MiFID II (Markets in Financial Instruments Directive, 2014/65/EU) and its companion regulation MiFIR form the backbone of conduct-of-business regulation for investment firms in the EU. In the Netherlands, these are implemented through the Wft (Wet op het financieel toezicht) and supervised by the AFM.
This article is for compliance officers, COOs, and management board members at Dutch investment firms who need to either build a compliance framework from scratch or assess whether their existing framework actually holds up. It's structured around the practical building blocks — not the legal text.
The compliance framework: what it actually consists of
A MiFID II compliance framework isn't a single document — it's an interconnected set of policies, procedures, controls, and governance arrangements that together ensure the firm meets its regulatory obligations on an ongoing basis. The core components are:
- Governance and organisational structure — the foundation everything else sits on
- Conduct of business rules — how you interact with clients and the market
- Transaction reporting — the data you report to regulators
- Record keeping — what you retain and for how long
- Compliance monitoring programme — how you check that everything works
- Incident management and breach reporting — what happens when things go wrong
Let's walk through each one.
1. Governance and organisational structure
MiFID II requires investment firms to have clear governance arrangements with well-defined, transparent, and consistent lines of responsibility. In practice, this means:
Management body
The management board (directie) must collectively possess sufficient knowledge, skills, and experience to understand the firm's activities and principal risks. Each board member must pass the AFM's fitness and propriety assessment, which covers expertise, reliability, and time commitment.
The four-eyes principle (vierogenprincipe) is mandatory — at least two managing directors who jointly make decisions. The AFM assesses whether the board as a whole has adequate coverage across the firm's key risk areas.
Three lines of defence
The AFM expects investment firms to implement the three-lines model:
- First line — business operations, owning and managing risks day-to-day
- Second line — compliance and risk management functions, providing oversight, challenge, and advice
- Third line — internal audit, providing independent assurance
For smaller firms, some overlap is permissible (e.g., compliance and risk management in one person), but the functions must be organisationally distinct and have independent reporting lines to the board. Internal audit can be outsourced, but the firm retains responsibility for oversight.
Compliance function
Article 22 of Commission Delegated Regulation 2017/565 sets out specific requirements for the compliance function. It must be permanent, effective, and independent. The compliance officer must have direct access to the management body and sufficient authority, resources, and expertise.
The compliance function's responsibilities include: monitoring and assessing the adequacy of the firm's measures and procedures, advising staff on regulatory obligations, and assessing the impact of regulatory changes.
Independence in practice
The AFM takes compliance independence seriously. The compliance officer should not be involved in the activities they oversee. In small firms where the compliance officer also holds another role, the firm must document how independence is maintained and what conflicts of interest exist — and how they're mitigated.
2. Conduct of business
The conduct-of-business rules under MiFID II are extensive. The key areas for most Dutch investment firms are:
Client categorisation
Every client must be classified as Retail, Professional, or Eligible Counterparty. The classification determines the level of protection the client receives and the obligations the firm owes. The categorisation process must be documented, and clients must be notified of their classification and their right to request a different category.
Suitability and appropriateness
If you provide investment advice or portfolio management, you must assess suitability — considering the client's knowledge, experience, financial situation, and investment objectives. If you provide execution-only services for complex instruments, you must assess appropriateness (knowledge and experience only).
These assessments must be documented and reviewable. The AFM has been increasingly focused on the quality of suitability assessments in its supervisory practice.
Best execution
Firms that execute orders must take all sufficient steps to obtain the best possible result for clients, considering price, costs, speed, likelihood of execution, settlement, size, and nature of the order. The best execution policy must be documented and disclosed to clients. Annual reporting on top execution venues (RTS 28 reports) is required.
Conflicts of interest
Every investment firm must identify, prevent, manage, and disclose conflicts of interest. The conflicts of interest policy must cover conflicts between the firm and clients, between staff and clients, and between different clients. A conflicts register must be maintained and reviewed at least annually.
Inducements
MiFID II significantly restricts the payment and receipt of inducements (fees, commissions, non-monetary benefits) between firms. Independent advisers and portfolio managers are subject to a near-complete ban. For other firms, inducements are only permissible if they enhance the quality of the service and are disclosed to the client. The Dutch implementation through the Wft is stricter than the MiFID II minimum in several areas.
3. Transaction reporting
MiFIR Article 26 requires investment firms to report transactions in financial instruments to the competent authority. In the Netherlands, reports go to the AFM. This is one of the most operationally demanding MiFID II obligations.
What gets reported
Every transaction in a financial instrument admitted to trading or traded on a trading venue must be reported. The report contains 65 fields covering the instrument, the parties, the transaction details, and the decision-making chain.
Reporting channels
Firms can report directly to the AFM or through an Approved Reporting Mechanism (ARM). Most smaller firms use an ARM because it handles the technical formatting and submission. Larger firms sometimes build direct reporting capabilities.
Key challenges
- Client identification — natural persons require LEI or national ID concatenation codes; legal entities require LEI. Obtaining and maintaining LEIs for all reportable clients is an ongoing operational task.
- Instrument identification — ISIN-based, but the instrument reference data (FIRDS) must be checked to confirm reportability.
- Decision maker and execution fields — the report must identify who made the investment decision and who executed the transaction, including short selling indicators and waiver flags.
- Accuracy and completeness — the AFM runs data quality checks and will query firms with anomalous patterns. Error correction must happen within the prescribed timeline.
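Many of the AFM's data quality queries trace back to malformed identifiers, which a firm can catch before submission. As an added example that is not from the article, the AFM or any ARM, the Python below validates the LEI (ISO 17442, mod-97 check digits) and ISIN (Luhn check digit over the letter-expanded code) fields of a simplified report record; the field names and sample values are constructed for illustration, and for natural persons only the presence of a national ID or CONCAT code is checked, not its format.

```python
"""Pre-submission identifier checks for MiFIR Article 26 transaction reports (illustrative)."""
import re


def _alnum_to_digits(code: str) -> str:
    """Expand letters to their numeric values (A=10 ... Z=35); digits map to themselves."""
    return "".join(str(int(ch, 36)) for ch in code.upper())


def is_valid_lei(lei: str) -> bool:
    """ISO 17442 LEI: 18 alphanumerics plus two ISO 7064 MOD 97-10 check digits."""
    if not re.fullmatch(r"[A-Z0-9]{18}[0-9]{2}", lei):
        return False
    return int(_alnum_to_digits(lei)) % 97 == 1


def is_valid_isin(isin: str) -> bool:
    """ISO 6166 ISIN: 2-letter country code, 9 alphanumerics, Luhn check digit."""
    if not re.fullmatch(r"[A-Z]{2}[A-Z0-9]{9}[0-9]", isin):
        return False
    total = 0
    # Luhn: walking from the right, double every second digit and subtract 9 if > 9.
    for i, d in enumerate(int(x) for x in reversed(_alnum_to_digits(isin))):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def check_report(record: dict) -> list[str]:
    """Return data-quality findings for one simplified transaction report record."""
    findings = []
    if not is_valid_isin(record.get("instrument_id", "")):
        findings.append("instrument_id: invalid ISIN")
    buyer = record.get("buyer_id", "")
    if record.get("buyer_type") == "legal_entity":
        if not is_valid_lei(buyer):
            findings.append("buyer_id: legal entity requires a valid LEI")
    elif not buyer:  # natural person: national ID or CONCAT code must be present
        findings.append("buyer_id: natural person requires national ID or CONCAT code")
    return findings


# Constructed sample records: the first passes both checks, the second has a
# wrong ISIN check digit and transposed LEI check digits.
SAMPLE_RECORDS = [
    {"instrument_id": "US0378331005", "buyer_type": "legal_entity",
     "buyer_id": "5493001KJTIIGC8Y1R12"},
    {"instrument_id": "US0378331006", "buyer_type": "legal_entity",
     "buyer_id": "5493001KJTIIGC8Y1R21"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["buyer_id"], check_report(rec) or "OK")
```

Check-digit validation only proves the identifier is well-formed; whether the ISIN is actually reportable still has to be confirmed against FIRDS, as the list above notes.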
Transaction reporting ≠ trade reporting
Don't confuse MiFIR transaction reporting (Article 26, to the AFM) with trade reporting (Article 20/21, post-trade transparency to an APA). They serve different purposes, have different content, and go to different recipients. Many firms conflate the two, leading to gaps in one or both.
4. Record keeping
MiFID II imposes extensive record-keeping requirements. Investment firms must retain:
- All orders received and transmitted — including order parameters, timestamps, client identification
- All transactions executed — with sufficient detail to reconstruct the transaction
- Client agreements — the terms of service and all associated documentation
- Suitability/appropriateness assessments — the basis for any investment advice or service
- Communications — telephone conversations and electronic communications relating to transactions (or intended transactions) must be recorded and retained
The standard retention period is 5 years, but the AFM can extend this to 7 years. Telephone recording requirements under MiFID II Article 16(7) are particularly onerous — all relevant calls must be recorded, stored securely, and retrievable on request.
5. Compliance monitoring programme
Having policies and procedures is necessary but not sufficient. The compliance function must operate an active monitoring programme to assess whether those policies are being followed and whether they remain adequate.
A robust compliance monitoring programme includes:
- Risk-based annual plan — prioritising monitoring activities based on a compliance risk assessment. Not everything needs testing every year, but high-risk areas should be reviewed frequently.
- Thematic reviews — deep dives into specific areas (e.g., best execution, suitability, conflicts of interest) on a rotating basis.
- Ongoing monitoring — automated or semi-automated checks that run continuously (e.g., trade surveillance, personal account dealing monitoring, gift and entertainment registers).
- Reporting to the board — quarterly compliance reports summarising findings, incidents, regulatory developments, and the status of remediation actions.
- Regulatory change management — a structured process for identifying, assessing, and implementing changes in applicable regulations.
The AFM evaluates the quality of compliance monitoring programmes during supervisory visits. A paper exercise that doesn't lead to actual findings and improvements will be flagged.
6. Incident management and breach reporting
When things go wrong — and they will — the firm needs a clear process for identifying, escalating, remediating, and (where required) reporting incidents.
The incident management framework should cover:
- Incident identification and classification — what constitutes an incident, severity levels, initial response procedures
- Escalation matrix — who gets informed, at what severity level, and within what timeframe
- Root cause analysis — understanding not just what happened but why, and what systemic issues it reveals
- Regulatory reporting — certain incidents must be reported to the AFM (serious breaches, client complaints above threshold, data breaches under GDPR)
- Remediation tracking — actions taken to prevent recurrence, with ownership and deadlines
Common framework weaknesses
After reviewing compliance frameworks at dozens of Dutch investment firms, the weaknesses I encounter most frequently are:
- Paper compliance. Policies exist but aren't operationalised. Staff don't know them, processes don't follow them, and monitoring doesn't test them. The AFM sees through this quickly.
- Governance gaps. The compliance function exists in name but lacks real independence, resources, or board access. Compliance is treated as a cost centre rather than a management function.
- Missing monitoring evidence. Monitoring activities happen informally but aren't documented. Without evidence, the AFM assumes it doesn't happen — and they're often right to.
- Regulatory change lag. Firms react to regulatory changes after the implementation deadline rather than proactively assessing and planning for them. This leads to rushed, incomplete implementations.
- Transaction reporting quality. Reports are submitted on time but with systematic data quality issues. The AFM's data quality programme is becoming increasingly sophisticated, and persistent errors draw supervisory attention.
Making it sustainable
A compliance framework that depends on heroic effort from one or two individuals is not sustainable. The firms that maintain effective compliance over time share these characteristics:
- Board commitment. Compliance is a standing board agenda item, not an afterthought. The compliance officer has genuine access and influence.
- Proportionate design. The framework is sized to the firm's actual activities and risks — neither over-engineered nor under-built. A 20-person firm doesn't need the same infrastructure as a universal bank.
- Integrated processes. Compliance isn't a separate overlay — it's embedded in business processes. Client onboarding includes categorisation. Trading includes best execution monitoring. Product development includes target market assessment.
- Technology leverage. Manual compliance processes don't scale. Invest in tools for trade surveillance, transaction reporting, regulatory change tracking, and compliance workflow management.
- Continuous improvement. The framework evolves based on monitoring findings, incident lessons, regulatory feedback, and business changes. An annual review is the minimum — quarterly updates to high-risk areas are better.