Free tool

UK Call Recording Retention Calculator

3 questions. Get the minimum retention period that applies to your call recordings across UK regulatory regimes: FCA SYSC 10A.1, MiFID II Article 16(7), PCI DSS 4.0.1, MLR 2017, SRA, ICOBS, UK GDPR, HMRC business records, and the Financial Ombudsman Service complaint window. Every rule is cited to its source.

Built for compliance officers to sanity-check policy against multiple overlapping regimes. Not a substitute for review by your compliance team or a solicitor.

Step 1 of 333%
What regulatory scope applies to your firm?

Select all that apply. If you are unsure of some, err on the side of including them.

The rules the calculator considers

The calculator maps your firm type and activity to the following UK regulatory retention rules and returns the longest applicable minimum. Each rule is cited to its source so you can verify.

RegimeMinimum retentionReference
FCA SYSC 10A (MiFID II onshored)5 years (7 on FCA request)SYSC 10A.1.6R
FCA SYSC 9 general record-keepingTypically 3-6 yearsSYSC 9.1.1R
FCA CONC / Consumer Credit Act6 years post account closureCONC 7 / s.140A CCA
Money Laundering Regulations 20175 years from end of relationship (max 10)MLR 2017 reg. 40
PCI DSS 4.0.1Business-need only. SAD banned post-auth.PCI DSS Req. 3
SRA Standards (solicitors)6 years typical, longer for wills/trustsSRA Code
FCA ICOBS / IDD (insurance)3 years non-life, 5 years lifeICOBS + IDD
Ofcom General Conditions12 months (billing / complaints)GC C4
UK GDPR storage limitationBusiness-need only, documentedArt. 5(1)(e)
Financial Ombudsman Service window6 years (practical minimum)DISP 2.8.2R

Delivering the retention

Knowing the retention period is one thing; delivering it is another. Common compliance failures are: inconsistent retention across systems, no tamper-proof storage, access logs missing, integrations with the compliance archive breaking silently, and mobile-channel gaps where deals or advice happen off-Teams.

ONSIM Mobile Compliance Recording is a UK business SIM/eSIM with network-level call and SMS recording. Retention is configurable per account from 6 months to 7 years and beyond, storage is tamper-proof, access is role-based and logged, and integrations exist with the archive vendors compliance teams already use (Smarsh, Theta Lake, Verint, ASC, NICE, Global Relay). Because recording happens on the mobile network, not on the device, iOS updates and app permissions do not create a compliance gap.

Frequently asked questions

About UK call recording retention

What is the standard FCA call recording retention period?

5 years under SYSC 10A.1.6R (which onshores MiFID II Article 16(7) into the FCA Handbook). The FCA can require an extension to 7 years. Clients must be told that recordings will be available to them for 5 years on request.

Which activities does FCA SYSC 10A apply to?

Telephone conversations and electronic communications related to receiving, transmitting and executing client orders in MiFID financial instruments (and for collective portfolio managers). Non-MiFID activities fall under the more general SYSC 9 record-keeping obligation.

Does PCI DSS ban call recording?

No. It bans storage of Sensitive Authentication Data (SAD - CVV, PIN, full magnetic stripe) after authorisation, and that includes recordings. In practice this means the recording must be paused during card entry, split-channel DTMF-suppressed, or the payment step handled by a certified IVR outside the recorded stream. See our PCI DSS call recording page for the architectures.

How long do UK GDPR say we can keep recordings?

UK GDPR does not set a specific period. Article 5(1)(e) requires you to retain personal data "no longer than necessary" for the purpose. You must define a retention period, document your justification, and delete when the purpose is fulfilled. Any regime-specific minimum (FCA, MLR, PCI, etc.) takes precedence.

What if a call is in scope of multiple regimes?

The longest applicable minimum wins. If a call is FCA SYSC 10A (5 years) and CONC (6 years) and MLR (5 years from relationship end), retain for 6 years or until the MLR relationship ends plus 5 years, whichever is later.

Do special circumstances override statutory minima?

Yes. An active complaint, regulatory investigation or litigation hold overrides the general minimum. Everything relevant must be retained until the matter is fully concluded and the limitation period on any resulting claim has expired.

What if we handle EU customers cross-border?

EU MiFID II applies directly to EU counterparty relationships. Some EU jurisdictions require 7 years by default rather than by request. Confirm with your compliance team based on the specific counterparty domicile and product.

Is this legal or compliance advice?

No. This tool gives an indicative answer based on common UK regulatory rules current at time of publication. It does not replace review by your compliance team or a solicitor with regulatory expertise. Cross-check every citation against the current source before setting policy.

How does ONSIM deliver these retention periods?

ONSIM Mobile Compliance Recording is a UK business SIM/eSIM with network-level call and SMS recording, configurable retention (from 6 months to 7 years and beyond), tamper-proof storage, role-based access, and integrations with the archive vendors compliance teams already use (Smarsh, Theta Lake, Verint, ASC, NICE, Global Relay).

Are the answers saved?

Your answers are saved in your own browser (localStorage) so you can come back and finish the check. Nothing is uploaded or logged by ONSIM.