ESMA_QA_2791
26/02/2026
Subject Matter
Records / audit trail / digital workflows / use of user credentials / Record-keeping and audit trail for “under supervision” in digital/segregated advisory workflows
Original question
I would like to request a general clarification on the interpretation of the ESMA Guidelines ESMA/2015/1886 (rev.) regarding record-keeping requirements for “under supervision” (in particular paragraphs 19, 20(c) and 20(g)).
In practice, client communication, suitability documentation and system completion are often performed in a segregated and digital manner (e.g. different staff members involved in the client interaction, documentation and approval). This raises, in particular, the following questions:
1. Minimum requirements for records / traceability
What minimum requirements arise from the Guidelines regarding records to enable the competent authority to verify that supervision actually takes place and is carried out to an appropriate extent?
2. Objective evidence of assumption of responsibility
Is the mere formal naming of a qualified person in the documentation (e.g. in the suitability statement) sufficient, or do the Guidelines expect objectively verifiable review/approval/sign-off evidence?
3. Digital processes / segregated documentation
What requirements apply in digital systems and segregated documentation workflows where client communication, suitability documentation and system completion are not carried out by the same person?
4. Use of user credentials / role awareness
How should “under supervision” be assessed under the Guidelines if user credentials of a qualified person are used for system documentation/system completion, but that person does not provide a conscious assumption of responsibility (review/approval/sign-off) or is not aware that they are intended to act as the supervisor?
In practice, client communication, suitability documentation and system completion are often performed in a segregated and digital manner (e.g. different staff members involved in the client interaction, documentation and approval). This raises, in particular, the following questions:
1. Minimum requirements for records / traceability
What minimum requirements arise from the Guidelines regarding records to enable the competent authority to verify that supervision actually takes place and is carried out to an appropriate extent?
2. Objective evidence of assumption of responsibility
Is the mere formal naming of a qualified person in the documentation (e.g. in the suitability statement) sufficient, or do the Guidelines expect objectively verifiable review/approval/sign-off evidence?
3. Digital processes / segregated documentation
What requirements apply in digital systems and segregated documentation workflows where client communication, suitability documentation and system completion are not carried out by the same person?
4. Use of user credentials / role awareness
How should “under supervision” be assessed under the Guidelines if user credentials of a qualified person are used for system documentation/system completion, but that person does not provide a conscious assumption of responsibility (review/approval/sign-off) or is not aware that they are intended to act as the supervisor?
Status: Question Rejected
Additional Information
Level 1 Regulation
Directive 2014/65/EU - Markets in Financial Instruments Directive (MiFID II)
Level 2 Regulation
Regulation 2017/565 - MiFID II Delegated Regulation
Level 3 Regulation
ESMA/2015/1886 - Guidelines - Assessment of knowledge and competence (MiFID)
Additional Legal Reference
ESMA Guidelines ESMA/2015/1886 (rev.), paras. 4(j), 19, 20(c)-(g); MiFID II (Directive 2014/65/EU), Art. 16(2) and 16(6), Art. 25(1), Art. 25(2), 25(6) and 25(9); Commission Delegated Regulation (EU) 2017/565, Art. 54 and Art. 72.
Historic Question Reference
follow-up to ESMA email ref. 26-0343 + Submitted Question (ESMA_QA_2790)
Topic
Suitability