indicators in the customer's language - Escalation triggers (threats, distress signals)
If an agent is about to end a call without delivering a required disclosure, the system flags it. This is not a hard gate on the call — it is an alert to the agent. The agent can acknowledge and deliver the disclosure, or mark it as not applicable. Either way, the decision is logged.
PII redaction¶
Customers sometimes read card numbers, account numbers, passwords, or tax file numbers aloud. The transcript pipeline must detect and redact these patterns before the text is stored.
AWS Transcribe has built-in PII redaction that handles common patterns (credit card numbers, phone numbers, social security numbers, names). This runs on the transcript stream in real time. Redacted text is replaced with [REDACTED] placeholders in the stored transcript.
Important: The audio recording itself is not redacted — it is encrypted, access-controlled, and retained per the retention policy. The transcript, which is more broadly accessible (searchable by agents, queryable by compliance), must have sensitive patterns stripped. The audio is the legal record; the transcript is the operational record.
AI summary (Snowflake Cortex)¶
Within 2 minutes of a call ending, Snowflake Cortex processes the transcript and produces a structured summary:
{
"call_reason": "Transaction dispute — BP Connect NZD 76.00 not recognised",
"outcome": "Dispute lodged. Reference TXN-928374-NZ. Provisional credit approved.",
"action_items": [
"Dispute case created and assigned to Sarah M.",
"Customer to receive update within 5 business days"
],
"compliance_check": {
"required_disclosures_delivered": true,
"complaints_process_mentioned": false
},
"sentiment": "Frustrated at start, satisfied at close",
"topics": ["dispute", "transaction", "card", "provisional credit"],
"duration_seconds": 284
}
This summary is stored in Snowflake and served to the CRM interaction timeline via the Snowflake read API (ADR-038 Tier 3). The agent never types call notes — the AI produces them. Action items extracted from the summary that require operational follow-up (e.g. case creation, escalation) are published to Neon via the ADR-036 decision inbox as Tier 2 decisions. The summary itself — the human-readable record of the call — is never written to Postgres for display purposes; it is served from Snowflake on demand.
Prompt design principles¶
The Cortex prompt for the summary must be carefully designed to: - Produce a consistent JSON structure regardless of call type - Identify action items with enough specificity to be actionable (not "follow up" but "send rate change letter within 5 business days") - Flag compliance checks without making false positives (disclosure check should be based on call content, not keywords) - Handle multi-language calls gracefully (NZ and AU have significant non-English speaking populations)
The prompt is stored in the wiki and version-controlled. Changes to the prompt are treated as model changes — they go through the champion/challenger evaluation process (DT-005).
Storage and retention¶
| Data type | Storage | Retention | Access |
|---|---|---|---|
| Audio recording | S3 encrypted | 7 years | Compliance, legal, senior management only via PAM session |
| Transcript (with PII redacted) | Snowflake | 7 years | Compliance, QA, analytics; agents can read their own calls |
| AI summary | Snowflake | 7 years | All back office roles with customer access — served via read API |
| Consent log | Postgres (append-only) | Permanent | Audit, legal |
| Agent action log | Postgres (append-only) | 7 years | Audit, legal |
The retention periods are driven by the NZ Limitation Act 2010 (6 years for civil claims, 7 for good measure), AU Limitation of Actions Act (also 6 years), and the RBNZ/APRA expectation of records availability for supervisory examination.
Snowflake as institutional intelligence¶
Every transcript lands in a Snowflake table. Over time this becomes a searchable corpus that reveals:
What customers are actually calling about: Not what agents report, not what categories agents select — the actual words customers use. If customers are calling about a feature that doesn't exist, or a fee they don't understand, or a process that confuses them, the transcript corpus detects it before it becomes a complaints trend.
Agent disclosure compliance rate: Which agents are consistently delivering required disclosures? Which are not? The QA team stops manually sampling calls and instead reviews an AI-scored queue sorted by compliance risk. Regulators who ask "can you demonstrate your agents are delivering required disclosures" get a Snowflake query result, not a stack of randomly sampled recordings.
Product complaint emerging signals: A spike in calls mentioning a specific product feature or fee is an early warning signal — before customers escalate to formal complaints, before the pattern reaches the Board risk report. The transcript analytics surface it while there is still time to act.
Training effectiveness: Call transcript quality scores improve predictably with training interventions. The corpus is the evidence that training works.
Principles alignment¶
| Principle | Assessment | Notes |
|---|---|---|
| AP-001 KISS | ✓ | AWS Transcribe does the heavy lifting; no custom STT infrastructure |
| AP-002 Data governance | ✓ | PII redacted before storage; retention periods defined; access controlled |
| AP-003 Compliance | ✓ | Consent gate before recording; audit trail of every call and decision |
| AP-004 Security | ✓ | Audio encrypted at rest; transcript access role-controlled; PAM for audio access |
| AP-005 Customer driven | ✓ | Agent reads transcript live — better, faster service for the customer |
Perspectives¶
| Perspective | Assessment | Notes |
|---|---|---|
| Regulatory | ✓ | Consent-first design; immutable audit trail; disclosure compliance tracking |
| Security | ✓ | PII redaction; encrypted audio; role-scoped transcript access |
| Support & Maintenance | ✓ | No manual call notes; automated QA scoring reduces sampling burden |
| Capability | ✓ | Transcript corpus becomes institutional intelligence asset over time |
| Resource | ~ | Cortex prompt engineering and QA scoring rubric design require specialist input |
See perspectives.md for how to use these evaluation lenses.
Relevant viewpoints¶
- Functional viewpoint — Agent call console; consent gate flow; live transcript panel; AI summary in CRM timeline
- System viewpoint — AWS Transcribe streaming → PII redaction → Snowflake → Cortex summary → Snowflake CRM table → read API → back office CRM timeline; operational action items → ADR-036 decision inbox → Neon
- Information viewpoint — Transcript schema; summary JSON structure; consent log; retention policy table
- Security viewpoint — Audio encryption; transcript PII redaction; access tiers by role
- Operational viewpoint — Transcript QA queue; compliance scoring dashboard; emerging signal alerts
See viewpoints.md for guidance on producing these viewpoints.
Signoff record¶
| Date | Name | Role | Status |
|---|---|---|---|
| 2026-04-10 | Ross Millen | CTO | Approved |
| 2026-04-10 | Ross Millen | Head of Architecture | Approved |
| 2026-04-10 | Ross Millen | Head of Data | Approved |
Capabilities¶
| Capability | Description | Relationship |
|---|---|---|
| CAP-025 | Automated regulatory reporting pipeline | governed — agent disclosure compliance scoring feeds quality assurance reporting |
| CAP-029 | Immutable audit log | enabled — consent log is append-only in Postgres |
| CAP-050 | In-app customer support (chat + voice) | enabled — call recording, live transcription, and AI summary are the agent infrastructure |
| CAP-105 | Communication audit trail | enabled — consent log, transcript, AI summary, and agent action log retained 7 years |
| CAP-130 | Agent assist panel (real-time compliance coaching) | enabled — real-time transcript monitoring alerts agents to missing disclosures |
Related decisions¶
| ADR | Title | Relationship |
|---|---|---|
| ADR-002 | Snowflake as the analytics and risk compute platform | Snowflake Cortex generates AI summary; transcript corpus lives in Snowflake |
| ADR-011 | CRM approach — embedded in front end or external platform | call summaries attach to CRM interaction timeline |
| ADR-028 | Document storage — S3 and Postgres metadata | call recordings stored in S3 under the document storage ADR |
All ADRs
Compiled 2026-05-22 from source/entities/adrs/ADR-021.yaml