    Electronic communications compliance is now a global expectation for regulated firms, not a local control issue. Financial regulators increasingly expect firms to capture, retain, and supervise business-related communications across approved channels, while privacy and data protection laws shape how that monitoring is carried out.

    That makes communications surveillance a cross-border compliance issue encompassing market conduct, books and records, supervision, and data governance.

    For firms operating in multiple jurisdictions, the challenge is not only knowing which rules exist, but understanding which regulators apply, which communications must be retained or supervised, and how retention and monitoring obligations interact with privacy requirements.

    Key Takeaways

    • Communications surveillance is a global compliance issue shaped by recordkeeping, supervision, and privacy requirements.
    • Firms often face overlapping obligations across the U.S., UK, EU, and other jurisdictions.
    • Effective eComms compliance depends on capturing, retaining, and supervising business communications across approved channels.
    • Privacy laws such as GDPR affect how firms monitor, store, and govern communications data.
    • A strong surveillance framework combines channel coverage, retention, supervision, retrieval, and governance.

    Why eComms compliance remains a global priority

    Regulators focus on whether firms can produce reliable business communication records and supervise them to detect misconduct or breaches. In the U.S., the SEC and FINRA link recordkeeping and supervision to regulated activity.

    In Europe and the UK, MiFID II and the FCA Handbook require recording and retention of relevant communications tied to client orders and investment business. GDPR and UK data protection rules require lawful, fair, transparent, and secure processing of personal data.

    This is why communications surveillance has become more demanding. Firms are expected to monitor more channels, address off-channel risks, maintain usable records, and still comply with data protection obligations.

    Pro Tip: Build your eComms framework around business activity, not around channel names. Regulators care whether relevant communications were captured and supervised, even when the technology mix changes.

    Having explored why communications compliance attracts global scrutiny, let's clarify what electronic communications compliance actually entails.

    Electronic communications compliance, often shortened to eComms compliance, is the process of governing how a firm captures, reviews, stores, retrieves, and supervises business-related communications across digital and voice channels.

    This covers email, recorded voice, messaging platforms, collaboration tools, text messages, and any other approved channel. A firm’s exact obligations depend on its activities and jurisdictions, but every firm must: (1) evidence what was communicated, (2) preserve required records, and (3) supervise communications for compliance risks. SEC Rule 17a-4 governs broker-dealer record preservation, FINRA Rule 3110 covers supervisory systems, and MiFID II sets out recording requirements for certain client service activities.

    After reviewing the definition of electronic communications compliance, it's important to know which global regulators enforce these requirements.

    No single regulator owns global communications compliance. Firms often answer to several authorities at once, depending on entity type, product set, geography, and customer base.

    U.S. regulators

    SEC
    The SEC’s recordkeeping framework for broker-dealers includes Rules 17a-3 and 17a-4, which require broker-dealers to maintain specified records. The SEC’s 2022 amendments to electronic recordkeeping requirements also updated how firms may preserve records electronically, including an audit-trail alternative to traditional WORM-style preservation.

    FINRA
    FINRA Rule 3110 requires firms to establish and maintain a supervisory system reasonably designed to ensure compliance, including the review of written, electronic, and oral communications related to securities business.

    CFTC
    CFTC rules require certain regulated entities to keep full, complete, and systematic records, including specified oral and written communications. CFTC Regulation 1.31 sets retention requirements, while related rules cover oral communications that lead to the execution of transactions.

    EU and UK regulators

    ESMA and MiFID II framework
    Under MiFID II, records must include telephone conversations and electronic communications relating to at least dealing on own account and the provision of client order services, including the reception, transmission, and execution of client orders. ESMA guidance also clarifies that the recording requirement covers relevant stages of these communications.

    FCA
    The FCA Handbook includes rules on recording telephone conversations and electronic communications in relevant contexts. SYSC 10A specifically covers the recording of telephone conversations and electronic communications, and other FCA Handbook provisions apply in sector-specific contexts.

    Privacy and data protection authorities
    GDPR, the ePrivacy Directive, and the UK Data Protection Act 2018 shape how firms collect, retain, and manage personal data in surveillance programs. GDPR principles include lawfulness, fairness, transparency, purpose limitation, data minimisation, storage limitation, security, and accountability.

    The main global themes firms need to manage

    Although the rules differ by jurisdiction, the major themes are broadly consistent.

    Recordkeeping and retention

    Firms are expected to preserve records in a way that supports examination, investigation, and internal review. That includes maintaining records for required periods and producing them in an accessible format. SEC Rule 17a-4 and CFTC Regulation 1.31 both address preservation and retention requirements, while MiFID II and FCA rules define recording obligations in investment contexts.

    Supervision of communications

    Regulators expect firms to review business communications, not merely store them. FINRA Rule 3110, for example, requires a supervisory system reasonably designed to ensure compliance, including review of written, electronic, and oral communications related to securities business. Because not every message carries the same risk, firms typically need a defensible, risk-based review model rather than uniform coverage of everything captured.

    Off-channel risk

    A recurring regulatory concern is whether firms are conducting business on channels that are not captured, supervised, or retained in line with policy and regulation. The underlying issue is not just technology use. The question is whether firms can maintain complete, auditable records of business communications where rules require them.

    Privacy, confidentiality, and proportionality

    In Europe and the UK, firms also need to ensure that communications monitoring is carried out in accordance with applicable privacy law. GDPR and the UK data protection framework make lawful basis, transparency, minimisation, security, and accountability central to any monitoring program that processes personal data.

    Pro Tip: Do not treat retention and privacy as separate projects. In practice, communications surveillance only works well when recordkeeping, supervision, and data governance are designed together.

    How GDPR impacts communications monitoring

    GDPR affects communications surveillance because monitored messages, call recordings, metadata, and related review records often contain personal data. That means firms need a lawful basis for processing, must be transparent about how monitoring works, and should avoid collecting or retaining more data than is necessary for the stated purpose.

    The European Commission’s GDPR guidance highlights the following as core principles: lawfulness, fairness, transparency, purpose limitation, data minimisation, storage limitation, accuracy, integrity, confidentiality, and accountability.

    Compliance teams must therefore work with legal, privacy, and security teams to set retention periods, control data access, define permissions, and give employees notice of monitoring, so that the program meets both surveillance and privacy obligations.

    What MiFID II requires for communication recording

    MiFID II clearly ties communication recording to regulated activity. Article 16(7) requires records of phone and electronic communications related to transactions on own account and client order services. ESMA Q&A further explains that the requirement covers all relevant stages of conversation and communication.

    Firms subject to MiFID II must ensure that approved channels support the recording of communications. They must also take steps to prevent business activity from shifting to channels that cannot meet these obligations.

    Cross-border compliance challenges

    Cross-border eComms compliance is difficult because firms rarely face one rulebook. A global institution may need to satisfy U.S. recordkeeping and supervision expectations, MiFID II recording requirements, FCA Handbook rules, and privacy obligations under the GDPR or the UK Data Protection Act simultaneously.

    Common challenges include:

    • Different retention periods across jurisdictions
    • Different definitions of what communications must be captured
    • Varying treatment of voice, email, chat, and mobile messaging
    • Privacy and employee notice requirements
    • Decentralized technology estates and inconsistent policy enforcement

    Pro Tip: Start by mapping obligations to business activity, legal entity, and user population. That usually produces a clearer control model than mapping everything channel-by-channel.

    How firms can meet multi-channel surveillance expectations

    A practical communications surveillance program should do more than archive messages. It must capture relevant communications, retain them for the required period, provide risk-based supervision, and enable timely retrieval when needed.

    That usually means firms need:

    Channel coverage that reflects real business use

    Approved channels should match how employees actually work. If the policy only allows channels that the business does not realistically use, off-channel risk tends to grow.

    Centralized retention and retrieval

    Records should be stored in a way that supports audits, exams, internal investigations, and legal requests.

    Risk-based supervision

    Not every communication needs the same level of review. Firms typically need a defensible, risk-based approach that aligns supervisory effort to business risk.

    Clear governance

    Ownership should be defined across compliance, legal, IT, records, privacy, and business leaders. Communications surveillance usually fails when each team assumes the other team owns the problem.

    Pro Tip: Measure success by retrievability and supervisory usability, not just ingestion volume. A system that stores everything but cannot support timely review does not solve the real compliance problem.

    Final thought

    Global communications surveillance is not just about keeping more records. It is about keeping the right records, supervising them appropriately, and doing so in a way that stands up across different regulatory and privacy regimes.

    For compliance teams, the real challenge is operational. Firms need to know which regulators apply, which communications are in scope, how long records must be kept, how supervision should work, and how privacy obligations affect monitoring design. The firms that manage this well usually treat communications compliance as a connected governance issue rather than a set of isolated technology tasks.

    Frequently Asked Questions

    What is electronic communications compliance?
    Electronic communications compliance is the process of capturing, retaining, supervising, and retrieving business-related communications in line with regulatory and internal policy requirements. It typically covers channels such as email, voice, messaging platforms, and collaboration tools.

    Which regulators govern electronic communications compliance?
    Electronic communications compliance is shaped by a range of regulators and legal frameworks depending on jurisdiction and business activity. These can include financial regulators, conduct regulators, prudential regulators, and privacy authorities across the U.S., UK, EU, and other regions.

    Why is communications surveillance important?
    Communications surveillance helps firms reduce conduct risk, maintain required records, support regulatory reporting and investigations, and detect potential policy breaches or misconduct. It also helps demonstrate that the firm has appropriate supervision and governance in place.

    How does GDPR affect communications monitoring?
    GDPR affects communications monitoring because monitored communications often contain personal data. Firms need to ensure that monitoring is lawful, proportionate, transparent, secure, and aligned with data governance obligations such as retention and access controls.

    What does MiFID II require for communication recording?
    MiFID II requires certain firms to record telephone conversations and electronic communications that relate to relevant client order services and other in-scope investment activities. Firms must also retain these records in line with applicable requirements.

    How can firms improve electronic communications compliance?
    Firms can improve compliance by defining approved channels clearly, capturing in-scope communications consistently, applying risk-based supervision, maintaining proper retention controls, and making sure records can be retrieved quickly when needed.

    What is off-channel communication risk?
    Off-channel communication risk arises when employees conduct business through channels that are not approved, captured, or supervised by the firm. This creates recordkeeping gaps and can expose the firm to regulatory and supervisory issues.

    Why is cross-border communications compliance difficult?
    Cross-border compliance is difficult because firms may need to meet different retention, supervision, privacy, and recording obligations across jurisdictions. Requirements can vary by regulator, business line, and communication type.