AML/CFT Compliance in the Netherlands: DNB, Wwft, and the 2026 Regulatory Landscape

RegMantle Editorial · 16 April 2026 · 13 min read

The Netherlands' AML/CFT regime is tightening, with De Nederlandsche Bank (DNB) and the Authority for Financial Markets (AFM) stepping up enforcement. Recent cases, including a €775 million settlement with ING in 2018 and a €298 million agreement with Rabobank in December 2023, highlight the importance of documented anti-money laundering measures. DNB is focusing on compliance failures, particularly in customer due diligence and suspicious transaction reporting.

Key Facts at a Glance

Primary regulator: DNB (De Nederlandsche Bank) for prudential supervision and AML/CFT compliance
Primary AML law: Wet ter voorkoming van witwassen en financieren van terrorisme (Wwft) - Act on Prevention of Money Laundering and Terrorism Financing
Conduct regulator: AFM (Authority for Financial Markets)
Criminal offence: Section 420 SR (Criminal Code)
FIU: FIU-Nederland at the Dutch Police
EU supervisor: AMLA (candidate for direct supervision, though Frankfurt won)
Current guidance: DNB Guidelines on AML/CFT
Coming legislation: EU AMLR (2024/1624) applies 10 July 2027

The Regulatory Landscape

The Netherlands' AML/CFT framework is based on the Wet ter voorkoming van witwassen en financieren van terrorisme (Wwft), which transposes successive EU directives. The Wwft, substantially amended in 2018 (4AMLD) and 2020 (5AMLD), sets out obligations for a wide range of entities, including credit institutions, payment institutions, and crypto service providers. De Nederlandsche Bank (DNB) and the Authority for Financial Markets (AFM) share supervisory responsibilities, with DNB focusing on prudential supervision and AML/CFT compliance.

The European framework has been rebuilt with the Sixth Anti-Money Laundering Directive (EU) 2024/1640 in force, and the EU Anti-Money Laundering Regulation (AMLR) (EU) 2024/1624 will apply directly from 10 July 2027. The new EU Anti-Money Laundering Authority, AMLA, although based in Frankfurt, will have implications for Dutch institutions.

DNB's AML/CFT Guidance

DNB has issued guidelines on AML/CFT, which provide detailed expectations for institutions. These guidelines emphasize the importance of risk-based approaches, customer due diligence, and suspicious transaction reporting. Institutions are expected to implement documented controls, including transaction monitoring and reporting of suspicious activities to the FIU-Nederland.

Customer Due Diligence and KYC

Dutch CDD obligations follow the familiar EU template. Identification of natural persons requires verified data on full name, place and date of birth, nationality, and a residential address. For legal entities, verification typically rests on commercial register excerpts, articles of association, and beneficial ownership records held in the UBO Register, which has been operational since 2020.

Beneficial ownership thresholds follow the 25% standard. Where no natural person can be identified above that threshold, the senior managing official is recorded as the "notional" beneficial owner. PEP screening is required for clients, beneficial owners, and counterparties.

Sanctions Screening

Sanctions implementation in the Netherlands rests on EU regulations directly applicable in Member States, supplemented by the Sanctions Act 1977 and the Decree on Sanctions. Enforcement responsibility is shared between DNB and the FIU-Nederland.

For obliged entities, this means real-time screening against the EU Consolidated Financial Sanctions List, the UN Consolidated List, and any national designations.

SAR/STR Reporting

Suspicious Activity Reports must be filed via FIU-PORTAL, the FIU's electronic reporting platform. The Money Laundering Reporting Ordinance codifies formal and substantive minimum standards for SARs and Suspicious Transactions and Order Reports (STORs), including content requirements, structural fields, and timeliness expectations. Deficient filings will themselves become a basis for administrative fines, and in serious cases, criminal exposure for individuals.

⚠ Practical Note

The "duty to stand still" is widely misunderstood. A transaction subject to a SAR may be executed only after the FIU or prosecutor consents, or after three working days have elapsed without prohibition. Executing earlier exposes the institution and individual decision-makers to administrative and criminal liability.

Risk-Based Approach

Institutions are required to implement a risk management system proportionate to their nature and size, anchored in a documented institution-wide risk assessment. The 2024 guidelines formalised the requirement to maintain separate risk analyses for money laundering and for terrorist financing.

DNB's Risks in Focus 2026 publication identifies inadequate AML/CFT prevention as one of six core supervisory priorities for the coming three-year horizon. Expect intensified inspections, with particular attention to payment institutions, e-money institutions, and crypto-asset service providers.

Crypto-Assets: MiCAR and Wwft

The Netherlands' crypto-asset framework was rebuilt in late 2024 and early 2025 around the EU's Markets in Crypto-Assets Regulation (MiCAR). The domestic implementing legislation, the Uitvoeringsbesluit MiCA en TFR, gives DNB enhanced supervisory powers.

A new Decree on Crypto-Asset Service Providers addresses transfers to and from unhosted (self-custodied) wallets, requiring obliged entities to assess the elevated money-laundering risk such transfers can present and apply risk-mitigating measures.

Recent Enforcement

The 2024-2025 enforcement record demonstrates DNB's willingness to use the full range of penalties available under the Wwft, including turnover-based calculations that produce eight-figure fines for systemic failures.

Date | Institution | Penalty | Basis
Dec 2023 | Rabobank | €298m | Agreement to resolve AML investigation
2018 | ING | €775m | Settlement for historical AML failings
2021 | ABN AMRO | €480m | Penalty for AML deficiencies

Practical Compliance Checklist for Dutch Institutions

Minimum Documentation Set Under the Wwft

  1. Institution-wide risk assessment under Section 5 Wwft, with separate ML and TF analyses, refreshed annually and on material change.
  2. Internal safeguards manual under Section 7 Wwft, covering customer due diligence, ongoing monitoring, sanctions screening, training, and reporting.
  3. Written CDD procedures aligned with the Wwft, including KYC review cycles.
  4. Sanctions screening policy covering EU, UN, and national lists with documented matching logic and false-positive review procedure.
  5. SAR/STR procedures referencing Section 16 Wwft, the FIU-PORTAL, and the same-day/next-working-day standard.
  6. PEP identification and EDD procedure including the 12-month post-departure continuation requirement.
  7. Designated AML Officer and deputy notified to DNB under Section 8 Wwft.
  8. Staff training programme under Section 7(2) Wwft, with documented annual refresher cycles.
  9. For CASPs: documented procedures for unhosted wallet transfers and blockchain analytics deployment evidence.

Common Pitfalls

Three patterns dominate recent enforcement files. The first is SAR latency: institutions that have built escalation processes around weekly compliance committees rather than daily filing capacity find themselves systemically late. DNB's view is that "without undue delay" is a real-time standard, not a weekly one.

The second is fragmented governance: where AML investigations sit across multiple business lines, multiple geographies, or multiple legal entities, DNB treats the resulting coordination failures as substantive breaches in their own right.

The third is over-reliance on commercial screening tools without documented rationale. DNB accepts the use of third-party PEP and sanctions databases but expects the obliged entity to be able to evidence the matching algorithms applied, the false-positive thresholds set, the data quality controls in place, and the periodic validation of the vendor.

Looking Ahead

The EU Anti-Money Laundering Regulation (AMLR) applies directly from 10 July 2027 and will replace much of the Wwft's substantive content. Institutions should treat the period to mid-2027 as a transition window: build now to AMLR standards using the DNB guidelines as a forward-looking interpretation, rather than waiting for parallel Dutch legislation that may never materialise in its current form.

How RegMantle Helps

RegMantle generates jurisdiction-specific AML/CFT documentation for Dutch institutions, citing the Wwft and applicable EU regulations directly in the text. Generated documents include the institution-wide risk assessment, AML/CFT policy manual, KYC/CDD procedures aligned with the Wwft, sanctions screening policy referencing the EU Consolidated Financial Sanctions List, SAR/STR procedures keyed to Section 16 Wwft and the FIU-PORTAL, and the staff training programme required under Section 7 Wwft.

Generate your Dutch AML documentation in minutes

Stop paying €15,000 to €50,000 for templated consultancy outputs. RegMantle produces audit-ready, Wwft-compliant documentation in under ten minutes.