Financial Advisor Call Recording: MiFID II & GDPR
How EU financial advisors meet MiFID II call recording requirements alongside GDPR -- mandatory recording rules, cross-border obligations, and compliance steps.
Coldread Team
Financial advisors in the EU operate under some of the strictest call recording requirements of any industry. MiFID II mandates recording of calls related to investment services. GDPR governs how those recordings are stored, accessed, and shared. And if you advise clients across borders, additional layers of national regulation apply.
The result is a compliance landscape where getting it right protects your firm and your clients, but getting it wrong exposes you to regulatory fines, client complaints, and potential loss of your authorisation.
This guide covers the practical requirements EU financial advisors face when recording client calls, how MiFID II and GDPR interact, and how to build a compliant call recording operation.
MiFID II Call Recording Requirements
The Markets in Financial Instruments Directive II (MiFID II), which took effect in January 2018, introduced mandatory call recording for investment firms across the EU. The requirements are detailed in Article 16(7) of the directive and further specified in the delegated regulation.
What Must Be Recorded
MiFID II requires firms to record telephone conversations and electronic communications that relate to, or are intended to result in, transactions. This includes:
- Client orders placed or received by phone
- Investment advice given during a call
- Calls that are intended to result in transactions -- even if no transaction ultimately occurs
- Internal calls between traders, advisors, and dealing desks where investment decisions are discussed
The scope is broad. A call where a client asks about a particular investment product and receives advice, even if they decide not to proceed, falls within the recording requirement.
Calls You Do Not Need to Record
MiFID II does not require recording of purely administrative calls -- appointment scheduling, address changes, or general account enquiries where no investment-related discussion takes place. However, the boundary is often unclear in practice. A client calling to check their portfolio balance might segue into asking about rebalancing, which constitutes investment advice.
Most firms find it simpler and safer to record all calls with clients rather than trying to distinguish administrative calls from investment-related ones in real time.
Recording Quality and Completeness
Recordings must be of sufficient call quality to be clearly understood and must capture the complete conversation. A recording that cuts off mid-call, has poor audio quality, or fails to capture one party clearly does not meet the requirement.
The recording must also be stored in a format that is durable, accessible, and tamper-proof. You must be able to retrieve any recording quickly and demonstrate that it has not been altered since capture.
Retention Requirements Under MiFID II
MiFID II mandates a minimum retention period of five years for call recordings. National regulators can extend this to seven years, and several have done so.
| Jurisdiction | Retention Period |
|---|---|
| EU default (MiFID II) | 5 years minimum |
| Germany (BaFin) | 5 years |
| France (AMF) | 5 years |
| Netherlands (AFM) | 5 years |
| UK (FCA, post-Brexit) | 5 years (up to 7 on request) |
| Spain (CNMV) | 5 years |
The five-year period runs from the date of the recording, not the date of any resulting transaction. This is an important distinction -- a call that does not result in a transaction still needs to be retained for five years.
Practical Retention Management
Five years of call recordings represents a significant volume of data. Plan for this from the outset:
Storage capacity. Calculate based on your call volume. A typical financial advisory call lasts 15-30 minutes. At standard compression, budget approximately 1 MB per minute. A firm making 50 calls per day will accumulate roughly 15-25 GB per month.
Automated lifecycle management. Tag recordings with their creation date and set automated deletion at the five-year mark (or seven years if your regulator requires it). Manual deletion tracking across five years of recordings is not feasible.
Backup and redundancy. Recordings that are lost or corrupted before their retention period expires represent a compliance failure. Maintain backups in a geographically separate location.
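An added example, not from the original article or any vendor's product: a hash-chained manifest that lets you show a recording is unaltered since capture and computes each deletion date from the recording date, as described above. The function names and manifest fields are assumptions. The chain only detects changes, so the latest entry hash must also be kept somewhere the storage administrators cannot rewrite.

```python
import hashlib
import json
from datetime import date

GENESIS = "0" * 64  # prev_hash of the first manifest entry

def _entry_hash(entry):
    # Hash every field except the entry's own hash, in canonical key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def retention_end(captured, years=5):
    # Runs from the recording date; 29 Feb maps to 1 Mar, never a day early.
    try:
        return captured.replace(year=captured.year + years)
    except ValueError:
        return date(captured.year + years, 3, 1)

def append_recording(manifest, rec_id, audio, captured, years=5):
    entry = {"rec_id": rec_id, "captured": captured.isoformat(),
             "audio_sha256": hashlib.sha256(audio).hexdigest(),
             "delete_after": retention_end(captured, years).isoformat(),
             "prev_hash": manifest[-1]["entry_hash"] if manifest else GENESIS}
    entry["entry_hash"] = _entry_hash(entry)
    manifest.append(entry)
    return entry

def verify(manifest, audio_store, today):
    """Return (rec_id, problem) pairs: broken chain, altered or missing audio."""
    problems, prev = [], GENESIS
    for e in manifest:
        if e["prev_hash"] != prev or e["entry_hash"] != _entry_hash(e):
            problems.append((e["rec_id"], "manifest entry altered"))
        audio = audio_store.get(e["rec_id"])
        if audio is None:
            if today < date.fromisoformat(e["delete_after"]):
                problems.append((e["rec_id"], "missing before retention end"))
        elif hashlib.sha256(audio).hexdigest() != e["audio_sha256"]:
            problems.append((e["rec_id"], "audio altered since capture"))
        prev = e["entry_hash"]
    return problems

def due_for_deletion(manifest, today):
    return [e["rec_id"] for e in manifest
            if date.fromisoformat(e["delete_after"]) <= today]

if __name__ == "__main__":  # constructed sample data, not real recordings
    m, store = [], {"r1": b"constructed audio bytes"}
    append_recording(m, "r1", store["r1"], date(2024, 2, 29))
    print(m[0]["delete_after"], verify(m, store, date(2025, 1, 1)))
```

Pass `years=7` where a regulator has requested the longer period.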
Where MiFID II and GDPR Intersect
MiFID II tells you that you must record calls. GDPR tells you how to handle the personal data within those recordings. The two frameworks overlap, and understanding where they align and conflict is essential.
Lawful Basis for Recording
Under GDPR, you need a lawful basis to process personal data. For MiFID II-mandated recordings, the strongest basis is legal obligation (Article 6(1)(c)) -- you are required by law to record these calls.
This is more robust than consent because:
- Consent can be withdrawn, but you cannot stop recording calls that MiFID II requires you to record
- Consent must be freely given, but clients have no genuine choice about whether regulated calls are recorded
- Legal obligation does not require a balancing test, unlike legitimate interests
You should still inform clients that calls are being recorded and why, but this is a transparency obligation, not a consent requirement.
The Right to Erasure Conflict
GDPR gives individuals the right to request deletion of their personal data (Article 17). MiFID II requires you to retain recordings for five years. These obligations directly conflict.
The resolution is in GDPR Article 17(3)(b), which provides an exemption from the right to erasure when processing is necessary for compliance with a legal obligation. You can and should retain MiFID II-mandated recordings for the full retention period, even if a client requests deletion.
However, you must:
- Inform the client that their request cannot be fulfilled due to a legal retention obligation
- Specify the legal basis (MiFID II, Article 16(7))
- Confirm when the recording will be deleted (at the end of the retention period)
- Delete the recording promptly once the retention period expires
Data Minimisation
GDPR requires that you do not process more personal data than necessary. For call recordings, this means:
- Record only calls that fall within MiFID II scope (or record all calls but apply MiFID II retention only to in-scope calls)
- Limit access to recordings to those with a legitimate business need
- Do not use recordings for purposes beyond those disclosed to clients (e.g., do not use regulatory recordings for marketing analysis without a separate lawful basis)
Cross-Border Considerations
Financial advisors who serve clients across EU member states face additional complexity.
National Variations
While MiFID II is an EU-wide directive, implementation varies by member state. Key differences include:
Extended retention periods. Some regulators can request retention beyond the default five years. If you operate across borders, apply the longest applicable retention period to simplify compliance.
Language requirements. Some jurisdictions require that recording announcements and privacy notices be provided in the local language. If you serve French and German clients from a single office, your compliance materials need to work in both languages.
National supervisory authority. Different data protection authorities may have different interpretations of GDPR requirements. Your lead supervisory authority is determined by where your main establishment is located, but you may need to engage with authorities in other member states.
Passporting and Third-Country Firms
If you passport your services across the EU under MiFID II, your recording obligations follow your authorisation. Post-Brexit, UK firms serving EU clients need to consider both FCA requirements and the MiFID II requirements of the EU jurisdictions where they operate.
Third-country firms providing services into the EU must comply with MiFID II recording requirements for those services, regardless of the regulatory regime in their home jurisdiction.
Building a Compliant Call Recording Stack
For financial advisory firms, compliance is not a feature to evaluate after selecting your tools. It is the primary selection criterion.
Technical Requirements
Your call recording system must support:
- Automatic recording of all client-facing lines with no manual intervention required
- Tamper-proof storage -- recordings must be immutable once captured
- Minimum five-year retention with automated lifecycle management
- Rapid retrieval -- regulators may request specific recordings and expect timely delivery
- Encryption at rest and in transit
- Access controls with comprehensive audit logging
- Quality monitoring to detect recording failures or degradation
Compliance Documentation
Maintain the following documentation:
- Recording policy detailing what is recorded, why, how long recordings are kept, and who has access
- Data protection impact assessment (DPIA) covering call recording as a processing activity
- Privacy notices that inform clients about recording, its legal basis, retention periods, and their rights
- Data processing agreements (DPAs) with every processor that handles call data
- Record of processing activities that includes call recording
- Client communication templates for responding to data access and deletion requests
Staff Training
Every advisor and support staff member who handles client calls should understand:
- Why calls are recorded and the legal basis
- How to deliver the recording announcement
- What to do if a client objects to recording
- How to handle data access and deletion requests
- The consequences of non-compliance for the firm and for them personally
Document training delivery and maintain records. Regulators expect evidence that staff are trained, not just that a training programme exists.
Using Call Intelligence for Compliance Monitoring
Call intelligence platforms add a layer of automated monitoring that manual processes cannot match.
Suitability Verification
AI analysis, including sentiment analysis, can review every advisory call to verify that the advice given aligns with the client's stated risk profile, investment objectives, and financial situation. This catches suitability issues before they become complaints or regulatory findings.
Disclosure Monitoring
Automated checks can verify that required disclosures were made during each call -- risk warnings, fee disclosures, conflict of interest statements. Rather than sampling a small percentage of calls, every call is reviewed.
Trend Analysis
Patterns that are invisible in individual call reviews become clear with aggregate analysis. An advisor whose suitability scores are declining over time, a product that consistently generates unclear disclosure conversations, or a particular client segment that receives less thorough advice -- these patterns inform targeted training and process improvements.
Coldread provides automated call analysis that supports these compliance monitoring use cases. Every call is transcribed, analysed, and scored, giving compliance teams visibility across all client interactions without the manual burden of listening to recordings. For firms using Aircall or Ringover, Coldread integrates directly with your existing phone system.
Common Compliance Failures
Recording Gaps
Calls made from mobile phones, personal devices, or unmonitored lines are a frequent source of compliance gaps. MiFID II requires that all in-scope calls are recorded, regardless of the device used. Implement policies that restrict client communications to monitored channels.
Inadequate Retrieval
Storing recordings is not enough. You must be able to retrieve specific recordings quickly when requested by regulators or in response to client complaints. If your retrieval process involves searching through unindexed audio files, you have a practical compliance problem even if you technically have the recordings.
Missing DPAs
Financial firms often have DPAs with their primary technology vendors but miss processors further down the chain -- the cloud provider hosting the recording storage, the AI service transcribing calls, or the backup provider. Map your entire data processing chain and ensure DPAs cover every link.
Treating GDPR and MiFID II Separately
Firms that manage MiFID II compliance through their compliance team and GDPR through their data protection officer, with no coordination between the two, end up with inconsistent policies and gaps. These frameworks interact constantly in the context of call recording and should be managed together.
Getting Started
If you are reviewing your firm's call recording compliance:
- Audit your recording coverage -- are all in-scope calls being captured on all channels?
- Verify retention -- are recordings kept for the required period and deleted when it expires?
- Check your GDPR documentation -- DPIA, privacy notices, DPAs, processing records
- Review your retrieval process -- can you find a specific recording within a reasonable timeframe?
- Assess monitoring -- what percentage of calls are reviewed for suitability and disclosure compliance?
For a broader look at GDPR requirements for call recording, see our GDPR compliance implementation guide and GDPR call recording overview.