AFM SREP Market Review 2025: Policy Exists, Execution Does Not
The Dutch Authority for the Financial Markets (AFM) has published its 2025 SREP Market Review, and the central finding is uncomfortably familiar: most supervised firms have the right policies in place, but the day-to-day execution of those policies is where things fall apart. For accounting firms, auditors, and CFOs advising or operating regulated entities in the Netherlands, the review identifies three structural pressure points that demand immediate attention: weak internal control execution, inadequate ICT risk management, and blurred accountability across outsourced and collaborative arrangements.
What the AFM Actually Found
A Positive Baseline, a Problematic Gap
The AFM acknowledges that firms have generally done the foundational work. Compliance frameworks exist. Regulatory obligations are documented. Staff competency requirements are addressed in writing. That is the good news, and it is real progress compared with earlier review cycles.
The problem sits between the written framework and the live environment. The AFM's supervisory assessment found that internal controls are frequently not executed on a structured, ongoing basis, and when they are performed, they are not consistently recorded. Process evaluations that should happen periodically either do not occur at all or happen without producing evidence that could withstand scrutiny during a supervisory examination.
The AFM's framing is direct: a policy that exists on paper but cannot be demonstrated to work in practice offers no real protection to the firm, its clients, or the market. The daily application of controls is what creates genuine resilience.
ICT Risk: Detection Without Prevention
The second major finding concerns technology governance. As firms across the Dutch financial sector become more operationally dependent on IT infrastructure, including third-party platforms and cloud-based systems, the AFM found that the control environment around that infrastructure has not kept pace.
Specific weaknesses identified include vulnerability detection that is not being acted upon systematically, backup testing that is either absent or irregular, and incident response preparation that remains theoretical rather than tested. The AFM observed a pattern where firms can identify a problem when it surfaces but have not invested proportionate effort in preventing it from arising in the first place.
Critically, the review notes that these gaps are more pronounced where firms rely on external IT providers. Arrangements with those vendors often lack clear contractual controls, monitoring obligations, or escalation protocols. With the broader EU regulatory environment now placing significant demands on ICT resilience through the Digital Operational Resilience Act (DORA), firms that have not yet aligned their third-party IT arrangements with structured oversight are running a compliance risk on two fronts simultaneously. Our earlier coverage of DORA ICT incident reporting obligations for EU firms sets out what that framework requires in practice.
Accountability Gaps Across Key Processes
Where Responsibility Goes Unclaimed
The AFM's third core concern is the absence of clear ownership over critical processes. The review identifies several areas where it is genuinely unclear, at the operational level, who is responsible for a given control, who provides oversight, and how monitoring is actually conducted. The specific domains the AFM calls out include best execution, sustainability obligations, and third-party collaboration arrangements.
This is not simply an organisational design issue. When accountability is diffuse, tasks that everyone nominally shares tend to be tasks that no one actively manages. The AFM notes that this ambiguity also creates downstream risk for clients, particularly where collaborative arrangements between firms introduce questions about which entity is responsible for what the client experiences.
The Client-Facing Dimension
The AFM connects accountability failures directly to client outcomes. Where internal processes are not clearly owned and monitored, the risk is not only a regulatory finding during a supervisory visit. The risk is that clients receive inconsistent or inadequate service, or that responsibilities in a partnership arrangement are never properly clarified with the end user. Placing accountability explicitly and documenting how each owner monitors their area is, in the AFM's view, the practical mechanism through which client interests stay central.
What This Means for Firms Handling Digital Assets
Crypto Accounting Software and the Controls Environment
For accounting firms and CFOs that use crypto accounting software or digital asset accounting software as part of a regulated workflow, the SREP findings carry a specific implication. Supervisory reviews increasingly look past the software licence and the policy document to ask whether the tool is actually being used as intended, whether outputs are being checked, and whether there is a clear owner for the reconciliation or reporting process it supports.
A firm that can show it runs structured periodic reviews of its crypto bookkeeping software outputs, documents exceptions, and has a named internal owner for the process is in a materially better position than one where the software runs in the background and outputs are treated as inherently reliable. The AFM's emphasis on demonstrable execution applies as directly to technology-assisted compliance processes as it does to manual ones.
The AFM's expectations around third-party arrangements are also relevant here. Vendors providing digital asset accounting software are third parties. Firms that have not formalised what they expect from those vendors in terms of data integrity, incident notification, and business continuity are exhibiting exactly the kind of gap the SREP review flags. The AFM's earlier guidance to crypto service providers on distance marketing and online interface requirements underlines the regulator's appetite for concrete, documented compliance rather than principle-level commitments.
Three Actions Compliance Teams Should Take Now
Structured Control Testing with Evidence
Internal controls need to be tested on a defined schedule and that testing needs to produce records. If a supervisory examination arrived tomorrow, the firm should be able to show not just that a control exists but when it was last tested, what the result was, who reviewed it, and what happened if something was found. That paper trail is what the AFM is looking for and what many firms currently cannot provide.
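The two findings above that most often lack evidence, vulnerability detection that is not acted on and control testing that leaves no record, can be turned into one repeatable check. The following is an added example written for this page, not AFM material and not any firm's tooling: it measures each finding against a remediation SLA and emits the test record a supervisor would ask for (date tested, result, reviewer, exceptions). The SLA days per severity, the control identifier `VULN-SLA-01`, the reviewer name and the sample findings are all assumptions constructed for illustration.

```python
"""Remediation-SLA check over vulnerability findings, producing an evidence record.

Added example for this page; not AFM material and not any firm's tooling. The
SLA days, control identifier, reviewer name and findings below are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import hashlib
import json

# Assumed remediation SLA in calendar days per severity; replace with your policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    finding_id: str
    asset: str
    severity: str
    detected: date
    remediated: Optional[date] = None  # None means the finding is still open


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("F-001", "web-01", "critical", date(2025, 3, 1), date(2025, 3, 5)),   # closed in time
    Finding("F-002", "web-01", "high", date(2025, 2, 1)),                         # open and overdue
    Finding("F-003", "db-02", "medium", date(2025, 5, 20)),                       # open, within SLA
    Finding("F-004", "vpn-01", "critical", date(2025, 4, 1), date(2025, 4, 20)),  # closed late
]
SAMPLE_AS_OF = date(2025, 6, 1)  # assumed test date


def sla_breaches(findings, as_of):
    """Return (finding_id, days_over_sla) for findings that are or were past SLA.

    Open findings are measured up to as_of; closed ones up to their remediation
    date, so a late closure still appears as an exception in the evidence.
    """
    breaches = []
    for f in findings:
        deadline = f.detected + timedelta(days=SLA_DAYS[f.severity])
        end = f.remediated or as_of
        if end > deadline:
            breaches.append((f.finding_id, (end - deadline).days))
    return breaches


def control_test_record(findings, as_of, reviewer):
    """Build the record a supervisory visit asks for: when tested, result, reviewer, exceptions.

    A SHA-256 of the input findings is embedded so the record can later be tied
    back to the data it was computed from rather than re-asserted from memory.
    """
    breaches = sla_breaches(findings, as_of)
    inputs = json.dumps([f.__dict__ for f in findings], default=str, sort_keys=True)
    return {
        "control": "VULN-SLA-01",  # assumed control identifier
        "tested_on": as_of.isoformat(),
        "reviewer": reviewer,
        "result": "FAIL" if breaches else "PASS",
        "exceptions": [{"finding_id": fid, "days_over_sla": d} for fid, d in breaches],
        "input_sha256": hashlib.sha256(inputs.encode()).hexdigest(),
    }


def run_sample():
    """Run the check over the constructed sample as of the assumed test date."""
    return control_test_record(SAMPLE_FINDINGS, SAMPLE_AS_OF, "j.doe")


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Run on a schedule, each record is one dated, attributable piece of evidence; storing the records append-only (or signing them) is the step that makes the trail withstand a supervisory examination rather than just exist.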
ICT Vendor Reviews
Every material IT provider, including any platform used for crypto accounting or digital asset reporting, should be subject to a documented review that addresses: what the vendor is contractually required to deliver in terms of resilience and security, how the firm monitors that delivery, and what the firm's own response plan is if the vendor experiences an incident. Where those answers do not exist in writing, the firm has a gap that the SREP framework would classify as a control weakness.
Explicit Accountability Assignment
For each significant process, particularly those touching best execution, sustainability reporting, or any outsourced function, a named owner should be documented alongside a defined monitoring frequency. Where multiple firms share a process through a partnership, the client-facing responsibilities of each party should be written down and reviewed at least annually. Ambiguity is not a neutral state. In the AFM's view, it is a risk.
Frequently Asked Questions
What is the AFM SREP market review?
The Supervisory Review and Evaluation Process (SREP) market review is published by the AFM to share aggregate findings from its supervision of Dutch financial firms. The 2025 edition identified execution gaps in internal controls and ICT risk management as priority areas for improvement across the sector.
Does the SREP review apply to firms offering crypto-asset services in the Netherlands?
The SREP framework applies to AFM-supervised entities. Firms providing crypto-asset services under MiCA or operating under Dutch registration obligations fall within the AFM's supervisory perimeter. The control expectations described in the 2025 review apply to those firms in the same way they apply to traditional financial services providers.
What specifically does the AFM expect on ICT risk?
The AFM expects firms to go beyond detecting ICT vulnerabilities and to build prevention into their standard processes. That includes regular backup testing, documented incident response procedures, and clear contractual arrangements with external IT providers covering resilience, monitoring, and escalation. These expectations align with DORA requirements now in force across the EU.
How should firms document accountability under the SREP expectations?
Each material process should have a named owner, a defined review frequency, and a record of recent monitoring activity. Where third parties are involved, the division of responsibilities should be documented and accessible. The AFM's concern is not with the existence of a governance structure on paper but with whether that structure can be demonstrated to function in practice.
What is the consequence of non-compliance with SREP expectations?
The SREP review is a supervisory signal rather than a binding rule, but findings from market reviews inform the AFM's risk-based supervision priorities. Firms that do not act on publicly identified weaknesses are more likely to be subject to targeted supervisory engagement, formal requirements, or enforcement action if the same gaps are found during an individual examination.
Source: AFM SREP Marktbeeld 2025
