Teams recording retention requirements
How long you have to keep Microsoft Teams recordings depends on the rules that govern your organization — and getting it wrong is a violation in its own right. This guide walks through the retention requirements under SEC 17a-4, FINRA, Dodd-Frank, MiFID II, and HIPAA, then shows how to apply them to your recorded calls.
Teams Voice Recording Team
Compliance & Solutions Engineering, Type5 Technology
Last reviewed July 1, 2026
Why retention matters
Retention is one of the most misunderstood parts of a call-recording program. Many teams assume the hard part is capturing the call — but capturing it is only the beginning. What a regulator actually asks for, months or years later, is a complete, unaltered record produced on demand. If that record was deleted too early, stored somewhere it could be tampered with, or simply never governed by a retention rule at all, the recording effectively does not exist for compliance purposes.
Retention failures cut in two directions, and both are violations. Keeping records for too short a period — deleting or overwriting them before your obligation expires — means you cannot produce evidence a regulator is entitled to see. That alone can trigger enforcement, independent of whatever the records might have contained. Mishandling records is equally serious: if a record can be silently edited, re-recorded, or lost because it lived in a user's personal drive with default settings, its evidentiary value is compromised. Regulators expect records to be preserved in a way that demonstrates integrity, not just existence.
There is also a quieter risk in the other direction. Keeping records too long can conflict with privacy obligations and data-minimization principles, and it needlessly expands the volume of sensitive data you have to secure. The objective, then, is not "keep everything forever" — it is to keep each record for exactly as long as the relevant rule requires, in a form you can defend, and then dispose of it on schedule. That is what configurable, policy-driven retention delivers, and it is why the way you store and govern Microsoft Teams recordings matters as much as whether you record them at all.
Retention at a glance
The table below summarizes the retention periods most commonly associated with each regime. These are general figures — the exact period depends on the record type, your jurisdiction, and your firm's own policies — so treat this as an orientation rather than legal advice. Where more than one regulation applies to the same record, retain it for the longest required period.
| Regulation | Typical retention | Note |
|---|---|---|
| SEC Rule 17a-4 | Commonly 3–6 years | Recent records must be readily accessible; historically WORM storage. |
| FINRA Rule 4511 | Per SEA Rule 17a-4 | Books-and-records rule points back to the SEC preservation periods. |
| Dodd-Frank | ~5 years | Swap dealers retain relevant communications, generally at least five years. |
| MiFID II | 5 years (up to 7 on request) | Transaction-related communications; extendable by a competent authority. |
| HIPAA | Per your policy | No fixed call-recording period; retain and secure PHI per your HIPAA policy. |
The sections that follow explain each of these in more depth and point to the authoritative source for the underlying rule.
SEC 17a-4 and FINRA
For US broker-dealers, the foundational recordkeeping rule is SEC Rule 17a-4. It requires firms to preserve a range of business communications and records for defined periods — commonly three to six years depending on the record type — and to keep the most recent portion readily accessible. "Readily accessible" is a meaningful phrase: it is not enough to have the record buried in cold storage that takes weeks to retrieve. Recent records must be producible quickly when a regulator asks.
Historically, Rule 17a-4 required electronic records to be preserved in a non-rewriteable, non-erasable format — often referred to as WORM (write once, read many). The purpose is integrity: a record that cannot be overwritten or erased cannot be quietly altered after the fact. A 2023 amendment to the rule modernized this by also permitting an audit-trail alternative, under which a firm may store records in a system that maintains a complete, tamper-evident record of every change instead of using strict WORM media. Either way, the underlying expectation is unchanged: records must be preserved so that any modification would be detectable.
FINRA layers its own supervision and books-and-records obligations on top of the SEC rules. Rule 3110 covers supervision — including the requirement to have systems and procedures reasonably designed to achieve compliance — while FINRA Rule 4511 addresses books and records and directs firms to preserve records for the periods specified under SEA Rule 17a-4. In practice, that means FINRA-regulated firms inherit the SEC preservation timelines, and a recorded Teams call that relates to firm business falls squarely within scope. We cover this landscape in more detail on our financial services page.
MiFID II
Firms with EU or UK-linked activity face a parallel set of obligations under MiFID II, the European framework for investment services overseen in part by ESMA. MiFID II requires firms to record telephone conversations and electronic communications that relate to the reception, transmission, and execution of orders — in short, the communications around transactions. If a Microsoft Teams call is used to arrange, advise on, or execute a transaction, it can fall within this recording obligation.
The retention period under MiFID II is five years, and a competent authority can require records to be kept for up to seven years. This makes MiFID II one of the longer-horizon regimes a firm may have to plan for, and it reinforces why a durable, governed archive matters: a five-to-seven-year obligation is not something you want resting on recordings scattered across individual users' drives with default retention.
For firms subject to both US and European rules, the practical approach is to configure retention to the strictest applicable period so a single archive satisfies every regime at once.
HIPAA and healthcare records
Healthcare works differently from financial services. HIPAA does not itself mandate that you record calls, and it does not impose a single fixed retention period for call recordings the way SEC 17a-4 does. Instead, the obligation is triggered by content: if a recording contains protected health information (PHI), then that recording is subject to the HIPAA Security Rule and must be secured, encrypted, access-controlled, and retained according to your organization's own policies and applicable state law.
In other words, retention under HIPAA is per your policy — but the security expectations around the recording are not optional. A recorded Teams call that captures a patient conversation is PHI, and it must be handled with the same safeguards as any other PHI you hold: restricted access, encryption, audit logging, and disposal on a defined schedule. Storing those recordings inside a governed archive in your own tenant, rather than in unmanaged user drives, is what makes those safeguards enforceable in practice. Our healthcare page goes deeper on protecting PHI in recorded calls.
Applying retention to Teams recordings
Knowing the required retention period is only useful if you can actually apply it to your recordings — and this is where native Microsoft Teams behavior falls short. By default, Teams recordings land in whatever location the meeting type dictates: channel meeting recordings go to the channel's SharePoint site, while other meeting recordings go to the organizer's OneDrive. That scattering across many user drives, each with default settings, is not built for regulated recordkeeping. There is no single governed store, and retention is inconsistent from user to user.
Microsoft 365 does provide retention labels and policies through Microsoft Purview, and these can be layered onto recordings. Purview is a capable information-governance tool. But applying it after the fact to recordings spread across dozens of OneDrive accounts is fragile: coverage gaps are easy to introduce, and demonstrating to an auditor that every in-scope call was captured and retained correctly becomes an exercise in reconstruction rather than a straightforward report.
A governed compliance archive with configurable retention solves this at the source. Our service captures every in-scope Teams call automatically and uploads the recording and transcript to a SharePoint document library in your own tenant, where retention is applied deliberately to that single, dedicated store. You control access and retention; the evidence stays inside your Microsoft 365 environment; and retention is set to your regulatory obligation rather than left to default behavior. That combination — complete capture plus a governed store plus configurable retention — is what makes a recording program defensible.
- Complete capture. Policy-based recording captures every in-scope call, so there are no missing records to explain later.
- A single governed store. Recordings and transcripts land in one SharePoint library in your tenant, not scattered across user drives.
- Configurable retention. Retention is set to your specific obligation — three to six years, five years, seven years, or per your HIPAA policy.
- Your controls. Access, encryption, and retention rules stay under your administration, inside your own Microsoft 365 environment.
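An added example, not part of the original page or the vendor's product: a Python check over a constructed recording inventory that flags the coverage gaps described above (recordings outside the governed library, no retention applied, and periods shorter or longer than the strictest applicable regime). The tenant URLs, file names, and the use of the upper bound where the page gives a range are assumptions.

```python
# Retention periods in years, from the summary table on this page. Assumptions:
# upper bound where the page gives a range; HIPAA comes from the firm's policy.
REGIME_YEARS = {"SEC 17a-4": 6, "FINRA 4511": 6, "Dodd-Frank": 5, "MiFID II": 5}

def required_years(regimes, hipaa_policy_years=None, mifid_extended=False):
    """Longest period across every regime that applies to one record."""
    years = []
    for regime in regimes:
        if regime == "HIPAA":
            if hipaa_policy_years is None:
                raise ValueError("HIPAA retention must come from your policy")
            years.append(hipaa_policy_years)
        elif regime == "MiFID II" and mifid_extended:
            years.append(7)  # competent authority required up to seven years
        else:
            years.append(REGIME_YEARS[regime])
    return max(years)

def audit(recordings, governed_prefix, **policy):
    """Return {recording name: [findings]} for records that need attention."""
    findings = {}
    for rec in recordings:
        need, kept, issues = required_years(rec["regimes"], **policy), rec["retention_years"], []
        if not rec["url"].startswith(governed_prefix):
            issues.append("outside governed library")  # e.g. an organizer's OneDrive
        if kept is None:
            issues.append("no retention applied")
        elif kept < need:
            issues.append(f"retained {kept}y, needs {need}y")
        elif kept > need:
            issues.append(f"retained {kept}y, only {need}y required")
        if issues:
            findings[rec["name"]] = issues
    return findings

# Constructed sample inventory (hypothetical tenant, library and file names).
GOVERNED = "https://contoso.sharepoint.com/sites/call-archive/"
ONEDRIVE = "https://contoso-my.sharepoint.com/personal/a_user/Recordings/"
SAMPLE = [
    dict(name="desk-001.mp4", url=GOVERNED + "desk-001.mp4",
         regimes=["SEC 17a-4", "MiFID II"], retention_years=6),
    dict(name="client-002.mp4", url=ONEDRIVE + "client-002.mp4",
         regimes=["MiFID II"], retention_years=None),
    dict(name="swap-003.mp4", url=GOVERNED + "swap-003.mp4",
         regimes=["Dodd-Frank", "MiFID II"], retention_years=8),
]

for name, issues in audit(SAMPLE, GOVERNED).items():
    print(f"{name}: {'; '.join(issues)}")
```

Passing `mifid_extended=True` re-runs the same inventory against the seven-year MiFID II case, which turns the six-year SEC-aligned record into an under-retention finding.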
To see how the capture side fits together with storage and retention end to end, read our overview of Microsoft Teams compliance recording.