Introduction to MiFID III, Part Two: What does MiFID III mean for financial compliance?


The introduction of the Markets in Financial Instruments Directive II (MiFID II) in early 2018 was more than just a rolling update; it was a huge shift in the European financial landscape.

Building upon the trailblazing framework of its 2007 predecessor, this second iteration sought to close regulatory loopholes, enhance investor protection, and move as much trading as possible on to regulated, transparent platforms.  

For firms across the EU, it meant they had a lot of work to do, not a lot of time to do it in, and severe penalties for those that couldn’t keep up. Even the Financial Conduct Authority (FCA) gave advice that some firms at the time might simply be better off merging with larger entities to gain access to resources and expertise needed to comply, rather than trying to navigate the regulations alone.  

It was a massive requirement, touching everything from product governance and transaction reporting to the mandatory recording of effectively all client interactions. 

Now, financial service providers are facing the next wave of reforms, unofficially referred to as ‘MiFID III’ (check out our taster introduction to how the impending MiFID III regulations are shaping up).

This term isn’t an official designation, and refers to a varied package of legislative updates led by the Markets in Financial Instruments Regulation (MiFIR) and the new Retail Investment Strategy (RIS).  

These reforms signal a clear development in the regulators' attitude, and echo trends on both sides of the Atlantic, where the emphasis is now far more on holistic compliance and data completeness than on simply asking whether a crime has been committed.

This evolution from a structural to a fully forensic framework has profound and far-reaching implications for all businesses with compliance recording obligations, transforming the act of recording from a passive archiving task into a fully proactive, evidentiary necessity.

Recapping MiFID II 

The 2018 rules of MiFID II are generally not being replaced or even significantly rephrased. The most powerful item remains Article 16(7), under which financial service providers are obligated to keep records of all services, activities and transactions, and the communications pertaining to them.  

The phrasing of the article showed foresight by being deliberately broad in its definitions and staying technology-neutral, mentioning not just telephones and emails, but also alluding to (then) emergent communication methods including instant messaging, chat apps, and video conferencing.  

Crucially, the articles also extended obligations retroactively to completed deals, including interactions that could have led to a transaction, even if a trade never materialized.

This principle is what generates the vast majority of the challenge for compliant businesses. Even the European Securities and Markets Authority (ESMA) has acknowledged the difficulty, stating in a 2023 Decision that "…it is impossible to appreciate upfront whether the conversation will lead to the conclusion of a transaction". It is a concession that hasn’t made much difference to fines levied, before or since.

This obligated service providers to take a very broad approach to which interactions needed to happen under a compliant umbrella, effectively including the entire client interaction and advisory process, not just the final order.  

Although the rules about when recording should happen were intentionally broad, they’re clear on who must be captured. The obligation covers all personnel using equipment provided to, or authorized for the use of, a firm's employees and contractors – directly addressing Bring-Your-Own-Device (BYOD) usage. Businesses are required to prevent staff from using any private, unrecorded equipment or apps for interactions that fall within the scope of the recording rules.  

Even face-to-face meetings are covered. While they don’t require electronic recording, firms must produce written minutes or notes that include dates, locations, attendees, and core details of any orders discussed. 

Once captured, these records must be stored in a ‘durable medium’ that prevents manipulation, alteration, or deletion. The standard retention period is a minimum of five years, extended to seven years in the event of an investigation or request by regulators. The records must be readily accessible for regulators and even available to clients upon request.  

What is MiFID III? 

MiFID III isn’t actually an item of legislation, but rather a useful term for a raft of interlocking reforms being released together, designed to refine and strengthen the existing rules. The two most significant items in the bundle are the MiFIR Review and the Retail Investment Strategy.

The review of the Markets in Financial Instruments Regulation (MiFIR) focuses primarily on data completeness and transparency.  

One of its most ambitious transparency goals is to deliver a functional Consolidated Tape Provider (CTP). While the name might suggest an antique ticker tape news machine (revolutionary fintech in its day), the system envisioned is a unified, real-time source of complete market data for multiple asset classes right across the EU, greatly expanding market transparency.  

The MiFIR review also ups the transparency obligation for service providers. Some of these amendments are specific to certain types of traders, dealing with very technical products, such as replacing the ‘double volume cap’ for ‘dark pool trading’ with an apparently simpler 7% single volume cap. There is also a ban on Payment for Order Flow (PFOF) deals, which in simple terms is when service providers receive kickbacks from third parties for directing client orders to them; something that is now recognized as a conflict of interest. 

The Retail Investment Strategy (RIS) enhances protections for non-professional investors. Not entirely dissimilar to the MiFIR rules on PFOF, it tightens the rules around ‘inducement’ payments made by manufacturers to ensure that financial advice is in the client's best interest.  

Another key rule of the RIS, again demonstrating MiFID III’s new emphasis on intent, is the introduction of ‘value for money’, which will require firms to demonstrate their fees are justified and proportionate. The RIS also strengthens rules about marketing communications and promotional material, including paid content by social media influencers, to ensure it’s not misleading.

The implementation timeline is most charitably described as multi-tiered, but MiFIR’s own text officially states that it came into force at the end of March 2024. However, many provisions require further technical endorsement from the ESMA to become operational and are expected to remain ‘under consultation’ until late 2026.  

Acknowledging what it terms ‘regulatory fatigue’ in the industry, the ESMA has initiated a ‘strategic pause’ on some aspects of MiFID III while businesses and regulators work on simplifying implementation, but has made it clear that data completeness obligations will still definitely be increasing. Legal analysis has observed that the RIS is now on a slower legislative track and not expected to become fully applicable until mid-2026.

Overall, the MiFID III process makes relatively few direct amendments to the core text of Article 16(7). Instead, it expands the definitions of what’s covered by standards of conduct, and therefore puts more activities under the remit of the Article without making any direct changes to it. As captures are essentially the only evidence a business can use to prove compliance, the effective scope of what they need to cover expands significantly.

For instance, was a business influenced by a (now banned) PFOF arrangement? An auditable trail with enough detail for forensic reconstruction demonstrating that the execution was legit is the only viable defense. The same is true for the ‘value for money’ obligation.  

Consequently, recording obligations are no longer an exercise in data retention, but the creation of a forensic evidentiary archive that can be analyzed and searched with enough nuance to demonstrate intent and tone. To all intents and purposes, MiFID III has made AI-powered transcript analysis a necessity.

From passive capture to active surveillance 

The cumulative effect of MiFID III is to drive compliant strategies from passive to proactive, analytic surveillance. Recording interactions isn’t enough, and what now needs to be proved is that businesses are using those recordings to actively scan for misconduct and identify potential risks before they happen. The question has changed from "Did you record it?" to "What did you do about it?". 

Compliance was already far from a simple exercise in documentation, but now it’s becoming a form of active self-analysis and oversight. The substance and tone of conversations are becoming part of data completeness. It’s no longer enough to simply shelve a five-year-old phone call, as under MiFID III businesses will need to demonstrate they’re actively monitoring these archives for red flags.

This requires a whole new class of compliance tool, capable of going beyond keyword flagging. Advanced analytics are needed to sift conversations for turn of phrase, sentiment, and tone that might indicate non-compliance or undue pressure being placed on a customer. 

Without explicitly stating so, this shift basically means MiFID III requires the adoption of AI compliance tools. The sheer volume of data already captured under MiFID II makes meaningful manual review an operational impossibility. No compliance team of any size can analyze every call, email, SMS, and WhatsApp text.  

The only viable way to support active detection is with sophisticated AI tech that can perform full annotated transcription, natural language processing, and sentiment analysis at scale. MiFID III never once says the term "AI", but definitively compels its adoption. 

Firms that continue with basic archive systems will be unable to demonstrate the active, risk-based oversight now demanded, leaving them exposed to enforcement action.

It’s worth noting that this new regime of enforcing risk management is not exclusive to MiFID III.  

While recently investigating a leading US investment bank, the American SEC ruled that the firm was not keeping sufficiently secure and detailed records, and was thus liable for a $1.5 million penalty, even though the enforcement judgement noted there was no suggestion of malfeasance or client harm.

The evidential burden is shifting from standardized reports to forensic demonstrations of putting clients first, for which analyzed communication records are effectively the only practical form of proof. 

A unified data strategy for MiFID III 

In the new regulatory environment, fragmented and incomplete data is not just inefficient, but will also be punished as a critical compliance failure.  

The regulatory trend of MiFID III is clearly pushing towards data unification. The era of siloed, single-purpose recording systems is definitively over. These legacy architectures, where voice transcripts are stored in one system, emails in another, and sales data in a third, make it nearly impossible to meet the core regulatory demand to "accurately reconstruct the audit trail of a transaction".  

This demands a unified data strategy, underpinned by tech that can cross-reference and ‘connect the dots’ between conversations and execution records. In the event of audit, a business that can rapidly and completely present the entire lifecycle of a client interaction – from an initial inquiry on WhatsApp, through a series of advisory calls on Microsoft Teams, to the final execution report with all linked transaction identifiers – will find itself facing a very much more cooperative regulator.

Preparing for demonstrable compliance 

The MiFID III bundle doesn’t represent a simple rulebook update. It marks a technological tipping point for the financial services industry and the start of ‘demonstrable compliance’.  

The presumption of innocence, a popular feature of every justice system since the sixth-century Digest of Justinian, does not apply to financial service providers, and the burden of proof is now squarely on their shoulders. MiFID III requires such businesses to proactively and convincingly show that they’re operating with integrity and in the best interest of their clients, and will be assumed guilty until they can prove otherwise. 

Data incompleteness and an inability to proactively detect risks are no longer minor technical breaches. They will at best be considered symptoms of weak compliance culture that can lead to severe reputational damage, and at worst be judged as violations in and of themselves and attract significant fines and capital expenditure requirements.  

Meeting MiFID III means implementing systems that can capture every relevant interaction, regardless of channel or device. It means leveraging AI-powered analytics to actively monitor that data for nuanced signs of misconduct, creating a unified data strategy that can link communications to transactions, and providing an unassailable audit trail of every client relationship.  

The smartest financial service providers, the ones that will continue to lead the market, will be those that not only manage risk and insulate against litigation, but leverage their new compliance to demonstrate trustworthiness to clients in an industry that demands nothing less. 

Talk to 1GLOBAL experts today to discuss how best to ensure your organization’s compliance framework is safeguarding your business, and your clients. 

About 1GLOBAL

1GLOBAL is a distinguished international provider of specialty telecommunications services catering to Global Enterprises, Financial Institutions, IoT, Mobile Operators and Tech & Travel companies. 1GLOBAL is an eSIM pioneer, a fully accredited and GSMA-certified telco, a full MVNO in ten countries, fully regulated in 42 countries, and covers 190+ countries.

It delivers comprehensive communication solutions that encompass Voice, Data & SMS - all supported by a unique global core network. Its constantly expanding portfolio of advanced products and services includes White Label eSIMs, Connectivity Solutions, Compliance and Recording, Consumer & M2M SIM Provisioning and an Entitlement Server.

1GLOBAL is a trading name of 1GLOBAL Holdings B.V.