Designing Bidirectional Video Consultation Platforms for Financial Advisory Services

What This Guide Covers

This guide details the architectural implementation of secure, bidirectional video consultation workflows within Genesys Cloud CX and NICE CXone for regulated financial advisory services. You will configure encrypted media paths, integrate identity proofing via API, and enforce audit-ready session logging that satisfies PCI-DSS and FINRA compliance requirements. The final architecture provides a seamless handoff from digital channel to secure video with zero data leakage.

Prerequisites, Roles & Licensing

Genesys Cloud CX

  • Licensing: CX 2 (minimum for Video Conferencing) or CX 3 (recommended for advanced WEM and Speech Analytics).
  • Permissions:
    • Telephony > Trunk > Edit
    • Architect > Flow > Edit
    • Video Conferencing > Meeting > Manage
    • User Management > Role > Edit
  • OAuth Scopes: video:meeting:manage, users:read, architect:flow:edit.
  • External Dependencies: AWS KMS (for custom key management), Active Directory/LDAP (for identity validation), and a compliant screen-sharing middleware if required for document review.

NICE CXone

  • Licensing: CXone Engagement (Video add-on required).
  • Permissions:
    • Telephony > Trunk > Edit
    • Studio > Flow > Edit
    • Video > Meeting > Manage
    • Administration > User > Edit
  • OAuth Scopes: video.meeting.manage, users.read, studio.flow.edit.
  • External Dependencies: Azure Key Vault (for encryption key management), Identity Provider (SAML/OIDC), and compliant content moderation service.

The Implementation Deep-Dive

1. Establishing the Secure Media Path and Network Architecture

Financial advisory video is not standard web conferencing. The primary architectural constraint is data residency and encryption at rest and in transit. Standard WebRTC media flows through cloud edge nodes, but regulatory bodies often require that PII (Personally Identifiable Information) visible on screen or spoken in audio does not persist in unencrypted caches or third-party recording buckets without explicit consent and key separation.

The Architectural Decision:
We bypass the default “record to cloud blob” pattern for sensitive sessions. Instead, we implement a Live Transcription and Metadata-Only Recording strategy, or we route media to a customer-owned S3 bucket using Private Link (Genesys) or VNet Integration (CXone) with customer-managed encryption keys (CMEK).

Genesys Cloud CX Configuration

  1. Trunk Configuration: Ensure your Genesys Cloud instance is deployed in a region that matches your data residency requirements (e.g., AWS US-East-1 for US-based advisors).
  2. Video Meeting Profile:
    • Navigate to Admin > Video Conferencing > Meeting Profiles.
    • Create a new profile named Fin_Adv_Secure_Video.
    • Recording Settings: Disable “Cloud Recording”. Enable “Live Transcript” only if you have a downstream NLP pipeline that ingests the transcript stream via Webhook for immediate redaction.
    • Screen Sharing: Enable “Allow Screen Sharing”. Set “Screen Share Quality” to High (1080p) for document clarity, but note the bandwidth impact.

NICE CXone Configuration

  1. Telephony Trunk: Verify your SIP trunk supports SRTP (Secure Real-time Transport Protocol). While WebRTC is TLS-encrypted, ensuring the underlying PSTN gateway (if used for fallback) uses SRTP is critical for mixed-mode sessions.
  2. Video Profile:
    • Navigate to Administration > Video > Profiles.
    • Create Fin_Adv_Secure_Video.
    • Recording: Disable “Automatic Recording”. Enable “Participant Consent Required for Recording”. This is a legal requirement in many jurisdictions for financial advice.

The Trap: Ignoring Bandwidth Asymmetry
Financial clients often join from mobile devices on 4G/5G networks with asymmetric bandwidth (low upload, high download). If you force 1080p video on the client side, packet loss increases, causing jitter and freezing.

  • The Fix: Configure the video profile to use Adaptive Bitrate. In Genesys, this is default, but you must ensure the “Max Video Resolution” is not hardcoded to 1080p for mobile agents. Set the advisor’s desktop client to 1080p and the client’s mobile/web client to auto-negotiate down to 480p if bandwidth drops below 1.5 Mbps.

2. Identity Proofing and Session Initiation via API

You cannot simply generate a meeting link and email it. Financial advice requires Know Your Customer (KYC) verification before the video session begins. The workflow must be: Authenticate → Verify Identity → Generate Secure Meeting → Join.

The Architectural Decision:
We use the platform’s Video API to generate a meeting dynamically only after successful authentication. This prevents “link hopping” and ensures the meeting ID is tied to a specific, verified user session.

Genesys Cloud CX Implementation

  1. OAuth Application: Create an OAuth app with the scope video:meeting:manage.
  2. API Payload:
    Use the POST /api/v2/video/meetings endpoint.
    POST /api/v2/video/meetings
    Authorization: Bearer <access_token>
    Content-Type: application/json

    {
      "name": "Financial Consultation - Client ID: 88291",
      "start": "2023-10-27T14:00:00.000Z",
      "end": "2023-10-27T14:30:00.000Z",
      "recordingType": "NONE",
      "participants": [
        {
          "userId": "advisor-user-id-123",
          "role": "MODERATOR",
          "joinUrl": "https://<instance-url>/video/join/meeting-id-xyz"
        },
        {
          "userId": "client-user-id-456",
          "role": "PARTICIPANT",
          "joinUrl": "https://<instance-url>/video/join/meeting-id-xyz"
        }
      ],
      "metadata": {
        "clientAccountId": "88291",
        "sessionType": "KYC_VERIFIED"
      }
    }
  3. Architect Flow Integration:
    • In Genesys Architect, use the Make REST Request block to call this endpoint.
    • Map the joinUrl for the client to a subsequent Send SMS or Send Email block.
    • Critical: Do not store the joinUrl in a plain-text database. Use a short-lived token or direct the user to a secure portal where the URL is generated on-demand.
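
One way to implement the short-lived token suggested above, as an added example (not code from this guide or from Genesys): the secure portal issues an HMAC-signed token bound to the verified session and the meeting, and resolves the meeting only for a valid, unexpired token. The names issue_join_token, redeem_join_token, SECRET and the 300-second lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: in production the key comes from a KMS or secret store.
SECRET = b"constructed-demo-key"
TTL_SECONDS = 300  # assumed token lifetime


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(body):
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())


def issue_join_token(session_id, meeting_id, now=None):
    """Bind a KYC-verified session to one meeting for a short time."""
    now = time.time() if now is None else now
    claims = {"sid": session_id, "mid": meeting_id, "exp": int(now) + TTL_SECONDS}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _sign(body)


def redeem_join_token(token, session_id, now=None):
    """Return the meeting id for an authentic, unexpired token presented by
    the same verified session; otherwise None. The portal would then fetch
    or build the joinUrl on demand instead of reading it from storage."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        # Constant-time comparison; verify before parsing the claims.
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except ValueError:
        return None
    if now >= claims["exp"] or claims["sid"] != session_id:
        return None
    return claims["mid"]
```

Only the token travels by SMS or email; a forwarded link fails because the presenting session does not match the one that passed identity verification.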

NICE CXone Implementation

  1. Studio Flow:
    • Use the Invoke Web Service block to call the CXone Video API.
    • Endpoint: POST /api/v2/video/meetings.
  2. Payload Structure:
    {
      "name": "Advisory Session - Ref: 99201",
      "startTime": "2023-10-27T14:00:00.000Z",
      "durationMinutes": 30,
      "participants": [
        {
          "userId": "advisor-cxone-id",
          "role": "HOST"
        },
        {
          "userId": "client-cxone-id",
          "role": "GUEST"
        }
      ],
      "properties": {
        "complianceTag": "FINRA_REG_T",
        "auditId": "99201"
      }
    }

The Trap: Token Expiration and Meeting Start Time
A common misconfiguration is setting the meeting start time too far in the future. Genesys and CXone meetings typically have a “join window” (e.g., 15 minutes before start time). If the client arrives early, they are locked out. If the advisor is late, the meeting may auto-expire.

  • The Fix: Set the start time to Current Time + 2 minutes after identity verification. Use the Delay block in Architect/Studio to hold the flow for 2 minutes, allowing the client to receive the link and open the browser, then generate the meeting. This ensures the “green light” is on when they click.

3. Enforcing Compliance: Recording, Consent, and Redaction

Financial regulations (like FINRA 4511 in the US or MiFID II in Europe) often require recording of advice sessions. However, recording video of a client’s home environment raises massive privacy concerns.

The Architectural Decision:
We implement Audio-Only Recording with Video Transcription as the default for compliance. If video recording is legally mandated, we must overlay a “REC” indicator and obtain explicit verbal consent, logged via Speech Analytics.

Genesys Cloud CX: Speech Analytics for Consent Detection

  1. Enable Live Speech Analytics:
    • Navigate to Admin > Speech Analytics > Live Speech Analytics.
    • Enable for the Fin_Adv_Secure_Video queue.
  2. Create a Compliance Topic:
    • Create a topic named “Recording Consent”.
    • Add phrases: “Do you consent to this call being recorded?”, “I agree to be recorded.”
  3. Architect Flow Logic:
    • Use the Speech Analytics block to check for the “Recording Consent” topic match.
    • If confidence > 0.8, proceed to video.
    • If confidence < 0.8, route to a manual confirmation step or terminate the session.

NICE CXone: Interaction Recording Policy

  1. Policy Configuration:
    • Navigate to Administration > Interaction Recording > Policies.
    • Create a policy Fin_Adv_No_Video_Record.
    • Set “Record Audio”: Yes.
    • Set “Record Video”: No.
    • Set “Transcribe Audio”: Yes (using NICE Dialogue Intelligence).
  2. Studio Implementation:
    • In the Studio flow, before the Start Video Meeting block, add a Play Prompt block: “This session will be recorded for quality and compliance purposes. Please state ‘I consent’ to continue.”
    • Use the Transcribe block to capture the client’s response.
    • Add a Decision block: If transcript contains “consent”, proceed. Else, Hang Up.

The Trap: Silent Failures in Transcription
Transcription engines can fail on accented speech or background noise. A silent failure means the compliance check passes (because the system didn’t hear “no consent”) or fails (because it didn’t hear “yes consent”).

  • The Fix: Implement a Fallback Timeout. If the transcription confidence is low, do not guess. Route to a human supervisor or require a digital signature click on the client’s screen (via a secure web portal) before the video session begins. This shifts the burden from speech recognition to explicit UI action.
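
The consent decision from this section combined with the fallback from The Fix, as an added example (not platform code or code from this guide). It is stricter than a substring match on "consent", which would also accept "I do not consent". It assumes the flow can pass a transcript string and a confidence score to a function; evaluate_consent, Decision and the phrase lists are hypothetical names, and 0.8 is the threshold from the Architect flow logic.

```python
import re
from enum import Enum


class Decision(Enum):
    PROCEED = "proceed"    # explicit consent, confidently transcribed
    DENY = "deny"          # explicit refusal, confidently transcribed
    FALLBACK = "fallback"  # do not guess: supervisor or signature click


CONFIDENCE_THRESHOLD = 0.8  # value used in the Architect flow logic

# Hypothetical phrase lists (assumption); extend per language and prompt wording.
REFUSAL = re.compile(r"\b(no|not|don't|dont|never|cannot|can't|refuse|decline)\b")
AFFIRM = re.compile(r"\bi (do )?(consent|agree)\b")


def naive_contains_check(transcript):
    """Substring match on 'consent': shown only for comparison."""
    return "consent" in transcript.lower()


def evaluate_consent(transcript, confidence):
    """Three-way decision so a transcription failure never passes silently."""
    if transcript is None or confidence is None:
        return Decision.FALLBACK  # engine returned nothing
    text = transcript.lower().replace("\u2019", "'")
    text = re.sub(r"\s+", " ", re.sub(r"[^a-z' ]", " ", text)).strip()
    # Exactly 0.8 is treated as low: only confidence > 0.8 may proceed.
    if not text or confidence <= CONFIDENCE_THRESHOLD:
        return Decision.FALLBACK  # silence, noise or low confidence
    refused = REFUSAL.search(text) is not None
    affirmed = AFFIRM.search(text) is not None
    if refused and affirmed:
        return Decision.FALLBACK  # contradictory answer: ask again via the UI
    if refused:
        return Decision.DENY
    return Decision.PROCEED if affirmed else Decision.FALLBACK
```

Log the returned decision together with the raw transcript and confidence so the audit trail shows why a session proceeded, was denied, or was sent to the fallback path.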

4. Screen Sharing for Document Review with Data Loss Prevention (DLP)

Advisors need to show portfolio documents. Clients may share their screen to show errors. Unrestricted screen sharing is a DLP risk.

The Architectural Decision:
Restrict screen sharing to “Application Window” only, not “Entire Screen”. This prevents the client from accidentally showing their desktop icons, email notifications, or other sensitive apps.

Genesys Cloud CX

  1. Meeting Profile:
    • In Fin_Adv_Secure_Video, under Screen Sharing, set “Allowed Source” to Application Window.
    • Disable “Entire Screen” and “Browser Tab” if possible (note: Genesys may not granularly control browser tabs in all browsers, so rely on agent training and UI cues).
  2. Agent Desktop:
    • Configure the Agent Desktop to show a warning banner when screen sharing is initiated: “Ensure no PII is visible in the shared window.”

NICE CXone

  1. Video Profile:
    • Set “Screen Share Mode” to Specific Application.
    • Enable “Screen Share Annotation” for advisors to highlight documents, but disable “Whiteboard” if it is not needed, reducing the attack surface.

The Trap: Browser Notification Leaks
Even with “Application Window” sharing, if the advisor shares their browser window, browser notifications (Gmail, Slack) can pop up and be captured.

  • The Fix: Enforce Do Not Disturb (DND) mode on the advisor’s machine during video sessions. Integrate with endpoint management tools (Intune, Jamf) to push a DND state when the agent logs into the CX platform for a video session. Alternatively, use a dedicated “Video Workstation” profile with notifications disabled.

Validation, Edge Cases & Troubleshooting

Edge Case 1: The “Black Screen” on Client-Side Mobile Devices

  • The Failure Condition: The client joins on iOS Safari or Android Chrome. The advisor sees video, but the client sees a black screen or the advisor sees black.
  • The Root Cause: Mobile browsers require explicit user permission for camera/mic access. If the meeting link is opened via SMS, the browser may block the media request due to “insecure context” if the link is HTTP (not HTTPS) or if the site lacks a valid TLS certificate. Additionally, iOS Safari often requires the user to tap the video element to start the stream.
  • The Solution:
    1. Ensure all meeting links are https://.
    2. Add a Pre-Join Page (if using custom UI) or rely on the platform’s native pre-join screen which explicitly asks for permissions.
    3. In the Architect/Studio flow, send an SMS with a clear instruction: “Click the link, then tap ‘Allow’ when asked for camera access.”

Edge Case 2: Audio Echo and Feedback Loops

  • The Failure Condition: The client hears their own voice echoed back, causing the session to become unintelligible.
  • The Root Cause: The client is using a mobile device with the speakerphone on, while the microphone is picking up the speaker output. This is common when clients are not wearing headphones.
  • The Solution:
    1. Client-Side Mitigation: In the pre-join screen, add a prominent warning: “Please use headphones to avoid echo.”
    2. Platform-Side Mitigation: Enable Echo Cancellation in the Video Meeting Profile. Both Genesys and CXone have server-side echo cancellation, but it is less effective than client-side.
    3. Architect Flow: If the Speech Analytics engine detects “echo” or “feedback” patterns (high-frequency noise), trigger a soft alert to the advisor to ask the client to use headphones.

Edge Case 3: Session Timeout Due to Inactivity

  • The Failure Condition: The video session drops after 5 minutes of silence (e.g., while the advisor is reviewing a document).
  • The Root Cause: The platform’s heartbeat or keep-alive mechanism interprets lack of media packets as a disconnect. This is rare in modern WebRTC but can happen if the client’s device goes to sleep.
  • The Solution:
    1. Configure the Idle Timeout in the Video Meeting Profile to be longer than the typical document review time (e.g., 15 minutes).
    2. Instruct advisors to keep a low-volume background tone or occasional verbal check-in (“Can you still see me?”) to keep the media stream active.

Edge Case 4: Cross-Region Latency for Global Clients

  • The Failure Condition: An advisor in New York consults with a client in London. Video is laggy, and lip-sync is off.
  • The Root Cause: The media is routed through a single edge node that is far from one of the participants.
  • The Solution:
    1. Genesys: Ensure you are using Global Routing. Genesys Cloud automatically routes media to the nearest edge. Verify that the client’s IP resolves to a local edge node in the Genesys logs.
    2. CXone: Check the Media Region settings. Ensure the meeting is hosted in a region that minimizes latency for both parties, or use CXone’s global media fabric to optimize the path.
    3. Fallback: If latency exceeds 500ms, switch to audio-only mode automatically. Implement this via a Condition in the Architect/Studio flow that checks the client’s reported latency (via API) and downgrades the video quality.
