AFM: basic requirements and information security require attention

Following a risk-based survey of financial service providers, the AFM concludes that some do not meet the “basic requirements” in the field of controlled and sound business operations. The AFM conducted this survey among 31 financial service providers, using the results of the Market Monitor published late last year in the report Market Impressions.

About the survey

The survey was conducted on a risk-based basis. In this case, this means that of the 31 selected service providers, 21 had previously come into contact with the AFM in connection with shortcomings in compliance with laws and regulations. Five firms were selected because they work with freelancers and the other five were added as a control group. These five firms have not previously come into contact with the AFM. Unfortunately, the AFM does not mention in its report whether major differences can be observed between the ‘repeat offenders’ and the control group.

Risk-based or market-wide

A regulator is limited in the stakes. In any investigation, choices have to be made regarding the scope of the investigation. How many companies, which subjects? The more subjects and companies involved in the investigation, the greater the capacity required. It is understandable that the AFM will target those companies that have previously been highlighted for deficiencies. From its responsibility as regulator and confidence in the financial markets, it is right for the AFM to focus on these companies.

Adding the five ‘randomly selected’ companies may give the impression that this is a market-wide picture. In the report, the AFM is clear that because of the risk-based selection, no reliable statements are made about the entire sector. The AFM does express disappointment that only a few service providers met all the requirements during the survey. The regulator’s conclusions are solid.

Important topics

The topics the regulator is calling attention to are:

1. Diploma requirement
   For every advice licence, the firm must have an advising customer employee with a valid Wft diploma. All employees advising clients must have a valid Wft diploma and PE certificate, if applicable.
2. Cooperation freelancers
   The main part of the remuneration of freelancers should be fixed and the variable part (not exceeding 20% of the fixed remuneration) should be limited (maximum 50%), depending on quantitative targets.
3. Incidents policy and incidents register
   A financial service provider should have an incident policy and an incident register.
4. Remuneration policy
   A remuneration policy should be described and published on the website.
5. Professional liability insurance
   Depending on the licence, a financial service provider should have professional liability insurance. Check to what extent the insured amounts match the legal minimum amount.
6. Affiliation with Kifid
   It is a legal requirement to have a membership of the Financial Services Complaints Institute (Kifid).

In addition to these topics, the AFM calls attention to information security. Based on another survey (self-assessment), the AFM concludes that the sector still needs to take steps here. The report shows that this survey was conducted among the larger financial service providers. The regulator concludes that ownership of data and systems, risk management in outsourcing, and password management need attention at these firms. About half have had to provide an improvement plan and are being monitored by the AFM. The report provides a lot of information in the area of Information Security and measures against cyber risks. We therefore recommend going through these carefully and assessing what may be applicable to your organisation, given your IT situation and existing cyber-threats.

The rise of DORA

With the rise of DORA (Digital Operational Resilience Act), new requirements will fall on large financial services firms from 17 January 2025, with the aim of increasing digital resilience. The AFM indicates that digital resilience is also important for smaller firms.

It becomes clear that the AFM attaches great importance to good controlled operations, which includes the management of ICT risks. We see the regulator’s interest in having an information security policy even among start-ups. It seems that the AFM will pay more attention to this aspect in its ongoing supervision in the coming year.

It is good if financial service providers prepare for this, for instance by already starting to take stock of all systems and checking how their security and continuity is arranged. Although DORA only applies to large financial service providers starting from a certain number of employees and turnover, it is a practical document that offers various tools, such as which agreements are important to record in case of (ICT) outsourcing.

Checklist: well prepared for AFM supervision

We recommend that financial service providers revisit the topics covered in this survey. It can be expected that the AFM will return to this in its supervision next year. So it is important to make sure that the following is well regulated:

• Is a qualified adviser available for each advice licence?
• Is there collaboration with freelancers? If so, check the remuneration arrangements. Assess these for variable components and dependencies. Roughly speaking, you can say that remuneration that depends on targets or performance qualifies as variable.
• Check whether the incident policy and the incident register are still in place. Bring this policy to the attention of your company again. The duty to report is an important part of the incident policy. Failure to comply with this reporting obligation results in a supervisory interest.
• Check whether the remuneration policy is still up to date and findable on the website.
• Check whether the professional liability insurance is still in force and whether the insured amounts are in line with the required minimum insured amounts per event and per year (applies to advice and mediation in insurance, mediation in mortgage credit and national regime)
• Check whether your affiliation with Kifid is still correct. You can easily check this via https://www.kifid.nl/register/.

How can Projective Group help?

Need help formulating policy? Or have a check carried out on whether your business still fully complies with all current requirements since obtaining the licence. We will be happy to help.