August 29, 2025 by Natasa Djalovic

MiFID II Regulation and Compliance: A Comprehensive Guide

In recent years, European financial markets have faced tighter rules to make trading fairer and safer for investors.

One of the biggest changes came with MiFID II, introduced in 2018. This regulation set new standards for transparency, investor protection, and recordkeeping, affecting banks, brokers, and investment firms across the EU.

It also placed stricter requirements on how companies store and manage financial data, and continues to shape compliance today.

In this blog post, we’ll explore:

  • What is MiFID II
  • Who it applies to
  • What are its benefits
  • How to stay compliant with this regulation

What Is MiFID II?

MiFID II stands for the Markets in Financial Instruments Directive II. It’s a European Union regulation that came into effect in January 2018, building on the original MiFID introduced in 2007.

The directive was designed to make financial markets more transparent, strengthen investor protection, and standardize rules across the EU.

Who does MiFID II apply to?

MiFID II affects a wide range of organizations that provide financial services or deal with financial instruments in the EU, including:

  • Investment firms — brokers, dealers, and asset managers
  • Banks and credit institutions, when they provide investment services
  • Trading venues — stock exchanges, multilateral trading facilities (MTFs), and organized trading facilities (OTFs)
  • Market participants — investment advisors, portfolio managers, and high-frequency traders
  • Third-country firms — non-EU companies providing investment services within the EU

In short, any business involved in trading, advising, or managing investments for clients within the EU must comply with MiFID II’s rules.

What does MiFID II cover?

Some of the main areas include:

  • Investor protection — ensures clients receive clear information and fair treatment
  • Market transparency — requires companies to report transactions in detail
  • Trading practices — regulates how trades are executed and monitored
  • Recordkeeping — obligates companies to keep detailed records of communications and transactions for regulatory compliance

For organizations, this means stricter oversight, more detailed reporting, and big changes in how data and communications are stored and managed.

Essential MiFID II Regulations and Their Benefits

MiFID II introduced changes to how trading and investing are carried out in the EU. The goal was to make financial markets more transparent, fair, and accountable, while giving investors greater protection.

Here’s what these changes mean in practice:

Regulated trading

One of MiFID II’s biggest reforms was to move trading from unregulated environments, like over-the-counter (OTC) deals and dark pools, onto regulated trading platforms. It also created a new venue type called the organized trading facility (OTF) to capture trades that previously happened outside oversight.

To prevent abuse in dark pools (private exchanges where large trades are hidden from the public until later), MiFID II set a strict limit: no more than 8% of a stock’s total trading volume over 12 months can occur in these venues.

Benefit: These rules make trading more open, so smaller investors aren’t hurt by hidden deals. Big investors can still make large trades without shaking the market.

Transparency

MiFID II requires regulated markets and multilateral trading facilities (MTFs) to publish bid and offer prices continuously, giving everyone a clearer view of market activity.

The law also stopped banks and brokers from bundling research costs into trading fees. Instead, research and transactions must be billed separately.

Benefits:

  • Transparency in costs: Investors can see exactly what they are paying for.
  • Better quality of research: When research costs are separated, providers have to prove their value to clients.
  • Fairer competition: Investors are protected from hidden fees and unfair pricing practices.

Investor protection

To reduce conflicts of interest, MiFID II restricts the incentives that investment firms and advisors can receive from third parties. They’re now required to act in the client’s best interest and to be transparent about commissions and fees.

Benefit: Investors are more likely to receive unbiased advice, rather than being steered toward products that pay higher commissions to advisors.

Reporting requirements

MiFID II requires investment firms to report every transaction to regulators by the following day (T+1). This process, known as MiFID transaction reporting, includes details like who carried out the trade, what was traded, and at what price. Firms must also keep detailed records of communications, including emails, chats, and phone calls, related to these trades.

Benefit: Regulators have stronger tools to detect and prevent market abuse, ensuring a more secure trading environment.

Commodity speculation and high-frequency trading (HFT)

MiFID II placed strict rules on algorithmic and high-frequency trading, which had previously been lightly regulated. Companies must thoroughly test their algorithms, keep records of how they work, and comply with rules that prevent them from creating instability or misleading signals.

The regulation also introduced:

  • Market-making obligations requiring continuous liquidity.
  • A standardized tick size regime to level the playing field in pricing. Tick size is the smallest amount by which the price of a stock or other asset can move when it’s traded.
  • Anti-fraud measures banning manipulative practices like “quote stuffing,” i.e., spamming the market with fake orders to trick others and gain an unfair advantage.

Benefit: Markets are more stable and fair, preventing abuse by fast traders while protecting all participants, including smaller firms and individual investors.

Exceptions to MiFID II

Although MiFID II has a broad scope, there are some exceptions. Certain entities and activities are exempt, such as:

  • Central banks and other public institutions managing public debt
  • Employee share schemes that don’t provide services to the public
  • Commodity dealers below specific trading thresholds
  • Intragroup services where investment services are provided within the same corporate group
  • Insurance firms already regulated under other EU frameworks

These exemptions are designed to prevent overlap with existing regulations and to avoid placing unnecessary compliance burdens on activities that pose limited risk to the market.

Key Compliance Requirements Relevant to IT and Compliance Teams

MiFID II sets out strict requirements that directly affect IT departments and compliance teams. These obligations go beyond financial reporting and touch on how data, communications, and transactions are captured, stored, and monitored.

Below are the main areas you need to focus on.

Recordkeeping and communications archiving

Under MiFID II, companies must record all communications that could lead to a transaction.

This doesn’t just mean emails — it also includes voice calls, instant messages, mobile texts, chats, and even video meetings. So, to stay compliant, you need to archive comms on all your channels, including SMS messages, iMessages, Slack, WhatsApp, Zoom, and Teams.

  • Retention period — All records must be kept for at least five years, and in some cases up to seven years if requested by a regulator.
  • Data integrity — Records must be stored in a tamper-proof archive. That means they can’t be altered or deleted. To ensure trust, archives need features like timestamping and audit trails that prove data hasn’t been changed.

This requirement makes communications archiving solutions critical for day-to-day compliance. In many ways, it mirrors ediscovery practices, where organizations must be able to quickly locate, preserve, and produce digital records in response to regulatory or legal requests.

Surveillance and monitoring

Besides collecting records, MiFID II also requires you to actively monitor them. The goal is to detect and prevent potential market abuse, insider trading, or other non-compliant behavior.

  • Firms often use tools like keyword spotting, alerts, and random sampling to review communications.
  • Increasingly, AI and analytics are being used to scan huge volumes of data, spot unusual patterns, and highlight potential risks before they escalate.

For compliance teams, this means ongoing oversight, not just storing data for later review.

Data storage and retrieval

There’s another caveat: having the data isn’t enough. It must also be searchable and easily retrievable. When regulators request information, you’re expected to deliver it quickly and in a usable format.

  • Data must be stored in what MiFID II calls a “durable medium”: a system that preserves the integrity of records over time by keeping them safe, unaltered, and easy to access for years.
  • Information should be exportable on demand, ensuring that regulators or auditors can access what they need without delays.

This requirement makes indexing and robust search capabilities essential in any archiving system.

Reporting obligations

MiFID II also sets strict rules for how trades and transactions are reported.

  • Companies must submit detailed transaction reports to regulators no later than the next working day (T+1).
  • These reports include critical information such as who carried out the trade, what was traded, and at what price.
  • Because deadlines are tight and errors can be costly, most organizations rely on automated reporting systems to reduce manual effort and ensure accuracy.

Challenges Companies Face with MiFID II Compliance

Meeting the regulation’s strict requirements is rarely straightforward, and many investment firms run into the same obstacles:

Managing diverse communication channels

Today’s financial professionals don’t just rely on email or phone calls. They use iMessages, Microsoft Teams, WhatsApp, Bloomberg chat, Slack, and other platforms to communicate with colleagues and clients.

Capturing, storing, and monitoring all of these channels in a compliant way can be extremely complex. Missing just one channel could result in a serious compliance gap.

Breaking down data silos

Many firms struggle with data silos, where information is stored separately across departments or systems.

Compliance teams may not have full visibility into communications handled by IT or trading desks, making it difficult to create a single, reliable source of truth. This fragmentation slows down audits, investigations, and regulatory reporting.

Outdated archiving tools

Some firms still rely on legacy archiving systems that were never designed to handle high volumes of data or modern communication platforms. These outdated tools often lack features like tamper-proof storage, fast search, and AI-driven categorization and classification — all of which are essential for MiFID II compliance.

Rising costs of compliance

Building and maintaining a compliant IT infrastructure requires significant investment.

From secure storage to advanced monitoring tools, the costs can add up quickly. Smaller firms, in particular, may struggle to keep up with the financial and technical demands.

Training and awareness

Even the best technology won’t work without well-trained employees.

Staff need to understand what the MiFID II regulation requires, which communications must be recorded, and how to use compliance tools correctly. Ongoing training is necessary to prevent mistakes and ensure everyone remains aware of their responsibilities.

Best Practices for Maintaining MiFID II Compliance

Staying compliant with the MiFID II directive is an ongoing process that requires consistent effort and the right systems in place.

Here are some best practices firms can follow to reduce risk and make compliance more manageable.

Implement a centralized, policy-based archiving strategy

Instead of using separate tools for email, chat, voice, and mobile messaging, you should adopt a centralized archiving solution that captures all communication channels in one place and lets you search from a single interface.

This ensures consistency, eliminates blind spots, and makes it easier for your compliance team to enforce retention policies and other requirements across the entire organization.

Regularly review and update policies

Regulations evolve, and so do the ways employees communicate.

Compliance policies should be reviewed and updated regularly to keep pace with new channels (like WhatsApp, iMessage, or Teams) and any changes in MiFID II rules. Outdated policies can leave your company exposed to compliance risks.

Conduct audits and penetration testing

Regular internal audits help confirm that recordkeeping and monitoring systems are working as intended. In addition, penetration testing can identify security weaknesses before regulators or hackers find them.

Both practices ensure you’re always audit-ready and that your data is well-protected.

Train staff regularly on communications compliance

Employees play a crucial role in compliance.

Regular training sessions help staff understand what types of communications must be recorded, how to use compliance tools properly, and what behaviors regulators are watching for. Refresher courses keep awareness high and reduce the risk of accidental violations.

Document everything for audit readiness

When regulators ask for information, you must be able to respond quickly and confidently.

Keeping clear documentation of policies, training sessions, audits, and monitoring practices proves that the organization takes compliance seriously.


Summary of the Main Points

  • MiFID II is an EU regulation that aims to make financial markets more transparent, improve investor protection, and standardize rules across member states.
  • The law covers banks, brokers, investment firms, trading venues, advisors, and even some non-EU firms operating in EU markets.
  • To stay compliant, firms must capture, store, and make searchable all relevant communications across channels like email, chat, voice, and video, in tamper-proof archives.
  • Compliance teams are required to actively monitor stored communications using tools like keyword alerts, random sampling, and AI analytics to spot and prevent suspicious activities.
  • Information must be stored in a durable medium and be easily searchable and exportable on demand to meet regulator requests without delays.

FAQ

What types of communication are covered under MiFID II?

All electronic and voice communications intended to lead to a transaction must be recorded, including emails, phone calls, video calls, chats, and messaging apps.

Does MiFID II apply to U.S. companies?

Yes, if a U.S.-based firm offers services to clients in the EU or trades on EU markets, it must comply.

What are the MiFID II research unbundling rules?

They require companies to separate the cost of research from trading fees, so investors see exactly what they’re paying for. This increases transparency, reduces conflicts of interest, and pushes providers to deliver higher-quality research.

Why is MiFID II important for investors?

It gives them greater protection, clearer information, and fairer markets by making trading more transparent and regulated.

Is there a U.S. equivalent to MiFID II?

Yes. The closest U.S. equivalent is the Dodd-Frank Act, introduced after the 2008 financial crisis. Like MiFID II, it aims to make financial markets more transparent, protect investors, and reduce systemic risks through stricter reporting, oversight, and compliance rules.

What happens if a firm violates MiFID II?

Firms that fail to comply with MiFID II can face heavy fines, trading restrictions, or even loss of license. Beyond financial penalties, violations can damage a company’s reputation, erode client trust, and trigger increased scrutiny from regulators.


About the Author
Natasa Djalovic
Natasa Djalovic is a senior content writer with over 8 years of experience creating content for SaaS, B2B, and marketing companies. When she’s not crafting blog posts about compliance and data archiving, she enjoys building LEGO sets, watching documentaries, and hanging out with friends.
