FCA Call Recording Requirements Explained for Financial Services Teams
What the FCA requires for call recording, who must comply, retention periods, MiFID II overlap, and how AI tools help financial services teams stay compliant.
Coldread Team
Financial services firms that fail to record calls properly face fines, enforcement action, and reputational damage. The FCA has made this clear repeatedly -- firms that cannot produce recordings when asked, or that leave gaps in their recording coverage, are treated as firms that have something to hide. The regulatory expectation is straightforward: if a conversation could relate to a transaction or client outcome, it should be recorded, stored securely, and retrievable on demand.
Yet the rules themselves are not always straightforward. FCA requirements overlap with retained MiFID II obligations, intersect with GDPR data retention principles, and vary depending on the type of firm and the nature of the communication. This guide breaks down exactly what is required, who must comply, how long recordings must be kept, and how modern tools can reduce the call recording compliance burden.
What the FCA Requires for Call Recording
The FCA's call recording requirements are not optional guidance. They are binding rules with enforcement consequences.
The Regulatory Framework
The primary source is SYSC 10A of the FCA Handbook -- "Recording of telephone conversations and electronic communications." This section requires applicable firms to record telephone conversations and electronic communications relating to activities carried out when dealing with clients.
Supporting requirements come from the Conduct of Business Sourcebook (COBS), which governs how firms interact with clients, and from the Senior Management Arrangements, Systems and Controls (SYSC) sourcebook more broadly, which requires firms to maintain adequate records of their business activities.
The rules apply to communications made on any device -- landlines, mobile phones, VoIP systems, and softphones. The FCA does not distinguish between channels. If the conversation relates to regulated activity, it must be recorded regardless of how it takes place.
Who Must Record
The recording obligation applies to a broad range of FCA-regulated firms:
- Banks and building societies -- all client-facing communications relating to financial products
- Investment firms -- any conversation relating to transactions, order handling, or investment advice
- Insurance companies and intermediaries -- calls where policies are discussed, sold, or amended (see our insurance call recording compliance guide for sector-specific detail)
- Independent financial advisors (IFAs) -- client consultations, recommendations, and suitability discussions
- Wealth managers -- portfolio discussions, investment decisions, and client instructions
- Brokers -- order reception, execution instructions, and deal confirmations
- Debt management firms -- calls relating to debt collection compliance and arrangements
The obligation extends beyond front-office staff. Compliance officers, operations teams, and anyone who communicates with clients or counterparties about regulated activities may fall within scope. For a detailed look at how these rules apply to advisory firms specifically, see our financial advisor call compliance guide.
MiFID II and FCA: How the Rules Overlap
Understanding the relationship between FCA rules and MiFID II is essential for firms that deal in investment products. The two frameworks are closely aligned but not identical.
What MiFID II Adds
MiFID II introduced specific recording requirements for investment firms across the EU. These rules focus on communications that relate to -- or are intended to relate to -- transactions:
- Conversations relating to the reception and transmission of orders
- Conversations relating to the execution of orders on behalf of clients
- Communications relating to dealing on own account
- Conversations that are intended to result in transactions, even if no transaction ultimately occurs
The critical distinction is that MiFID II captures intent. A call where a client discusses a potential trade that never happens still falls within scope. Firms cannot apply recording selectively based on whether a transaction was actually completed.
Post-Brexit: UK Retained Law vs EU Requirements
When the UK left the EU, MiFID II recording requirements were retained in UK domestic law through the European Union (Withdrawal) Act 2018. The FCA incorporated these requirements into its own rulebook, meaning UK firms must continue to comply with substantially the same obligations.
However, the two frameworks have begun to diverge. The EU has continued to update MiFID II, while the UK has pursued its own regulatory path. Firms operating across both jurisdictions need to track both sets of requirements. For firms with EU-based clients or operations, our EU compliance guide for financial advisors covers the cross-border considerations in detail.
Which Framework Takes Priority
For UK-authorized firms, the FCA's rules take priority. Where FCA requirements and retained MiFID II provisions overlap, the FCA's interpretation governs. In practice, the FCA has generally maintained or strengthened MiFID II-era recording requirements rather than relaxing them. Firms should treat FCA rules as the floor, not the ceiling.
Recording Retention and Storage Requirements
Recording calls is only the first step. The FCA is equally concerned with how recordings are stored, for how long, and whether they can be retrieved when needed.
Retention Periods
Retention requirements vary depending on the regulatory framework and jurisdiction. The following table summarizes the key obligations:
| Regulatory Framework | Minimum Retention Period | Accessibility Requirement |
|---|---|---|
| FCA (SYSC 10A) | 5 years | First 6 months readily accessible |
| ESMA / EU MiFID II | 5 years | Readily accessible throughout |
| Some national regulators | Up to 7 years | Varies by jurisdiction |
| FCA general record-keeping (SYSC 9) | 5 years (3 years for non-MiFID business) | Prompt retrieval on request |
The "readily accessible" requirement for the first six months means recordings must be retrievable quickly -- typically within hours, not days. After six months, recordings can be moved to longer-term storage, but they must still be producible within a reasonable timeframe if the FCA requests them.
Storage Quality and Accessibility
The FCA requires that recordings are stored on a durable medium -- meaning the stored recording cannot be altered after the fact. Key storage requirements include:
- Recordings must be of sufficient quality to be clearly audible and understood
- Storage must prevent tampering or modification -- recordings cannot be edited, spliced, or selectively deleted
- Firms must maintain systems that allow prompt retrieval of specific recordings by date, participant, or subject matter
- Backup and disaster recovery procedures must ensure recordings are not lost due to technical failures
Firms that rely on basic voicemail or consumer-grade recording tools often fall short of these requirements. The FCA expects enterprise-grade storage with audit trails showing who accessed recordings and when.
GDPR Overlap on Data Retention
A tension exists between FCA retention requirements and GDPR data minimisation principles. GDPR requires that personal data should not be kept longer than necessary for its purpose. FCA rules require recordings to be kept for a minimum of five years.
For FCA-regulated firms, the resolution is relatively clear: the regulatory obligation provides a lawful basis for retaining recordings for the required period. However, firms should:
- Not retain recordings beyond the required period without a separate justification
- Implement automated deletion policies that remove recordings once the retention period expires
- Ensure GDPR call recording policies are documented and communicated to data subjects
- Consider data subject access requests -- individuals have the right to request copies of their recorded conversations
The interplay between regulatory retention and data protection is one of the more complex areas of GDPR recording compliance. Firms should document their retention rationale and review it periodically.
Consent Requirements for Call Recording in the UK
Call recording consent is one of the most frequently misunderstood areas of UK compliance. The legal position is more permissive than many firms assume, but best practice still favours transparency.
One-Party Consent vs All-Party
The UK operates under a one-party consent framework for call recording, established by the Regulation of Investigatory Powers Act 2000 (RIPA). This means that as long as one party to the call -- typically the firm -- consents to and is aware of the recording, the recording is lawful. The other party does not need to give explicit consent for the recording to take place.
This is a significant difference from jurisdictions such as parts of the United States, where all-party consent is required. UK firms have a clear legal basis for recording without obtaining explicit agreement from the other party.
When Consent Is Not Required
For FCA-regulated firms, the strongest lawful basis for recording under GDPR is Article 6(1)(c) -- compliance with a legal obligation. Since the FCA requires firms to record calls relating to regulated activities, the recording is not a choice -- it is a legal requirement. This means:
- Firms do not need to obtain consent under GDPR Article 6(1)(a) as a prerequisite for recording
- The legal obligation basis stands independently -- a caller cannot "opt out" of being recorded if the recording is required by regulation
- Firms should document this lawful basis in their data protection records
Best Practice: Notification Even When Not Legally Required
While consent is not strictly necessary, the FCA and the Information Commissioner's Office (ICO) both recommend that firms notify callers that recording is taking place. This is a transparency measure, not a consent mechanism. Standard practice includes:
- A recorded message at the start of calls stating that the conversation will be recorded
- Clear language explaining the purpose -- regulatory compliance, training, or quality assurance
- Informing callers where they can find the firm's privacy notice for more detail
Notification builds trust and reduces the risk of complaints. It also supports the firm's position if a recording is later challenged. For teams looking to improve how they handle recorded calls, our sales call recording guide covers practical implementation steps.
Common Compliance Failures and FCA Enforcement
The FCA publishes enforcement notices that reveal the most common ways firms fail to meet recording obligations. These patterns repeat across firms of all sizes.
Gaps in Recording Coverage
The most frequent failure is selective recording -- capturing calls on office landlines while missing mobile phones, personal devices, and remote worker communications. Since the shift to hybrid working, this problem has intensified. The FCA expects firms to record all in-scope communications regardless of where the employee is located or what device they use.
Common gaps include:
- Mobile phone calls made outside the office
- Calls made through personal devices (bring your own device policies)
- Communications through messaging platforms not integrated with recording systems
- Calls transferred between departments where recording drops
Inadequate Retrieval Systems
Recording calls is meaningless if the firm cannot find and produce specific recordings when the FCA asks. Enforcement actions have targeted firms that:
- Store recordings in formats that degrade over time
- Lack indexing or search capabilities to locate specific conversations
- Cannot match recordings to specific clients, dates, or transactions
- Take weeks to respond to regulatory data requests that should take hours
Maintaining searchable, well-indexed archives is not optional. The FCA treats slow or incomplete retrieval as a systemic failure, not a minor inconvenience.
Failure to Monitor Recorded Calls
Recording without reviewing is a compliance failure in its own right. The FCA and the Consumer Duty both expect firms to use their recordings proactively -- not just store them as insurance. This means:
- Regular sampling and review of recorded calls for call quality and conduct issues — or better yet, using call QA software to automate coverage
- Monitoring for signs of customer vulnerability, as required under the Consumer Duty
- Reviewing calls where complaints have been raised
- Using call data to identify training needs and process improvements
A firm that records 100% of calls but reviews 0% has not met its obligations. The FCA expects active supervision, not passive archiving. Our compliance monitoring guide covers how to build an effective review programme. For a structured approach to call reviews, see our quality assurance checklist.
Penalties and Enforcement Actions
FCA penalties for recording failures vary based on severity, but they are consistently significant:
- Fines ranging from tens of thousands to millions of pounds
- Requirements to implement costly remediation programmes
- Public censure that damages client confidence and business development
- In severe cases, restrictions on the firm's permissions or individual prohibitions
The FCA treats recording failures seriously because recordings are often the only objective evidence of what was said during a client interaction. Without them, the regulator cannot fulfil its supervisory role, and firms cannot defend themselves against complaints.
How AI Tools Help with FCA Call Recording Compliance
Meeting FCA recording requirements with manual processes is possible for very small firms, but it does not scale. As call volumes grow, the gap between what firms record and what they actually review widens. AI-powered tools close that gap.
Automated Compliance Monitoring at Scale
Traditional compliance monitoring involves sampling a small percentage of calls -- typically 2-5% -- and manually reviewing them for issues. This means 95-98% of calls go unreviewed, and compliance issues in those calls go undetected until a client complains or the FCA investigates.
AI-powered call scoring and sentiment analysis can assess every call automatically, flagging conversations that contain compliance risk indicators: missing disclosures, signs of customer confusion, or language suggesting pressure tactics. This shifts compliance monitoring from reactive sampling to proactive, comprehensive coverage. Learn more about effective approaches in our guide on how to monitor sales calls.
Audit Trail and Retrieval
One of the most practical benefits of AI-powered call intelligence is searchability. AI transcription converts every recording into a searchable text transcript, making it possible to:
- Find specific conversations by keyword, client name, or topic in seconds
- Produce complete audit trails showing every interaction with a given client
- Respond to FCA data requests within hours rather than weeks
- Cross-reference call content with transaction records for compliance reviews
This directly addresses one of the FCA's most common enforcement triggers -- the inability to retrieve recordings promptly. When every call is transcribed and indexed, retrieval becomes a search query, not an archaeological dig.
Reducing Manual QA Burden
The shift from sampling 2-5% of calls to reviewing 100% is only possible with automation. AI tools can score calls against customizable compliance criteria, identify patterns across hundreds of conversations, and surface the calls that genuinely need human attention.
For financial services teams specifically, this means:
- Suitability discussions are automatically checked for completeness
- Disclosure requirements are tracked across every call
- Vulnerability indicators are flagged in real time
- Compliance teams focus their limited time on genuine issues rather than random sampling
Coldread provides this capability for phone-first teams, with AI transcription, automated call scoring, and searchable call archives designed for compliance-heavy industries. Plans start at $29/mo -- see pricing for details. Teams in financial advisory and insurance can configure compliance-specific scoring criteria without writing code. For advisory firms, our call intelligence for financial advisors page covers industry-specific features.
FCA call recording requirements are not going to become simpler. The Consumer Duty has added new expectations around vulnerability detection and outcome monitoring. Hybrid working has multiplied the number of devices and channels that need recording coverage. And the FCA continues to invest in its supervisory technology, making it easier to request and analyse large volumes of call data.
Firms that treat recording as a checkbox exercise -- record the calls, store them somewhere, hope nobody asks -- are exposed. The firms that are well-positioned are those that record comprehensively, store securely, retrieve instantly, and review continuously. The technology to do this at scale exists today. The question is whether firms will adopt it before the FCA comes asking, or after.