AFM Sees Persistent Gap Between Policy & Practice
Key Takeaways
- Policies Are Not The Problem: The AFM found that many firms have established governance, compliance and competency frameworks, but implementation remains uneven.
- Internal Controls Need Greater Discipline: Controls are not always performed consistently, documented adequately or reviewed regularly.
- ICT Risk Management Remains A Weak Spot: Vulnerability management, backup testing and incident preparedness continue to require improvement.
- Prevention Needs More Attention: Firms are generally better at identifying issues than preventing them, particularly in the area of cyber risk.
- Clear Ownership Reduces Risk: The AFM highlighted the need for stronger accountability and clearer responsibilities across key business processes and third-party relationships.
Deep Dive
A recurring theme runs through the Dutch Authority for the Financial Markets' 2025 SREP Market Overview. Firms have spent considerable effort building policies, documenting processes and establishing governance structures. The harder part is making sure those things function as intended once they leave the page.
The regulator's assessment is not that firms lack frameworks. In many cases, it found the opposite. Compliance arrangements are in place. Regulatory requirements have been incorporated into policies. Professional competence standards are largely established.
Yet when supervisors look beyond the documentation, a different picture often emerges.
The Gap Between Design and Execution
The AFM points to a familiar problem in regulated industries: controls that exist formally but are not consistently carried out. Internal controls are not always performed systematically. Documentation is sometimes incomplete. Processes are not always reviewed on a regular basis. None of those shortcomings sounds dramatic in isolation. Taken together, they create a risk that organisations develop confidence in systems that are less effective than they appear.
That distinction matters. Regulators rarely discover major failures because a policy was missing. More often, they find that a policy existed but was not followed, tested or embedded deeply enough into daily operations.
The AFM's review suggests that some firms remain caught in that space between having a framework and operating one.
Technology Risk Moves Higher Up the Agenda
The findings are particularly notable in information and communications technology risk management. Financial firms have become increasingly dependent on technology, but the regulator found that critical risk management activities are not consistently organised across the sector. Vulnerability identification, backup testing and incident preparedness all remain areas requiring attention.
The AFM observed that firms are often capable of identifying issues once they have emerged. Preventing those issues receives less attention.
That is becoming a more consequential weakness. As cyber threats continue to grow, organisations have less room for reactive approaches. The regulator is urging firms to strengthen preventive measures and establish clearer arrangements with external technology providers that support critical operations.
The message is less about discovering new risks than about managing well-understood ones with greater discipline.
Accountability Cannot Be Assumed
Another concern raised in the review involves ownership. Across areas including best execution, sustainability and third-party relationships, the AFM found that responsibilities are not always sufficiently clear. Questions that sound basic can become surprisingly difficult to answer in practice. Who owns a process? Who oversees it? How is monitoring performed? What happens when responsibilities overlap?
Where those answers are unclear, important activities can fall through the cracks. The issue extends beyond internal governance. The AFM noted that uncertainty can also arise for clients, particularly in arrangements involving multiple parties. When responsibilities are poorly defined, accountability becomes harder to establish when something goes wrong.
For the regulator, clearer role allocation is not an administrative exercise. It is a risk management requirement.
A Need for Self-Assessment
The AFM is not asking firms to start over. Most already have the building blocks in place. What the regulator is asking for is more demanding. It expects firms to scrutinize how those frameworks operate in practice, identify weaknesses and make improvements where necessary.
The findings amount to a reminder that effective management is measured less by the quality of policies than by the consistency of their execution. The firms that perform best under supervisory scrutiny are rarely those with the thickest policy manuals. They are the ones that can demonstrate, day after day, that the controls described in those manuals actually work.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

