Following a risk-based survey of financial service providers, the AFM concludes that some do not meet the “basic requirements” in the field of controlled and sound business operations. The AFM conducted this survey among 31 financial service providers, using the results of the Market Monitor published late last year in the report Market Impressions.
The survey was conducted on a risk-based basis. In this case, this means that of the 31 selected service providers, 21 had previously come into contact with the AFM in connection with shortcomings in compliance with laws and regulations. Five firms were selected because they work with freelancers and the other five were added as a control group. These five firms have not previously come into contact with the AFM. Unfortunately, the AFM does not mention in its report whether major differences can be observed between the ‘repeat offenders’ and the control group.
A regulator has limited capacity. In any investigation, choices have to be made regarding the scope of the investigation: how many companies, and which subjects? The more subjects and companies involved in the investigation, the greater the capacity required. It is understandable that the AFM targets those companies that have previously been highlighted for deficiencies. Given its responsibility as regulator and its role in maintaining confidence in the financial markets, it is right for the AFM to focus on these companies.
Adding the five ‘randomly selected’ companies may give the impression that this is a market-wide picture. In the report, the AFM is clear that because of the risk-based selection, no reliable statements are made about the entire sector. The AFM does express disappointment that only a few service providers met all the requirements during the survey. The regulator’s conclusions are solid.
The topics the regulator is calling attention to are:
In addition to these topics, the AFM calls attention to information security. Based on another survey (a self-assessment), the AFM concludes that the sector still needs to take steps here. The report shows that this survey was conducted among the larger financial service providers. The regulator concludes that ownership of data and systems, risk management in outsourcing, and password management need attention at these firms. About half have had to provide an improvement plan and are being monitored by the AFM. The report provides a lot of information in the area of information security and measures against cyber risks. We therefore recommend going through these carefully and assessing what may be applicable to your organisation, given your IT situation and the existing cyber threats.
With the rise of DORA (Digital Operational Resilience Act), new requirements will fall on large financial services firms from 17 January 2025, with the aim of increasing digital resilience. The AFM indicates that digital resilience is also important for smaller firms.
It is clear that the AFM attaches great importance to controlled operations, which include the management of ICT risks. We see the regulator's interest in having an information security policy even among start-ups. It seems that the AFM will pay more attention to this aspect in its ongoing supervision in the coming year.
It is good if financial service providers prepare for this, for instance by already starting to take stock of all systems and checking how their security and continuity are arranged. Although DORA only applies to large financial service providers above a certain number of employees and turnover, it is a practical document that offers various tools, such as which agreements are important to record in case of (ICT) outsourcing.
We recommend that financial service providers revisit the topics covered in this survey. It can be expected that the AFM will return to this in its supervision next year. So it is important to make sure that the following is well regulated:
Need help formulating policy? Or would you like a check carried out on whether your business still fully complies with all current requirements since obtaining its licence? We will be happy to help.