Author: Matt Storey
17 July 2025
Germany's Federal Financial Supervisory Authority, the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin), has developed a reputation for rigour and exacting standards.
While the Markets in Financial Instruments Directive II (MiFID II) provides a pan-European framework, it is the national implementation and supervisory posture that define the expectations for regulated firms.
Recent enforcement actions underscore the gravity of this reality. In early 2025, BaFin imposed a significant €23.05 million fine against Deutsche Bank AG, citing a range of organisational breaches that included critical failures in its telephone recording obligations under the German Securities Trading Act (Wertpapierhandelsgesetz – WpHG). This penalty was not an isolated event but the culmination of a clear trend towards more stringent oversight and more substantial financial consequences for non-compliance.
This blog explores how BaFin's record keeping rules, and their specific national transposition through the WpHG, are prescriptive on everything from IT governance to transaction reporting. Successfully operating within the German market requires a deep and nuanced understanding of what can be termed the "German Standard."
To provide a comprehensive analysis, we will deconstruct the core tenets of BaFin's record keeping regime. We will examine the foundational rules under the WpHG, explore the critical link between communications and trade data, and tackle the new frontier of modern collaboration tools and off-channel communications.
At the heart of Germany's financial regulatory framework lies a set of comprehensive and unyielding obligations for the recording and retention of data. These rules, primarily codified in the German Securities Trading Act (WpHG), translate the principles of MiFID II into specific, enforceable mandates.
The WpHG serves as the national legislation that transposes the EU's MiFID II into German law, effectively rendering MiFID II's requirements locally binding and enforceable by BaFin. The cornerstone of these obligations is found in Section 83 of the WpHG, which outlines the record keeping and retention duties for investment services enterprises. Section 83 mandates that firms must keep records of all investment services, ancillary services, and transactions they undertake.
The stated purpose is to enable BaFin to monitor compliance not only with the WpHG itself but also with overarching EU regulations like the Markets in Financial Instruments Regulation (MiFIR) and the Market Abuse Regulation (MAR). This makes it clear that regulatory compliance in Germany is measured against the specific text and BaFin's interpretation of the WpHG, not merely against the general principles of MiFID II.
Firms must therefore look to the WpHG and associated BaFin guidance as their primary source of truth.
A central pillar of Section 83 is the recording obligation, commonly known as "taping" (Aufzeichnungspflicht). BaFin's interpretation of this requirement is expansive and leaves little room for ambiguity. The obligation applies to any telephone conversation or electronic communication that is intended to lead to a transaction, irrespective of whether a transaction is ultimately concluded. This includes not only direct investment advice but also services related to the reception, transmission, and execution of client orders.
The scope extends far beyond client-facing interactions. BaFin explicitly states that the taping requirement is not limited to the front office. It also covers internal, back-office communications where employees discuss client orders. This could involve, for example, operations staff clarifying order details among themselves or liaising with brokers to obtain price information. This broad interpretation means that the surveillance net must be cast much wider than many firms traditionally anticipate, capturing a far greater volume of internal data. This expansion of scope fundamentally alters the nature of surveillance from a client-protection tool to a comprehensive internal monitoring mandate, creating significant operational, technical, and data privacy challenges. It requires firms to implement policies and systems capable of capturing and analysing huge volumes of data from non-revenue-generating departments.
The rules are designed to be "technology-neutral," meaning they apply equally to all forms of electronic communication. This includes traditional channels like email and landline phone calls, as well as modern methods such as video conferences, online chats, and instant messaging. This broad scope is reinforced by BaFin's own market surveys, which have revealed that one of the most common and serious compliance failures is the submission of incomplete recordings.
In its initial survey after MiFID II's implementation, BaFin found that nearly one in five recordings were incomplete. The regulator specifically condemned the practice of starting a recording only at the end of a conversation to create a summary "for the supervisory authority," deeming such "staged conversation summaries" as impermissible. A follow-up survey in 2019 noted that while some technical issues had improved, the completeness and integrity of recordings remained a key focus.
This demonstrates that BaFin is not merely checking for the existence of a record, but is scrutinising its quality and completeness. The expectation is that the entire relevant portion of a conversation is captured, beginning from the moment the discussion moves towards investment services. This places a heavy burden on firms to deploy technology that can record automatically and reliably, and more importantly, to have assurance mechanisms that can prove the integrity and completeness of the captured interaction.
The WpHG establishes clear parameters for the retention and management of these extensive records. The standard retention period for all communications and transaction records is five years, a significant increase from the pre-MiFID II era. Critically, BaFin reserves the right to extend this period to seven years on a case-by-case basis, particularly if needed to preserve evidence for an investigation. This obligation also applies to other key records, such as issuer insider lists, which must also be retained for five years.
The requirements go far beyond basic storage. Records must be maintained in a durable medium and in a format that renders them tamper-proof, often referred to as a Write-Once-Read-Many (WORM) compliant format. This is to ensure the evidential value of the records cannot be compromised. Furthermore, while the records must be protected from unauthorised access, they must also be readily accessible to BaFin upon request.
This accessibility extends to clients as well. Section 83(7) of the WpHG grants clients the right to request a copy of the recordings of their conversations and communications at any time during the retention period. Firms must have procedures in place to fulfil these requests promptly. Finally, the use of these records is strictly controlled. They may only be analysed for specific, legitimate purposes, such as fulfilling client orders, responding to client complaints, or complying with a regulatory request from BaFin.
Traditional channels like office phones, work email, and recorded lines were the initial focus, but “modern electronic channels, such as online chats or video calls” are explicitly included under the rules. The regulation equally covers communications via collaboration platforms (e.g. Microsoft Teams, Zoom, Slack) when used to discuss investment decisions or orders. Even voicemails or SMS/text messages involving orders would be in scope. The principle is comprehensive: firms can’t evade the rules by moving a conversation to a different app.
Across different media, the requirements stay consistent in spirit: capture the interaction, keep it for five years, and ensure it’s accessible if regulators need to review it. What differs is how firms implement this. For phone calls, firms use taping systems; for emails, servers are configured to copy all messages to an archive; for chats and voice messages, newer regtech solutions are employed. The emergence of “off-channel” communications – employees using personal phones or unauthorised apps – has been a particular concern (more on that shortly). BaFin and other regulators expect that if a business conversation happens, the firm must either conduct it on an approved, recorded channel or not at all.
In summary, no matter the medium – telephone, email, SMS, Bloomberg, WhatsApp, Microsoft Teams, or Zoom – if the communication involves a client order, a trade, or advice on a transaction, BaFin expects it to be duly recorded and retained. Firms should therefore adopt a channel-by-channel compliance strategy to ensure nothing falls through the cracks. This channel-neutral approach ensures that new technology doesn’t create a loophole in surveillance – an email, a phone call, or a chat message are all treated with equal importance under record keeping rules.
Trading data and transactional records are very much in scope for record keeping, though they often fall under parallel regulations. It’s helpful to distinguish two broad categories of records that financial firms must maintain:
Communications records – as discussed above, the voice and electronic communications that precede, discuss, or execute trades. These provide context and evidence of who said what, when.
Transaction records – the data about the trades themselves, such as order details, trade confirmations, execution reports, and trading logs.
BaFin (in line with MiFID II) requires firms to keep extensive records of all services, activities, and transactions they undertake in financial markets. This means that every order and trade should be recorded in the firm’s systems with sufficient detail to reconstruct the trade’s lifecycle. For example, firms keep electronic logs of order entries, modifications, cancellations, and executions. They also maintain records of trade confirmations, account statements, and other data tied to the transaction. These trading records often must be kept for five years (or even longer under general commercial law or tax law requirements).
Notably, the communications recording requirement complements the trading data records. Communications (like a phone call where a client gives an order, or a Bloomberg chat where a trader negotiates a price) provide the context and intent, while the trading system records provide the fact of execution. Both are crucial for a complete audit trail. In a potential market abuse investigation or client complaint, regulators like BaFin will look at trading data alongside call recordings or chat transcripts to see the full picture. MiFID II explicitly introduced these rules to enable supervisors to monitor compliance and detect abuses by cross-checking communications with trading outcomes.
It’s worth noting that while trading data retention is often handled by different systems than communications surveillance, BaFin views them together as part of firms’ recordkeeping and evidence preservation duties. For instance, a firm must be able to produce both the recorded phone call where a client said “buy 1000 shares at €50” and the trading record showing whether that order was executed accordingly. In BaFin’s own words, the recorded evidence is there to show “whether the bank entered the order correctly and completely”.
In practice, trading data retention is well-established – order management systems and trading platforms automatically store order and trade history. The retention period for these is generally five years at minimum under MiFID II, matching the communications retention period (and certain data like client identity and transaction details are also needed for regulatory transaction reporting). BaFin can request these records at any time to investigate compliance with market rules.
In summary, financial firms should treat trading records and communications records as two sides of the same coin in compliance. Both need to be retained and readily available. A robust compliance program integrates communications surveillance with trading data, sometimes termed “trade reconstruction.” This allows firms and regulators to piece together the timeline: from initial client contact or internal decision, through to the actual transaction in the market, all backed by records.
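As an added illustration of the trade-reconstruction cross-check described above (this is not code from the original post or from SteelEye), the following Python sketch links a client's order record to the recorded communications that preceded it and flags the failure modes BaFin's surveys single out: no recorded communication at all, capture on an unapproved channel, a recording that starts well after the session was set up (the "staged summary" pattern), an order whose recorded instruction does not match what was entered, and an execution outside the recorded limit. All record structures, field names, sample data, the 30-minute linking window and the 5-second start tolerance are constructed assumptions; the retention helper uses the page's five-year standard period and seven-year extension.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class CommRecord:
    """One archived communication (constructed schema, not a vendor format)."""
    record_id: str
    channel: str             # e.g. "phone", "teams", "whatsapp"
    client_id: str
    session_start: datetime  # when the call/session was set up (telephony or platform metadata)
    capture_start: datetime  # when the archive actually began capturing
    capture_end: datetime
    approved_channel: bool   # True if captured on a firm-controlled, archived channel
    transcript: str


@dataclass
class OrderRecord:
    """One order from the order management system (constructed schema)."""
    order_id: str
    client_id: str
    received_at: datetime
    side: str                # "buy" or "sell"
    quantity: int
    limit_price: float
    executed_qty: int
    executed_price: float


# Minimal pattern for an instruction such as "buy 1000 shares at €50" in a transcript.
ORDER_RE = re.compile(r"\b(buy|sell)\s+(\d+)\s+shares\b.*?\bat\s+€(\d+(?:\.\d+)?)", re.I)


def retention_deadline(captured: datetime, legal_hold: bool = False) -> datetime:
    """Five-year standard retention; seven years when BaFin extends it for an investigation.
    (A 29 February capture date would need leap-day handling, omitted here.)"""
    return captured.replace(year=captured.year + (7 if legal_hold else 5))


def reconstruct(order: OrderRecord, comms: list[CommRecord],
                window: timedelta = timedelta(minutes=30),
                start_tolerance: timedelta = timedelta(seconds=5)) -> list[str]:
    """Link an order to the communications that preceded it and return a list of findings.
    An empty list means the order is fully backed by a complete, on-channel record."""
    linked = [c for c in comms if c.client_id == order.client_id
              and order.received_at - window <= c.session_start <= order.received_at]
    if not linked:
        return ["NO_RECORDED_COMMUNICATION"]
    findings = []
    for c in linked:
        if not c.approved_channel:
            findings.append(f"OFF_CHANNEL:{c.record_id}:{c.channel}")
        # Capture that begins long after the session was set up is the "staged summary" pattern.
        if c.capture_start - c.session_start > start_tolerance:
            findings.append(f"LATE_CAPTURE_START:{c.record_id}")
        m = ORDER_RE.search(c.transcript)
        if m:
            spoken = (m.group(1).lower(), int(m.group(2)), float(m.group(3)))
            if spoken != (order.side, order.quantity, order.limit_price):
                findings.append(f"ORDER_MISMATCH:{c.record_id}")
    # Cross-check the execution against the recorded limit ("entered correctly and completely").
    if order.executed_qty and ((order.side == "buy" and order.executed_price > order.limit_price)
                               or (order.side == "sell" and order.executed_price < order.limit_price)):
        findings.append("EXECUTION_OUTSIDE_LIMIT")
    return findings


# Constructed sample data.
T0 = datetime(2025, 3, 3, 10, 0, 0)
COMMS = [
    CommRecord("rec-1", "phone", "C-42", T0, T0 + timedelta(seconds=1), T0 + timedelta(minutes=4), True,
               "Client: please buy 1000 shares at €50 for my account. Adviser: buy 1000 at €50, confirmed."),
    CommRecord("rec-2", "whatsapp", "C-7", T0, T0 + timedelta(minutes=2), T0 + timedelta(minutes=3), False,
               "sell 200 shares at €12 please"),
]
ORDER_OK = OrderRecord("ord-1", "C-42", T0 + timedelta(minutes=5), "buy", 1000, 50.0, 1000, 49.9)
ORDER_MISMATCHED = OrderRecord("ord-2", "C-42", T0 + timedelta(minutes=6), "buy", 100, 50.0, 100, 49.9)
ORDER_OFF_CHANNEL = OrderRecord("ord-3", "C-7", T0 + timedelta(minutes=10), "sell", 200, 12.0, 200, 12.1)
ORDER_UNBACKED = OrderRecord("ord-4", "C-99", T0 + timedelta(minutes=7), "buy", 10, 5.0, 10, 5.0)

if __name__ == "__main__":
    for o in (ORDER_OK, ORDER_MISMATCHED, ORDER_OFF_CHANNEL, ORDER_UNBACKED):
        print(o.order_id, reconstruct(o, COMMS) or "OK")
```

In a real deployment the linking key would be the firm's own client and order identifiers and the session metadata would come from the telephony or collaboration platform's call-detail records rather than a hand-built list.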
A hot topic in compliance is how regulators are dealing with new forms of communication. In today’s world, employees and clients can communicate through a myriad of channels: WhatsApp, Telegram, Signal, Microsoft Teams, Slack, Zoom, and more. These platforms often combine features – text chat, voice calls, video meetings, file sharing – hence the term “hyper-feature” platforms. They are incredibly useful for business productivity, but they pose a compliance headache: how to capture and oversee communications happening on these channels?
BaFin has made its expectations clear: the rules apply equally to these new media. If anything, BaFin appears to be stepping up oversight in response to the proliferation of off-channel messaging. As mentioned, BaFin launched inquiries into at least one major bank’s use of WhatsApp for business, amid concerns that senior executives were conducting business conversations on chats that weren’t being archived. This followed on the heels of U.S. regulators imposing nearly $2 billion in fines industry-wide for similar WhatsApp record keeping failures (a wake-up call globally).
Whether an employee is chatting on a personal smartphone or a work-issued device, if they are communicating about company business (trades, advice, orders, etc.), it falls under record keeping rules. German law explicitly forbids in-scope communications on private devices unless the firm can record them. Practically, this means firms must either prevent the use of apps like WhatsApp for work or deploy technology to capture those chats.
BaFin continuously updates its guidance to help firms comply with record keeping obligations. Some recent developments and points of note include:
Post-MiFID II Reviews: After MiFID II took effect, BaFin conducted market surveys and noted generally good implementation of taping, with a few gaps (like some calls not recorded from the very start). BaFin used its findings to remind firms that all relevant conversations – from the first “hello” if it’s an investment call – must be recorded fully. Firms were advised against practices like summarising a call’s content at the end instead of recording live (BaFin explicitly said such staged summaries are not permissible). This kind of feedback has been shared via BaFin’s publications and speeches.
FAQ and MaComp: BaFin maintains an FAQ on conduct rules (which includes record keeping topics) and has issued MaComp (Minimum Requirements for Compliance) circulars. These clarify detailed questions. For example, BaFin’s guidance indicates that even certain written communications like tailored client advice sent by messaging apps should be retained, and even communications with potential clients (not yet clients) might be in scope if they involve investment recommendations. BaFin also clarified how marketing communications are treated – purely generic marketing might not need recording, but if a marketing message is sufficiently specific or sent to a particular client group, it might trigger record keeping requirements. This nuance shows that firms must evaluate the content of communications, not just their form. Keeping an eye on BaFin’s FAQ updates (which are periodically revised) is important, as BaFin often uses them to address new issues that arise (e.g., how to handle record keeping for video recordings of advisory sessions, or text messages confirming trade details).
In essence, the regulatory direction is clear: BaFin wants to ensure no blind spots in firms’ record keeping. The spirit is preventive - by enforcing rigorous record retention and modernising rules to cover new media, BaFin aims to deter malfeasance (like insider trading organised on private chats) and ensure that if misconduct occurs, the evidence is preserved for investigation. Financial institutions are encouraged to treat record keeping not just as a tick-box duty, but as a core part of their compliance culture - something that protects the firm and its customers.
While MiFID II was intended to create a harmonised regulatory framework across the European Union, the reality of its implementation has revealed significant divergence in practice. The national competent authorities (NCAs) in Germany, the United Kingdom, and France, while pursuing the same high-level goals of market integrity and investor protection, exhibit distinct supervisory cultures, enforcement priorities, and rule interpretations. For international firms, understanding these nuances is critical, as a one-size-fits-all compliance strategy for Europe is likely to fall short.
The UK's Financial Conduct Authority (FCA) has often been characterised by its willingness to implement "super-equivalent" rules that go beyond the MiFID II baseline. A prime example is its decision to remove the taping exemption that previously existed for discretionary investment managers (DIMs), extending the full recording and five-year retention requirement to them to close a perceived gap in its supervisory reach.
Beyond specific rules, the FCA places a profound emphasis on a firm's internal culture, governance, and the personal accountability of its leadership. This is embodied in the Senior Managers and Certification Regime (SM&CR), which seeks to ensure that senior individuals can be held directly responsible for failures within their areas of responsibility (interestingly changes are coming to this regime, which we will write about in the coming weeks). The FCA's enforcement actions frequently cite breaches of its high-level, overarching Principles for Businesses, such as PRIN 3, which requires firms to "take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems". This demonstrates a focus that is less on ticking boxes and more on whether a firm's governance and culture are genuinely geared towards producing good outcomes.
France's Autorité des Marchés Financiers (AMF) displays a supervisory style that is highly process-oriented and driven by a focus on data quality. This is evident in its program of short, thematic "SPOT" inspections, which are designed to assess the operational effectiveness of firms' compliance arrangements.
The findings from these inspections reveal the AMF's priorities. The regulator has highlighted "poor practices" such as failing to document the retention period for recordings in internal procedures or not having a formal process for tracking and managing recording incidents. This shows a deep concern with the robustness and quality of the processes that underpin compliance. This focus on quality extends to data itself. The AMF has issued highly prescriptive guidance on the technical format for transaction reporting data, including detailed rules on how to construct identifiers for retail investors, to ensure the accuracy and completeness of the data it receives.
BaFin's approach can be synthesized as a unique combination of the styles seen elsewhere. It marries broad, principle-based requirements for overall risk management, such as the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement - MaRisk), with extremely granular, technical regulations for specific activities like transaction reporting under the WpHG.
However, what increasingly distinguishes BaFin is its clear willingness to use significant enforcement action as its primary tool for driving compliance. While other regulators may favour dialogue or procedural reviews, BaFin has demonstrated a readiness to impose headline-grabbing fines to signal its intolerance for breaches.
The following table provides a comparative summary of these distinct regulatory approaches and can be downloaded using the form below.
Illustrations of BaFin's exacting standards are found in its recent enforcement record. Unlike the FCA, BaFin does not typically publish detailed PDF reports or extensive case documentation for individual administrative fines, but the detail of what was reported is provided below.
Deutsche Bank AG (€23.05 million, Feb 2025): This fine was multifaceted, but a core component related to violations of record keeping obligations. BaFin found that the bank's Postbank branch had "violated the requirement to record telephone conversations in connection with investment services". Crucially, the regulator framed this not just as a taping failure under WpHG §83, but as a broader breach of organisational requirements under WpHG §80. This links the technical act of recording directly to the firm's overall governance and control framework, showing that BaFin views record keeping failures as a symptom of deeper institutional problems.
UmweltBank AG (€520,000, Apr 2025): While smaller in value, this fine is highly instructive. BaFin penalised the bank specifically for the "inadequately staffed" WpHG compliance function over several years and for the failure of the compliance officer to submit a complete report to management. This action demonstrates that BaFin's scrutiny extends beyond technology and rules to the very structure of the compliance function itself. It serves as a stark warning that having a compliance department in name only is insufficient; it must be adequately resourced with qualified personnel to perform its duties effectively.
Citigroup Global Markets Europe AG (€12.975 million, May 2024): This penalty was imposed for control failures in the firm's algorithmic trading systems that led to a "flash crash" in European equities. While not a direct record keeping fine, it highlights BaFin's intense focus on the intersection of technology, risk management, and market integrity. It shows that as firms rely more on complex technology for trading, BaFin expects their control, monitoring, and, by extension, their data recording and surveillance systems to be equally sophisticated.
BaFin’s record keeping requirements are a cornerstone of financial compliance in Germany’s markets. They ensure that whether a trade is discussed over a phone call, an email, or a chat message, a transparent record exists to hold everyone accountable. For firms, meeting these requirements involves a blend of policy, process, and technology: clear rules for employees, robust systems to capture multi-channel communications, and diligent oversight by compliance teams. The payoff is the ability to prove best execution and proper conduct, quickly resolve disputes with factual evidence, and build trust with regulators and clients.
Is your firm equipped to meet BaFin’s rising expectations?
Book a demo with SteelEye today and see how our advanced communications and trade surveillance platform helps you capture, retain, and reconstruct every interaction across every channel.
✅ Full audit trail
✅ Multi-channel capture (including WhatsApp, Teams, Zoom)
✅ Automated trade and communications reconstruction
Get BaFin-ready. Book a demo today.