Overview
Spain's National Securities Market Commission, the Comisión Nacional del Mercado de Valores (CNMV), has a reputation for its balanced approach to financial supervision, emphasising investor protection while fostering market innovation.
As the regulator responsible for transposing the Markets in Financial Instruments Directive II (MiFID II) into Spanish law, CNMV sets the standards for record keeping to ensure transparency, compliance monitoring, and dispute resolution.
This blog delves into CNMV's record keeping regime under the Securities Markets and Investment Services Law (LMVSI), exploring its alignment with MiFID II, the scope of obligations, and challenges posed by modern communications.
KEY TAKEAWAYS
-
Capture Everything, on Every Channel - Article 32 of Royal Decree 217/2008 and LMVSI Article 177 demand that client‑facing calls, chats, emails, and even internal order‑routing discussions be recorded in full, regardless of the device or platform.
-
Five‑Year Minimum, WORM‑Grade Integrity - Records must be retained for at least five years (often seven) in a "durable medium" that prevents alteration or deletion; in practice, that means WORM‑equivalent storage with rapid, on‑demand retrieval.
-
Penalties Scale Quickly - Failures that hinder CNMV oversight can escalate from "serious" (€60k–€5 m) to “very serious” (€300k–€10 m or 10 % of turnover), with fines tripled for aggravating factors, making comprehensive, tamper‑proof audit trails a critical safeguard.
Spain’s Record-Keeping Mandate Under MiFID II (Marco Legal en España)
While MiFID II provides the EU-wide blueprint, the legally binding requirements in Spain are codified in its national legislation. The primary statute is the Ley de los Mercados de Valores y de los Servicios de Inversión (LMVSI), or Law 6/2023. This modern law, which replaced its predecessor (the LMV (The Ley del Mercado de Valores)), serves as the principal instrument for transposing MiFID II into the Spanish legal system.
The granular details of these obligations are further elaborated in Royal Decree 217/2008. This decree specifies the precise measures firms must implement for risk management and, critically, the recording of communications and transactions. The interplay between the high-level principles in the LMVSI and the detailed mandates in Royal Decree 217/2008 creates a comprehensive and robust legal framework.
LMV vs. LMVSI
A key point of clarification is the distinction between two important pieces of legislation: the LMV and the LMVSI, the latter representing a significant evolution in Spain's regulatory landscape.
DECREE VS. DECREE
As there are several references in this piece to the 'Royal Decree', it's worthwhile clarifying the distinctions between them that have been present throughout the lifetime of MiFID II.
The most important distinction is between a Royal Legislative Decree (Real Decreto Legislativo), which acts as a primary law with the same force as an Act of Parliament, and a standard Royal Decree (Real Decreto), which is a secondary regulation that provides the detailed rules for implementing a primary law.
The former securities law, the LMV, was officially a Royal Legislative Decree (4/2015). For years, it served as the foundational primary law for the market. However, this has since been repealed and replaced by the modern LMVSI, which is now the principal statute.
Sitting underneath this primary law is the detailed rulebook, Royal Decree 217/2008. This is a secondary regulation containing the granular, "how-to" requirements for firms, including the specific taping obligations (in its Article 32) and other conduct of business rules. To ensure these detailed rules remained current following the introduction of the LMVSI, a more recent modernising decree, Royal Decree 815/2023, was introduced.
This new decree does not replace Royal Decree 217/2008 but rather amends and updates it, aligning its provisions with the LMVSI and incorporating new European frameworks for areas like crypto-assets (MiCA).
The LMVSI sets the high-level principles, while Royal Decree 217/2008, as amended by Royal Decree 815/2023, provides the detailed operational manual that firms must follow.
Key Sections of the LMVSI
|
Theme
|
LMVSI Article
|
Why it matters
|
|
Core record‑keeping duty
|
Art. 177 “Registros”
|
• Requires every Spanish investment firm to keep a register of all services, activities and operations.
• Register **must include the recordings of telephone conversations and electronic communications that relate to investment activity.
• Records must be supplied to clients on request and kept for 5 years (extendable to 7).
• Firms must adopt “medidas razonables” to prevent business on unrecorded channels and allow clients to use alternative durable media.
|
|
Algorithmic‑trading records
|
Art. 178 “Negociación algorítmica”
|
• Obligates firms using algo or HFT strategies to keep order‑flow and system‑event logs, to notify CNMV, and to retain those records (“registros de sus órdenes”) for supervisory review.
|
|
CNMV inspection powers
|
Art. 234 “Facultades de supervisión e inspección”
|
• Empowers CNMV to access any document or data it deems relevant and to conduct on‑site inspections.
|
|
Mandatory co‑operation & data handover
|
Art. 242 “Obligaciones de colaboración”
|
• Compels all supervised persons and entities to deliver books, registers, programmes, magnetic/optical files and recorded telephone conversations to CNMV on demand.
|
|
Order‑handling audit trail
|
Arts. 218‑223 (Gestión y ejecución de órdenes)
|
• Set out the systems/procedures for order management and the duty to demonstrate to CNMV that orders were executed per policy, linking trade data with comms records.
|
|
Sanctioning framework
|
Arts. 298‑306 (Infracciones) + 312‑313 (Sanciones)
|
• Define when poor or incomplete records become “infracción grave” or “muy grave” and list the monetary/ancillary penalties CNMV can impose.
|
The Scope of "Taping" (Obligación de Grabación)
The obligation to record communications is detailed in Article 32 of Royal Decree 217/2008.
"La empresa de servicios de inversión tomará todas las medidas razonables para impedir que un empleado o una persona contratada realice, envíe o reciba llamadas telefónicas o comunicaciones electrónicas en material de su propiedad que la empresa no pueda registrar o copiar".
"The investment services firm shall take all reasonable steps to prevent an employee or a contracted person from making, sending or receiving telephone calls or electronic communications on equipment owned by them that the firm cannot record or copy."
Section 15 of CNMV's MiFID II FAQ outlines that recording obligations cover “las grabaciones de las conversaciones telefónicas o comunicaciones electrónicas”, the recording of telephone and electronic communications tied to client order reception, transmission, and execution, even if no transaction occurs.
The rules are technology-neutral, covering emails, chats, video calls, and more. CNMV stresses completeness: partial recordings are inadequate. Face-to-face interactions require detailed minutes, including timestamps and participants. Surveys post-MiFID II implementation showed improvements, but CNMV continues to emphasise full capture from the conversation start.
Some examples of in-scope communications include;
-
If a broker calls a client to take an order, that call must be recorded. Likewise, an email or WhatsApp message exchange discussing a potential trade or investment recommendation must be archived.
-
If a trader on the firm’s account discusses a trade idea over a recorded line or chat, that communication is in scope. Internal calls that effectively amount to order instructions (e.g. a portfolio manager calling a trading desk to execute a trade for a managed account) are considered part of the order execution chain and should be captured as well, even if the client is not party to the call.
-
If a face-to-face meeting with a client results in an order (or advice likely to lead to a trade), MiFID II requires documentation of the conversation. In practice, firms must produce a written minute or note capturing the key details of the in-person discussion (date, time, attendees, initiator, and the order details such as instrument, price, volume, etc.). These written records of offline conversations are considered equivalent to recordings and must be kept in the records system.
The CNMV’s guidance (in Q&As) emphasises that the conclusion of a transaction is not a prerequisite for the recording obligation to apply.
This broad mandate was introduced in Spain’s MiFID II transposition with little dilution of the EU text. As a result, banks and investment firms must record nearly all client-facing conversations regarding investment services. The goal is to capture a complete audit trail of who said what, when, and in what context. The CNMV can then monitor compliance with conduct rules and market integrity in detail. Indeed, CNMV officials noted that the law intends to have "irrefutable proof" of each order and client instruction, leaving no ambiguity in case of disputes.
The Five-Year Rule: Retention, Accessibility, and Data Integrity
The requirements for record retention are specified in Article 177(3) of the LMVSI.
CNMV rules are aligned with MiFID II (Article 16(7)): the standard retention period for these records is five years. This is codified in Spanish regulation: firms must keep all required records for at least 5 años. However, the law also “abre la puerta” for the CNMV to demand records be kept for up to seven years in specific cases. In practice, CNMV can invoke this extension (to a 7-year retention) when necessary for supervisory reasons (e.g., an investigation is ongoing or if the firm’s activities warrant longer observation). In our experience, most firms choose to proactively keep certain records for 7 years to be safe, especially since other regulations (like anti-money laundering laws) may require longer retention.
During the retention period, records must be maintained in a manner that they can be promptly provided to the CNMV upon request. MiFIR Article 25 (and its Spanish transposition) clearly states that investment firms “must at all times make available to the competent authority, during a five-year period, the data related to all orders and all transactions” carried out. So, on-demand retrieval. If CNMV conducts an inspection or asks for a sample of records (e.g. “provide all communications with Client X around the sale of Bond Y last July”), the data should be readily accessible.
Do Requirements Differ Across Communication Types?
Mirroring ESMA’s stance, the CNMV enforces a technology-neutral approach, a principle derived from the broad scope outlined in Article 32 of Royal Decree 217/2008. The law does not limit the recording mandate to traditional phone lines or official email, it extends to all forms of communication that a firm’s employees might use to discuss investments with clients or counterparties. This includes: fixed-line and mobile phones, emails, SMS/text messages, instant messaging chats (Bloomberg chat, WhatsApp, Teams, etc.), video or conference calls, and any new electronic communication tools that may be adopted in the future.
The CNMV expects firms to capture communications regardless of the channel
Therefore, firms must not use a medium that cannot be recorded for in-scope conversations. If an employee is discussing business, that discussion must happen on a recorded line or platform. The CNMV (through ESMA guidance) has explicitly addressed the use of personal devices and apps: investment firms may permit relevant staff to use mobile devices (even personal phones) for work-related communications only if those communications are recorded appropriately. The firm should have controls to prevent any “relevant” conversation from occurring on an unmonitored channel. For example, if a relationship manager typically talks to clients via WhatsApp, the firm must either capture those WhatsApp chats with an archiving solution or prohibit their use for client orders.
In March 2020, as the COVID-19 pandemic forced widespread remote work, ESMA and CNMV issued a special communication reminding firms of their obligations on call recording. They acknowledged practical challenges (e.g. sudden teleworking surges making recording harder), but insisted that firms make "all reasonable efforts" to continue recording conversations. The guidance allowed for temporary alternatives such as written notes of conversations.
“Por ejemplo, la política debe incluir, entre otros factores, el hecho de que los datos deben conservarse por un periodo mínimo de cinco años, y se debe impedir que las personas pertinentes tengan la posibilidad de eliminar las grabaciones”.
"For example, the policy must include, among other factors, the fact that data must be retained for a minimum period of five years, and relevant persons must be prevented from having the possibility to delete the recordings".
Article 296: Very Serious Infringements
Article 296 of the LMVSI defines “very serious” infringements, which carry the highest penalties due to their significant impact on market integrity, investor protection, or systemic stability.
Article 296.1.b
“La vulneración de las normas sobre conducta de las empresas de servicios de inversión, en particular las relativas a... la grabación de conversaciones telefónicas y comunicaciones electrónicas relacionadas con la prestación de servicios de inversión, y la conservación de registros, cuando dicha vulneración sea de especial gravedad.”
“Breach of the rules on the conduct of investment firms, particularly those relating to... the recording of telephone conversations and electronic communications related to the provision of investment services, and the retention of records, when such breach is of particular severity.”
This section explicitly targets failures in recording telephone conversations and electronic communications (e.g., emails, chats, video calls) tied to investment services, as well as inadequate record retention. A breach is “very serious” if it is systemic, deliberate, or significantly hinders CNMV’s ability to monitor compliance (e.g., incomplete recordings missing the start of order-related discussions or non-tamper-proof storage).
MiFID II does not require a “very serious” category, leaving classification to Member States, and lists determination factors like gravity, duration, and systemic impact (Article 71).
Article 296, cross-referenced with Article 295
“Sancionables con multa de 300.000 a 10.000.000 de euros, o, en su caso, de hasta el doble del beneficio obtenido o del perjuicio causado, o el 10% del volumen de negocio anual.”
(Punishable by a fine of €300,000 to €10,000,000, or, where applicable, up to twice the profit obtained or damage caused, or 10% of the annual turnover.) Penalties can be tripled for aggravating factors (e.g., repeated breaches, significant harm) or reduced for mitigating factors (e.g., self-reporting, minimal impact).
MVSI’s “very serious” category with fines up to €10 million (or 10% turnover) exceeds MiFID II’s €5 million individual minimum, adding a prescriptive national layer not required by the EU. This diverges from ESMA’s harmonisation goal, as Spain’s explicit tiering could lead to stricter enforcement for severe record-keeping failures.
The potential to triple fines for aggravating factors (e.g., systemic taping failures enabling insider trading) goes beyond MiFID II’s doubling provision, making Spain’s regime potentially harsher for high-impact breaches.
Article 302: Serious Infringements
Article 302 defines “serious” infringements, which are less severe but still significant, often involving isolated or lower-impact breaches. The article allows for proportionate sanctions while maintaining deterrence.
Article 302.1
“La vulneración de las normas sobre la grabación de conversaciones telefónicas y comunicaciones electrónicas, la llevanza de registros, y los requisitos organizativos internos, cuando no alcance la gravedad de una infracción muy grave.”
“Breach of the rules on the recording of telephone conversations and electronic communications, record-keeping, and internal organisational requirements, when not reaching the severity of a very serious infringement.”
Covers non-systemic breaches, such as incomplete recordings (e.g., missing timestamps, partial chat captures) or short-term retention failures that don’t broadly undermine CNMV oversight. For instance, failing to record a single client order discussion via email might qualify if it’s isolated and causes minimal harm.
LMVSI’s “serious” tier (fines from €60,000 to €5 million) introduces a lower threshold not required by MiFID II, allowing nuanced enforcement for minor breaches.
Tamper-Proof Storage and Data Integrity (Soporte Duradero)
As explored in our recent blog on the FCA’s stance on Record Keeping, how records are stored and managed is equally important. MiFID II (via its Delegated Regulation, Article 76) and Spanish law mandate that firms keep these records in a durable medium that preserves their integrity. In practice, this means using storage solutions where data cannot be altered or erased without leaving a trace. The CNMV states that “telephone conversations and electronic communications should be stored in a durable medium that makes it possible to reproduce or copy them in a format that does not alter or erase the original record”. This requirement is often met by using WORM (Write-Once-Read-Many) technology or similarly secure storage systems.
Beyond preventing tampering, firms need to ensure that records are organised in a way that facilitates audit trails. Regulators (or internal compliance teams) should be able to retrieve all communications relating to a particular trade or client instruction and be confident that nothing has been doctored. In Spain, firms are required to maintain records such that one can “reconstruct the stages through which a transaction passed". This means the communication records must tie into the transaction records. For instance, if a client orders a trade over a recorded phone call, the time stamp of that call, the recorded audio, the order ticket, and the trade execution details should all be linkable. During an investigation or compliance review, CNMV could ask: “Show us the entire audit trail for Client X’s order on date Y – including the phone call where the order was placed, any Bloomberg chat that amended it, and the trade confirmation". Firms must be able to produce that trail quickly and reliably.
Why Both CNMV and the FCA Expect WORM‑Grade Immutability
Regulators on both sides of the Channel avoid naming a specific technology, yet their language leads to the same technical outcome: records must be immutable, tamper‑proof, and reproducible on demand. In practice, that means WORM (Write‑Once, Read‑Many) storage or an equivalent control.
|
Requirement CNMV
|
CNMV (Spain)
|
FCA (UK)
|
Practical Translation
|
|
Legal wording
|
“Soporte duradero… que permita la reproducción sin alteración del registro original". (LMV art. 194; MiFID II art. 16 & Deleg. Reg. art. 76)
|
“Durable medium… allows the unchanged reproduction of the information stored". (SYSC 9 glossary; SYSC 9.1)
|
Storage must prove that the data cannot be changed during its retention period.
|
|
Purpose
|
Ensure the CNMV can reconstruct every stage of a transaction and verify market integrity.
|
Enable the FCA to supervise and, if necessary, enforce against misconduct.
|
Regulators must be able to trust the evidence in court‑grade form.
|
|
Retention
|
5 years (extendable to 7).
|
5 years for MiFID communications; longer for some rulebooks.
|
WORM lock must match (or exceed) regulatory retention clocks.
|
|
Technology guidance
|
Technology‑neutral; firms must deploy controls “that prevent alteration or deletion".
|
Principles‑based; “unchanged reproduction” places the burden on firms to guarantee immutability.
|
Regulator doesn’t say “WORM”, but the spec is WORM.
|
In a resolution published in June 2024, the CNMV imposed a total fine of €180,000 on MiraltaBank for two "very serious" infractions. While one part of the fine relates to conflicts of interest, the larger portion is instructive for understanding the regulator's stance on record keeping.
-
The firm was fined €100,000 for having "repeatedly failed to meet its obligations concerning the registration of operations and supporting documents for client orders" (incumplido de forma reiterada sus obligaciones con respecto a los registros de operaciones y justificantes de órdenes de clientes).
-
The CNMV did not simply cite a failure to "record conversations." The focus on the "registration of operations" and, crucially, the "supporting documents" (justificantes) points to a systemic failure in the firm's ability to create and maintain a complete and verifiable audit trail for its client-facing activities. This reinforces the understanding that the CNMV expects more than just siloed data; it demands a coherent and reconstructible evidential package that links every client order to its supporting context and documentation.
Conclusion
Spain’s updated Securities Markets and Investment Services Law (LMVSI) cements the CNMV’s reputation for marrying rigorous investor protection with technology‑neutral rules that keep pace with modern communications.
By explicitly extending MiFID II’s record‑keeping blueprint, Spain has created one of Europe’s clearest, modern frameworks. Firms operating in or servicing the Spanish market must therefore treat call recording, message capture, and tamper‑proof storage not as back‑office chores but as frontline controls.
SOURCES
NAVIGATE CNMV RULES WITH CONFIDENCE
SteelEye empowers you to meet record-keeping obligations seamlessly and securely.
From MiFID II taping to LMVSI retention, our platform streamlines compliance with tamper-proof storage and built-in audit readiness.
Stay inspection-ready. Futureproof your compliance strategy.
Book your demo today. ⬇️