MiFID II compliance isn't a checkbox — it's a continuous obligation. And yet, most CRM vendors selling into financial services treat it as a marketing claim rather than an engineering commitment. After auditing 23 platforms on behalf of our financial services clients, here's what we found.
What MiFID II Actually Requires from Your CRM
The Markets in Financial Instruments Directive II (MiFID II) imposes specific requirements on how financial firms record, store, and retrieve client communications and transaction data. For your CRM and growth platform, this means:
- Immutable audit trails for all client interactions — emails, calls, meetings, and digital touchpoints
- Data residency within the EU or approved jurisdictions
- Right to erasure workflows that don't break your audit trail
- Suitability assessment documentation linked to client records
- Best execution reporting integration
- Retention periods of 5-7 years depending on instrument type
The 7 Questions to Ask Any CRM Vendor
1. Can you provide your MiFID II compliance attestation from a qualified legal firm — not just your own marketing team?
2. Are audit logs truly immutable, or can admins delete or modify records?
3. Where exactly is our data stored, and can we choose EU-only residency?
4. How do you handle right-to-erasure requests without breaking audit continuity?
5. Do you have a dedicated compliance team, or is this handled by general engineering?
6. What is your breach notification SLA, and have you had any breaches in the past 24 months?
7. Can you provide a list of current financial services clients we can reference?
"We evaluated 6 platforms. Only one could answer all 7 questions with documentation rather than promises. That's the one we chose." — Chief Compliance Officer, European Wealth Manager
Common Compliance Gaps We Found
In our audit of 23 platforms, the most common gaps were: audit logs that could be modified by super-admins (17 of 23 platforms), data stored in US-only infrastructure with no EU option (14 of 23), and no documented process for suitability assessment linkage (21 of 23).
What a Truly Compliant Platform Looks Like
A genuinely MiFID II compliant growth platform will have: cryptographically signed audit logs that cannot be altered by any user including admins, EU data residency as a standard option (not an enterprise add-on), documented right-to-erasure workflows that preserve audit integrity, and a dedicated compliance team that can answer technical questions — not just sales questions.
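The two engineering properties above (an audit log no admin can silently alter, and erasure that does not break audit continuity) can be checked concretely. The following is an added illustration, not code from any audited platform: a hash-chained, HMAC-tagged audit log whose entries only commit to client data via a salted hash, while the personal data itself lives in a separate erasable store. Erasing a client deletes the plaintext and its salt, then appends an "erasure" event, so every earlier entry still verifies. The class, its field names and the signing-key arrangement are assumptions for the example.

```python
import hashlib
import hmac
import json
import os

# Assumed design (not from the page): the HMAC key is held by the log service,
# never by CRM admins, so a modified or deleted entry fails verification.
class AuditLog:
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self.chain = []   # append-only, each entry links to the previous tag
        self.pii = {}     # entry idx -> {"salt", "data"}; this store is erasable

    def _tag(self, entry: dict) -> str:
        body = json.dumps(entry, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def append(self, event: str, client_id: str, data=None) -> int:
        idx = len(self.chain)
        prev = self.chain[-1]["tag"] if self.chain else "0" * 64
        entry = {"idx": idx, "event": event, "client": client_id, "prev": prev, "commit": None}
        if data is not None:
            # Chain holds only a salted commitment; the salt is stored with the PII,
            # so once both are erased the commitment cannot be brute-forced back.
            salt = os.urandom(16).hex()
            payload = json.dumps(data, sort_keys=True)
            entry["commit"] = hashlib.sha256((salt + payload).encode()).hexdigest()
            self.pii[idx] = {"salt": salt, "data": data}
        entry["tag"] = self._tag(entry)
        self.chain.append(entry)
        return idx

    def erase_client(self, client_id: str) -> int:
        """Right to erasure: drop plaintext and salt, keep the chain intact."""
        erased = [i for i in self.pii if self.chain[i]["client"] == client_id]
        for i in erased:
            del self.pii[i]
        self.append("erasure", client_id)  # the erasure is itself an audited event
        return len(erased)

    def verify(self) -> bool:
        """Walk the chain: every entry must link to its predecessor and carry a valid tag."""
        prev = "0" * 64
        for entry in self.chain:
            unsigned = {k: v for k, v in entry.items() if k != "tag"}
            if entry["prev"] != prev or not hmac.compare_digest(self._tag(unsigned), entry["tag"]):
                return False
            prev = entry["tag"]
        return True
```

A vendor that cannot show an equivalent verification path (signed entries, chain linkage, erasure that leaves verification passing) is describing a deletable log, whatever the brochure says.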