Note: Original case documentation is in Danish
The Danish Financial Supervisory Authority (Danish FSA) has shared the findings of a thematic review into three banks that has identified “persistent recordkeeping issues” stemming from inadequate controls and the use of error-prone manual systems. The investigation into Danske Bank, Jyske Bank, and Nykredit Bank also identified instances of off-channel communications, as well as concerns surrounding data completeness.
A repeating theme
Under EU regulation, adopted in Denmark under executive order (Section 10 of Executive Order No. 921 of 26 June 2017), all voice communications and digital messages that may lead to a transaction or the provision of services connected to a client order must be captured and retained for a minimum period of five years. These obligations are still mandatory even if no transaction takes place or a firm provides no services, and firms need to have written policies detailing their recordkeeping systems and processes.
The Danish FSA’s study, which took place between October 2024 and June 2025, found that, while all three firms had systems and policies in place to meet these recordkeeping obligations and manage the use of unauthorized communications channels, serious issues were still prevalent.
This included instances of WhatsApp, Facetime, iMessage, Signal, and Telegram being used as “unapproved channels” of communication that prevented communications data being recorded. The banks were therefore unable to evidence sufficient data completeness to meet regulatory requirements.
Incomplete data completeness
The Danish FSA’s findings regarding both Danske Bank and Nykredit Bank unearthed issues with data completeness regarding transaction monitoring and the retention of communications records.
While the regulator found that Danske Bank had internal controls to ensure that relevant employees’ devices were set up for “correct logging,” the bank had “not established a dedicated qualitative control” in relation to monitoring stored documents. This meant the bank could not adequately evidence whether investment conversations had been stored and could be found in its archives, and that these records met the required standards of quality, accuracy, and completeness.
The Danish FSA’s investigation summary highlighted that missing communications data poses risks to investor protection, as it cannot be verified how advice was given or what agreements were reached. It also hampers efforts to detect or prove market abuse, and weakens legal certainty.
Similarly, it was found that Nykredit Bank did not have dedicated qualitative controls for monitoring archived transactions and order communications. It could not ensure that documentation was findable, accurate, and complete.
The Danish FSA identified that the bank “relies on deficiencies to be discovered through indirect controls” such as market abuse monitoring efforts, complaints, or regulatory inquiries. In essence, the bank did not have controls or systems, such as “necessary periodic monitoring,” in place to ensure the data it was collecting was complete or accurate, and any identification of missing or incomplete records would only happen accidentally because of other processes.
Manual mishandling
Regarding Jyske Bank, the Danish FSA found that employees who primarily worked in investments had their voice conversations automatically recorded. Those who only partially worked with investments had their conversations recorded only by manually activating the recording system if their conversations turned to investment topics.
While Jyske Bank had stated that it established both automated controls and dedicated qualitative controls where management follows up to ensure the quality and completeness of captured conversations, it was found that the manual recording processes for investment conversations resulted in “a high margin of error.”
The Danish FSA conceded that while Jyske Bank’s concerns around “unnecessarily intrusive monitoring and recording” of employees may have some merit, they do not offset the high rate of human error of manually activated recording processes, and the increased requirements for dedicated follow-ups and quality checking of these processes and the data they record.
Greater expectations
None of the three banks involved in the thematic study received a fine, but all three were ordered to take steps to improve their data collection and compliance processes.
Both Danske Bank and Nykredit Bank have been ordered to establish qualitative controls to monitor the accuracy and completeness of their trading communications data in line with recordkeeping requirements. These banks must ensure both voice and digital communications related to transactions and client orders are stored, can be found, and “confirm the quality, accuracy, and completeness of the records that are captured.” It was noted that Nykredit Bank has already implemented these controls after receipt of a draft regulatory order.
Due to the “number and nature” of issues at Jyske Bank, the Danish FSA concluded that the recordkeeping systems and processes – particularly those relating to manual recording – were inadequate. The bank has been ordered to review and improve its systems and processes, and “should consider whether there should be a higher degree of automation” to avoid the potential for human error.
As the Danish FSA summarized, the “purpose of the documentation requirements is to ensure investor protection and increase legal certainty in the interests of both the securities dealer and their clients.” If firms cannot locate necessary data, or evidence that it is being consistently captured and compliantly stored, they cannot prove they are meeting regulatory requirements. They also leave themselves open to potential risks like market abuse slipping through the cracks in their data completeness.
Regulatory expectations are rising. It is no longer enough for firms to evidence that they are capturing their communications data – they need to be able to evidence that this data is accurate, high-quality, available, and complete.
Firms are under increasing pressure to not only evidence that they are capturing and compliantly archiving communications data across all the channels they use – including voice – but that their data is complete, high-quality, and easily accessible when needed. Making sure your communications compliance solutions measure up to this new standard is essential for meeting regulatory requirements – because data needs to be captured and complete to be compliant.