MiFID II Call Recording Requirements for Financial Firms

Understand MiFID II call recording obligations, retention periods, and enforcement risks so your financial firm stays compliant and avoids costly penalties.

What MiFID II Means for Your Phone System

The Markets in Financial Instruments Directive II (MiFID II) came into force on January 3, 2018, and its communication recording requirements remain one of the most operationally demanding aspects of financial regulation in Europe. Eight years later, regulators continue to issue fines for non-compliance — the FCA alone levied over 12 million GBP in communication-recording-related penalties in 2025.

For any firm that receives and transmits orders, executes transactions, or provides investment advice within the EU or UK, MiFID II Article 16(7) mandates the recording and retention of all telephone conversations and electronic communications related to — or intended to relate to — client orders and transactions.

This is not optional. It is not limited to trades that actually execute. The phrase "intended to relate to" captures exploratory conversations, price discussions, and even calls where the client decides not to proceed.

What Must Be Recorded

Under MiFID II and the associated delegated regulation (EU 2017/565), firms must record:

  • All telephone conversations on business lines used for client-facing activity
  • Electronic communications including email, instant messages, and chat platforms
  • Mobile communications when used for business purposes, including personal devices under BYOD policies
  • Face-to-face meetings where investment advice is given (written minutes required, not audio)

The scope is deliberately broad. ESMA's Q&A guidance (updated through 2025) clarifies that:

  • Internal calls between front-office and compliance regarding client orders are in scope
  • Calls between the firm and third-party execution venues are in scope
  • Voicemail messages are in scope
  • Pre-trade and post-trade communications are both captured

Retention Periods

MiFID II establishes these minimum retention periods:

| Communication Type | Minimum Retention | Extended Retention |
|---|---|---|
| Telephone recordings | 5 years | 7 years (at regulator's request) |
| Electronic communications | 5 years | 7 years (at regulator's request) |
| Face-to-face meeting notes | 5 years | 7 years (at regulator's request) |
| Order and transaction records | 5 years | 7 years (at regulator's request) |

The FCA in the UK applies slightly different rules post-Brexit. SYSC 10A requires firms to retain recordings for a minimum of 6 months, but most FCA-regulated firms retain for 5-7 years to align with broader MiFID II standards and to protect themselves in dispute resolution.

Technical Standards for Recordings

The recordings must meet specific quality and accessibility standards:

  1. Retrievability: Firms must be able to retrieve recordings promptly upon request from regulators. ESMA guidance suggests records should be searchable by date, parties involved, and subject matter.
  2. Integrity: Recordings must be stored in a format that prevents alteration. Firms must demonstrate chain-of-custody controls.
  3. Quality: Recordings must be of sufficient quality to be clearly audible and understandable.
  4. Completeness: The recording system must capture the entire conversation, not just selected portions.

Common Compliance Failures

Failure Mode 1: Gaps in Mobile Recording

The most common compliance gap we see is unrecorded mobile phone usage. When traders or sales agents use personal mobile phones for client calls — even briefly — those conversations fall within MiFID II scope if they relate to orders or transactions.

Solutions include:

  • Mobile recording apps that route calls through a recording gateway
  • Dual-SIM solutions that separate personal and business calls
  • Strict policy enforcement prohibiting business calls on unrecorded devices
  • Network-level recording through carrier-based solutions

Failure Mode 2: Incomplete Metadata

Recording the audio is necessary but not sufficient. Regulators expect searchable metadata:

  • Caller and recipient identification
  • Date and time (with timezone)
  • Duration
  • Call direction (inbound/outbound)
  • Associated client account or reference number
  • Agent or trader ID

Without this metadata, firms cannot comply with the "promptly retrievable" requirement, which has triggered enforcement actions even when the audio recordings themselves existed.
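A completeness check over recording metadata can run at ingestion, so gaps surface before a regulator asks. The sketch below is an added example, not CallSphere's code; the field names, the ISO 8601 timestamp format and the sample records are assumptions made for illustration.

```python
from datetime import datetime

# Field names are assumptions for this example; they mirror the list above.
REQUIRED_FIELDS = ("caller", "recipient", "started_at", "duration_seconds",
                   "direction", "client_ref", "agent_id")

def metadata_gaps(record: dict) -> list[str]:
    """Return the problems that would make this recording hard to retrieve."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS
                if record.get(f) in (None, "")]
    started = record.get("started_at")
    if started:
        try:
            ts = datetime.fromisoformat(started)
            if ts.utcoffset() is None:  # naive timestamp: timezone unknown
                problems.append("started_at has no timezone")
        except (TypeError, ValueError):
            problems.append("started_at is not ISO 8601")
    if record.get("direction") not in (None, "", "inbound", "outbound"):
        problems.append("direction must be inbound or outbound")
    dur = record.get("duration_seconds")
    if dur not in (None, "") and (not isinstance(dur, (int, float)) or dur < 0):
        problems.append("duration_seconds must be a non-negative number")
    return problems

def audit(records: list[dict]) -> dict[str, list[str]]:
    """Map recording id -> problems, only for records with at least one gap."""
    return {r.get("recording_id", "<no id>"): p
            for r in records if (p := metadata_gaps(r))}

# Constructed sample records (not real data).
SAMPLE = [
    {"recording_id": "rec-001", "caller": "+442070000001",
     "recipient": "+33100000002", "started_at": "2025-03-14T09:30:00+00:00",
     "duration_seconds": 312, "direction": "outbound",
     "client_ref": "ACC-1001", "agent_id": "TR-17"},
    {"recording_id": "rec-002", "caller": "+442070000001",
     "recipient": "+33100000002", "started_at": "2025-03-14T10:05:00",
     "duration_seconds": 45, "direction": "inbound",
     "client_ref": "", "agent_id": "TR-17"},
]

if __name__ == "__main__":
    for rec_id, problems in audit(SAMPLE).items():
        print(rec_id, problems)
```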

Failure Mode 3: Storage and Encryption Gaps

Recordings must be stored in a way that prevents tampering and unauthorized access. Common failures include:

  • Storing recordings on local hard drives without backup or encryption
  • Using consumer-grade cloud storage without adequate access controls
  • Failing to implement write-once-read-many (WORM) storage
  • Not encrypting recordings at rest and in transit

Building a Compliant Recording Architecture

Component 1: The Recording Layer

The recording layer must intercept and capture all in-scope communications. For VoIP systems, this typically works through one of three methods:

SIP Forking: The SIP proxy forks each call's media stream to a dedicated recording server. The recording happens at the network level, so agents cannot disable it.

SIPREC (RFC 7865/7866): An industry-standard protocol for session recording. The Session Border Controller (SBC) sends a copy of the media to a Session Recording Server (SRS) using standardized signaling.

Application-Level Recording: The calling platform records within its own application layer. This is the most common approach for cloud-based VoIP platforms like CallSphere, where recording is handled server-side before the media reaches the agent's browser.

Component 2: The Storage Layer

Compliant storage requires:

  • WORM storage or equivalent immutability controls (AWS S3 Object Lock, Azure Immutable Blob Storage)
  • AES-256 encryption at rest
  • TLS 1.2+ encryption in transit
  • Geographic data residency compliance (recordings of EU clients should be stored within the EU unless explicit adequacy arrangements exist)
  • Automated lifecycle management to enforce retention periods and secure deletion

Component 3: The Retrieval Layer

When a regulator requests recordings — and they will — firms need to produce them quickly:

  • Full-text search across call metadata and (where available) speech-to-text transcriptions
  • Date range filtering by client, agent, or instrument
  • Bulk export capabilities for large-scale regulatory requests
  • Audit trails showing who accessed which recordings and when
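One way to make the access audit trail itself tamper-evident is to chain each entry to the previous one with a hash, so an edited or deleted entry breaks verification. This is an added example, not CallSphere's implementation; the event fields, user names and recording ids are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the first entry's "prev"

def _digest(prev_hash: str, event: dict) -> str:
    # Canonical JSON so the same event always hashes to the same value.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append_event(log: list, user: str, recording_id: str,
                 action: str, at: str) -> None:
    """Append an access event, linking it to the previous entry's hash."""
    event = {"user": user, "recording_id": recording_id,
             "action": action, "at": at}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev, "hash": _digest(prev, event)})

def first_broken_entry(log: list):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["event"]):
            return i
        prev = entry["hash"]
    return None

def accesses_for(log: list, recording_id: str) -> list:
    """Answer 'who accessed this recording and when' from the trail."""
    return [e["event"] for e in log if e["event"]["recording_id"] == recording_id]

def build_sample_log() -> list:
    # Constructed sample events (not real data).
    log = []
    append_event(log, "compliance-1", "rec-001", "play", "2025-03-20T08:00:00+00:00")
    append_event(log, "trader-17", "rec-002", "play", "2025-03-20T08:05:00+00:00")
    append_event(log, "compliance-1", "rec-001", "export", "2025-03-20T08:10:00+00:00")
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", first_broken_entry(log) is None)
    log[1]["event"]["user"] = "someone-else"  # simulate an edited entry
    print("first broken entry:", first_broken_entry(log))
```

The chain only detects edits if the latest hash is also kept somewhere the log writer cannot rewrite, such as the WORM storage described under Component 2.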

CallSphere's compliance module is designed around these three layers, providing end-to-end recording, immutable storage, and rapid retrieval without requiring firms to assemble their own infrastructure.

Enforcement Actions and Penalties

Recent FCA Actions

The FCA has taken enforcement action against multiple firms for recording failures:

  • 2024: A spread betting firm fined 1.2 million GBP for systematic failures in recording client order communications over a 3-year period
  • 2024: A wealth management firm received a public censure for failing to retain electronic communications beyond the minimum period when a dispute arose
  • 2025: An FX broker fined 3.8 million GBP for allowing traders to use unrecorded personal devices for client communications

ESMA Coordination

ESMA conducts periodic peer reviews of national competent authorities' supervision of MiFID II recording requirements. The 2025 peer review found that:

  • 72% of firms inspected had at least one recording gap
  • Mobile communication recording remains the weakest area across all member states
  • Smaller firms disproportionately rely on manual processes that create compliance risk

Implementation Checklist

Use this checklist to audit your firm's compliance posture:

  1. Scope mapping: Have you identified all communication channels used for client-facing activity?
  2. Recording coverage: Are all identified channels being recorded automatically?
  3. Mobile policy: Do you have a documented policy for mobile device usage, and is it enforced technically?
  4. Metadata capture: Are recordings tagged with all required metadata fields?
  5. Storage compliance: Are recordings stored with WORM/immutability controls and encryption?
  6. Data residency: Do you know where your recordings are physically stored, and does this comply with GDPR and local data protection laws?
  7. Retention policy: Are retention periods configured correctly, and is automated deletion working for expired recordings?
  8. Retrieval testing: Have you tested your ability to produce recordings within the timeframe your regulator expects (typically 24-72 hours)?
  9. Audit trail: Can you demonstrate who accessed which recordings and when?
  10. Business continuity: What happens to recording if your primary system fails? Is there a backup?

Frequently Asked Questions

Does MiFID II apply to firms outside the EU that serve EU clients?

Yes. MiFID II's recording obligations apply to any firm providing investment services to clients within the EU/EEA, regardless of where the firm is headquartered. Third-country firms operating under equivalence regimes or reverse solicitation exemptions should consult legal counsel, but the safest approach is to record all communications with EU-based clients. Post-Brexit, UK firms serving EU clients must comply with both MiFID II (for EU activity) and FCA SYSC 10A rules (for UK activity).

Can clients opt out of call recording?

No. Under MiFID II, clients cannot opt out of call recording for communications related to orders and transactions. The recording obligation overrides the client's preference. However, firms must inform clients that calls are being recorded (typically via an automated announcement), and if a client refuses to be recorded, the firm should not proceed with the transaction by phone — it should direct the client to a recorded channel or document the conversation in writing.

How should we handle voice AI and chatbot communications under MiFID II?

ESMA's 2025 guidance on algorithmic and automated communications clarifies that any AI-driven or automated communication that relates to order reception, transmission, or execution falls within the recording scope. This includes voice AI agents, chatbots providing investment information, and automated order confirmation calls. The recording must capture both the AI's output and the client's responses. Firms deploying voice AI should ensure their AI platform produces recordings that meet the same quality and metadata standards as human agent calls.

What is the penalty exposure for non-compliance?

Penalty frameworks vary by jurisdiction. The FCA can impose unlimited fines and has demonstrated willingness to issue seven-figure penalties for recording failures. CySEC penalties can reach up to 1 million EUR per violation, and ESMA can recommend coordinated enforcement across member states. Beyond direct fines, firms face reputational damage, increased regulatory scrutiny, and potential loss of authorization.

Do we need to record internal calls between compliance and trading desks?

Yes, if those calls relate to client orders or transactions. ESMA guidance specifically includes internal communications about client order handling within the recording scope. The practical challenge is distinguishing order-related internal calls from general operational discussions. Most firms address this by recording all calls on trading desk lines and using metadata tagging to classify recordings during or after the call.

CallSphere Team
