Dutch Authority for the Financial Markets flags weak execution and ICT risk controls in SREP Market View 2025

The Dutch Authority for the Financial Markets has published its SREP Market View 2025, concluding that many firms have their basic policies and processes in place but fall short in execution. The main weaknesses are in internal controls and ICT risk management. The authority’s core message is that firms must ensure governance and controls do not merely exist on paper but can be shown to work in daily practice. Internal controls are not always carried out consistently or documented properly, and firms do not always review processes regularly, creating a risk that formal policies are ineffective in operation. In ICT, the AFM points to shortcomings in vulnerability detection, backup testing and incident preparedness, leaving organizations exposed as dependence on technology grows. It also says firms often identify problems more readily than they prevent them, and need clearer arrangements with external IT providers. Across areas such as best execution, sustainability and third-party cooperation, roles, ownership, supervision and monitoring are often not defined clearly enough, which can leave key tasks uncovered and create uncertainty for clients. The AFM expects market participants to use the findings from the SREP Market View to assess their organizations critically and make improvements where needed.