Anti-Money Laundering and Counter-Terrorism Financing Act (AML/CFT)
Central law for Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT).
Applies to: banks, insurers, investment institutions, leasing companies, trust offices, payment service providers, etc.
Key obligations:
Client Research (Customer Due Diligence, CDD)
Mandatory reporting of unusual transactions (via FIU-NL)
Ongoing client monitoring
Sanctions Act 1977
Prohibits transactions with sanctioned individuals, countries, or entities.
Organizations must check (inter)national sanction lists.
Financial Supervision Act (Wft)
Regulates behavioral supervision, prudential supervision, and integrity supervision.
Contains provisions for controlled and ethical business operations.
GDPR / General Data Protection Regulation
Requires that the processing of personal data is necessary, proportional, and lawful.
Limit the retention periods of customer data, unless otherwise required by industry regulations.
European Regulations & Directives
The 4th, 5th and 6th AMLD (Anti-Money Laundering Directives)
EU Sanction Regulations
MiFID II (for investment firms)
Solvency II (for insurers)
Data | Mandatory? | Explanation
Data | | According to the identity document
Date and Place of Birth | |
Nationality | |
Address | |
Type, number, and validity of Identification document | | Verification of authenticity and validity
BSN (if applicable) | | Only if required by law
Purpose and nature of the relationship | | For example, saving, investing, insuring
Source of funds | | In case of increased risk
Politically Exposed Person (PEP) status | | With additional safeguards in case of a positive result
UBO-check (if through an intermediary) | |
Sanctions list check | | Initial and periodic
Data | Mandatory? | Explanation
Registered name, Chamber of Commerce number | | Commercial register extract required
Legal form & country of establishment | |
Identity of representatives | | Identify & verify directors
Identify & verify UBOs | | Ultimate Beneficial Owners
Ownership structure | | Especially in complex structures
Purpose & nature of the relationship | |
Source of funds | |
Sanctions list check | | About entity and UBOs
Ongoing Due Diligence (ODD)
Organizations must keep customer information up-to-date by:
Periodic reassessment (review)
Continuous monitoring of transactions
Screening of sanction lists and PEP lists
Periodic recheck of inclusion on an exclusion register
Checking for validity during changes (KYC data, address, IBAN number, telephone number, income details, etc.)
The frequency of this is based on risk (Risk-Based Approach, RBA):
Risk category | Frequency review (indicative) | Examples
Low risk | Once every 3-5 years | Regular consumer without cash transactions
Moderate risk | Once every 1-3 years | Freelancer, small business
High risk | Once every 6-12 months | PEP, foreign structure, trust arrangement
Transaction monitoring:
Continuous (real-time or near real-time).
Analysis of transaction patterns, geographical risks, sector risks, etc.
Strange or unusual transactions must be reported to FIU-Netherlands.
Data Retention Obligation: 5 years after ending customer relationship (Wwft)
Staff training: Annually (for institutions subject to Wwft).
Policy Documentation: Organizations should document and keep updated AML/CFT policies, risk assessments, and procedures.
Audits and internal controls: Regularly, depending on the risk profile.
The Dutch Central Bank (DNB): Banks, insurers, payment institutions
Authority for the Financial Markets (AFM): Investment institutions, financial advisors
FIU-Netherlands: Report Center for Unusual Transactions
Tax and Customs Administration/WWFT Supervision Office: (for certain non-financial institutions)