Jump to main content
ASC
Request demo
Blog

MiFID II Directive: Recording Obligations and Retention Periods for Banks

Compliance, Financial Services

MiFID II requires financial institutions to systematically capture and archive customer communications in line with strict regulatory requirements. Here's how to make it work in practice.

Overview

MiFID II: Key Objectives for the Financial Market

Since 2018, the Markets in Financial Instruments Directive II (MiFID II or MIFID 2) has been a binding regulation for banks, insurance companies, and financial institutions in Europe. MiFID II is one of the most important regulations in finance today. The regulation was adopted by the European Union to strengthen investor protection, increase transparency in the markets for financial instruments, and prevent conflicts of interest in securities trading.

A key aspect is the obligation to record customer communications and the specified archiving periods. This ensures that advisory and trading decisions remain traceable at all times and can be proven in a legally compliant manner in the event of an audit.

While our blog post on MiFID III deals with the upcoming changes to the regulation from 2025, the existing requirements from MiFID II remain valid. In this article, we take a detailed look at the basics of legally compliant documentation and archiving. We also show how banks can use AI-supported compliance monitoring to make their processes more efficient, minimize risks, and strengthen their governance in a MiFID-compliant manner.

MiFID II in a Nutshell

The directive has been binding in all EU member states since January 2018. It was initiated by the European Commission, adopted by the Parliament and Council, and specified in guidelines by the European Securities and Markets Authority (ESMA). Enforcement is carried out by national supervisory authorities such as BaFin.

The directive has four main objectives:

  • Strengthen investor protection through transparent advice, comprehensive documentation, and clear information
  • Increasing transparency in capital markets with uniform rules for order execution and reporting requirements
  • Avoiding conflicts of interest in trading securities and derivatives
  • Disclosure of all associated costs and fees so that investors can understand the actual costs of securities transactions

All institutions that offer services in a regulated market must comply with transaction reporting standards. Investment services are affected – banks, brokers, asset managers, insurers with capital market business, and securities trading firms. Violations can be punished with heavy fines of up to five million euros or trading bans.

Recording and Archiving Obligations in Detail

Under Article 16(7) of MiFID II (taping), investment firms are required to record all relevant conversations and electronic communications that relate to client orders or could lead to a transaction. This includes, in particular:

  • Consultations by telephone, video conference, or chat
  • Communication via email, instant messaging, or co-browsing
  • Conversations leading to the conclusion of a transaction or the placement of a client order
  • Changes and cancellations of orders
  • Internal coordination, provided it is related to client orders

All recordings must be stored for at least five years. At the request of supervisory authorities, such as BaFin, this obligation may be extended to seven years. Archiving must be tamper-proof. Every change must be traceable, and the data must be accessible at all times.

Customers must be informed at the beginning of the conversation that a recording is being made. They also have the right to request a copy during the archiving period. If the customer refuses, no advice may be given that relates to the acceptance, transmission, or execution of customer orders.

This is particularly strictly regulated in Germany. According to Section 201 of the German Criminal Code (StGB), the unauthorized recording of conversations is a criminal offence. However, the obligation under MiFID II forms a legal basis. In addition, the Federal Data Protection Act permits processing if it is required or if express consent has been given.

Requirements for MiFID II-Compliant Software

For banks, insurance companies, and financial service providers, compliance with MiFID II requirements in contact centers and customer service is crucial. The right software should meet the following criteria:

  • Omnichannel recording of telephone, video, chat, and email
  • Option for automatic or demand-driven recording
  • Audit-proof data storage for at least five years, up to seven years if required
  • Compliance with compliance requirements with verifiability for internal and external audits
  • Quick provision for investors or supervisory authorities
  • Efficient search and filter functions with clear assignment
  • Audit trails for traceability of changes
  • GDPR compliance and advanced governance features such as multi-client capability and encryption

Implementation

The legal requirements are clear, but implementation is complex. Institutions must ensure that all communication channels are documented in an audit-proof manner.

Omnichannel recording as a basis

With Recording Insights, ASC offers a solution that centrally records, encrypts, and archives telephone calls, video conferences, chats, and mobile communications in an unalterable manner. This enables banks to provide complete evidence at any time.

Integration into Microsoft Teams and other platforms

Recording Insights is certified as a native app for Microsoft Teams and is also approved for the Microsoft Industry Cloud for Financial Services. In addition, other channels such as traditional telephony or Zoom calls can be integrated to achieve true omnichannel coverage.

AI-Supported Compliance Monitoring

Beyond simple archiving, banks can use AI-powered analytics tools to automatically check their communication data for risks. AI Policy Templates allow regulatory requirements from MiFID II and other regulations such as FCA or Dodd-Frank to be mapped directly. This enables risks such as off-channel communication or inappropriate product recommendations to be identified early on and compliance processes to be efficiently automated.

Michael Krause
Vice President Sales Central & Eastern Europe

Michael Krause is Vice President Sales Central & Eastern Europe at ASC Technologies AG. He has been active in the financial environment for many years and renowned institutions among them banks, insurance companies, stock exchanges and other financial service providers in central Europe. His expertise in sales and service management, business development as well as in sales and distribution of IT solutions proves advantageous in his reach of responsibility: operative and strategic sales activities of ASC Technologies AG with partners and final customers in Europe.

Disclaimer

Please note that we do not provide legal advice and that this information cannot replace legal review or consultation.

Man sits at his desk and checks financial documents in the office to ensure financial compliance.

Safe Data Storage for your communication recordings with Microsoft Azure Cloud
EU flags waving in front of a building – Symbolizing data protection and GDPR

How to Navigate the Challenges and Opportunities of the EU Artificial Intelligence Act (EU AI Act)
Financial consultant holds a video conference with her team via Microsoft Teams.

How to Enable Compliance Recording and Analytics Within Microsoft Teams
To the overview of the blog articles
Cookies and data processing

This website uses cookies and similar functions to process end device information and personal data. The processing serves the integration of content, external services and elements of third parties, statistical analysis and personalized advertising. Depending on the service, data may be passed on to third parties in the process. By combining this data with other data, it may be possible to create user profiles.

We need your consent for this. Your consent is voluntary, not required for the use of our website and can be rejected or revoked at any time on the "privacy policy" page.

Further information in the data privacy statement