CryptaCount
EN
EnglishENDeutschDEEspañolESFrançaisFRItalianoIT日本語JA한국어KONederlandsNLPolskiPLPortuguêsPT
Log in Start Free

AFM AI Act Implementation Assessment: Gaps Firms Must Address

CryptaCount Editorial · · 8 min read
AML / KYC / LICENSING AFM AI Act Implementation Assessment:Gaps Firms Must Address

The Dutch financial markets regulator, the Autoriteit Financiële Markten (AFM), has concluded that the proposed national implementation law for the EU AI Regulation is broadly workable but requires targeted adjustments before it can support effective supervision of artificial intelligence in financial services. The assessment, published on 12 June 2026, covers two documents: a formal feasibility review and a public consultation response. Both carry direct implications for financial firms, auditors, and any operator using AI-driven tools, including those used for crypto bookkeeping software and broader digital asset accounting software workflows.

What the AFM Actually Assessed

Feasibility review versus consultation response

A feasibility review (uitvoeringstoets) is a structured assessment by a supervisory authority of whether a draft law can be enforced in practice. It asks whether supervisory powers are clear, whether adequate resources exist, and whether information flows are workable. A consultation response is the regulator's formal position on the same draft during the public comment period, expressing support where warranted and identifying specific improvements needed.

The AFM submitted both documents in relation to the proposed Uitvoeringswet AI-verordening, the Dutch statute that will designate national competent authorities and set enforcement procedures for the EU AI Regulation within the Netherlands.

The AFM's overall finding

The regulator's headline conclusion is measured: the draft law is implementable in principle, but several areas need adjustment for supervision to be both effective and future-proof. AFM Chair Laura van Geest stated that targeted changes are needed around capacity, clear powers, and an unambiguous division of responsibilities between supervisors.

Key Concerns Raised by the AFM

Supervisory task allocation between AFM and DNB

The most substantive concern in the consultation response relates to how supervisory responsibilities are split between the AFM and De Nederlandsche Bank (DNB). The AFM's mandate centres on conduct-of-business supervision, with the individual consumer's interest at its core. DNB's mandate is prudential. The AFM argues that both authorities should be formally designated to supervise compliance with the AI Regulation's prohibited applications and with the high-risk AI norms, each operating from within their own existing mandate. The current draft, in the AFM's reading, does not achieve this cleanly enough.

This matters for financial firms because unclear jurisdictional lines create compliance uncertainty. A firm unsure whether the AFM or DNB will scrutinise a particular AI application cannot calibrate its internal governance or its audit trails with confidence.

New supervisory scope under the AI Regulation

The EU AI Regulation introduces entirely new categories of oversight that the AFM has not previously exercised. These include:

  • Supervision of prohibited AI applications
  • Transparency obligations toward consumers when AI systems are deployed
  • High-risk AI applications, with credit-scoring and insurance pricing cited specifically

Each of these requires new technical expertise within the regulator, additional supervisory instruments, and close operational cooperation with DNB. The AFM flags this openly as a resource and capability challenge, not merely a legal drafting issue.

Publication regime and confidentiality

The AFM also recommends that the draft law establish a clear publication regime for supervisory decisions and that the confidentiality provisions align properly with the existing secrecy framework in the Wet op het financieel toezicht (Wft). Without that alignment, there is a risk that information gathered during AI supervision could either be disclosed inappropriately or, conversely, siloed in a way that limits cross-authority cooperation.

Capacity and data-sharing conditions

Running through both documents is a consistent theme: effective AI supervision requires adequate capacity and the legal basis to share data across authorities. The AFM does not treat these as minor administrative points. Without them, even a well-drafted law will produce supervision that is reactive rather than proactive.

Why This Matters for Financial Firms Using AI

AI in financial services is already in scope

The EU AI Regulation is directly applicable across all member states. The Dutch implementation law does not add new substantive obligations beyond what the Regulation itself requires, but it determines who will enforce those obligations, with what powers, and under what procedural rules. That makes the AFM's feasibility assessment a practical compliance signal, not just a legislative technicality.

For any firm using AI in credit decisions, customer-facing communications, pricing, fraud detection, or regulatory reporting, the high-risk classification provisions are already live. The Dutch implementation law's readiness affects how and when enforcement will follow.

Implications for crypto accounting software and digital asset workflows

Firms relying on crypto accounting software or digital asset accounting software that incorporates AI-driven categorisation, risk scoring, or automated reconciliation should note the AFM's emphasis on explainability and data quality. The Regulation's requirements around high-risk AI systems include obligations to maintain technical documentation, ensure human oversight, and provide users with meaningful information about how the system operates. If the software vendor's AI component meets the high-risk threshold, the deploying firm shares responsibility for compliance.

This is directly relevant to audit workflows. Accounting firms using AI tools to process on-chain transaction data or generate risk assessments for crypto clients will need to document the AI system's logic, verify its training data quality, and confirm that oversight mechanisms are in place. Good crypto bookkeeping software does not automatically resolve these obligations; the governance layer sits with the firm deploying it.

The AFM's concerns around consumer transparency also extend to B2B-facing AI tools when those tools ultimately affect retail customers downstream. Accounting firms advising crypto businesses on AI governance should factor in this chain-of-accountability dynamic.

Connection to broader EU regulatory architecture

The AFM assessment sits alongside a broader EU regulatory build-out. The MiCA framework, whose transitional period for crypto-asset service providers expired in July 2026 (see our coverage of MiCA transitional period expiry and mandatory CASP authorization), already imposes conduct requirements on CASPs operating in the Netherlands. The AI Regulation adds a further layer for any CASP using AI in customer-facing or risk-management processes. The AFM's insistence on a clean split between its own conduct mandate and DNB's prudential role reflects the same logic that underpins MiCA's dual-supervision model.

Separately, the AFM has been active in specifying requirements for digital interfaces used by crypto service providers (see AFM's earlier requirements for crypto service providers on online interfaces). The AI supervision framework will overlay those existing interface and disclosure obligations, meaning compliance programmes need to be integrated rather than siloed.

What Firms Should Do Now

Practical steps before the implementation law is finalised

The draft law is still moving through the legislative process, and the AFM's recommendations may or may not be adopted in full. That uncertainty is itself a reason to act early rather than wait for a final text. Firms operating in the Dutch financial market, or using AI tools whose output affects Dutch consumers, should take the following steps.

First, map every AI system currently in use against the EU AI Regulation's risk classification tiers. Systems used in credit scoring, insurance pricing, AML screening, or customer behaviour analysis are the most likely candidates for high-risk classification. Second, review vendor contracts to confirm that AI tool providers can supply the technical documentation the Regulation requires, including information on training data, intended purpose, accuracy metrics, and human oversight mechanisms. Third, document internal governance for each AI system, including who within the firm is responsible for monitoring outputs and what escalation procedures exist when the system produces unexpected results.

Fourth, engage with the ongoing legislative process. The AFM's consultation response is publicly available and sets out the regulator's expectations in detail. Compliance teams and their advisers should read both documents directly rather than relying on summaries.

Frequently Asked Questions

What is the Uitvoeringswet AI-verordening?

It is the Dutch national implementation law for the EU AI Regulation. The Regulation itself is directly applicable across the EU, but each member state must enact a national law to designate competent supervisory authorities and establish procedural enforcement rules. The Uitvoeringswet does this for the Netherlands.

Which AI applications in financial services are classified as high-risk under the EU AI Regulation?

The EU AI Regulation's Annex III lists high-risk AI systems. In financial services, this includes AI used in creditworthiness assessment and insurance pricing, among other applications. Systems used in those contexts must meet documentation, oversight, and transparency requirements before deployment.

Does the AFM's assessment change anything for firms right now?

Not directly. The EU AI Regulation is already in force and its requirements apply regardless of where the Dutch implementation law lands. What the AFM's assessment changes is the signal it sends about supervisory intent: the regulator wants clear powers, adequate resources, and a defined role alongside DNB. Firms should expect active enforcement once the implementation law is finalised.

How does this affect firms using AI in crypto accounting or digital asset workflows?

If any AI component within a crypto accounting or digital asset workflow meets the high-risk threshold, the deploying firm is responsible for compliance with the Regulation's technical and governance requirements, even if the AI is supplied by a third-party vendor. Firms should audit their tool stack and require documentation from vendors accordingly.

Where can firms find the AFM's full assessment documents?

Both the feasibility review and the consultation response are published on the AFM's official website. The source link below takes you directly to the relevant press release, which links to both documents in full.

Source: Autoriteit Financiële Markten (AFM)

EUNLGeneralProposedAML/KYC & Licensing

Related articles

AML/KYC & Licensing
CCDII Licensing: How Crypto Accounting Software Helps Compliance
AML/KYC & Licensing
AFM DORA Review: ICT Risk Gaps at Trading Venues
AML/KYC & Licensing
AFM Flags Five PEP Due-Diligence Failures: What Firms Must Fix Now
AML/KYC & Licensing
AFM Integrates AMLA Eligibility Reporting Into Existing Questionnaires