- MiFID II requires firms to record telephone conversations and electronic communications that relate to the reception, transmission and execution of orders.
- Records of such communications must generally be kept for a period of at least five years, extendable to seven where a competent authority requires it.
- The recording obligation covers communications intended to result in a transaction, even where they do not in fact lead to one.
- Firms must take all reasonable steps to prevent relevant conversations on private or unmonitored equipment that the firm cannot record.
- Recorded communications contain personal data, so they are processed under the UK GDPR and the Data Protection Act 2018 alongside the recording duty.
MiFID II requires investment firms to record all phone and electronic communications about transactions, retain them for at least five years, and configure VoIP so relevant calls cannot be made on unrecorded lines.
Last reviewed: June 2026
What MiFID II requires firms to record
For investment firms, recording a client call is not a courtesy but a legal duty. The Markets in Financial Instruments Directive II, known as MiFID II, requires firms to record telephone conversations and electronic communications that relate to the reception, transmission and execution of client orders, as well as dealing on own account. The obligation is deliberately broad. It captures the full arc of a transaction, from the early conversation that is intended to result in a deal through to the instruction itself, and it applies even when the conversation does not end in a completed trade.
The purpose is to give both the firm and the regulator a reliable, time-stamped account of what was said and agreed. That record supports market integrity, helps resolve disputes about what a client instructed, and provides evidence in any investigation into potential market abuse. Because the duty attaches to the substance of the communication rather than the channel, it applies to landline calls, mobile calls and electronic messages alike, and that channel-neutral scope is exactly why a VoIP deployment needs careful configuration.
Retention and access
Recording is only half of the obligation; the records must then be kept and remain usable. Under MiFID II, records of relevant communications must generally be retained for a period of at least five years, and a competent authority may require them to be kept for up to seven years. Throughout that period the records must be stored in a durable medium that prevents tampering or unauthorised alteration, must be readily accessible to the regulator on request, and must allow the firm to reconstruct each stage of a transaction. A recording that exists but cannot be retrieved or verified does not satisfy the duty.
Retention sits alongside data protection law. Because a recording of a client call contains personal data, it is processed under the UK GDPR and the Data Protection Act 2018, which means the firm needs a lawful basis, appropriate security and controlled access in addition to meeting the MiFID retention period. In practice the two regimes are complementary: the recording duty sets the minimum retention, and data protection law governs how the records are secured and who may access them. Clients should also be informed that relevant calls are recorded before any such service is provided.
MiFID II call recording requirements for financial firms
The table below summarises the core elements an investment firm should build into its telephony and recording arrangements. It is a planning summary, and firms should map each element to their own compliance assessment.
| Requirement | What MiFID II expects |
|---|---|
| Scope of recording | All calls and messages relating to transactions, including those intended to lead to one |
| Retention period | At least five years, up to seven if a competent authority requires |
| Storage integrity | Durable medium preventing tampering or deletion |
| Accessibility | Records readily retrievable for the regulator on request |
| Unmonitored devices | Reasonable steps to prevent relevant talk on equipment the firm cannot record |
| Client notification | Clients informed that relevant communications are recorded |
Configuring VoIP for compliance
Because the recording obligation is channel-neutral, it plainly applies to VoIP calls, and a VoIP platform must be configured so that every line used for transaction-related business captures and stores the conversation automatically. The recording should not depend on a member of staff remembering to start it, since a duty that relies on manual action will eventually be missed. The system should also time-stamp recordings, link them to the relevant transaction or client where possible, and write them to durable storage that prevents later alteration and supports retrieval for the full retention period.
Equally important is closing off the gaps. MiFID II expects firms to take all reasonable steps to prevent relevant conversations taking place on private or unmonitored equipment that the firm cannot record, so policies, staff training and technical controls should steer all transaction-related communication onto recorded channels. Where a client does reach a member of staff on an unrecorded line, the firm should have a defined procedure to move the conversation onto a recorded channel before any instruction is taken. Periodic testing of the recording estate, confirming that calls are captured, stored intact and retrievable, is what turns a configured system into a demonstrably compliant one.
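One way to run the periodic test described above, as an added example that is not code from the original page: it reconciles call detail records for in-scope lines against a recording manifest and reports calls that were not captured, cannot be retrieved, or no longer match the hash stored at write time. The extension numbers, record fields and in-memory store are assumptions, and all sample data is constructed.

```python
import hashlib
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=5 * 365)  # the page's minimum; an authority may require up to seven years
IN_SCOPE = {"2001", "2002"}          # hypothetical extensions used for transaction-related business

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit(cdrs, manifest, store, now):
    """Return {call_id: finding} for each in-scope call inside retention that fails a check."""
    findings = {}
    for cdr in cdrs:
        age = now - cdr["start"]
        if cdr["ext"] not in IN_SCOPE or age > RETENTION:
            continue  # out of scope, or past the minimum retention period
        entry = manifest.get(cdr["call_id"])
        blob = store.get(entry["path"]) if entry else None
        if entry is None:
            findings[cdr["call_id"]] = "not captured"          # call happened, no recording
        elif blob is None:
            findings[cdr["call_id"]] = "not retrievable"       # manifest entry, audio missing
        elif sha256(blob) != entry["sha256"]:
            findings[cdr["call_id"]] = "altered since write"   # audio differs from stored hash
    return findings

def sample_audit():
    """Run the audit over constructed sample data (not real call records)."""
    def call(cid, ext, y, m, d):
        return {"call_id": cid, "ext": ext, "start": datetime(y, m, d, tzinfo=timezone.utc)}
    cdrs = [
        call("c1", "2001", 2026, 5, 1),   # recorded and intact
        call("c2", "2002", 2026, 5, 2),   # never recorded
        call("c3", "2001", 2024, 3, 1),   # audio lost from storage
        call("c4", "2002", 2025, 9, 9),   # audio changed after write
        call("c5", "3001", 2026, 5, 3),   # out-of-scope extension
        call("c6", "2001", 2019, 1, 10),  # older than the retention minimum
    ]
    store = {"rec/c1.wav": b"audio-1", "rec/c4.wav": b"audio-4-edited"}
    manifest = {
        "c1": {"path": "rec/c1.wav", "sha256": sha256(b"audio-1")},
        "c3": {"path": "rec/c3.wav", "sha256": sha256(b"audio-3")},
        "c4": {"path": "rec/c4.wav", "sha256": sha256(b"audio-4")},
    }
    return audit(cdrs, manifest, store, datetime(2026, 6, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for call_id, finding in sample_audit().items():
        print(call_id, finding)
```

The manifest of write-time hashes only supports the integrity check if it is kept separately from the audio it describes, under tighter write access.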
Regulatory expectations and oversight
In the United Kingdom the conduct regime that implements these requirements sits within the rules applying to authorised firms, and a firm should treat recording as a continuous control rather than a one-off setup. The regulator expects records to be complete, accurate and available, and a failure in the recording estate can itself be a compliance breach independent of any underlying market conduct issue. That is why monitoring of the recording system, prompt remediation of any gap, and clear ownership of the control all matter as much as the initial configuration.
Governance ties the technical and legal threads together. A firm should know which lines and channels are in scope, hold a documented policy on recording and retention, train staff on the prohibition of relevant business on unmonitored devices, and keep evidence that its VoIP recording works as intended. Because the records also contain personal data, the firm's data protection controls must run in parallel, securing the recordings and limiting access while the MiFID retention clock runs. Built this way, the recording function protects the firm, its clients and the integrity of the market it operates in.
Frequently Asked Questions
What does MiFID II require for call recording?
MiFID II requires investment firms to record telephone conversations and electronic communications that relate to the reception, transmission and execution of orders, including dealing on own account. The duty extends to communications intended to result in a transaction even if no trade follows. The records must be stored securely and be available to the regulator.
How long must financial services firms keep call recordings?
Records of relevant communications must generally be retained for a period of at least five years, and a competent authority may require them to be kept for up to seven years. Throughout that time they must be stored in a way that prevents tampering and remains readily retrievable. The retention duty runs alongside data protection obligations on how the records are secured.
Does MiFID II apply to VoIP calls?
Yes. Because the recording obligation attaches to the substance of the communication rather than the technology used, it applies to VoIP calls just as it does to landline and mobile calls. A VoIP system used for transaction-related business must be configured to record and retain those calls automatically. Relying on manual recording is not a sound basis for compliance.
What if a client calls on an unrecorded line?
Firms are expected to take all reasonable steps to prevent relevant conversations on equipment the firm cannot record. If a client reaches staff on an unrecorded line, the firm should have a procedure to move the conversation onto a recorded channel before any instruction is taken. Policies, training and technical controls should steer transaction-related talk onto recorded lines.
How do I ensure my VoIP system is MiFID II compliant?
The system should record transaction-related calls automatically, time-stamp them, write them to durable tamper-resistant storage and keep them retrievable for the full retention period. Firms should close off unrecorded channels through policy and controls, inform clients that calls are recorded, and test the recording estate periodically. These steps should be mapped to the firm's own compliance assessment.