In this article
In 2020, the Autorité des marchés financiers (AMF) published the results of a series of short-format supervisory inspections (“SPOT”)1 dedicated to a topic that sits at the core of market integrity and investor protection: the recording and retention of telephone conversations and electronic communications. These obligations stem directly from MiFID II Article 16(7) and Delegated Regulation (EU) 2017/565, both of which require investment firms to capture and store communications linked to orders, transactions, and related decision-making activities.
Between November 2019 and February 2020, the AMF inspected five investment service providers (ISPs) to assess how these rules functioned in practice. Although the institutions generally had the required recording systems in place, the AMF identified persistent weaknesses in governance, procedural consistency, monitoring, and incident management—areas that determine whether a firm can truly demonstrate compliance rather than merely operate recording tools.
Legal Framework Behind the Obligations
The AMF’s findings must be understood within the broader European and French regulatory framework governing the recording and retention of telephone conversations and electronic communications.
At the European level, MiFID II Article 16(7)2 requires investment firms to record all telephone conversations and electronic communications that relate to activities involving financial instruments, whether or not they ultimately lead to a transaction. These recordings must be stored in a durable medium, preserved for at least five years, and remain easily accessible to both the firm and the competent authority.
This obligation is further elaborated in Commission Delegated Regulation (EU) 2017/5653, which provides the operational detail behind MiFID II.
Article 76 sets out the requirements for establishing a recording policy, identifying communications to be captured, maintaining a record of individuals and devices that fall within scope, and ensuring ongoing monitoring of the recording system. Article 72 specifies how these records must be retained, emphasizing their completeness, unalterability, and retrievability. The Delegated Regulation therefore defines not only what must be recorded, but how firms must organize, oversee, and evidence their compliance.
At the national level, these European rules are complemented by the AMF General Regulation4, which contains additional provisions on recording and record keeping. In particular, Articles 312-395, 312-406, and 312-417 reinforce the MiFID II framework by specifying how recordings must be captured, how access to recordings must be controlled and documented, and how long recordings must be retained. These articles underline the need for clear procedures, consistent oversight, and documented internal controls, ensuring that firms can demonstrate the reliability of their recording systems in practice.
Taken together, these European and French provisions form a comprehensive regulatory architecture that requires firms not only to deploy functioning recording tools, but also to implement robust governance, auditable processes, and effective, ongoing monitoring. The AMF’s SPOT inspections therefore assess much more than technical capability—they evaluate whether firms have built the organizational structures necessary to comply with the letter and spirit of MiFID II’s record-keeping obligations.
Scope of Recording: Governance Failures Undermine Technical Compliance
The AMF’s first major finding concerns the definition and management of the scope of individuals whose communications must be recorded. According to MiFID II, this scope must include any person involved in activities that may result in a transaction, which means firms must maintain accurate and up-to-date lists of recorded employees and devices.
However, the AMF found that scope management was often inconsistent. Several institutions relied on ambiguous job titles, such as “assistant” or “specialist,” to determine whether an employee should be recorded. In some cases, the lists were incomplete, outdated, or even non-existent.
One ISP had no formal list at all, representing a direct violation of Delegated Regulation 2017/565, Article 76(4), which explicitly requires firms to keep records of the devices and individuals whose communications are captured.
These shortcomings highlight a crucial insight: technical systems alone cannot ensure compliance if firms do not maintain strong governance structures around those systems.
The AMF did observe examples of good practice. One institution created a dedicated governance committee responsible for reviewing who must be recorded and ensuring regular updates. Another adopted a more conservative and risk-averse approach by recording all emails for staff in market-related functions, thereby eliminating ambiguity entirely.
Telephony & Messaging: Capable Systems but Fragmented Practices
Turning to the technical environment, the AMF evaluated fixed telephony, mobile devices, and the major electronic messaging tools used by market participants—including Outlook, Symphony, Bloomberg, Reuters/Refinitiv, ICE Chat, and Skype for Business.
Fixed telephony systems, especially those used on trading floors, were generally well-implemented, with many firms deploying dual recording mechanisms, such as per-call capture combined with continuous 30-minute loops. The AMF highlighted this as an example of operational robustness.
Mobile devices were more problematic. Although most institutions prohibited mobile use for market activities due to the inability to guarantee compliant recording, the COVID-19 pandemic forced several firms to temporarily relax this rule. In one case, the AMF discovered that a market-facing employee had engaged in unrecorded mobile conversations, a clear breach of MiFID II obligations and the firm’s own procedures.
Messaging systems varied in maturity and adoption. While recording mechanisms existed, some tools—particularly Symphony—were not used consistently across client interactions, reducing their effectiveness. In a few institutions, however, electronic communications were stored for longer than the required five years, with retention periods extended to seven years, a practice the AMF viewed favorably.
Procedures: Adequate in Principle but Fragmented in Organisation
The AMF found that most firms had documented procedures that referenced the correct legal sources. Yet even when the content was accurate, the structure and organisation of procedures often created compliance risks. Recording requirements were sometimes spread across multiple unrelated documents, making it difficult for employees to apply them consistently.
In certain institutions, procedures did not explicitly mention the legally mandated retention period, despite the clear obligation under MiFID II to store communications for five years.
There were also cases where procedures did not formally document the requirement to inform employees and clients about recording. Although firms generally notified employees in practice, the absence of formal procedure weakened internal coherence and created potential vulnerabilities during audits.
Control Systems: Insufficient Monitoring Across All Institutions
MiFID II requires firms to implement effective internal control systems ensuring that recording mechanisms operate reliably and that all required communications are captured. Despite this, the AMF concluded that monitoring was one of the weakest areas across the inspected institutions.
Controls were often incomplete, performed too infrequently, or poorly documented. Some firms did not describe the methodology, scope, or results of their checks, leaving significant uncertainty as to whether recording systems had functioned continuously throughout the period.
Only one institution had implemented a comprehensive 24/7 automated monitoring and alerting system, which immediately flagged recording failures. The AMF viewed this system as an example of good practice consistent with the regulatory expectation of ongoing operational oversight.
Incident Management: A Structural Weakness with Serious Consequences
Perhaps the most notable deficiencies related to incident detection, documentation, and remediation. MiFID II obliges firms to detect failures in the recording system promptly, log them completely, and take measures to correct and prevent recurrence. Yet several institutions lacked a dedicated incident-management system capable of meeting these expectations.
The AMF found logs that were incomplete, missing key information such as incident start and end dates, the nature of remedial measures, or the timeline of resolution. In some cases, failures in messaging-system recording went undetected for extended periods, indicating that monitoring processes were insufficient.
Institutions that outsourced parts of their monitoring sometimes faced reduced internal visibility, which further weakened their ability to respond to incidents adequately. By contrast, one firm maintained both real-time reporting and monthly summary reports to management, a practice the AMF highlighted as particularly strong.
Final Perspective: Compliance Requires More Than Technology
The AMF’s SPOT inspections provide a clear and detailed snapshot of how French investment service providers are implementing MiFID II’s communication-recording obligations. The findings reveal that while technical recording solutions are typically in place, the broader framework of governance, procedural alignment, monitoring, and incident management often lags behind.
MiFID II’s record-keeping requirements are fundamentally about enabling regulators to reconstruct the lifecycle of a transaction, verify whether the firm acted in the client’s best interest, and ensure that internal processes support fair and transparent markets. To meet these objectives, financial institutions must not only install compliant recording technologies but also develop rigorous and consistently applied governance frameworks.
The AMF’s conclusions underscore that effective compliance is holistic, requiring the integration of technology, procedure, oversight, documentation, and continuous improvement. As communication channels continue to expand across mobile, digital, and collaboration platforms, the expectations placed on institutions will only grow.
References
- https://www.amf-france.org/en/news-publications/publications/spot-inspection-campaigns/summary-spot-inspections-recording-telephone-conversations-and-electronic-communications-and ↩︎
- https://www.esma.europa.eu/publications-and-data/interactive-single-rulebook/mifid-ii/article-16-organisational-requirements ↩︎
- https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32014L0065 ↩︎
- https://www.amf-france.org/en/eli/fr/aai/amf/rg/20250331 ↩︎
- https://www.amf-france.org/en/eli/fr/aai/amf/rg/article/312-39/20180103/notes ↩︎
- https://www.amf-france.org/en/eli/fr/aai/amf/rg/article/312-40/20180309/notes ↩︎
- https://www.amf-france.org/en/eli/fr/aai/amf/rg/article/312-41/20180103/notes ↩︎
