Sedric Team
Communications
![Featured image for 'MiFID II Recording Requirements: The Definitive Guide'](https://cdn.prod.website-files.com/69a7e1717e5289161221dbf3/6a0b818d36879383ce40b3c9_6a0b818c2977dd24cc40fc23_featured-rebrand-mifid-ii-recording-requirements.png)
TL;DR — MiFID II requires investment firms to record telephone conversations and electronic communications that relate (or are intended to relate) to in-scope client orders, retain them for at least five years, and produce them in a usable form on supervisory request. The hardest parts are not the headline rules but the operational edges: mobile and personal devices, off-channel chat, off-shore desks, and the growing divergence between the EU and the UK's SYSC 10A regime.
The primary obligation is in Article 16(7) of MiFID II (Directive 2014/65/EU). Investment firms must:
"...take all reasonable steps to record relevant telephone conversations and electronic communications, made with, sent from or received by equipment provided by the investment firm to an employee or contractor, or the use of which by an employee or contractor has been accepted or permitted by the investment firm."
The detail is built out in Article 76 of Commission Delegated Regulation (EU) 2017/565. Recordings must be retained for at least five years and, where the competent authority requests, up to seven years. They must be accessible to clients on request, stored in a durable medium, and protected against unauthorised alteration.
For UK firms, the rules were onshored at exit day and now sit in the FCA Handbook at SYSC 10A and in the UK MiFID Org Regulation. The structure mirrors the EU regime, but the FCA has signalled its own enforcement priorities and has scope to diverge further over the medium term.
The plain-English version: if a conversation or message could lead to a trade in MiFID-scope instruments, record it, keep it for five years, and be able to find and produce it intact.
Three pressures have pushed MiFID recording back to the top of the supervisory agenda.
Cross-border enforcement. ESMA's 2025 common supervisory action on MiFID II investor protection put recording and record-keeping in the top three findings. National competent authorities including BaFin (Germany), AMF (France), AFM (Netherlands), CSSF (Luxembourg) and Banca d'Italia issued public statements on inadequate recording of mobile and chat communications.
Off-channel communications fines spillover. The US SEC's $2bn+ in penalties for off-channel communications since 2022 (WhatsApp, iMessage, personal email) prompted EU regulators to ask whether the same gaps exist on their watch. The answer, generally, is yes — particularly at firms with US affiliates and shared trader populations.
Hybrid working as a permanent state. Mobile and home-working communications are no longer pandemic exceptions. ESMA's 2024 statement on remote and hybrid working made clear that firms cannot rely on policy alone — the controls must demonstrably work.
The consequence for an MLRO or Head of Compliance at an EU or UK investment firm is that "we have a recording policy" is no longer a defensible answer. Supervisors expect demonstrable coverage across channels and devices, retrievability under realistic load, and continuous testing.
The most-asked question in MiFID II recording is "what exactly do we have to record?"
Order-flow communications. Any communication that constitutes a client order is in scope without qualification. This includes voice instructions on dealer lines, RFQs on chat platforms, and internal orders placed by relationship managers to trading desks.
Relevant conversations. Article 16(7) extends to communications "intended to result in" transactions in MiFID-scope instruments. The "intended to result in" test is broader than many firms recognise. ESMA Q&A on investor protection (Section 3, Q&A 11) confirms that the relevant test is whether the conversation could plausibly lead to a transaction, not whether it actually does.
In practice this captures:

- Pre-trade chat between salespeople and clients discussing pricing, structures or market colour.
- Internal calls between RMs and trading desks about pricing for a specific client.
- Communications with prospective clients that move beyond pure marketing into product-specific discussion.
- Communications about portfolio rebalancing where the firm has discretionary authority.
What it does not capture is purely general marketing communications, internal compliance discussions, and HR matters — provided you can demonstrate this with clean control over which devices, lines and tools are used for what.
Persons in scope. Article 16(7) applies to employees and contractors. Where an external salesperson, introducer or tied agent has access to firm-provided devices or communicates through firm-permitted channels, they are within scope. This is a recurring audit finding for firms with extensive external broker networks.
Three retention obligations sit alongside each other.
Five-year minimum. All recordings must be retained for at least five years from the date of the communication.
Seven-year potential extension. Where the competent authority requests, retention extends to up to seven years for specific records.
Longer where another regime applies. GDPR's data minimisation principle pulls in one direction; MAR's market abuse reconstruction obligation can pull in the other. Where there is a STOR or an open investigation, recordings must be preserved beyond the standard period.
Retention is the easy part. Retrievability is where firms fail. ESMA has been explicit that the standard is not just storage but the ability to reconstruct an order or a conversation chain in a reasonable time. Common audit findings:
A useful diagnostic: pick three random orders from 18 months ago and reconstruct the full pre-trade conversation across all channels. If it takes a person more than a working day, the firm has a retrievability problem.
This is where most of 2024–2026's enforcement activity sits.
The two-route choice. Firms have to choose between two operating models: ban personal devices for in-scope conversations and enforce that ban, or permit personal devices and bring them inside the recording perimeter. ESMA's view, repeated in multiple Q&As, is that a written policy banning personal device use is not sufficient on its own — the firm must demonstrate the ban operates in practice.
Recording on mobile. Compliant approaches include carrier-level recording (where supported), separate recorded SIMs for business use, containerised business apps with recorded telephony, and dedicated recorded mobile clients for chat and voice. Each has trade-offs. Carrier recording is reliable but jurisdictionally patchy. Containerised apps are robust but require user adoption discipline.
Chat and messaging. WhatsApp, Signal, Telegram, iMessage and Snapchat have all featured in enforcement actions in the EU and UK. The compliant pathway is either to prohibit the channel for business communications (with technical and supervisory controls to enforce) or to bring it inside a captured perimeter via authorised, recorded messaging platforms.
Internal collaboration tools. Microsoft Teams, Slack, Zoom and Bloomberg chat are typically inside the perimeter, but the recording configurations are not always set correctly out of the box. Specifically:

- Teams DMs and channels need explicit retention policies.
- Slack DMs require enterprise-grade retention and export configurations.
- Zoom and Teams meeting recordings must cover both audio and any chat panel.
Detection of off-channel use. Several EU regulators (notably BaFin) now ask firms to demonstrate active detection of off-channel use, not just passive policy. Network-level telemetry, attestation surveys with sample audit, and chat-content monitoring for references to off-channel communications ("let's take this to WhatsApp") are all valid components. The Sedric platform applies content surveillance to detect such references in real time, with flagged conversations escalated to the conduct team.
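As an added illustration of the chat-content monitoring component described above (this is not Sedric's code or detection logic), the following Python sketch flags messages that propose moving a conversation to an unrecorded channel. The verb list, the regular expressions and the sample messages are assumptions constructed for this example; requiring an intent phrase before the channel name keeps ordinary uses of words such as "signal" from firing.

```python
import re
import unicodedata

# Channels this page names in enforcement actions; the regexes are assumptions.
APPS = {
    "WhatsApp": r"what'?s\s?app",
    "Signal": r"signal",
    "Telegram": r"telegram",
    "iMessage": r"imessage",
    "Snapchat": r"snap\s?chat",
    "personal email": r"(?:personal|private)\s+e-?mail",
}
# Intent to move the conversation: verb, up to 40 chars in the same sentence,
# then a preposition directly before the channel name (assumed phrase list).
MOVE = (r"\b(?:take|move|continue|switch|ping|message|text|dm|call|reach|send)\b"
        r"[^.?!]{0,40}?\b(?:on|to|via|over|at)\s+(?:my\s+|your\s+)?")
PATTERNS = {app: re.compile(MOVE + "(?:" + pat + r")\b") for app, pat in APPS.items()}

def normalise(text):
    """Fold case, width variants and curly apostrophes before matching."""
    return unicodedata.normalize("NFKC", text).replace("\u2019", "'").casefold()

def flag_off_channel(messages):
    """Return one flag per (message, channel) where a move is proposed."""
    flags = []
    for msg in messages:
        text = normalise(msg["text"])
        for app, pattern in PATTERNS.items():
            hit = pattern.search(text)
            if hit:
                flags.append({"id": msg["id"], "sender": msg["sender"],
                              "channel": app, "evidence": hit.group(0)})
    return flags

SAMPLE = [  # constructed messages, not real data
    {"id": 1, "sender": "rm.alice", "text": "Client wants 5m of the 2030s. Let\u2019s take this to WhatsApp."},
    {"id": 2, "sender": "trader.bob", "text": "Strong buy signal on the 10y, sending the RFQ now."},
    {"id": 3, "sender": "compliance", "text": "Reminder: WhatsApp is not approved for client orders."},
    {"id": 4, "sender": "rm.carol", "text": "Can't talk here, ping me on Whats App later"},
    {"id": 5, "sender": "sales.dan", "text": "I'll send the term sheet to your personal e-mail."},
]

if __name__ == "__main__":
    for flag in flag_off_channel(SAMPLE):
        print(flag)
```

Messages 2 and 3 mention a channel name without proposing a move and are left alone; a match is a triage signal for a reviewer, not a finding in itself.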
For the underlying Article 16(7) deep-dive, see our Article 16 MiFID II communications guide.
Post-Brexit, the UK onshored MiFID II at exit day and has gradually adjusted it since. For recording specifically, the position is:
UK SYSC 10A. The substantive recording obligations sit in SYSC 10A.1 of the FCA Handbook. The five-year minimum retention, the channel scope, and the relevance test mirror the EU. SYSC 10A.1.6R defines the relevant person scope.
The portfolio managers carve-out. The FCA preserved (and slightly clarified) the limited exception for certain portfolio management firms from the recording obligation, where they instead make a contemporaneous written note of the conversation. The exception is narrow and is regularly tested by FCA supervisors — most firms find that the cost of operating the exception (the note discipline) exceeds the cost of recording.
Wholesale Markets Review. The UK's Wholesale Markets Review and the Financial Services and Markets Act 2023 give HM Treasury and the FCA powers to revoke and replace onshored MiFID rules. The FCA's 2024 policy statements on MiFID II conduct have so far been more about clarification than divergence, but the direction of travel is towards a more principles-based UK regime over the medium term.
EU evolution. On the EU side, the MiFIR Review (Regulation (EU) 2024/791) is the most significant recent change, focused on transparency and consolidated tape rather than recording. ESMA's ongoing Q&As on Article 16(7) continue to harden the scope around mobile and chat, with the most recent updates in 2025 explicitly addressing AI-generated content and voice-cloning risks.
Operational consequence for cross-border firms. A firm that operates a single global recording perimeter on the EU rule does not have a UK problem. A firm that has been operating on the assumption that the UK is "lighter" generally does. The retrievability and supervision standards are now functionally similar; expecting otherwise is the risk.
EU investment firm, BaFin, 2024. A multi-million-euro penalty against a Germany-headquartered investment firm for failures in recording and retaining electronic communications relating to client orders, including chat communications routed through unapproved messaging applications. The supervisory action highlighted gaps in the firm's detection of off-channel communications and inadequate testing of recording integrity.
UK broker-dealer, FCA enforcement, 2025. A six-figure financial penalty against a UK MiFID firm where SYSC 10A failures included lapsed mobile recording on a population of relationship managers, an outdated retention policy that did not reflect MAR preservation requirements, and inability to retrieve specific conversations within the supervisory deadline.
Pan-European bank, multi-jurisdiction action, 2024–2025. A global bank settled with multiple EU regulators following identification of off-channel WhatsApp use by trading and sales staff. The settlement required remediation plans including device controls, attestations, surveillance enhancements, and senior management accountability.
The MiFID II recording obligation is operationally heavy because it spans voice, chat, email and increasingly meeting platforms across distributed teams. Coverage gaps are usually not policy failures — they are detection failures.
Sedric ingests communications across in-scope channels and applies real-time content surveillance to detect both substantive issues (mis-selling, suitability gaps, MAR-relevant content) and meta issues (references to off-channel use, recording-quality failures, retention-policy breaches). Each flag is linked to the relevant rule reference — Article 16(7), Article 76 of Reg (EU) 2017/565, SYSC 10A.1.6R, or the applicable MAR article — so a reviewer sees not just the alert but the regulatory basis. Overrides are logged with reasoning.
The result for the MLRO is twofold. First, the firm can demonstrate active detection of off-channel use, which is the headline supervisory expectation. Second, when the regulator asks for a reconstruction of a specific order or client conversation, the work is already done — the audit trail is built as part of normal review, not retrieved retrospectively from siloed archives. This is what we mean by real-time guardrails rather than retrospective archive. For a comparison of the legacy archive-and-supervise model versus modern AI-native approaches, see our Smarsh alternatives post.
If you would like to see Sedric applied to a slice of your own recorded comms, book a demo at sedric.ai.
What is the minimum retention period under MiFID II recording requirements? Five years, extendable to seven on competent authority request. Other regimes (MAR, GDPR, AML) may extend or constrain this further.
Do I have to record internal calls? Yes, where they relate to client orders or transactions in MiFID-scope instruments. Internal pricing discussions, RM-to-desk calls, and internal allocation discussions are typically in scope.
Does Article 16(7) apply to all financial instruments? It applies to communications relating to transactions in financial instruments within MiFID II scope, which is broad — including transferable securities, derivatives and structured products. Non-MiFID assets (e.g. cash deposits, mortgages, pure insurance) are not in scope under Article 16(7), though other regimes may impose recording obligations.
Can portfolio managers rely on a recording exemption? The UK preserves a narrow exception for certain portfolio managers who maintain contemporaneous written records of conversations. The EU does not provide an equivalent general exemption. The cost of operating the exception usually exceeds the cost of recording.
Are video meetings (Teams, Zoom) in scope? Yes, where the audio content relates to in-scope client business. Recordings must cover audio and any chat panel content.
How does MiFID II recording interact with MAR surveillance? The recording obligation creates the data; MAR surveillance interrogates it for market abuse indicators. The two regimes are complementary. See our market abuse regulation surveillance guide.
Has the UK diverged significantly from the EU on recording post-Brexit? Not yet. SYSC 10A onshores Article 16(7) substantially intact. Both regulators are tightening practice expectations in parallel.
Book a 30-minute demo with Sedric and we will run the platform against a sample of your recorded communications — voice, chat or meeting transcripts. You will see exactly how Article 16(7) and SYSC 10A obligations map to alerts, how each flag is linked to its rule reference, and how a typical week of reviewer workflow looks. Sessions usually take a fortnight to schedule. Request one at sedric.ai.