At the end of June 2026, regulatory tolerance ends. Recording will no longer be enough, you will have to prove that you have monitored, analyzed and acted.
At the end of June 2026, regulatory tolerance ends. Recording will no longer be enough, you will have to prove that you have monitored, analyzed and acted.
For more than a decade, investment firm compliance has been based on one reflex: register. Telephone communications, electronic exchanges, transactions — everything is captured, stored, archived. Many have made this obligation a regulatory hygiene rite, a box to be checked. MiFID III tells them today that it was insufficient. And she gives them until the end of June 2026 to correct it.
2018: MiFID II lays the foundation. Registration becomes a legal obligation.
Before 2018, recording communications was a good practice. MiFID II made this an enforceable legal obligation. Article 16(7) of Directive 2014/65/EU states: every investment firm must record telephone conversations and electronic communications relating to the receipt, transmission and execution of orders — whether or not they result in a transaction.
Article 76 of Delegated Regulation 2017/565/EU sets out the complete system. It imposes in particular: a written registration policy, adapted to the size and organization of the company [Art. 76(1)] ; effective supervision of this policy by the management body [Art. 76(2)] ; an up-to-date register of people with company devices or approved private devices [Art. 76(4)] ; staff training [Art. 76(5)] ; regular, proportionate and risk-based checks of records [Art. 76(6)] ; and the ability to demonstrate to the relevant authorities all registration policies and procedures upon their request [Art. 76(7)].
Before any service is provided, customers must be informed that their exchanges are recorded and that a copy is available to them on request for five years — seven years if the competent authority requests it. [Art. 76(8)].
At the heart of the system, article 76(10) brings together three fundamental requirements:
Quality — “Companies shall ensure the quality…of recordings of all telephone conversations and electronic communications.”
Accuracy — “…the accuracy…of records of all telephone conversations and electronic communications.”
Completeness — “…and the completeness of records of all telephone conversations and electronic communications.”
Durable medium: “Recordings are stored on a durable medium which allows them to be read or copied and they must be kept in a form which does not allow the original recording to be modified or erased.”
Source: Delegated Regulation (EU) 2017/565, article 76(10) — full text available on EUR-Lex, CELEX:32017R0565.
The same article also requires that recording devices be technologically neutral and re-evaluated regularly, in particular each time a new communication channel is approved. [Art. 76(3)]. The retention period runs from the day the recording was created [Art. 76(11)].
MiFID II already made registration a structured system: written policy, supervision by management, regular checks, staff training, obligations towards clients and authorities. It wasn’t just a box to check. It is this base that MiFID III goes beyond.
From 2018 to 2026, the regulator observed. Records pile up, sanctions fall — but risky behavior continues to escape control. The diagnosis is made: recording is not enough if no one analyzes. MiFID III is the answer.
2026: MiFID III takes the plunge. Monitoring becomes an obligation.
Directive 2024/790/EU does not start from scratch. It is based on the MiFID II base and adds a new requirement: active monitoring of the content of recordings. The management body must approve the monitoring policy, receive the report, and answer for its effectiveness. This is no longer a subject for compliance managers. It is a subject of governance.
An establishment which has recordings but does not put in place a system for active monitoring of their content fails to meet the requirements of Directive 2024/790/EU. Registration alone, no matter how exhaustive, is no longer sufficient.
Clarification: Directive 2024/790/EU covers active monitoring obligations and the responsibility of the management body. Regulation 2024/791/EU revises MiFIR on transparency and reporting. Their national transposition (RTS/ITS) is in progress depending on the Member States — check with your legal advisor.
Who is affected? — and the answer surprises
The scope of application covers all entities which execute orders or provide investment services within the meaning of Annex I of Directive 2014/65/EU — banks, management companies, but also corporates with their own trading desks, industrial entities on commodity markets, certain insurance structures. Actors who have not all structured their compliance around this reality.
The planned sanctions reach up to 10% of global annual turnover or 5 million euros for legal entities [Dir. 2024/790/UE] — amounts that place this subject on the agenda of executive committees, not just compliance managers.
“Recording without monitoring means creating an archive that no one uses. MiFID III requires the content to be used.”
The real challenge: monitoring at real volume scale
Article 76(6) of Delegated Regulation 2017/565/EU already requires regular checks of registrations, “proportionate and risk-based”. MiFID III goes further by imposing active monitoring of content. An average-sized establishment produces several thousand hours of recording each month. Compliance teams can only cover, at best, 1 to 3% of the volume through manual listening. The requirement of completeness imposed by Article 76(10) cannot be achieved by this means alone.
The scalable answer is automated analysis: natural language processing, identification of the counterparty and the asset discussed, detection of risk situations calibrated by business — asset management, intermediation, private banking. These technologies make it possible to analyze 100% of recordings and identify risky signals: price manipulation or abuse of privileged information within the meaning of Regulation (EU) 596/2014 [Art. 12 et 14]obligation to report suspicious transactions [Art. 16(1) MAR]breaches of the duty to advise [Dir. 2014/65/UE Art. 24-25]best-effort execution failures [Art. 27-28].
AI does not replace the judgment of the compliance manager. It provides the analysis surface that no human team can cover alone. The final decision — declare, escalate, close — remains human and documented.
A rarely mentioned, but decisive point: data sovereignty. In the financial sector, entrusting the analysis of your communications to an infrastructure outside France is not a trivial technical choice. This is a governance risk in its own right.
Three questions every leader must ask themselves before the end of June
AUTOCHECKLIST · MiFID III COMPLIANCE
1. Is your recording policy written, approved by your management body and regularly evaluated?
Section 76(1) requires a written policy tailored to the size and organization of the business. Article 76(2) requires effective supervision of the management body. Section 76(3) requires regular reassessment.
2. Can you attest to the quality, accuracy and completeness of all your records?
This triple imperative is required by Article 76(10) of Delegated Regulation 2017/565/EU. The recordings must also be stored on a durable, non-modifiable and non-erasable medium.
3. Do you have an active monitoring system for the content of your recordings, documented and approved by your management body?
This is the central requirement of Directive 2024/790/EU (MiFID III). The absence of such a device constitutes an independent failure, independent of the quality of the recordings themselves.
A paradigm shift, not a technical update
MiFID II created the obligation to register. MiFID III creates an obligation to understand what has been recorded. This shift is fundamental. It transforms a technical constraint into a requirement for active, permanent and documented vigilance.
What we are already observing in the best-prepared establishments: this requirement, when well equipped, ceases to be a constraint and becomes a lever. Automatically reconstruct the exchanges that led to the execution of an order, detect customer dissatisfaction before it becomes a dispute, identify a process deviation in real time — all information that business management demands, independently of any regulatory obligation. Compliance should not be endured. It can become a management tool.
The solutions that will survive this evolution are those that bridge the gap between the conservation imposed by Article 76 of Delegated Regulation 2017/565 and the active monitoring required by Directive 2024/790. Between the archive and the proof.
The end of June 2026 is not a deadline for equipping yourself. This is a deadline to be able to demonstrate. Establishments that approach it without a documented automated monitoring system are not only taking a regulatory risk — they are exposing themselves to an information asymmetry with their regulator that the first control will make visible. Compliance does not protect those who display it. It protects those who can prove it.
Regulatory references:
Directive 2014/65/EU (MiFID II) Art. 16(7) · Delegated Regulation (EU) 2017/565 Art. 76(1) to 76(11) — CELEX:32017R0565 · Directive 2024/790/EU (MiFID III — active surveillance) · Regulation 2024/791/EU (revised MiFIR) · Regulation (EU) 596/2014 (MAR) Art. 12, 14, 16(1) · Directive 2014/65/EU Art. 24-25, 27-28
Antony Derbès is co-founder and CEO of Open Lake Technology, a French publisher of communications recording, compliance and analysis solutions for the regulated financial sector, founded in 2018, SOC 2 Type II certified, 80+ clients in France. This article reflects its analysis of the texts in force and does not constitute legal advice.
