ESMA Issues Guidance on AI Use in Retail Investment Services: Navigating Benefits, Risks, and Compliance

13th June 2024

The European Securities and Markets Authority (“ESMA”) has published a public statement concerning the use of Artificial Intelligence (“AI”) in the provision of retail investment services by investment firms (the “Statement”). The Statement addresses the potential impacts, benefits, and risks of AI for the provision of investment services and focuses on the application of AI in investment services.


On 30 May 2024, ESMA published its Public Statement on the use of Artificial Intelligence in the provision of retail investment services. It aims to guide investment firms utilising or planning to use AI technologies so that they can ensure compliance with the key organisational, prudential and conduct requirements under Directive 2014/65/EU on markets in financial instruments (“MiFID II”) and the corresponding regulations.

The Statement provides guidance on the following MiFID II requirements and obligations: 

  • Acting in clients’ best interest; 
  • Transparency obligations; 
  • Organisational requirements: governance, risk management, knowledge and competence of staff; 
  • Conduct of business; and 
  • Record keeping obligations. 

ESMA notes that while the use and regulation of AI is still in the initial phase and the development is not uniform across investment firms and EU Member States, the potential impact on investment firms’ behaviours and retail investor protection is likely to be significant. In addition, ESMA emphasises that investment firms’ decisions remain the responsibility of management bodies, irrespective of whether those decisions are taken by people or AI-based tools.  

According to the Statement, AI has the potential to transform retail investment services by enhancing efficiency, innovation, and decision-making. However, it also introduces risks like algorithmic biases, data quality issues, and transparency challenges. ESMA notes the different areas for potential uses of AI for investment firms, such as customer service and support (for example AI-powered chatbots and virtual assistants), investment advice and portfolio management, compliance, risk management, fraud detection and for operational efficiency. 

Risks for investment firms and clients when using AI 

ESMA notes that the use of AI might also cause regulatory risks. Where investment firms rely on AI without having human control mechanisms in place, the use of AI might cause a lack of accountability and oversight. ESMA notes that this might be the case with over-reliance on AI, which may undermine human judgment in decision-making.

In addition, where investment firms do not fully understand or monitor how AI accesses and processes data, the use of AI might cause a lack of transparency and explainability. This is due to the fact that many AI systems operate as “black boxes,” making their decision processes opaque. AI tools may produce incorrect or biased results due to issues in training data and inherent algorithmic biases. 

With regard to security and data privacy, ESMA notes that handling large amounts of data raises significant privacy and security concerns. It is crucial that investment firms ensure compliance with data protection regulations to safeguard any sensitive client information collected for the purpose of the provision of investment services.  

MiFID II Requirements 

Investment Firms must ensure that when they make use of AI, their services and conduct comply with the MiFID II requirements, such as organisational and conduct of business obligations. 

Acting in the Clients’ Best Interest 

The requirement to act in the clients’ best interest is stipulated in Art. 24(1) of MiFID II. ESMA emphasises in paragraphs 7, 8 and 9 of the Statement that the obligation to act in clients’ best interest is “an overarching requirement which applies irrespective of the tools that the firm decides to adopt in the provision of services.” In addition, investment firms should be transparent on the role of AI in investment decision-making processes related to the provision of investment services. ESMA expects that when investment firms provide clients with information on how they use AI tools for the provision of investment services, they should disclose this to clients in a clear, fair and not misleading manner. This also applies where AI is used for client interactions (for example using chatbots or other types of AI-related automated systems).

Regardless of tools and mechanisms an investment firm uses, it must always act in clients’ best interests and be transparent about AI’s role in decision-making. 

Governance and Risk Management 

ESMA in its Statement emphasises the role of governance and risk management, as well as other organisational obligations including knowledge and training of staff. In accordance with Art. 8(3) of MiFID II, where an investment firm uses AI tools, it is crucial that the management body of the firm, in its responsibility to establish robust governance structures, has an understanding of those tools and techniques. This is to ensure that firms can establish robust governance, risk management, and training programs to manage AI integration, as well as ensuring oversight of the usage of AI, including the oversight in relation to outsourcing. ESMA also notes the importance of staff training in relation to AI where used.

With regard to the requirements of an effective governance structure, investment firms shall establish and conduct regular AI model testing, and monitor AI systems to identify and mitigate potential risks and biases. Such robust governance structures shall include tests and controls (ex-ante) of those AI tools to ensure the accuracy of information supplied to and/or utilised by AI tools in order to prevent the dissemination to clients of erroneous information or the provision of misleading investment advice. Furthermore, ESMA outlines its expectations in respect of the use of AI tools in investment decision-making processes (paragraph 12 of the Statement) and what robust risk management tools entail (paragraph 13 of the Statement). Robust risk management tools should enable investment firms to identify, assess, and manage the risks associated with AI-driven investment decision-making, such as algorithmic biases, and data security vulnerabilities. “ESMA expects firms to implement comprehensive testing and monitoring systems, applying the principle of proportionality, to evaluate the performance and impact of AI applications on their service offerings.”  

Conduct of Business  

MiFID II outlines the rules and obligations for the conduct of business, such as, amongst others, the rules concerning product governance (Art. 16 of MiFID II), investor protection (Art. 24 of MiFID II), assessment of suitability and appropriateness and reporting to clients (Art. 25 of MiFID II). When investment firms are using AI systems for the provision of investment advice and portfolio management services, firms must ensure suitability and alignment with clients’ financial situations, objectives, and knowledge.

ESMA notes in paragraph 20 of the Statement that where investment firms use AI systems in the provision of investment services, “it becomes crucial to have robust controls to ensure that the systems are designed and monitored for example in the context of product governance to align the distribution of products to the target market, or in the context of the assessment of suitability, to align recommendations and decisions with the client’s financial situation, investment objectives (including sustainability preferences and risk tolerance), and knowledge and experience.”

Investment firms should implement rigorous quality assurance processes for their AI tools, such as testing of algorithms and their outcomes for accuracy, fairness, and reliability in various market scenarios. Additionally, ESMA outlines that firms should conduct periodic stress tests to evaluate how these AI systems perform under extreme market conditions.  

In respect of the provision of investment advice, reference is made to the ESMA Guidelines on certain aspects of the MiFID II suitability requirements (ESMA35-43-3172), where it outlines the application of MiFID II requirements when using automated or semi-automated systems for the provision of investment advice or portfolio management (robo-advice). 

Record Keeping 

With regard to record keeping, ESMA clarifies that investment firms are expected to maintain comprehensive records of AI utilisation and related client interactions, ensuring compliance with Art. 16(6) of MiFID II. Paragraph 24 of the Statement states that “Firms are expected to maintain records that document the utilisation of AI technologies in the various aspects related to the provision of investment services. These records should encompass aspects of AI deployment, including the decision-making processes, data sources used, algorithms implemented, and any modifications made over time.”


The use of AI when carrying out or providing investment services presents both opportunities and challenges. Investment firms must uphold and comply with MiFID II requirements, foster transparency, and implement robust risk management practices to harness AI’s potential while protecting investor confidence and interests. 

The Statement provides useful guidance for investment firms and should be taken into consideration by investment firms when using AI in the provision of retail investment services.

How can Zeidler help?  

If you have any questions or require support, the Zeidler Legal Team is here to help. Our global team of professionals remains up to date on the latest legal, regulatory and compliance changes concerning the use of Artificial Intelligence. If you require additional information or assistance, please get in touch with us. 


Patricia Nitschke