ESMA Statement on AI for MiFID Investment Firms | TLY

AI Regulation Tracker  /  Guidance and supervisory expectations

ESMA Sets Out How Existing MiFID II Duties Apply to AI in Investment Services

On May 30, 2024, ESMA published a public statement telling firms that use AI in retail investment services to keep meeting their existing MiFID II duties: acting in the client's best interest, suitability, governance, and honest disclosure. It is initial guidance, not a new rule, and it changes no legal duty on its own. Published May 30, 2024; this is an evergreen supervisory signal, not a new 2026 action, and it adds no new binding duties (the MiFID II duties are the binding law).

The Leveraged Years AI Regulation News

The document is short and to the point. ESMA published it on May 30, 2024, under reference ESMA35-335435667-5924, to give investment firms and credit institutions initial guidance on using AI in retail investment services while staying inside MiFID II. It is not the EU AI Act, and it is not a new rulebook. ESMA is looking at AI through the lens of the conduct and organisational rules that already govern how firms treat clients, and telling firms those rules do not bend just because a model is now doing some of the work.

ESMA frames the scope broadly. It covers AI that a firm formally adopts, and it also covers staff quietly using third-party tools like general-purpose chatbots, with or without senior management's knowledge. The uses it has in mind are the obvious ones: customer support, help with investment advice and portfolio management, compliance, risk management, fraud detection, and general operational drafting. Wherever those touch a client, the duties travel with them.

What ESMA actually expects

Strip away the framing and there are five threads, all of them existing MiFID II obligations reasserted in an AI context.

First, best interest. ESMA puts this at the center. In its words, "Central to the use of AI in investment services is the unwavering commitment to act in clients' best interest," and it stresses that this applies regardless of the tools a firm chooses. AI does not create a carve-out from the client's best interest; it sits underneath it.

Second, accountability at the top. ESMA is blunt that using AI does not let anyone off the hook. It states that "firms' decisions remain the responsibility of management bodies, irrespective of whether those decisions are taken by people or AI-based tools." The management body is expected to understand how AI is used in the firm, oversee it, and build governance structures that monitor its impact. You cannot point at a model and say the model decided.

Third, suitability and conduct. When AI feeds into advice or portfolio management, ESMA expects heightened diligence on suitability and product governance, so that recommendations still line up with the client's financial situation, investment objectives including sustainability preferences and risk tolerance, and their knowledge and experience. This is the robo-advice and automated-advice area, and ESMA points back to its existing suitability guidelines for it.

Fourth, disclosure and honest information. ESMA expects that when firms tell clients how they use AI, the information is "clear, fair and not misleading," and that firms using AI for client interactions such as chatbots "should transparently disclose to clients the use of such technology during these interactions." Clients should know when they are talking to a machine.

Fifth, record-keeping. ESMA expects firms to keep comprehensive records on AI use and on related client complaints, documenting the decision-making processes, data sources, algorithms used, and any changes over time. If a regulator or a client asks how an AI-assisted decision was made, the firm should be able to show its work.

What this is, and what it is not

This is the part worth being careful about, because a regulator's name on a document invites over-reading.

This is a public statement offering initial guidance. ESMA itself describes it as serving "the purpose of initial guidance to firms on this key topic in light of MiFID II relevant obligations." It is not a regulation, a technical standard, or a directive. It does not add a new obligation, a new disclosure line item, or a new filing. Every duty it describes already existed under MiFID II before May 30, 2024. What ESMA did was connect those existing duties to the way firms are starting to deploy AI, and signal that it and national competent authorities will keep watching to decide whether further action is needed.

So the binding force here is indirect. The statement is non-binding. The MiFID II best-interest, suitability, product governance, organisational, and record-keeping requirements it rests on are very much binding, and those are what a supervisor would actually enforce. Read this as ESMA telling firms how it expects to see those rules applied when AI is in the loop, not as a fresh legal hurdle.

What this means for US advisers and finance teams

Whether this reaches you depends on your footprint. If your firm provides investment services to retail clients in the EU, or runs MiFID-scope operations there, this statement describes how your EU supervisor expects AI to sit inside the conduct rules you already follow. It is not exotic. It maps almost one to one onto the questions a careful compliance function would already ask before letting a model touch advice or client communications.

If you have no EU footprint, ESMA has no authority over you, and nothing here binds a US filing or a US advisory relationship. But the pattern is a useful benchmark. A major securities regulator looked at AI in advice and landed on a familiar posture: humans stay accountable, suitability still governs, clients get told when they are dealing with a machine, and you keep records you can defend. That lines up closely with where US suitability and best-interest expectations, including Reg BI for broker-dealers and the fiduciary standard for advisers, already point. That Reg BI and adviser-fiduciary comparison is an analogy for US broker-dealers, asset managers, and advisers serving EU retail clients, not an equivalent or a standalone US-law trigger. If you are building AI into a robo-advice flow, a client chatbot, or a portfolio tool, ESMA's five threads are a clean checklist to pressure-test your own controls against.

The through-line is governance and documentation. The duties ESMA reasserts are the ones that turn into enforcement and client harm when they are skipped: who is accountable for the AI-assisted recommendation, is it actually suitable, did the client know AI was involved, and can you reconstruct how the output was produced. None of that is new. AI just raises the stakes on getting it written down.

What to do now

Read the real message: existing MiFID II duties apply to AI, and firms, not models, stay responsible. Map where AI already touches your advice, client interactions, and portfolio work, since those are the spots ESMA is focused on. Keep a named person and the management body accountable for AI-assisted decisions. Make sure any client-facing AI, especially chatbots, discloses that it is AI. Confirm your suitability process still holds when a model is feeding it. And keep records of data sources, algorithms, and changes over time. If you operate in the EU, treat this as your supervisor's stated expectation. If you do not, treat it as a benchmark, and base any change to your controls on your own applicable US standards and your compliance and legal advisers.

Questions professionals are asking

Did ESMA create a new rule for AI in investment services?

No. This is a public statement, ref. ESMA35-335435667-5924, published on May 30, 2024, providing initial guidance. It is non-binding and adds no new legal duty. It restates how existing MiFID II best-interest, conduct, organisational, and record-keeping requirements apply when firms use AI.

What does ESMA expect firms to do?

Keep acting in the client's best interest, keep the management body accountable for decisions whether made by people or AI, apply heightened diligence to suitability and product governance, disclose AI use to clients clearly and honestly including when a chatbot is AI, and maintain comprehensive records of AI use, data sources, algorithms, and changes over time.

Does this apply to US asset managers, broker-dealers, or advisers?

Only if they provide investment services to EU retail clients or run MiFID-scope operations, in which case it describes their EU supervisor's expectations. Firms with no EU footprint are not bound by it, but it is a useful comparative benchmark for AI and robo-advice governance that lines up with US best-interest and suitability expectations.

Is the May 2024 date a problem if I am reading this in 2026?

No. The statement was published on May 30, 2024 and remains ESMA's standing guidance on AI in retail investment services. Nothing here implies it is brand new; it is an evergreen supervisory expectation still in effect as of mid-2026.

How does this relate to the EU AI Act?

ESMA says this statement is based on the MiFID II framework and is without prejudice to the broader EU framework on digital governance, including the AI Act and DORA. In other words, meeting MiFID II duties for AI does not replace any separate obligations a firm may have under those regimes.

RELATED BRIEFINGS

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal, accounting, or investment advice. Confirm how any rule or supervisory expectation applies to your situation with qualified professionals in the relevant jurisdiction.