AFM DMFSD Online Interface Requirements: What Crypto Service Providers Must Do Now
The revised Distance Marketing of Financial Services Directive (DMFSD) enters into force on 19 June 2026 in the Netherlands. The Dutch Authority for the Financial Markets (AFM) has issued a direct call to the market: firms must ensure their digital client journeys are fair, transparent, and free from manipulative design. Crypto-asset service providers (CASPs), crowdfunding platforms, and all financial firms that conclude contracts remotely via websites, apps, or other digital channels are within scope.
What the DMFSD Requires of Online Interfaces
The DMFSD covers three main areas: pre-contractual information obligations, a consumer right of withdrawal, and rules governing online interfaces. The AFM has specifically called out the online interface provisions as complex and consequential for consumer protection, asking the market to give them heightened attention.
The three prohibited interface practices
Under the revised directive, firms are prohibited from designing digital environments that:
- Materially distort or restrict a consumer's ability to make a free, informed decision;
- Repeatedly prompt a consumer to reverse a choice already made, unless doing so genuinely serves the consumer's interest;
- Make terminating a contract meaningfully harder than entering into one, unless that asymmetry is also in the consumer's interest.
These provisions directly target so-called dark patterns: design choices that exploit cognitive biases, create friction at cancellation, or nudge users toward options that benefit the provider rather than the client. For CASPs operating onboarding flows, subscription products, or trading interfaces, this means a careful audit of every click path is now a regulatory obligation, not just good UX practice.
Who Is in Scope
Entities covered by the DMFSD
The rules apply to any firm concluding distance contracts with consumers in the Netherlands. That includes:
- Licensed financial undertakings (banks, insurers, investment firms);
- Crypto-asset service providers authorised or notified under MiCA;
- Crowdfunding service providers.
The AFM's focus on CASPs is deliberate. As crypto platforms have rapidly scaled their retail onboarding, the regulator is signalling that the same consumer protection standards applying to traditional financial services now extend fully to digital asset services. Firms that have assumed lighter-touch treatment for crypto interfaces should revisit that assumption immediately. For context on AFM's broader approach to sanctions and client obligations, see our coverage of AFM guidance on sanctions compliance for accountants.
What Compliance Looks Like in Practice
Critical review of the choice environment
The AFM expects firms to conduct a genuine assessment of whether their online environment steers consumers in ways that do not serve consumer interests. This goes beyond removing obvious manipulative elements. Firms should examine:
- Default settings that pre-select higher-cost or higher-risk products;
- Confirmation screens that make opting out visually harder than opting in;
- Cancellation flows with unnecessary friction steps, waiting periods, or obscured pathways;
- Repeated consent or upsell prompts after a consumer has already declined.
The AFM has also pointed to its earlier publications on online influence as relevant reading for firms building their compliance case. Demonstrably fair client interaction is the expected standard, not just the absence of obvious violations. Firms should document their assessment and be ready to show the regulator how they identified and remediated any steering that did not serve the consumer.
Accountability and evidence
Compliance needs to be demonstrable. That means maintaining records of design decisions, the rationale behind interface choices, and any changes made following internal review. For firms already familiar with AFM's expectations around client due diligence, the evidentiary logic is similar: the burden is on the firm to show it acted fairly. See also our piece on AFM PEP client due diligence obligations for a parallel example of how the regulator frames documented compliance.
Operational Priorities Before the Deadline
With 19 June 2026 as the effective date, firms should have already begun or completed a review. Those that have not should treat the following as urgent:
- Map every digital touchpoint used to conclude or manage consumer contracts;
- Test cancellation and opt-out flows against the asymmetry prohibition;
- Remove or redesign any recurring prompts that override previous consumer decisions without a clear consumer benefit;
- Update internal policies and staff training to reflect the new interface obligations;
- Retain audit trails of the review and any remediation steps taken.
The DMFSD online interface provisions are now effective law. The AFM's public call for market attention signals active supervision is coming. Firms that treat this as a product design question rather than a legal compliance obligation do so at their own risk.
Source: AFM Netherlands
Frequently Asked Questions
When does the revised DMFSD take effect in the Netherlands?
The revised Distance Marketing of Financial Services Directive entered into force on 19 June 2026. All firms within scope must be compliant from that date.
Are crypto-asset service providers subject to the DMFSD online interface rules?
Yes. The AFM has explicitly confirmed that CASPs concluding distance contracts with consumers, including through websites and apps, fall within the scope of the DMFSD. This applies to MiCA-authorised and notified providers operating in the Netherlands.
What counts as a prohibited dark pattern under the DMFSD?
The directive prohibits interface designs that materially impair free and informed consumer decisions, that repeatedly ask consumers to reverse a choice they have already made (without a genuine consumer benefit), or that make contract termination harder than contract entry. This covers a wide range of common UX practices including pre-ticked boxes, buried cancellation options, and persistent upsell prompts.
How should firms document DMFSD compliance for the AFM?
The AFM expects firms to be able to demonstrate fair and careful client interaction. Practically, this means retaining records of interface design decisions, the reasoning behind them, any internal reviews conducted, and changes made in response. Firms should be able to show a clear audit trail if the supervisor asks.
Does the DMFSD apply to mobile apps as well as websites?
Yes. The rules cover contracts concluded via any digital channel, including websites, mobile apps, and other remote interfaces. Any channel used to enter into or manage consumer contracts with financial or crypto services falls within scope.
FAQ
The revised Distance Marketing of Financial Services Directive entered into force on 19 June 2026. All firms within scope must be compliant from that date.
Yes. The AFM has explicitly confirmed that CASPs concluding distance contracts with consumers, including through websites and apps, fall within the scope of the DMFSD. This applies to MiCA-authorised and notified providers operating in the Netherlands.
The directive prohibits interface designs that materially impair free and informed consumer decisions, that repeatedly ask consumers to reverse a choice they have already made (without a genuine consumer benefit), or that make contract termination harder than contract entry. This covers a wide range of common UX practices including pre-ticked boxes, buried cancellation options, and persistent upsell prompts.
The AFM expects firms to be able to demonstrate fair and careful client interaction. Practically, this means retaining records of interface design decisions, the reasoning behind them, any internal reviews conducted, and changes made in response. Firms should be able to show a clear audit trail if the supervisor asks.
Yes. The rules cover contracts concluded via any digital channel, including websites, mobile apps, and other remote interfaces. Any channel used to enter into or manage consumer contracts with financial or crypto services falls within scope.
