MiFID II Video Recording: Compliant Video Calls for Financial Firms
Legal disclaimer: This article is for informational purposes only and does not constitute legal advice. Requirements under MiFID II, GDPR, and applicable national regulations vary by firm type, jurisdiction, and activity. Consult qualified legal counsel for guidance specific to your organisation.
In 2024, national competent authorities across the European Economic Area issued 294 sanctions specifically under MiFID II and MiFIR, totalling nearly EUR 44.5 million, according to ESMA's 2024 Annual Sanctions Report. Across all EU financial regulations combined, regulators imposed over 970 sanctions for an aggregate of more than EUR 100 million in the same year. MiFID II/MiFIR was, alongside the Market Abuse Regulation, one of the two most heavily enforced regimes. Many of these enforcement actions involved failures in the recording and retention of client communications. That category now explicitly includes video calls.
Hybrid advisory is no longer a pandemic workaround. It is the default. Wealth managers, investment advisers, and compliance officers are conducting client meetings and advisory sessions on video platforms every day. The regulatory expectation from ESMA, the FCA, and BaFin is that the same discipline applied to telephone recording for years must now extend to every video call where investment services are discussed or provided.
The problem is that most video platforms were not built with this in mind. This article covers what MiFID II actually requires for video recording, how it intersects with GDPR, and what genuinely compliant video infrastructure looks like in practice.
Table of contents
- Why financial services need purpose-built video conferencing
- MiFID II recording requirements: what the law actually says
- GDPR intersection: meeting both obligations
- Encryption, integrity, and audit trail requirements
- Data retention policies for financial video records
- Evaluation checklist: choosing a platform for financial compliance
- How Digital Samba meets financial compliance requirements
- Integration with financial compliance infrastructure
- Platform comparison: Zoom, Teams, Webex, and Digital Samba
- FAQ
Why financial services need purpose-built video conferencing
The shift from phone-based advisory to video conferencing has been structural and lasting. Post-COVID hybrid working accelerated a transition already under way, and regulators have adapted their expectations accordingly.
Under MiFID II, video calls qualify as 'electronic communications' for the purposes of the recording obligation in Article 16(7). ESMA has been consistent on this point: the regulatory expectation is not limited to telephone calls. Any communication conducted via a platform that could lead to the provision of investment services or the execution of a transaction is within scope, regardless of the channel used. The scope is narrower than it might first appear, however. Article 16(7) applies specifically to communications relating to client order services (receiving, transmitting, and executing client orders) and to dealings on own account. KYC and AML identity verification calls sit under separate regimes, and internal committee meetings that do not involve receiving or executing client orders are not in scope. Investment-advice-only firms may also qualify for a national-discretion exemption under Article 3 of MiFID II, which can replace the full recording obligation with a contemporaneous-note requirement. Check your specific activity scope with legal counsel before deciding which sessions require the full Article 16(7) regime.
The FCA has applied equivalent requirements in its SYSC 10A framework. UK firms should note that since Brexit, and following the FCA's PS25/13 policy statement in October 2025, the recording rules have been domesticated into the FCA Handbook as a standalone UK regime. The substantive requirements are similar, but the legal basis is now FCA SYSC 10A, not Directive 2014/65/EU directly. Firms with cross-border UK/EU advisory activity face dual-jurisdiction obligations. BaFin applies equivalent standards in Germany.
The non-compliance risks are material and escalating. Fines under MiFID II can reach EUR 5 million or 10 per cent of annual turnover, whichever is higher. Beyond financial penalties, firms face licence revocation, increased supervisory scrutiny, and reputational damage that is hard to put a number on but easy to avoid.
The challenge is that platforms built for general enterprise collaboration (such as Zoom, Microsoft Teams, and Cisco Webex) were not designed to meet these requirements out of the box. Recording is typically user-initiated or scheduling-dependent. Storage defaults may be US-based. Immutability, chain-of-custody logging, and API-driven archival integration are either absent or require significant additional tooling. For firms that need video calls that banking regulators will actually accept, this creates a meaningful gap.
MiFID II recording requirements: what the law actually says
Article 16(7) of Directive 2014/65/EU is the core provision. It requires investment firms to record telephone conversations and electronic communications that relate to transactions concluded when dealing on own account and to the provision of client order services covering the reception, transmission, and execution of orders.
Article 16(7) Subparagraph 2 extends the obligation beyond completed transactions. This is where many firms misunderstand the scope: as ESMA confirmed in Q&A 2416 (answer published June 2025), communications intended to result in the conclusion of transactions must also be recorded, even if no transaction ultimately occurs. The scope covers any conversation that could lead to a transaction, not just those that do.
What must be captured goes beyond a simple audio or video stream:
- Audio and video streams, combined with any screen share activity
- Participant identities: name, role, firm affiliation as applicable
- Start and end timestamps and session duration
- Session metadata: room or meeting identifier, connection method, participants joined/left events
- Chat messages exchanged during the session
Retention under Article 16(6) is a minimum of five years, extendable to seven at the request of the competent authority. BaFin, for example, may request the seven-year extension; firms operating in Germany should plan for seven years by default rather than treating the five-year period as a reliable ceiling.
Accessibility requirements mean that recordings must be provided to regulators promptly on request and must remain readable and non-degraded throughout the retention period. Searchability by client name, date, and adviser is an operational expectation, not a nice-to-have.
Firm-controlled recording infrastructure is a firm requirement. ESMA's Q&A guidance is clear that investment firms cannot rely on participants' own devices to capture recordings. The firm must control the recording infrastructure. If a client joins a video call from their own device and records it locally, that recording does not satisfy the firm's obligations under Article 16(7). The firm's platform must independently capture and retain the session.
GDPR intersection: meeting both obligations
The most common question compliance officers face when implementing video recording workflows is how to reconcile MiFID II's mandatory recording obligation with GDPR's principles of consent and data minimisation.
The answer is simpler than it first appears.
- Lawful basis for recording. GDPR Article 6(1)(c) provides a lawful basis for processing where it's necessary to comply with a legal obligation. MiFID II Article 16(7) is precisely such a legal obligation. Explicit consent from the participant is not required, and should not be relied upon, because consent can be withdrawn. The legal obligation basis is the correct and appropriate one for regulatory recording.
- Transparency is still mandatory. GDPR Articles 13 and 14 require that data subjects be informed about the processing of their personal data. For video call recordings, this means participants must be told at the start of the session that the call is being recorded and for what purpose. The standard approach is an automated disclosure at session start: "This call is being recorded for regulatory compliance purposes in accordance with MiFID II requirements." This satisfies the GDPR transparency requirement without requiring active consent.
- Data subject rights in the retention period. Clients can exercise their Article 15 right of access to request a copy of their recording. However, the Article 17 erasure right does not override the MiFID II retention obligation. Where a legal obligation requires data to be retained, the controller is not required to comply with an erasure request. GDPR Article 17(3)(b) makes this explicit. The recording must be kept for the full regulatory period.
- Retention conflict resolved in MiFID II's favour. GDPR's storage limitation principle requires that personal data is kept no longer than necessary for the purpose for which it was processed. MiFID II's five-to-seven-year retention requirement is the specific legal obligation that defines 'necessary' in this context. MiFID II operates as lex specialis, meaning the more specific rule prevails. Firms should not delete recordings to comply with GDPR if MiFID II requires them to be retained.
- Cross-border considerations. Where a client is based in a different EU jurisdiction from the adviser, the data residency requirements of both jurisdictions apply. Recordings must be stored within EU infrastructure and, where national law imposes additional requirements (for example, German data localisation requirements for certain regulated activities), those must also be respected.
Encryption, integrity, and audit trail requirements
Regulatory compliance for video recordings is not only about capturing the call. It is also about protecting it against tampering, controlling access, and maintaining a complete chain of custody from creation to deletion.
- Encryption requirements. Recordings must be protected against unauthorised access (confidentiality) and against alteration (integrity). The regulatory basis for encryption at rest is GDPR Article 32, which requires appropriate technical and organisational measures to protect personal data. AES-256 encryption for stored recordings and backup data is the current industry standard for satisfying this requirement. Article 76 of Commission Delegated Regulation 2017/565 sets the policy and quality framework for recordings, including tamper-proof storage requirements, but the specific encryption standard derives from GDPR Article 32.
- Integrity verification. A cryptographic hash generated at the point of capture provides a tamper-evident mechanism: if the recording file is subsequently altered, the hash will no longer match. Some regulators interpret the 'non-degraded' requirement as implying append-only or WORM (Write Once Read Many) compliant storage, which prevents both overwriting and deletion before the retention period expires.
- Audit trail requirements. Every access to a recording must be logged: who accessed it, when, from which system, and for what stated purpose. This chain of custody serves as the evidential record of proper handling throughout the retention lifecycle. The audit log itself must be stored separately from the recordings and must be protected against modification.
- Chain of custody from creation to deletion. Compliance does not end at the point of capture. Firms must be able to demonstrate continuous, controlled custody of each recording from the moment it's created until it's securely deleted after the retention period. Deletion after the retention period must itself be documented: a deletion timestamp, confirmation that the content was securely destroyed, and a retained metadata record confirming when the recording was created and when it was destroyed.
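The three mechanisms above (a capture-time hash, an access log that cannot be silently edited, and a custody record that survives for the whole lifecycle) can be sketched in a few dozen lines. The following is an added illustration, not Digital Samba's code or any regulator's prescribed format: it assumes the firm keeps a manifest (SHA-256 of the media file plus session metadata) separately from the recording itself, and appends every access to a log in which each entry commits to the hash of the previous entry, so that editing, reordering or dropping an entry breaks the chain. The field names and sample values are constructed for the example.

```python
"""Tamper-evident capture manifest and hash-chained access log (illustrative)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(entry: dict) -> bytes:
    # Deterministic serialisation so the same entry always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def capture_manifest(media: bytes, metadata: dict) -> dict:
    """Build the manifest at the point of capture; store it apart from the media."""
    return {"content_sha256": sha256_hex(media), "metadata": dict(metadata)}


def verify_recording(media: bytes, manifest: dict) -> bool:
    """True only if the media file still matches the hash taken at capture."""
    return sha256_hex(media) == manifest["content_sha256"]


class AuditLog:
    """Append-only access log; each entry carries the hash of its predecessor."""

    def __init__(self):
        self.entries = []

    def append(self, actor, action, recording_id, system, purpose, at=None) -> dict:
        at = at or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "actor": actor,            # who
            "action": action,          # playback / download / delete / ...
            "recording_id": recording_id,
            "system": system,          # from which system
            "purpose": purpose,        # stated purpose
            "at": at,                  # when
            "prev_hash": prev,
        }
        entry = dict(body, entry_hash=sha256_hex(canonical(body)))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every hash and link; any edit or removed entry returns False."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or sha256_hex(canonical(body)) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


if __name__ == "__main__":
    media = b"constructed stand-in for an MP4 recording"
    manifest = capture_manifest(media, {"room_id": "room-42", "adviser": "a.example"})
    log = AuditLog()
    log.append("compliance.officer", "playback", "rec-1", "archive-ui", "supervisory review")
    print(verify_recording(media, manifest), log.verify_chain())
```

The manifest and the log are deliberately separate objects from the recording, mirroring the requirement that the audit log live apart from the media store; a WORM bucket or object lock would protect both at the storage layer, while the hash chain lets a reviewer confirm the log's integrity independently of that storage.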
Data retention policies for financial video records
- The five-year baseline. Article 16(6) of MiFID II sets a minimum retention period of five years from the date of recording. The retention clock starts at the date the recording is created, not at the date a transaction is completed or an order is executed.
- Planning for seven years. Competent authorities can extend the retention obligation to seven years on request. BaFin and other national authorities have exercised this option. Any firm under active investigation or supervisory review may face such a request. The safe assumption is to plan for seven-year retention by default.
- Backup and redundancy. Backup copies of recordings must be geographically separated from the primary store, encrypted using the same standards as primary storage, and regularly tested for restoration. A backup that cannot be successfully restored is not a compliant backup.
- Secure deletion. After the applicable retention period has elapsed, recordings must be securely deleted, meaning the data must be overwritten so that recovery is impossible. The deletion event must be logged, including the date, the recording identifier, and confirmation that destruction was completed. Metadata records (date, participants, duration, deletion timestamp) should be retained after content deletion as proof of compliant handling throughout the lifecycle.
Evaluation checklist: choosing a platform for financial compliance
Use this checklist as a starting framework when evaluating video platforms for MiFID II compliance in 2026. It is not exhaustive, and your legal team should conduct a full gap assessment against applicable national requirements.
Recording infrastructure
- Server-side, automatic recording, not user-initiated or dependent on participant action
- Configurable enforcement per room type, so compliance officers can mandate recording for all client-facing rooms
- Output includes combined audio, video, and screen share in a durable, non-proprietary format (MP4)
Encryption and integrity
- AES-256 encryption at rest for all recordings and backups
- TLS 1.3 / DTLS-SRTP for media streams in transit
- Tamper-evident storage (cryptographic hash or WORM-compliant)
Access control and audit trail
- Role-based access control for recording playback, download, and deletion
- Immutable access logs: who accessed each recording, when, from which system
- Logs stored separately from production recording storage
Retention and deletion
- Configurable retention periods (minimum 5 years, up to 7)
- Secure deletion with documented proof of destruction
- Metadata retention after content deletion
EU data residency
- All recordings stored within EU infrastructure
- No data transferred to third-country infrastructure without adequate safeguards
- Sub-processors identified, with EU locations confirmed in DPA
Archival integration
- REST API or webhook-based export to compliance archival systems (NICE, Verint, Global Relay)
- Session metadata accessible alongside recording content for searchable archive
DPA and compliance documentation
- GDPR Article 28-compliant Data Processing Agreement available
- Security whitepaper or equivalent architecture documentation available for regulatory review
How Digital Samba meets financial compliance requirements
We built our platform for enterprise compliance from the ground up. Each requirement in the checklist above maps to a specific, documented feature. Note that platform documentation alone does not substitute for your own legal and technical assessment before treating any solution as compliant for your firm's specific obligations.
- Recording infrastructure. The Recordings API enables server-side capture that is automatic, policy-driven, and not dependent on any participant action. Compliance officers can configure automatic recording at the room level, ensuring every client-facing session is captured without relying on hosts to initiate recording manually. Output is a combined MP4 file (audio, video, and screen share) accessible via the REST API or the dashboard.
- Encryption at rest. AES-256 encryption is applied to all stored recordings and backup data, satisfying the GDPR Article 32 requirement for appropriate technical measures. Encryption key management follows a defined cryptography policy.
- Encryption in transit. TLS 1.3 is the standard for all web traffic (TLS 1.2 minimum), with DTLS-SRTP for media streams (§3.1). HSTS is enforced on all web services.
- Access control. RBAC with host, moderator, and participant roles is enforced server-side so clients cannot escalate their own permissions (§4.2). Scoped API keys restrict integration access to specific operations. Token authentication per session ensures only pre-authorised participants can join.
- Audit logging. The platform logs authentication events, API access, administrative actions, and security events (§12). Audit logs are stored separately from production systems.
- EU data residency. Production infrastructure is hosted in the Netherlands and across multiple EU countries via Scaleway; backup infrastructure is in Germany. No application or session data is stored outside the EU (§9.4). Infrastructure sub-processors include Leaseweb NL, Leaseweb DE, Scaleway, and Exoscale; the full sub-processor list is available in the DPA on request.
- Backup and recovery. Daily backups with 90-day rolling retention, AES-256 encrypted, geographically separated from Netherlands to Germany (§7.2). Quarterly restoration testing confirms recoverability.
- Archival integration. The REST API provides programmatic access to recordings, session metadata, and participant data. Firms can export to their own archival or surveillance systems on a scheduled or event-driven basis via webhooks (see integration detail below).
- On-premises deployment. For firms requiring full infrastructure control (for example, private banks with strict data sovereignty requirements), we offer an on-premises deployment. The customer operates all platform components on their own infrastructure, manages their own encryption keys, and controls data retention independently (§2).
- E2EE for internal sessions. For board calls, internal strategy discussions, or any session where regulatory recording is not required, E2EE provides maximum confidentiality (§3.3). E2EE disables server-side recording by design, which is the correct architectural choice. Compliance officers can configure per room: E2EE on for internal calls, E2EE off with automatic recording on for client advisory sessions.
- DPA. Available on request, covering video recording as a processing activity. GDPR Article 28 compliant with all infrastructure providers (§8.2). Contact security@digitalsamba.com to request.
Integration with financial compliance infrastructure
Recording a session is only the first step. For a video platform to fit into a firm's existing compliance stack, it must connect with archival, surveillance, and eDiscovery systems without manual intervention.
Our REST API and webhook events provide that integration layer. Three key webhook events drive compliance workflows: session.started, session.ended, and recording.available. A typical MiFID II-compliant archival pattern works as follows:
- The recording.available webhook triggers automatically when a session ends.
- The firm's integration layer downloads the recording via REST API.
- The file is ingested into the archival system (NICE, Verint, Global Relay, or equivalent).
- The archival system confirms successful ingestion.
- The recording is optionally removed from Digital Samba's storage, with the archival system now holding the copy of record.
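The safety property in this pattern is the ordering of the last two steps: the copy on the video platform is removed only after the archive has confirmed that it holds an intact copy of record. The following added example, not Digital Samba's API client, shows a webhook handler that enforces that ordering. The event name `recording.available` is the one the page names; the payload fields, the `download`, `archive_ingest` and `delete_source` callables, and the archive receipt format (`ok` plus the SHA-256 the archive computed on what it stored) are assumptions, with in-memory stand-ins so the example runs offline.

```python
"""recording.available -> download -> ingest -> confirm -> delete source (illustrative)."""
import hashlib


def handle_recording_available(event: dict, download, archive_ingest, delete_source) -> dict:
    """Process one webhook event; never delete the source before the archive confirms."""
    if event.get("type") != "recording.available":
        return {"status": "ignored", "reason": "not a recording.available event"}

    rec_id = event["recording_id"]
    media = download(rec_id)                              # step 2: fetch via REST API
    local_digest = hashlib.sha256(media).hexdigest()

    receipt = archive_ingest(rec_id, media, event.get("session", {}))  # step 3
    # Step 4: the archive is trusted only if it confirms and its hash matches ours.
    if not receipt.get("ok") or receipt.get("sha256") != local_digest:
        return {"status": "failed", "recording_id": rec_id, "source_retained": True}

    delete_source(rec_id)                                 # step 5: archive is now copy of record
    return {"status": "archived", "recording_id": rec_id, "sha256": local_digest,
            "source_retained": False}


class FakeSource:
    """Stand-in for the platform's recording storage (constructed for the example)."""

    def __init__(self, recordings: dict):
        self.recordings = dict(recordings)

    def download(self, rec_id: str) -> bytes:
        return self.recordings[rec_id]

    def delete(self, rec_id: str) -> None:
        del self.recordings[rec_id]


class FakeArchive:
    """Stand-in for NICE/Verint/Global Relay-style ingestion (constructed)."""

    def __init__(self, corrupt: bool = False):
        self.stored = {}
        self.corrupt = corrupt   # simulate an archive that stored a damaged file

    def ingest(self, rec_id: str, media: bytes, session_meta: dict) -> dict:
        stored = media[:-1] if self.corrupt else media
        self.stored[rec_id] = {"media": stored, "meta": session_meta}
        return {"ok": True, "sha256": hashlib.sha256(stored).hexdigest()}


def run_pipeline(event: dict, source: FakeSource, archive: FakeArchive) -> dict:
    return handle_recording_available(event, source.download, archive.ingest, source.delete)


if __name__ == "__main__":
    src = FakeSource({"rec-1": b"constructed media bytes"})
    evt = {"type": "recording.available", "recording_id": "rec-1",
           "session": {"room_id": "room-42", "adviser": "a.example"}}
    print(run_pipeline(evt, src, FakeArchive()), src.recordings)
```

Keying the archive record on the session metadata carried in the event (room, adviser, timestamps) is what later makes the archive searchable by client, date and adviser as the accessibility requirement expects.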
Session metadata (session identifiers, participant lists, timestamps, room configuration) can be combined with CRM data to create a searchable compliance archive that satisfies the MiFID II accessibility requirement: recordings retrievable by client name, date, and adviser. For firms with existing surveillance platforms, this means video recordings sit alongside telephone and chat records in a unified compliance interface, which is exactly the model regulators expect to see.
Platform comparison: Zoom, Teams, Webex, and Digital Samba
Standard enterprise platforms share common limitations that matter for MiFID II compliance. The table below maps each platform against the requirements that matter most for financial services recording obligations.
| Requirement | Zoom | Microsoft Teams | Cisco Webex | Digital Samba |
|---|---|---|---|---|
| Server-side automatic recording | Partial: admin-enforceable via group policy; bypass via local recording possible | Partial: admin-enforceable via meeting policy; gaps for some session types | Partial: requires admin configuration | Yes: native, server-side, policy-enforced per room (no host action required) |
| Covers peer-to-peer and unscheduled calls | Partial: scheduled sessions only by default | No: P2P calls and private chats not captured | Partial | Yes: all room types configurable |
| EU-only data residency (native) | Partial: US-based by default; EU storage via region settings on paid plans | No: requires specific EU tenant setup | Yes: full EU data residency (Frankfurt/Amsterdam); EDPS approval July 2023 | Yes: Netherlands (production), Germany (backup); no data outside EU |
| US CLOUD Act exposure | Yes: US-incorporated | Yes: US-incorporated | Partial: EU hosting reduces exposure; sovereign-controls product with EU-based key management (Eviden, Deutsche Telekom) | None: EU-headquartered (Spain); no US entity processes recording or session data |
| AES-256 encryption at rest | Yes | Yes | Yes | Yes |
| End-to-end encryption (E2EE) | Optional: disables cloud recording | Limited: constrains compliance recording | Optional: disables server-side recording | Yes: configurable per room (E2EE on for internal, off for recorded client sessions) |
| Tamper-evident storage / integrity verification | Yes, but third-party tooling required | Yes, but third-party tooling required | Yes, but third-party tooling required | Yes, but third-party tooling required |
| Immutable audit log for recording access | Yes, but third-party tooling required | Yes, but third-party tooling required | Yes, but third-party tooling required | Yes, but third-party tooling required |
| Configurable retention up to 7 years | Yes: admin-configurable retention policies | Yes: configurable via Microsoft Purview | Yes: configurable via Control Hub | Yes: customer-controlled deletion via dashboard or API |
| REST API / webhook for archival export | Yes | Yes | Yes | Yes: recording.available webhook event for direct export |
| On-premises deployment option | No | No | Partial: on-premises gateway in specific configurations | Yes: full on-premises deployment with customer-controlled encryption keys |
| GDPR Article 28 DPA available | Yes | Yes | Yes | Yes |
Certified compliance recorders such as ASC Technologies, Theta Lake, NICE, Verint, and Global Relay are the established industry approach for extending any video conferencing platform to meet full MiFID II tamper-evidence and audit-grade retention requirements. They are used by many of the largest regulated firms in Europe and recognised by ESMA. The relevant questions for any procurement decision are all-in cost, integration effort, and how cleanly the platform's native capabilities (residency, recording control, API access) integrate with the chosen archive. Evaluate all platforms against your regulatory requirements and with the guidance of qualified legal counsel.
FAQ
Yes, where the video call relates to the provision of investment services or could lead to a transaction. Article 16(7) of MiFID II requires investment firms to record all telephone conversations and electronic communications in scope, and video calls qualify as electronic communications. ESMA Q&A 2416 (answer published June 2025) confirmed that communications intended to result in transactions must be recorded even if no transaction ultimately occurs. The obligation applies to client order services and dealings on own account. KYC/AML verification calls and internal committee meetings that do not involve receiving or executing client orders are generally not in scope under Article 16(7). The obligation applies to the firm: it must control the recording infrastructure and cannot rely on participants recording calls on their own devices.
Article 16(6) sets a minimum retention period of five years from the date of recording. Competent authorities can extend this to seven years on request. The retention clock starts from the date of recording, not from the date of any resulting transaction. Given that national authorities including BaFin have exercised the seven-year extension, firms should plan their storage architecture for a seven-year retention horizon as the operational default.
Explicit consent is not required. The lawful basis for recording is GDPR Article 6(1)(c) (compliance with a legal obligation), which does not require consent. However, informing participants that the call is being recorded remains mandatory under the GDPR transparency principle (Articles 13 and 14). The standard approach is an automated disclosure at session start, informing participants that the call is being recorded for regulatory compliance purposes. Relying on consent would be incorrect, as consent can be withdrawn, which would conflict with the mandatory recording obligation.
Yes, provided the encryption is implemented correctly and the audit trail is maintained. AES-256 encryption at rest satisfies the confidentiality requirement under GDPR Article 32. Tamper-evident storage through cryptographic hashing at the point of capture, or WORM-compliant storage, satisfies the integrity requirement. The audit trail must document every access to each recording: who accessed it, when, and for what purpose. Encryption alone is not sufficient; chain-of-custody logging is an equally important component of regulatory audit readiness.
The audit trail must cover the complete lifecycle of each recording: creation (timestamp, session metadata, participant identities), all access events (who accessed the recording, when, from which system), any administrative actions (retention adjustments, legal holds), and the deletion event after the retention period (date, secure destruction confirmation). The audit log must be stored separately from the recordings and must itself be protected against modification. Metadata records (date, participants, duration, deletion timestamp) should be retained even after the recording content is deleted, as proof of compliant handling throughout the retention lifecycle.
What compliant video infrastructure looks like in 2026
MiFID II's recording obligations have always extended to video calls. What has changed is the volume of video-based advisory activity now falling within scope, and the intensity of regulatory enforcement being applied to firms that fail to treat video as the regulated communication channel it is.
A consumer-grade video platform with optional recording isn't compliant infrastructure. What MiFID II compliance actually requires in 2026 is server-side automatic recording, encryption with integrity verification, EU data residency, role-based access control, complete audit logging, and API-driven archival integration into your existing compliance stack. That's what we built Digital Samba to provide.
- Request a demo to see recording, encryption, and compliance features in action.
- Download our Security Whitepaper for full technical architecture details, including encryption specifications, access control, and sub-processor documentation.
- Explore the platform's features for a full overview of recording and compliance capabilities.
References
- ASC Technologies. (2025, August 5). MiFID II: What financial service providers need to know about call recording under the EU directive.
- Association for Financial Markets in Europe (AFME). (2021). Recording requirements for mobile devices, electronic communications and video conferencing.
- Digital Samba. (2026). Security whitepaper: Architecture, encryption, and compliance. Digital Samba S.L.
- European Parliament and Council of the European Union. (2014). Directive 2014/65/EU of the European Parliament and of the Council on markets in financial instruments (MiFID II). Official Journal of the European Union.
- European Securities and Markets Authority (ESMA). (2020, March 20). ESMA clarifies position on call taping under MiFID II.
- European Securities and Markets Authority (ESMA). (2025, June 18). Q&A on MiFID II and MiFIR investor protection and intermediaries topics (ESMA35-43-349). (Q&A 2416 submitted January 2025; answer published June 2025.)
- Financial Conduct Authority (FCA). (2025, October). PS25/13: MiFID organisational regulation policy statement.
- Financial Conduct Authority (FCA). (n.d.). SYSC 10A: Recording telephone conversations and electronic communications. FCA Handbook.
- Jatheon. (2025, August 29). MiFID II regulation and compliance: A comprehensive guide.
- SteelEye. (2023). Is Zoom archiving and supervision your compliance blind spot?
- TrueScreen. (2026). MiFID II recording obligations: Requirements and penalties.
- Wilmac Technologies. (2025, August 15). Understanding what compliant Microsoft Teams recording requires in financial services.