
Supervisory investigation by AFM or DNB: the role of the compliance officer – Part 2

Date: November 24, 2025

In the previous article, we examined how an investigation by the AFM or DNB typically unfolds and the role a compliance officer can play during that process. However, once the supervisory authority has completed its investigation, a new phase begins, one that is equally decisive for a financial institution: interpreting the investigation findings, dealing with any enforcement measures, and drafting and implementing a remediation or improvement plan.
This article outlines what financial institutions can expect after a supervisory investigation has concluded, and how they can work with the compliance officer to ensure effective follow-up.

Four possible outcomes

At the end of an on-site investigation, the AFM or DNB usually provides an oral debrief. Afterwards, the financial institution typically receives a draft report to which it may respond, followed by a final investigation report. In practice, there are also situations in which the supervisory authority immediately proceeds to the next step without issuing written feedback—for example, by sending a supervisory letter outlining findings and expectations. In cases of (very) serious breaches, the authority may even issue an immediate intention to impose a remedial measure.

In broad terms, following an investigation, the AFM or DNB may take one of four routes, depending on the nature and severity of the findings.

1. No further action

If no breaches have been identified, or if a minor breach has already been resolved, the supervisory authority usually takes no further steps. The investigation is then concluded, often with a brief written notice.

2. Remediation without enforcement

If the breaches are minor and the supervisory authority trusts that the financial institution will address them independently, it will generally refrain from imposing enforcement measures. In such cases, a final investigation report will be issued with specific points of attention and expectations for improvements. The institution may be asked to submit a remediation plan or periodic progress updates.
A constructive response and realistic plan are essential to maintain trust and avoid escalation.

3. Informal enforcement

If, however, the supervisory authority has insufficient confidence that the financial institution will adequately address the breaches on its own initiative, it may impose an informal enforcement action. For minor breaches, this may take the form of a supervisory letter or meeting detailing expectations and required improvements. For more serious breaches, the AFM or DNB may issue a warning letter or hold a warning meeting as an informal measure.
Informal measures cannot be appealed, but the financial institution must comply. A lack of follow-up may still lead to formal enforcement.

4. Formal enforcement

For serious breaches, the supervisory authority often opts for formal enforcement, such as a direction, an order subject to incremental penalty payments, or an administrative fine. The institution will first receive a notice of the intention to impose the measure. It may then submit a written or oral view (“zienswijze”), which can be prepared together with the compliance officer.

The content and structure of the view depend on the specific situation. If the facts underlying the alleged breach are incorrectly presented, or if circumstances have changed since the investigation, this can be explained and substantiated in the response. The institution may also argue that the proposed enforcement measure is unnecessary or disproportionate.
If a direction is proposed, the institution may additionally comment on the behavioural guideline describing what must be done to end the breach, particularly if the guideline is vague or does not align with the actual findings.
If the timelines in a proposed direction or order with penalty payments are unrealistic, this can also be addressed in the response. A draft remediation or improvement plan may be attached to demonstrate how the institution intends to correct the shortcomings.

After assessing the response, the supervisory authority may still decide to impose the measure. A formal decision will then be issued, against which the institution may lodge an objection, appeal, and (if necessary) higher appeal.

The type of enforcement applied depends on factors such as the seriousness of the breaches, the degree of culpability, and the institution’s willingness to remediate.

Publication of formal enforcement decisions

When the AFM or DNB imposes a formal enforcement measure, it is generally required to publish the decision. A fine in the highest category must be published shortly after it is imposed. For most other enforcement measures, publication occurs only once the decision becomes final and binding (“onherroepelijk”)—either because all objection and appeal procedures have confirmed its lawfulness, or because the deadlines for lodging such procedures have passed.

Before the supervisory authority may publish the decision, it must first notify the institution of its intention to publish, allowing it to submit a view.
If the authority then decides to proceed with publication, the institution may request a provisional injunction from the administrative court within five working days to suspend publication. If the request is denied, publication will take place immediately. If publication is suspended, the supervisory authority must await the objection and appeal procedures.

From findings to a remediation or improvement plan

Investigation findings generally lead to the creation of a remediation or improvement plan. This plan translates the findings into concrete improvement points with a detailed description of the actions required. Often, the risk assessment must first be updated before policies, procedures, systems, or training can be adjusted. Focusing solely on symptomatic fixes—such as file remediation—typically does not provide a sustainable solution. The foundations (policies, procedures, training) must be strengthened first.
The compliance officer plays an important role in working with the institution’s management to translate the investigation findings into practical actions.

The remediation or improvement plan should also specify which documentation must be developed or revised, such as policies and procedures, training materials, or client communications.

The plan must clearly outline roles and responsibilities. Management remains ultimately accountable; operational teams carry out the actions; and the compliance and risk management functions provide advice and independent testing. External parties—such as Projective Group—may be engaged for specialist expertise.
The supervisory authority must be able to see who is responsible for each action, and how independence in testing is safeguarded.

A realistic timeline is essential. Remediation programmes require time and resources. Overly ambitious deadlines may backfire if the institution later has to report delays to the supervisory authority. Progress is typically monitored through periodic reporting, which may be shared with the authority upon request.

A well-structured plan with realistic timelines and clear reporting demonstrates that the institution has control over the remediation process and is committed to meaningful improvement.

The role of the compliance officer

In the post-investigation phase, the compliance officer can play a crucial role. Once the financial institution receives the investigation report or a notice of intended enforcement, the compliance officer should be involved immediately. As the first reader of the AFM or DNB document, the compliance officer can translate supervisory jargon into practical implications for the institution. What exactly is the essence of the findings? How serious does the supervisory authority consider the breaches? What can be inferred regarding enforcement or expected remedial actions? This initial analysis helps the institution gain clarity.

The compliance officer can also advise on possible next steps. Is informal follow-up expected, or is the authority steering towards formal enforcement? Is it advisable or necessary to submit a view? Must a remediation plan be drafted and executed?

By separating facts from emotions, clarifying the findings, and creating calm, the compliance officer helps the institution determine its course of action. The officer can also ensure coherence between content, planning, and decision-making so that the approach does not devolve into ad-hoc actions but leads to structural improvement.
The aim is not only to respond to the findings but also to strengthen the institution’s compliance framework in the long term.

Support from Projective Group

An AFM or DNB investigation may result in remediation or improvement actions and, in some cases, enforcement measures. Projective Group has extensive legal, risk, and compliance expertise. Several former AFM and DNB supervisors work within our team.
With this experience, we support financial institutions throughout the supervisory process. In our role as external compliance officer, we assist in preparing for, managing, and completing supervisory investigations. We also provide legal support in communications with supervisors or when responding to an enforcement measure.
In doing so, we ensure a legally robust and professional process in which compliance and transparency are paramount.