Legal disclaimer: This article is for informational purposes only and does not constitute legal advice. Requirements under MiFID II, GDPR, and applicable national regulations vary by firm type, jurisdiction, and activity. Consult qualified legal counsel for guidance specific to your organisation.
In 2024, national competent authorities across the European Economic Area issued 294 sanctions specifically under MiFID II and MiFIR, totalling nearly EUR 44.5 million, according to ESMA's 2024 Annual Sanctions Report. Across all EU financial regulations combined, regulators imposed over 970 sanctions for an aggregate of more than EUR 100 million in the same year. MiFID II/MiFIR was, alongside the Market Abuse Regulation, one of the two most heavily enforced regimes. Many of these enforcement actions involved failures in the recording and retention of client communications. That category now explicitly includes video calls.
Hybrid advisory is no longer a pandemic workaround. It is the default. Wealth managers, investment advisers, and compliance officers are conducting client meetings and advisory sessions on video platforms every day. The regulatory expectation from ESMA, the FCA, and BaFin is that the same discipline applied to telephone recording for years must now extend to every video call where investment services are discussed or provided.
The problem is that most video platforms were not built with this in mind. This article covers what MiFID II actually requires for video recording, how it intersects with GDPR, and what genuinely compliant video infrastructure looks like in practice.
The shift from phone-based advisory to video conferencing has been structural and lasting. Post-COVID hybrid working accelerated a transition already under way, and regulators have adapted their expectations accordingly.
Under MiFID II, video calls qualify as 'electronic communications' for the purposes of the recording obligation in Article 16(7). ESMA has been consistent on this point: the regulatory expectation is not limited to telephone calls. Any communication conducted via a platform that could lead to the provision of investment services or the execution of a transaction is within scope, regardless of the channel used. The scope is narrower than it might first appear, however. Article 16(7) applies specifically to communications relating to client order services (receiving, transmitting, and executing client orders) and to dealings on own account. KYC and AML identity verification calls sit under separate regimes, and internal committee meetings that do not involve receiving or executing client orders are not in scope. Investment-advice-only firms may also qualify for a national-discretion exemption under Article 3 of MiFID II, which can replace the full recording obligation with a contemporaneous-note requirement. Check your specific activity scope with legal counsel before deciding which sessions require the full Article 16(7) regime.
The FCA has applied equivalent requirements in its SYSC 10A framework. UK firms should note that since Brexit, and following the FCA's PS25/13 policy statement in October 2025, the recording rules have been domesticated into the FCA Handbook as a standalone UK regime. The substantive requirements are similar, but the legal basis is now FCA SYSC 10A, not Directive 2014/65/EU directly. Firms with cross-border UK/EU advisory activity face dual-jurisdiction obligations. BaFin applies equivalent standards in Germany.
The non-compliance risks are material and escalating. Fines under MiFID II can reach EUR 5 million or 10 per cent of annual turnover, whichever is higher. Beyond financial penalties, firms face licence revocation, increased supervisory scrutiny, and reputational damage that is hard to put a number on but easy to avoid.
The challenge is that platforms built for general enterprise collaboration (such as Zoom, Microsoft Teams, and Cisco Webex) were not designed to meet these requirements out of the box. Recording is typically user-initiated or scheduling-dependent. Storage defaults may be US-based. Immutability, chain-of-custody logging, and API-driven archival integration are either absent or require significant additional tooling. For firms that need video calls that banking regulators will actually accept, this creates a meaningful gap.
Article 16(7) of Directive 2014/65/EU is the core provision. It requires investment firms to record telephone conversations and electronic communications that relate to transactions concluded when dealing on own account and to the provision of client order services covering the reception, transmission, and execution of orders.
Article 16(7) Subparagraph 2 extends the obligation beyond completed transactions. This is where many firms misunderstand the scope: as ESMA confirmed in Q&A 2416 (answer published June 2025), communications intended to result in the conclusion of transactions must also be recorded, even if no transaction ultimately occurs. The scope covers any conversation that could lead to a transaction, not just those that do.
What must be captured goes beyond a simple audio or video stream:
Retention under Article 16(6) is a minimum of five years, extendable to seven at the request of the competent authority. BaFin, for example, may request the seven-year extension; firms operating in Germany should plan for seven years by default rather than treating the five-year period as a reliable ceiling.
Accessibility requirements mean that recordings must be provided to regulators promptly on request and must remain readable and non-degraded throughout the retention period. Searchability by client name, date, and adviser is an operational expectation, not a nice-to-have.
Firm-controlled recording infrastructure is a hard requirement. ESMA's Q&A guidance is clear that investment firms cannot rely on participants' own devices to capture recordings. The firm must control the recording infrastructure. If a client joins a video call from their own device and records it locally, that recording does not satisfy the firm's obligations under Article 16(7). The firm's platform must independently capture and retain the session.
The most common question compliance officers face when implementing video recording workflows is how to reconcile MiFID II's mandatory recording obligation with GDPR's principles of consent and data minimisation.
The answer is simpler than it first appears.
Regulatory compliance for video recordings is not only about capturing the call. It is also about protecting it against tampering, controlling access, and maintaining a complete chain of custody from creation to deletion.
The five-year baseline. Article 16(6) of MiFID II sets a minimum retention period of five years from the date of recording. The retention clock starts at the date the recording is created, not at the date a transaction is completed or an order is executed.
Planning for seven years. Competent authorities can extend the retention obligation to seven years on request. BaFin and other national authorities have exercised this option. Any firm under active investigation or supervisory review may face such a request. The safe assumption is to plan for seven-year retention by default.
Backup and redundancy. Backup copies of recordings must be geographically separated from the primary store, encrypted using the same standards as primary storage, and regularly tested for restoration. A backup that cannot be successfully restored is not a compliant backup.
Secure deletion. After the applicable retention period has elapsed, recordings must be securely deleted, meaning the data must be overwritten so that recovery is impossible. The deletion event must be logged, including the date, the recording identifier, and confirmation that destruction was completed. Metadata records (date, participants, duration, deletion timestamp) should be retained after content deletion as proof of compliant handling throughout the lifecycle.
Use this checklist as a starting framework when evaluating video platforms for MiFID II compliance in 2026. It is not exhaustive, and your legal team should conduct a full gap assessment against applicable national requirements.
We built our platform for enterprise compliance from the ground up. Each requirement in the checklist above maps to a specific, documented feature. Note that platform documentation alone does not substitute for your own legal and technical assessment before treating any solution as compliant for your firm's specific obligations.
Recording a session is only the first step. For a video platform to fit into a firm's existing compliance stack, it must connect with archival, surveillance, and eDiscovery systems without manual intervention.
Our REST API and webhook events provide that integration layer. Three key webhook events drive compliance workflows: session.started, session.ended, and recording.available. A typical MiFID II-compliant archival pattern works as follows:
The recording.available webhook fires automatically when a session ends. Session metadata (session identifiers, participant lists, timestamps, room configuration) can be combined with CRM data to create a searchable compliance archive that satisfies the MiFID II accessibility requirement: recordings retrievable by client name, date, and adviser. For firms with existing surveillance platforms, this means video recordings sit alongside telephone and chat records in a unified compliance interface, which is exactly the model regulators expect to see.
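As an added illustration of this archival pattern (example code written for this article, not Digital Samba's SDK, API schema or production code), the Python below models a firm-controlled compliance archive: it verifies and ingests a recording.available webhook, hashes the media so integrity can be checked later, keeps an append-only audit log, supports lookup by client, adviser and date, and applies the retention and secure-deletion lifecycle described above (media purged once the retention period has elapsed, while metadata and a logged deletion event are kept as proof of handling). The webhook payload field names, the HMAC-SHA256 body signature, the sample payload and the media bytes are all constructed assumptions for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

RETENTION_YEARS = 7  # plan for the seven-year extension by default (Article 16(6))


def _add_years(ts, years):
    """Shift a timestamp by whole years, clamping 29 Feb to 28 Feb."""
    try:
        return ts.replace(year=ts.year + years)
    except ValueError:
        return ts.replace(year=ts.year + years, day=28)


def sign_body(secret, body):
    """Assumed webhook signing scheme: hex HMAC-SHA256 over the raw body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


class ComplianceArchive:
    """Firm-controlled archive: hashed media, append-only audit log, retention."""

    def __init__(self, webhook_secret):
        self.secret = webhook_secret
        self.recordings = {}  # recording_id -> metadata (media kept until deletion)
        self.audit_log = []   # append-only; never edited or pruned

    def _log(self, event, now, **fields):
        self.audit_log.append({"event": event, "at": now.isoformat(), **fields})

    def ingest(self, raw_body, signature_hex, media, now):
        """Handle a recording.available webhook (payload field names are assumptions)."""
        if not hmac.compare_digest(sign_body(self.secret, raw_body), signature_hex):
            self._log("webhook.rejected", now, reason="bad signature")
            return None
        payload = json.loads(raw_body)
        if payload.get("event") != "recording.available":
            return None
        rec_id = payload["recording_id"]
        digest = hashlib.sha256(media).hexdigest()
        self.recordings[rec_id] = {
            "session_id": payload["session_id"],
            "client": payload["client"],        # joined from CRM in a real deployment
            "adviser": payload["adviser"],
            "recorded_at": payload["recorded_at"],
            "sha256": digest,
            "retain_until": _add_years(now, RETENTION_YEARS).isoformat(),
            "media": media,
            "deleted_at": None,
        }
        self._log("recording.archived", now, recording_id=rec_id, sha256=digest)
        return rec_id

    def verify_integrity(self, rec_id, now):
        """Tamper check: recompute the hash and compare with the one stored at ingest."""
        rec = self.recordings[rec_id]
        ok = rec["media"] is not None and hashlib.sha256(rec["media"]).hexdigest() == rec["sha256"]
        self._log("recording.verified", now, recording_id=rec_id, ok=ok)
        return ok

    def search(self, client=None, adviser=None, date=None):
        """Accessibility requirement: retrieve by client name, adviser, or date (YYYY-MM-DD)."""
        return [rid for rid, r in self.recordings.items()
                if (client is None or r["client"] == client)
                and (adviser is None or r["adviser"] == adviser)
                and (date is None or r["recorded_at"].startswith(date))]

    def purge_expired(self, now):
        """Delete media past retention; keep metadata and log the destruction."""
        purged = []
        for rid, r in self.recordings.items():
            if r["media"] is None or now < datetime.fromisoformat(r["retain_until"]):
                continue
            r["media"] = None  # production: overwrite or crypto-shred the stored blob
            r["deleted_at"] = now.isoformat()
            self._log("recording.deleted", now, recording_id=rid, destruction_confirmed=True)
            purged.append(rid)
        return purged


def run_demo():
    """Walk one recording through ingest, verification, search and deletion."""
    secret = b"constructed-webhook-secret"
    archive = ComplianceArchive(secret)
    t0 = datetime(2026, 1, 15, 10, 0, tzinfo=timezone.utc)
    # Constructed webhook payload; the field names are assumptions, not the vendor's schema.
    body = json.dumps({"event": "recording.available", "recording_id": "rec-0001",
                       "session_id": "sess-42", "client": "A. Client",
                       "adviser": "B. Adviser", "recorded_at": "2026-01-15T09:30:00Z"}).encode()
    media = b"\x00constructed-media-bytes-standing-in-for-an-mp4"
    rec_id = archive.ingest(body, sign_body(secret, body), media, t0)
    forged = archive.ingest(body, "00" * 32, media, t0)      # wrong signature is rejected
    intact = archive.verify_integrity(rec_id, t0)
    archive.recordings[rec_id]["media"] = media + b"X"       # simulate tampering at rest
    tampered_ok = archive.verify_integrity(rec_id, t0)
    archive.recordings[rec_id]["media"] = media
    found = archive.search(client="A. Client", date="2026-01-15")
    early = archive.purge_expired(_add_years(t0, 5))         # still inside the 7-year window
    late = archive.purge_expired(_add_years(t0, 7))
    return {"rec_id": rec_id, "forged": forged, "intact": intact, "tampered_ok": tampered_ok,
            "found": found, "early": early, "late": late,
            "metadata_kept": archive.recordings[rec_id],
            "events": [e["event"] for e in archive.audit_log]}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The design choice worth noting is that the audit log and the metadata outlive the media: after `purge_expired` runs, the record still answers "what was recorded, when, with whom, and when was it destroyed", which is the evidence a supervisor asks for, while the content itself is gone.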
Standard enterprise platforms share common limitations that matter for MiFID II compliance. The table below maps each platform against the requirements that matter most for financial services recording obligations.
| Requirement | Zoom | Microsoft Teams | Cisco Webex | Digital Samba |
|---|---|---|---|---|
| Server-side automatic recording | Partial: admin-enforceable via group policy; bypass via local recording possible | Partial: admin-enforceable via meeting policy; gaps for some session types | Partial: requires admin configuration | Yes: native, server-side, policy-enforced per room (no host action required) |
| Covers peer-to-peer and unscheduled calls | Partial: scheduled sessions only by default | No: P2P calls and private chats not captured | Partial | Yes: all room types configurable |
| EU-only data residency (native) | Partial: US-based by default; EU storage via region settings on paid plans | No: requires specific EU tenant setup | Yes: full EU data residency (Frankfurt/Amsterdam); EDPS approval July 2023 | Yes: Netherlands (production), Germany (backup); no data outside EU |
| US CLOUD Act exposure | Yes: US-incorporated | Yes: US-incorporated | Partial: EU hosting reduces exposure; sovereign-controls product with EU-based key management (Eviden, Deutsche Telekom) | None: EU-headquartered (Spain); no US entity processes recording or session data |
| AES-256 encryption at rest | Yes | Yes | Yes | Yes |
| End-to-end encryption (E2EE) | Optional: disables cloud recording | Limited: constrains compliance recording | Optional: disables server-side recording | Yes: configurable per room (E2EE on for internal, off for recorded client sessions) |
| Tamper-evident storage / integrity verification | Yes, but third-party tooling required | Yes, but third-party tooling required | Yes, but third-party tooling required | Yes, but third-party tooling required |
| Immutable audit log for recording access | Yes, but third-party tooling required | Yes, but third-party tooling required | Yes, but third-party tooling required | Yes, but third-party tooling required |
| Configurable retention up to 7 years | Yes: admin-configurable retention policies | Yes: configurable via Microsoft Purview | Yes: configurable via Control Hub | Yes: customer-controlled deletion via dashboard or API |
| REST API / webhook for archival export | Yes | Yes | Yes | Yes: recording.available webhook event for direct export |
| On-premises deployment option | No | No | Partial: on-premises gateway in specific configurations | Yes: full on-premises deployment with customer-controlled encryption keys |
| GDPR Article 28 DPA available | Yes | Yes | Yes | Yes |
Certified compliance recorders such as ASC Technologies, Theta Lake, NICE, Verint, and Global Relay are the established industry approach for extending any video conferencing platform to meet full MiFID II tamper-evidence and audit-grade retention requirements. They are used by many of the largest regulated firms in Europe and recognised by ESMA. The relevant questions for any procurement decision are all-in cost, integration effort, and how cleanly the platform's native capabilities (residency, recording control, API access) integrate with the chosen archive. Evaluate all platforms against your regulatory requirements and with the guidance of qualified legal counsel.
MiFID II's recording obligations have always extended to video calls. What has changed is the volume of video-based advisory activity now falling within scope, and the intensity of regulatory enforcement being applied to firms that fail to treat video as the regulated communication channel it is.
A consumer-grade video platform with optional recording isn't compliant infrastructure. What MiFID II compliance actually requires in 2026 is server-side automatic recording, encryption with integrity verification, EU data residency, role-based access control, complete audit logging, and API-driven archival integration into your existing compliance stack. That's what we built Digital Samba to provide.