MiFID II Recording Obligations: Requirements, Penalties and Compliance Guide
In 2024, European securities regulators imposed MiFID II penalties totaling over EUR 44.5 million, a 143% increase from the previous year, according to the ESMA Annual Sanctions Report. For investment firms, asset managers, and broker-dealers, the recording of client communications has shifted from a back-office task to one of the most actively enforced regulatory requirements in both Europe and the United States.
The challenge starts with the regulation itself. Article 16(7) of the MiFID II Directive (2014/65/EU) requires investment firms to record all telephone conversations and electronic communications related to client orders and transactions. But the proliferation of digital channels (video calls, chat applications, instant messaging) has made compliance far more complex than when recording fixed-line phone calls was sufficient. Traditional recording systems, in most cases, fail to meet the immutability and accessibility requirements that regulators demand.
What follows covers the legal framework, the cost of non-compliance, where the hidden risks lie, and how to build a defensible recording system.
What MiFID II requires for communication recording
The recording obligation is not a recommendation. It is a binding requirement for all investment firms authorized within the European Economic Area, with direct sanctions for non-compliance.
Article 16(7): the recording obligation
Article 16(7) of Directive 2014/65/EU requires investment firms to record all telephone conversations and electronic communications relating to the reception, transmission, and execution of client orders, as well as dealings on own account. The obligation applies even when the communication does not result in a completed transaction.
The scope is broad. The provision covers phone calls, video calls, emails, chat messages, and any form of electronic communication where investment services are discussed. Firms must also notify clients, both new and existing, that communications will be recorded. Without this prior notification, the firm cannot provide investment services by telephone.
Delegated Regulation 2017/565: technical requirements for records
Article 76 of Delegated Regulation (EU) 2017/565 translates the obligation into specific technical requirements. Communication records must be tamper-proof (no possibility to alter, delete, or overwrite recordings after capture), accessible to regulators at any time, traceable for every access and copy, and retained for a minimum of 5 years, with possible extension to 7 years at the request of the competent authority.
In practice, these requirements rule out traditional archiving systems. Files stored on corporate servers or recordings from standard video conferencing platforms do not guarantee either immutability or access traceability.
Which communications must be recorded
The scope is defined by the combination of Article 16(7) MiFID II and Article 76 of the Delegated Regulation.
| Communication type | Recording requirement | Specific requirements |
|---|---|---|
| Order-related phone calls | Mandatory | Full recording, prior client notification |
| Advisory video calls | Mandatory | Audio + video, context metadata, participant identity |
| Transaction-related emails | Mandatory | Full retention, including attachments |
| Chat and instant messaging | Mandatory | Full content, timestamp, sender identity |
| In-person meetings | Written record | Minutes or notes documenting meeting content |
| Fax or postal orders | Retention | Archive of original document with certified date |
Penalties for non-compliance with MiFID II recording obligations
The enforcement data from the past two years leaves no room for ambiguity. Regulators in Europe and the United States are imposing penalties on communication recording failures with amounts that, in the most severe cases, reach hundreds of millions of dollars.
ESMA sanctions in Europe: 2024 data
According to the ESMA consolidated sanctions report for 2024, national competent authorities across the 30 EEA states issued over 970 sanctions in 2024 for an aggregate amount exceeding EUR 100 million. Of these, 189 administrative pecuniary sanctions specifically concerned MiFID II and MiFIR violations, totaling an estimated EUR 44.5 million.
| Jurisdiction | Sanctions 2024 | Notes |
|---|---|---|
| Germany (BaFin) | Single record fine of EUR 12.75 million | Art. 17(1) violation, algorithmic trading |
| France (AMF) | Highest amounts in Europe | Enforcement on organizational and recording obligations |
| EEA (total) | 189 sanctions exceeding EUR 44.5M | +143% vs 2023 |
| USA (SEC + FINRA) | Over $3 billion since 2021 | Off-channel communications on WhatsApp, iMessage, Signal |
SEC off-channel communications: over $3 billion in fines since 2021
The SEC has conducted an unprecedented enforcement campaign on off-channel communications since 2021. Fines for use of unauthorized channels (WhatsApp, iMessage, Signal, personal text messages) have exceeded $3 billion, involving over 100 financial firms.
In 2024 alone, the SEC sanctioned dozens of firms for a combined total exceeding $600 million. Key enforcement actions included 26 firms fined $392.75 million in August (including Raymond James, Edward Jones, LPL, and Osaic), and 16 firms for $81 million in February. In January 2025, another 12 broker-dealers were sanctioned for $63 million.
The pattern is consistent: employees and advisors using personal messaging apps to communicate with clients, bypassing the firm's official recording systems. Regulators consider this a fundamental recordkeeping failure.
FINRA enforcement: parallel action on broker-dealer communications
FINRA has pursued its own enforcement track alongside the SEC. Under FINRA Rule 3110 (Supervision) and Rule 4511 (General Requirements for Books and Records), broker-dealers must establish and maintain systems to capture, retain, and supervise all business-related communications.
FINRA's 2024 Examination Priorities explicitly flagged off-channel communications as a top supervisory concern. The regulator has imposed fines and suspensions on firms and individuals who failed to preserve or supervise electronic communications on unapproved platforms. Several enforcement actions in 2024 targeted firms where supervisory systems did not extend to platforms employees were actually using, a gap that FINRA treats as a systemic supervision failure, not an individual compliance lapse.
For firms operating in both the EU and US markets, the overlap between MiFID II Article 16(7) and SEC/FINRA recordkeeping requirements creates a dual compliance obligation. A recording system that satisfies one regime but not the other exposes the firm on both sides of the Atlantic.
Off-channel communications: the hidden compliance risk
Off-channel communications represent the most critical vulnerability in MiFID II compliance. This is not a US-only phenomenon: the risk is identical for European intermediaries, and national regulators are adopting the same enforcement approach as the SEC.
What are off-channel communications
Off-channel communications are business communications related to investment services that occur on channels not monitored or recorded by the firm. Typical cases: an advisor sending a WhatsApp message to a client about an order, a portfolio manager confirming a trade via SMS, an analyst sharing recommendations on Telegram. These are all communications that escape the firm's mandatory recording perimeter.
The issue is not the channel itself, but the absence of recording. MiFID II does not prescribe which platforms to use: it requires that all relevant communications be recorded, stored immutably, and made accessible to regulators. If a firm allows (or fails to prevent) the use of unmonitored channels, the liability for the violation belongs to the firm.
How to map and control communication channels
Addressing off-channel risk requires action on multiple levels. The first step is a complete inventory of every channel used by personnel to communicate with clients, including informal ones. Then firms need clear policies defining which channels are authorized, backed by technical controls that restrict unauthorized ones. If a channel is necessary for business, such as video calls on third-party platforms, it must be integrated into the recording system with immutability guarantees. Finally, periodic audits are needed to verify that policies are actually being followed.
How to certify communications with legal validity for MiFID II compliance
Recording alone is not enough. The requirements of Article 76 of the Delegated Regulation demand tamper-proof archives, with traceability for every access and guaranteed retention for 5 to 7 years. Certifying communications with legal validity is the only way to meet these requirements.
Why recording alone is not enough: the immutability requirement
A recording on Zoom, Teams, or Meet is a recording. But does it satisfy the requirements of Article 76? In most cases, no. Standard video conferencing platforms allow files to be downloaded, modified, and re-uploaded. They do not guarantee a verifiable chain of custody. They do not apply qualified timestamps. They do not produce evidence that holds up under regulatory scrutiny.
The immutability requirement means the recording must be crystallized at the moment of capture: date, time, participant identities, and content must become unalterable and independently verifiable. This is the difference between a simple recording and a certified communication with legal evidentiary value.
TrueScreen, the Data Authenticity Platform, addresses the problem at its source: it captures and certifies communications at the moment they occur, applying digital signatures and qualified timestamps compliant with the eIDAS Regulation. The recording is not simply archived but transformed into legally binding data. The chain of custody is verifiable and satisfies the requirements of Article 76 of Delegated Regulation 2017/565.
Certifying video advisory calls
Financial advisory sessions conducted via video call are among the communications most exposed to dispute risk. A client who contests the recommendations received, a regulator who demands proof that disclosure obligations were met: without a certified recording, the investment firm is defenseless.
TrueScreen certifies video calls with MiFID II compliance by capturing audio and video content with immutable context metadata. Participant identities, session date and time, duration, and content are fixed with digital signatures and qualified timestamps. The process is transparent and has no impact on the financial advisor's workflow.
The same approach applies to certified contact center communications: phone calls, chats, emails, and video calls between clients and operators are certified at source, eliminating the "word against word" risk and fulfilling MiFID II archiving obligations.
eIDAS digital signatures as a compliance standard
The eIDAS Regulation (EU Regulation 910/2014) is the legal framework governing digital signatures and timestamps with legal validity across the European Union. The advanced electronic signature compliant with the eIDAS Regulation ensures the identification of the signatory and the integrity of the signed document.
For MiFID II compliance, the combination of digital signatures and qualified timestamps produces records that satisfy Article 76 of the Delegated Regulation. Specifically: any subsequent modification is detectable and invalidates the certification; the qualified timestamp provides legal certainty of the recording moment; participant identities are verifiable through the digital signature; certified records are designed for long-term retention of 5 to 7 years and beyond.
MiFID II compliance checklist for communication recording
Achieving compliance requires action on multiple levels: regulatory, technological, and organizational. These are the operational steps to build a recording system that meets Article 16(7) MiFID II requirements.
- Map all communication channels: inventory every channel used by staff to interact with clients, including informal channels and personal devices
- Verify immutability requirements: for each channel, determine whether the recording system guarantees tamper-proof archives compliant with Article 76 of Delegated Regulation 2017/565
- Implement certification at source: adopt solutions that apply digital signatures and qualified timestamps at the moment of capture, not during subsequent archiving
- Define and enforce policies against off-channel communications: establish which channels are authorized, implement technical controls, and monitor compliance
- Notify clients: ensure every client, new and existing, is informed about communication recording before investment services are provided
- Configure 5 to 7 year retention: ensure records are retained for the minimum 5-year period, with the ability to extend to 7 years at the regulator's request
- Guarantee regulator access: establish procedures to provide records promptly and in a usable format
- Conduct periodic audits: regularly verify archive integrity, policy effectiveness, and channel coverage, including record retrieval testing
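The tamper-evidence and access-traceability requirements of Article 76, together with the periodic integrity audit in the checklist, can be illustrated with a hash-chained ledger of capture and access events. This is an added example, not code from TrueScreen or any vendor: the function names, ledger layout, and sample data are assumptions, and an HMAC with a demo key stands in for the eIDAS signature and qualified timestamp.

```python
import hashlib, hmac, json

# Constructed demo key. HMAC is a stand-in for the qualified signature and
# timestamp, which in production come from an eIDAS trust service provider.
SEAL_KEY = b"constructed-demo-key"
GENESIS = "0" * 64

def _seal(body):
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SEAL_KEY, canon, hashlib.sha256).hexdigest()

def append(ledger, kind, actor, at, payload=b""):
    """Append a 'capture' or 'access' event, chained to the previous seal."""
    body = {"seq": len(ledger), "kind": kind, "actor": actor, "at": at,
            "sha256": hashlib.sha256(payload).hexdigest(),
            "prev": ledger[-1]["seal"] if ledger else GENESIS}
    ledger.append({**body, "seal": _seal(body)})
    return ledger[-1]

def audit(ledger, blobs):
    """Return (seq, finding) pairs; an empty list means the archive is intact."""
    findings, prev = [], GENESIS
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "seal"}
        if entry["seq"] != i or entry["prev"] != prev:
            findings.append((i, "chain broken"))
        if not hmac.compare_digest(entry["seal"], _seal(body)):
            findings.append((i, "seal mismatch"))
        if entry["kind"] == "capture":
            blob = blobs.get(i)  # stored recording bytes, keyed by sequence number
            if blob is None:
                findings.append((i, "recording missing"))
            elif hashlib.sha256(blob).hexdigest() != entry["sha256"]:
                findings.append((i, "recording altered"))
        prev = entry["seal"]
    return findings

def demo():
    """Constructed sample: one call, one compliance access, then tampering."""
    ledger, call = [], b"constructed audio bytes"
    append(ledger, "capture", "advisor-17", "2024-03-01T10:15:00+00:00", call)
    append(ledger, "access", "compliance-02", "2024-06-01T09:00:00+00:00")
    clean = audit(ledger, {0: call})
    ledger[1]["actor"] = "nobody"  # rewrite the access trail after the fact
    return clean, audit(ledger, {0: call + b"!"})
```

The chain does not by itself reveal removal of the most recent entries; detecting that requires the latest seal to be anchored outside the archive, for example in a timestamp issued by a third party.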

