rl-docs-hub

Home · Apps · rl-bank-mvp · PBX IVR / Call Script

---

PBX IVR / Call Script

Purpose

Document the fake-bank PBX call-menu / IVR scripting rule so the product, PBX, and operations workstreams all use the same safety posture.

This bank is a fake bank / experimentation / hobbyist system, so the voice experience must avoid creating confusion for external callers and must avoid encouraging disclosure of real banking or sensitive personal information.

Core rule

There are two script variants for PBX IVR and live call-menu flows:

1. Authorised / internal caller variant
   • For trusted, pre-authorised internal flows only.
   • This variant may omit the fake-bank disclaimer when the caller context is already controlled and understood.
2. External / all other caller variant
   • For every other caller, including public numbers, unknown callers, non-internal flows, demos, tests, and any situation where caller trust or context is not explicitly established.
   • This variant must include an explicit disclaimer that the system is a fake bank, used for experimentation / hobbyist purposes, and is not a real bank.

Disclaimer policy

When the disclaimer is required

Use the explicit disclaimer on:

• all external/public phone numbers
• any inbound number reachable by people outside the authorised internal group
• demo lines and test lines that are not fully access-controlled
• fallback flows where caller identity cannot be confidently classified as authorised/internal

What the disclaimer must communicate

The external/public variant should clearly communicate that:

• the caller has reached a fake bank experience
• the system is for experimentation, testing, or hobbyist use
• the caller should not share real banking information
• the caller should not share sensitive personal information

At minimum, the script should discourage disclosure of:

• real account numbers
• real card numbers
• real PINs, OTPs, passwords, or security answers
• NRIC/passport/national ID details
• real addresses, full date of birth, or other sensitive personally identifiable information

Suggested script shape

Variant A — authorised / internal callers

Use only for controlled internal numbers or other strongly verified authorised contexts.

Example shape:

Welcome to the bank PBX test environment. Please choose from the internal options menu.

Notes:

• keep this variant clearly scoped to internal/trusted usage
• do not expose this wording on public/external entry points

Variant B — external / public callers

Example shape:

Welcome. This is a fake bank system used for experimentation and hobbyist testing. This is not a real bank. Please do not share any real banking details or sensitive personal information on this call. If you understand, continue with the menu options.

Recommended follow-up reminders:

• repeat a shorter warning before any flow that asks for identifiers
• prefer fake/demo identifiers where input is needed
• offer a safe exit option back to the main menu or hang-up

Routing and numbering guidance

• Public/external numbers must use the disclaimer-bearing variant by default.
• Internal-only numbers may use the internal variant only when access is controlled and the user population is explicitly authorised.
• If there is any doubt about caller classification, route to the external/public disclaimer variant.
• Do not reuse a public DID for an undisclaimed “real-bank sounding” flow.

Data-handling guidance for PBX flows

Even in a fake-bank environment:

• prefer fake/demo account references instead of real-looking regulated data
• avoid collecting real secrets, credentials, payment data, or sensitive PII over voice or keypad input
• where input collection is necessary for demos, use clearly fake placeholder formats and document them as such
• logs, recordings, and transcripts should be treated carefully because callers may still overshare despite warnings

Product and operational implication

This rule should be reflected consistently across:

• PBX IVR scripts
• call-menu prompts
• operator/live-agent opening scripts for public-facing fake-bank lines
• demo/test documentation
• future telephony automation or voice-bot flows

Decision summary

The fake bank may support a realistic PBX experience, but realism does not override the disclaimer rule.

The standing policy is:

• authorised/internal callers may use a no-disclaimer internal script variant
• all other callers must hear an explicit fake-bank / experimentation / hobbyist disclaimer
• external/public numbers should carry the disclaimer
• callers should be told not to share real banking or sensitive personal information