Article 16 MiFID II Communications: A Practitioner Deep-Dive

Sedric Team

TL;DR — Article 16 of MiFID II sets the organisational requirements for investment firms. The communications obligations in Article 16(7), built out by Article 76 of Regulation (EU) 2017/565, are the part most likely to be tested in a supervisory visit. This piece walks through exactly what Article 16(7) requires, who and what is in scope, what good record-keeping looks like in practice, and the audit findings that recur across EU and UK supervisors.

What Article 16 actually says

Article 16 of MiFID II (Directive 2014/65/EU) sets the general organisational requirements for investment firms. Sub-paragraphs cover compliance arrangements, conflicts of interest, outsourcing, business continuity and several other topics. For communications, the load-bearing provisions are 16(6) and 16(7).

Article 16(6) requires firms to "arrange for records to be kept of all services, activities and transactions undertaken by it which shall be sufficient to enable the competent authority to fulfil its supervisory tasks."

Article 16(7) zooms in on telephone and electronic communications:

"Records shall include the recording of telephone conversations or electronic communications relating, at least, to transactions concluded when dealing on own account and the provision of client order services that relate to the reception, transmission and execution of client orders. Such telephone conversations and electronic communications shall also include those that are intended to result in transactions concluded when dealing on own account or in the provision of client order services that relate to the reception, transmission and execution of client orders, even if those conversations or communications do not result in the conclusion of such transactions or in the provision of client order services."

The phrase "intended to result in" is the critical scoping language. It pushes the obligation upstream from the order itself to any pre-trade communication that could plausibly lead to a transaction.

The detailed mechanics are in Article 76 of Commission Delegated Regulation (EU) 2017/565: durable medium, retention, accessibility, integrity, client-on-request access, and recording on firm-provided or firm-permitted devices.

For the UK, Article 16(7) is onshored at SYSC 10A.1 of the FCA Handbook. The substantive scope and standards mirror the EU position.

Why Article 16(7) matters in 2026

Article 16(7) is one of the few MiFID provisions that delivers a binary pass/fail on day one of a supervisory review. Either the recording exists and can be produced or it cannot. There is no judgement, no proportionality, no mitigating circumstance. That makes it the favourite question for joint supervisory teams and a frequent finding in ESMA's common supervisory actions.

Three current dynamics raise the stakes:

Off-channel comms enforcement, EU edition. Following the US SEC's WhatsApp settlements, EU national competent authorities — BaFin, AMF, AFM, CSSF — opened thematic reviews of off-channel communications. Findings from 2024–2025 show widespread but uneven exposure.

Hybrid working consolidation. ESMA's 2024 statement on remote and hybrid working frames recording controls as a permanent rather than transitional requirement. Compliance arrangements that worked in office-only environments are not sufficient.

MiFIR Review and consolidated tape. The MiFIR Review and the post-trade consolidated tape are pulling regulators' attention to the integrity of the underlying transaction record. Article 16(7) recordings are part of that integrity chain.

For an MLRO at an EU or UK investment firm, Article 16(7) is operationally one of the highest-risk-of-failure provisions in the rulebook, because the failure mode is silent — a control breaks and there is no immediate signal until the data is requested.

Scope: channels, persons and conversations

Article 16(7) has three scoping dimensions and firms typically misread at least one of them.

Channels

Article 16(7) applies to "telephone conversations or electronic communications." Recital 57 of MiFID II and ESMA's investor protection Q&As have interpreted this broadly:

  • Voice. Fixed-line, mobile, soft-phone and VOIP. Includes voicemail where the content relates to an in-scope conversation.
  • Email. Both internal and external where the content meets the relevance test.
  • Chat. Bloomberg chat, Refinitiv Messenger, ICE Chat, Microsoft Teams chat, Slack and similar enterprise platforms.
  • Consumer messaging. WhatsApp, Signal, iMessage, Telegram, Snapchat. These are in scope only where the firm has permitted use of the channel, which is the operational core of the off-channel issue.
  • Meeting platforms. Teams, Zoom, Webex video calls and chat panels.
  • In-app messaging. Trading-app chat features, fintech messaging features, etc.

The test is not the channel's purpose — it is whether the channel is used for in-scope communications.

Persons

Article 16(7) applies to communications made with, sent from or received by equipment provided by the firm or whose use the firm has accepted or permitted, by employees or contractors.

In practice that means:

  • Employees of the investment firm.
  • Contractors and consultants acting on the firm's behalf.
  • Tied agents and appointed representatives to the extent they communicate using firm-provided or firm-permitted equipment.
  • Externals (introducers, off-shore desks, partner firms) where the same condition applies.

The "permitted" language is what catches firms out. Tolerating personal device use for business is the same as permitting it for Article 16(7) purposes. Firms cannot rely on a written policy banning a channel if practice diverges from policy and the firm knows or should have known.

Conversations

Under the "intended to result in" test, the following are in scope:

  • Client orders and instructions, full stop.
  • Pre-trade discussions: pricing, structures, market colour, RFQs.
  • Internal pricing discussions where a specific client transaction is contemplated.
  • RM-to-desk conversations about specific client situations.
  • Portfolio review calls where rebalancing may follow.
  • Onboarding conversations where product specifics are discussed.

Out of scope:

  • Pure marketing communications (covered by other rules — see our MiCA marketing communication rules for the cryptoasset equivalent).
  • General internal compliance and policy discussions.
  • HR and administrative communications.

The line moves with context. A "market colour" call that drifts into specific client transaction discussion becomes in-scope mid-conversation. Compliance arrangements need to handle the boundary, not just the obvious case.

Record-keeping standards under Article 76

Article 76 of Reg (EU) 2017/565 sets six discrete standards.

Durable medium. Storage must allow accurate reproduction and prevent unauthorised modification. WORM (write once, read many) or equivalent immutable storage is the practical norm.

Retention period. Five years from the date of the communication, extendable to seven years where the competent authority requests it. Other regimes (MAR, AML, GDPR) may extend or override.

Accessibility. Clients have a right to a copy of the recording on request, in the language they have a business relationship in.

Quality and integrity. Recordings must be of sufficient quality to be intelligible. Integrity controls — checksumming, chain of custody, tamper-evidence — must demonstrate the recording has not been altered.

Protection from loss. Backup, business continuity and disaster recovery must cover recordings to the same standard as other critical records.

Periodic monitoring. The firm must monitor compliance with the recording requirement on an ongoing basis. This is the basis for the testing programme most firms operate (or should operate).

Practical points that often fail:

  • "Sufficient quality" applies to noisy environments. Trading floor recordings that are unintelligible because of background noise have failed quality tests in supervisory reviews.
  • Integrity controls have to extend to the search and retrieval layer, not just storage. A pristine WORM archive with a corrupted index is not compliant in practice.
  • Recordings stored by a cloud provider remain the firm's responsibility. DORA's ICT third-party risk regime now overlays this — see our DORA implementation checklist.
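One way to make tamper-evidence cover the index as well as the stored media, shown as an added example (not code from Sedric or from the regulation): a hash-chained manifest in which each entry commits to both the recording bytes and its search-index row. The field names (`order_id`, `channel`, `participants`) and the sample records are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first manifest entry

def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _canon(obj) -> bytes:
    # Canonical JSON so the same content always hashes identically.
    return json.dumps(obj, sort_keys=True).encode()

def seal(prev_hash, recording, index_row):
    """One manifest entry committing to the media bytes AND the index row."""
    body = {
        "prev": prev_hash,
        "media_sha256": _digest(recording),
        "index_sha256": _digest(_canon(index_row)),
    }
    body["entry_hash"] = _digest(_canon(body))
    return body

def build_manifest(items):
    manifest, prev = [], GENESIS
    for recording, index_row in items:
        entry = seal(prev, recording, index_row)
        manifest.append(entry)
        prev = entry["entry_hash"]
    return manifest

def verify(manifest, items):
    """Return (position, problem) findings; an empty list means intact."""
    findings, prev = [], GENESIS
    if len(manifest) != len(items):
        findings.append((None, "record count differs from manifest"))
    for i, (entry, (recording, index_row)) in enumerate(zip(manifest, items)):
        fresh = seal(entry["prev"], recording, index_row)
        if entry["prev"] != prev:
            findings.append((i, "chain broken"))
        if fresh["media_sha256"] != entry["media_sha256"]:
            findings.append((i, "recording altered"))
        if fresh["index_sha256"] != entry["index_sha256"]:
            findings.append((i, "index row altered"))
        stored = {k: entry[k] for k in ("prev", "media_sha256", "index_sha256")}
        if _digest(_canon(stored)) != entry["entry_hash"]:
            findings.append((i, "manifest entry altered"))
        prev = entry["entry_hash"]
    return findings

# Constructed sample: (recording bytes, search-index row) pairs.
SAMPLE = [
    (b"voice-bytes-1", {"order_id": "ORD-1", "channel": "voice", "participants": ["rm1", "client9"]}),
    (b"chat-bytes-2", {"order_id": "ORD-1", "channel": "chat", "participants": ["rm1", "desk3"]}),
]
```

The chain is only tamper-evident if the latest `entry_hash` is kept somewhere the archive operator cannot rewrite, for example on separate immutable storage.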

Retrievability: the practical test that fails firms

Article 76's "accessibility" requirement is operationalised by supervisors as a retrievability test. The standard is broadly: the firm must be able to produce a complete reconstruction of an order or in-scope conversation, across channels, within a reasonable supervisory deadline.

A reasonable test:

  1. Pick three random transactions from 18 months ago in different asset classes.
  2. Ask compliance to produce, by end of next business day, every in-scope communication associated with each transaction across all channels.
  3. Score the output on completeness (every channel covered), accuracy (no false positives, no false negatives), and time-to-produce.

Failure modes:

  • Voice and chat archived in different systems with no common identifier. A reviewer has to know both the call ID and the chat user to assemble the chain.
  • Indexing only by participant, not by instrument or order ID. A reviewer cannot start from the transaction and find the conversation.
  • Retention applied at the system level but not at the conversation level — partial threads where one participant's chat is retained but the other's is not.
  • Cross-channel references (e.g. "as I said on the phone earlier") that the search layer cannot follow.
  • Cloud archives that meter retrieval by volume, creating real cost pressure to under-retrieve.
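The retrievability test and the first three failure modes above can be checked mechanically. The following is an added example (not Sedric's implementation) that starts from an order ID, rebuilds the timeline, and reports uncovered channels, partially retained threads and records that cannot be reached from any transaction. The archive schema (`order_id`, `thread`, `seq`, `ts`), the expected-channel list and the sample rows are constructed assumptions.

```python
from collections import defaultdict

# Constructed archive rows, one per retained call or message.
ARCHIVE = [
    {"id": "v1", "channel": "voice", "order_id": "ORD-7", "thread": "call-88",
     "seq": 1, "ts": "2024-03-01T09:00:00Z"},
    {"id": "c1", "channel": "chat", "order_id": "ORD-7", "thread": "chat-12",
     "seq": 1, "ts": "2024-03-01T09:05:00Z"},
    # seq 2 of chat-12 (the counterparty's reply) was not retained.
    {"id": "c3", "channel": "chat", "order_id": "ORD-7", "thread": "chat-12",
     "seq": 3, "ts": "2024-03-01T09:07:00Z"},
    # Email archived without any order reference: invisible from the trade.
    {"id": "e1", "channel": "email", "order_id": None, "thread": "mail-4",
     "seq": 1, "ts": "2024-03-01T09:10:00Z"},
]

def reconstruct(order_id, archive, expected_channels):
    """Start from a transaction and report what can and cannot be produced."""
    hits = sorted((r for r in archive if r["order_id"] == order_id),
                  key=lambda r: r["ts"])
    seqs_by_thread = defaultdict(set)
    for r in hits:
        seqs_by_thread[r["thread"]].add(r["seq"])
    # A hole in a thread's sequence numbers means a partially retained thread.
    # (Messages lost from the end of a thread need a stored thread length.)
    gaps = {}
    for thread, seqs in seqs_by_thread.items():
        missing = sorted(set(range(1, max(seqs) + 1)) - seqs)
        if missing:
            gaps[thread] = missing
    covered = {r["channel"] for r in hits}
    return {
        "timeline": [r["id"] for r in hits],
        "channels_missing": sorted(set(expected_channels) - covered),
        "thread_gaps": gaps,
        "unlinked": [r["id"] for r in archive if r["order_id"] is None],
    }
```

Any non-empty `channels_missing`, `thread_gaps` or `unlinked` result is a completeness finding to record against the retrievability test.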

The Sedric platform models conversations as cross-channel objects keyed to instrument, participant, time and order context. A reviewer starts from a transaction or alert and pulls the full conversation, regardless of channel.

Common audit findings

Across recent ESMA and NCA findings, the recurring Article 16(7) audit issues are:

  1. Off-channel use not detected. Firms know it happens but have no active detection. Policy ban with no enforcement is treated as no control.
  2. Recording coverage gaps. Specific populations (e.g. junior traders, contractors, off-shore desks) left out of the recording perimeter.
  3. Recording quality. Recordings exist but are unintelligible or truncated.
  4. Retrievability. Recordings retained but cannot be produced as a coherent chain within the supervisor's deadline.
  5. Cross-channel reconstruction. Voice and chat treated as separate archives with no stitching.
  6. Retention errors. Standard five-year retention applied but MAR preservation override missed, leading to deletion of investigation-relevant material.
  7. Third-party communications. Tied agents, introducers and joint venture partners excluded from the perimeter without scoping analysis.
  8. Periodic monitoring. No documented evidence of the periodic monitoring Article 76 requires.
  9. Senior accountability. Article 16(7) ownership not mapped to an SMF or equivalent senior manager.
  10. Client request handling. No documented process for handling client requests for recordings, which is a discrete Article 76 obligation.

Three recent enforcement examples

Germany, BaFin action, 2024. A multi-million-euro penalty against an investment firm for systemic failures in recording and retention of chat communications relating to client orders. BaFin specifically cited inadequate detection of off-channel WhatsApp use and weak periodic monitoring.

Luxembourg, CSSF supervisory letter, 2025. A CSSF letter to industry following a thematic review of MiFID II recording. The letter identified pervasive weaknesses in cross-channel reconstruction and mandated a remediation programme with attestation at senior management level.

UK, FCA enforcement, 2025. A six-figure financial penalty against a UK MiFID firm under SYSC 10A. The findings included lapsed mobile recording on a population of relationship managers, retention policy errors, and inability to produce coherent conversation chains for a sample of transactions.

Article 16(7) controls checklist

Use this as the spine of your annual Article 16(7) attestation.

  1. Channel inventory and scope. Every channel in use mapped to in-scope or out-of-scope with the basis.
  2. Person scope. Definitive list including externals, tied agents, contractors.
  3. Device perimeter. Either enforced ban on personal devices for in-scope conversations or compliant inclusion in the recording perimeter.
  4. Coverage testing. Documented quarterly testing across channels, with results and remediation tracked.
  5. Retrievability test. Documented annual test pulling random transactions and reconstructing across channels within a defined SLA.
  6. Recording quality. Sampling for quality and intelligibility, with remediation for high-noise environments.
  7. Integrity controls. Tamper-evidence at storage and index level, with periodic verification.
  8. Retention. Five-year minimum, seven-year on request, MAR preservation override, GDPR alignment.
  9. Client request process. Documented workflow for client-requested recordings within Article 76 timeframes.
  10. Off-channel detection. Active content surveillance for references to off-channel use, with escalation.
  11. Periodic monitoring. Documented evidence of the Article 76 ongoing monitoring obligation.
  12. Senior accountability. Article 16(7) owned by an identified SMF or equivalent senior manager, with an annual report.

How leading firms automate this with Sedric

Article 16(7) is the kind of obligation where the headline rule is simple and the operational reality is messy. The mess is not in storage — most firms have invested in archiving — but in the surveillance, reconstruction and detection layers on top.

Sedric ingests in-scope communications across voice, chat, email and meeting platforms, applies real-time content surveillance, and indexes conversations as cross-channel objects keyed to instrument, participant and time. Each alert is linked to the underlying rule reference — Article 16(7), Article 76 of Reg (EU) 2017/565, SYSC 10A.1.6R, the relevant MAR article, or the firm's own policy — so a reviewer sees not just the flag but the basis. Overrides are logged with reasoning. The output is two things at once: a continuous real-time conduct surveillance signal, and an audit-ready reconstruction capability for any specific transaction or client.

For firms running a baseline before their next supervisory cycle, the Sedric Marketing Comms Audit ingests up to 10 recent communications samples and returns a scored report against MiFID II Article 16(7), MAR and Consumer Duty rule sets. Each finding is linked to the rule reference so the output is usable as a remediation plan, not a generic scorecard.

FAQ

What is the difference between Article 16(6) and Article 16(7) MiFID II? Article 16(6) is the general record-keeping obligation across services, activities and transactions. Article 16(7) is the specific obligation to record telephone conversations and electronic communications that relate or are intended to relate to in-scope orders.

Does Article 16(7) apply to discretionary portfolio managers? Yes for the underlying communications obligations. The UK preserves a narrow exception for some portfolio managers who substitute contemporaneous written notes for recordings. The EU does not provide an equivalent general exemption.

Are WhatsApp messages within Article 16(7) scope? Where the firm permits or tolerates the use of WhatsApp for in-scope business, yes. A written ban with no enforcement is not sufficient to take a channel out of scope.

What is the minimum retention period under Article 76? Five years, extendable to seven on competent authority request. MAR preservation and ongoing investigations may extend this further.

Can I rely on the cloud provider's retention guarantees? Storage with a cloud provider is permitted but the regulatory responsibility remains the firm's. DORA's ICT third-party risk regime adds further obligations on monitoring and contracting.

Is internal compliance training in scope of Article 16(7)? Generally no, provided the training is not used as a vehicle to discuss specific client transactions. Where pre-trade discussion happens inside what is nominally training, it becomes in scope.

How does Article 16(7) interact with MAR? Article 16(7) creates the data; MAR surveillance interrogates it for market abuse indicators. The same recordings often satisfy both regimes. See our market abuse regulation surveillance guide.

For wider MiFID II recording context, where should I start? Our MiFID II recording requirements guide covers retention, mobile and BYOD, and EU vs UK divergence in more depth. If you are evaluating alternatives to legacy archive vendors, the Smarsh alternatives post is the starting point.

Run a free Article 16(7) comms audit

Upload up to 10 recent communications samples to the Sedric Marketing Comms Audit and we will return a scored report against Article 16(7), Article 76 record-keeping standards, and the MAR overlay. Each finding is tied to the rule reference, so the report is directly usable in a remediation plan. Two business days to delivery. Start at sedric.ai.
