Key takeaways
- Instead of desk-based trading, mobile communication now leads the way, forcing firms to rethink how they capture, validate, and govern every interaction.
- MiFID III (Directive 2024/790) and MiFIR 2 (Regulation 2024/791) amend MiFID II with stricter requirements for transaction reporting, best execution and communication retention, with key deadlines in September 2025 and June 2026.
- The regulatory focus shifts from passive recording to active monitoring and behavioral oversight of client communications.
- Off-channel communications, including WhatsApp, Teams and SMS, are getting more attention from regulators, requiring firms to archive across every channel employees use.
- Firms already compliant with MiFID II still need to close specific gaps: broader channel coverage, surveillance capabilities and faster retrieval for regulatory audits.
- A centralized, multi-channel archiving platform simplifies compliance by consolidating capture, retention, search and export in one system.
Introduction
The deadline for EU member states to transpose MiFID III into national law was September 29, 2025, and most have now done so. Firms that haven’t updated their archiving and recordkeeping practices face regulatory exposure at a time when enforcement is accelerating.
The compliance bar has shifted: regulators now want evidence that you monitored, flagged and acted on what your archived data revealed. If you’re already managing FINRA compliance archiving, many of the same principles apply.
In this article, you’ll learn:
- What MiFID III is and how it differs from MiFID II
- How the new rules affect communication archiving and recordkeeping
- Which communication channels must be archived under MiFID III
- A step-by-step checklist to prepare your compliance program
What is MiFID III?
MiFID III is the common name for MiFID II/MiFIR review Directive 2024/790. It amends MiFID II rather than being a wholly new directive.
The directive is paired with MiFIR 2 (Regulation 2024/791), and together they form the next generation of EU financial market regulations. The core objectives are straightforward:
- Improve market transparency
- Strengthen investor protection
- Modernize transaction reporting, and
- Align EU rules with global standards.
The practical impact is significant. MiFID III raises the bar on how firms capture, retain and produce communications for regulators.
MiFID II vs. MiFID III Compliance: Key Changes
If you’re already compliant with MiFID II, you don’t need to start from scratch. But you do need to identify and close specific gaps. A European Parliament briefing on the MiFID II/MiFIR review provides the legislative context for these changes.
Here’s how the two frameworks compare:
| Area | MiFID II | MiFID III |
| Market transparency | Post-trade transparency requirements | EU-wide consolidated tape for real-time market data |
| Payment for order flow | Permitted under certain conditions | EU-wide ban on PFOF |
| Transaction reporting | Fixed data fields | Extended fields, near real-time reporting, stronger ESMA oversight |
| Volume cap mechanism | Double cap (4%/8%) for dark pool trading | Single 7% cap for reference price and negotiated trades |
| Recording obligations | Store conversations that may lead to transactions | Active monitoring and behavioral oversight of communications |
| Investor protection | Suitability and disclosure obligations | Stricter requirements including digital channel coverage |
| Best execution | Standard reporting and documentation | Stricter documentation with venue selection justification |
The most significant shift for compliance teams sits in the recording obligations row. MiFID II asked you to capture and store communications. MiFID III expects you to prove you actively monitored those communications for misconduct, unauthorized recommendations and policy violations.
This is the difference between having an archive and using an archive. Under MiFID III, the question regulators ask changes from “Did you record it?” to “Did you act on what you found?”
Best execution requirements also carry operational weight. Firms must now document why they selected specific execution venues, not just that they achieved best execution. This means trade-related communications need to be linked to execution records in a way that’s searchable and producible.
How MiFID III Affects Communication Archiving and Recordkeeping
This is where MiFID III hits compliance teams hardest. The foundational MiFID II requirement to record and retain communications related to transactions (established under Article 16 of MiFID II) remains in place. MiFID III builds on that baseline with higher expectations around regulatory compliance archiving.
The five-year minimum retention period continues, extendable to seven years upon regulatory request. But the emphasis has shifted from storage duration to retrieval speed and audit readiness. Regulators expect you to produce specific communications quickly, mapped to particular transactions and client files.
What this means in practice:
- Immutability — Archived communications must be tamper-proof. You need to be able to show that records haven’t been altered since capture.
- Searchability — Your archive must support granular search, filtering by date range, participant, keyword, channel and transaction reference.
- Exportability — When a regulator requests records, you need to produce them in accepted formats within expected timeframes.
- Transaction mapping — Communications must be linkable to specific trades, client accounts and execution records. It’s no longer enough to archive your messages in one system and your trade records in another. They need to be linked so that, for any given trade, you can show both what was decided and the conversation that led to that decision.
Off-channel communications face sharper scrutiny under MiFID III. Regulators are specifically targeting the use of personal devices, unapproved messaging apps, and encrypted channels that fall outside a firm’s archiving infrastructure.
The compliance question has changed. It’s no longer enough to show you recorded a phone call or saved an email. You need to show a complete communication record across every channel, with evidence that you monitored it for compliance risks.
Which communication channels must be archived for MiFID compliance
MiFID III doesn’t provide an exhaustive channel list. Instead, it applies a broad principle: if a communication could relate to a transaction or client interaction, it must be archived.
In practice, this means your archiving coverage must include:
- Email — Business accounts and personal accounts used for business purposes. See our guide to email compliance for detailed requirements.
- Instant messaging and chat — Microsoft Teams, Slack, Bloomberg chat
- Mobile messaging — WhatsApp, Signal, iMessage, SMS. For mobile-specific guidance, see archiving text messages for compliance.
- Social media — LinkedIn messages, X posts and direct messages. Social media archiving covers how to capture these channels compliantly.
- Voice calls — Landline, mobile and VoIP, including recorded lines
- Video conferencing — Teams and Zoom recordings
- Collaboration platforms — SharePoint and OneDrive communications
Most firms can capture any one of these channels well enough. The harder problem is bringing all of them into a single, searchable archive where records can be cross-referenced and produced together during an audit or investigation.
In practice, many organizations end up using a different vendor for each channel, one tool for email, another for voice, a separate platform for mobile messaging. These systems rarely talk to each other, which leaves records scattered across disconnected systems and makes it difficult to assemble a complete picture when a regulator comes asking.
The shift from passive recording to active monitoring
Under MiFID II, the compliance model was largely reactive. You stored the data. If a regulator asked for it, you produced it.
MiFID III compliance moves toward proactive oversight. Regulators now expect firms to monitor communications for signs of misconduct, mis-selling, unauthorized product recommendations and conflicts of interest.
AI-powered surveillance is becoming the regulatory expectation, not just a best practice. Cross-channel monitoring, where a chat message can be correlated with what was said on a call, represents the new standard. Regulators want to see that you’re looking for patterns of non-compliance, not waiting for complaints to surface.
The implication for archiving infrastructure is clear. Your archive isn’t just a storage system anymore. It needs to serve as the foundation for active compliance monitoring, feeding data into surveillance tools that can flag issues before they become regulatory problems.
How to Prepare for MiFID III: Compliance Checklist
Whether you’re closing gaps in an existing MiFID II program or building MiFID III compliance capabilities from scratch, these 7 steps cover the priorities:
- Audit your current archiving coverage — Map every communication channel your employees use for business purposes. Identify gaps where messages aren’t being captured. Pay special attention to mobile messaging apps, BYOD use, personal email accounts and collaboration platforms that may fall outside your current archiving scope.
- Upgrade retention and retrieval capabilities — Confirm that your archive supports fast, granular search across all captured channels. Test your ability to place legal holds, apply redactions and export records in formats that regulators accept. If producing records for an audit takes days instead of hours, review the cloud archiving features that can close that gap.
- Implement cross-channel monitoring — Deploy surveillance tools that can flag misconduct, sentiment anomalies and policy violations across email, chat, voice and messaging. Under MiFID III, you need to show that you acted on what your data revealed.
- Close off-channel gaps — Enforce policies that prevent the use of unapproved messaging platforms for business communications. Where employees use approved mobile channels, make sure those channels feed into your centralized archive.
- Review best execution documentation — Confirm that trade-related communications are linked to execution records. Under MiFID III’s stricter best execution rules, you need to demonstrate that venue selection decisions are documented and that supporting communications are retrievable.
- Train front office and compliance staff — Employees need to understand the PFOF ban implications, off-channel communication rules and their role in the active monitoring framework. Compliance training should cover practical scenarios, not just regulatory abstractions.
- Test audit readiness — Run mock regulatory requests. Ask your team to produce all communications related to a specific client, trade or time period. Measure how long it takes, if the results are complete and address any gaps before a real request arrives.
Summary of the Main Points
- MiFID III (Directive 2024/790) and MiFIR 2 amend the existing MiFID II framework with stricter obligations around market transparency, transaction reporting, best execution and communications archiving.
- The most significant shift for compliance teams is the move from passive recording to active monitoring of communications.
- Off-channel communications (WhatsApp, Teams, SMS, social media) now require the same archiving coverage as email and voice channels.
- Your archive must support fast retrieval, granular search, legal hold, redaction and export in regulator-accepted formats.
- Audit readiness is the new compliance benchmark. Regulators will ask not just if you captured communications, but whether you monitored them and acted on findings.
FAQ
When does MiFID III take effect?
The MiFID III directive came into force in March 2024, and EU member states were required to transpose it into national law by September 29, 2025. Transposition has not been uniform, and firms operating across multiple jurisdictions should confirm the in-force status in each market where they operate, since revised provisions generally apply only once a member state has implemented them.
What communications must be archived under MiFID III?
Any communication that could relate to a transaction or client interaction must be archived. This includes email, instant messaging (Teams, Slack), mobile messaging (WhatsApp, SMS), social media messages, voice calls, video conferences and collaboration platform communications. The broad principle is: if employees use a channel for business, it must be captured and retained.
How long must firms retain records under MiFID III?
The minimum retention period is five years, consistent with MiFID II. Regulators can extend this to seven years. Under MiFID III, the emphasis shifts from retention duration to retrieval speed and the ability to produce specific records mapped to transactions and client files.
How is MiFID III different from MiFID II?
MiFID III introduces several changes: an EU-wide ban on payment for order flow, a consolidated tape for real-time market data, stricter best execution documentation requirements and expanded transaction reporting fields. For compliance teams, the most impactful change is the shift from passive communication recording to active monitoring and behavioral oversight.
Read Next:MiFID II Regulation and Compliance: A Comprehensive Guide |











