Wwft Compliance for Dutch Audit Firms: What You Actually Need to Do

Which accountants and services fall under the Wwft

Article 1a, lid 4, letter b of the Wwft designates external registered accountants (registeraccountants) and external accounting consultants (accountants-administratieconsulenten) as institutions under the act. The scope isn’t limited to statutory audit work. Any professional activity performed in your capacity as an external accountant falls within scope, including compilation engagements, forensic accounting, advisory services related to financial statements, and bookkeeping performed in a professional capacity.

Administrative offices (administratiekantoren) that perform comparable activities are also covered. The BFT’s October 2024 Specific Guideline confirms that the nature of the activities determines whether the Wwft applies, not the scale. A sole practitioner compiling financial statements (FS) for five clients has the same obligations as a 200-person audit firm.

There is one exception that trips people up. The Wwft applies to you as an external accountant performing professional activities. If you happen to be an RA or AA but you serve as a volunteer board member or treasurer of a local association, the BFT has confirmed that this private, non-professional activity does not trigger Wwft obligations. The VGBA (articles 7-9) and NV NOCLAR may still apply to you personally in that situation.

For audit firms, the practical question is usually not whether the Wwft applies (it does) but which engagements require a separate Wwft client investigation. The answer under the BFT’s guidance is every new client engagement. If you accept a statutory audit, you perform Wwft due diligence. If the same client later asks you to compile management accounts, you don’t need a new Wwft investigation (the existing client relationship continues), but you must update your risk assessment if the new service changes the risk profile.

Client due diligence: what the Wwft requires before you start work

The Wwft requires client due diligence (cliëntenonderzoek) before establishing a business relationship or performing an incidental service. For accountants, this means before signing the engagement letter. You cannot perform the investigation retroactively. The BFT’s enforcement actions consistently flag firms that started work before completing due diligence.

This is where the ID-check-as-tick-box-exercise problem shows up. We’ve seen this on about half the engagement acceptance files we review: a passport copy and a KVK extract are placed in the folder on day one, nobody reads them, and nothing is revisited until the BFT comes knocking. The file should tell a story. An inspector should be able to open it and see what you knew about the client, what you asked, and why you concluded the risk was acceptable.

Standard due diligence under articles 3 and 4 of the Wwft involves four steps. First, identify the client. For a legal entity, this means recording the name, legal form, registered address, and Chamber of Commerce number. Second, verify the client’s identity using reliable, independent sources. A KVK extract alone is usually sufficient for a standard-risk Dutch B.V.

Third, identify and verify the identity of the Ultimate Beneficial Owner (UBO). Under the Wwft’s definition, the UBO is the natural person who holds (directly or indirectly) more than 25% of the shares, voting rights, or ownership interest in the entity. For a standard B.V. with a single shareholder-director, this is straightforward. For holding structures with multiple layers, you need to trace through each entity until you reach the natural person or persons with ultimate control. Record the UBO’s name and date of birth, their nationality, their residential address, and the nature and extent of their interest. Verify using KVK extracts, shareholder registers, notarial deeds, or annual report disclosures.

Fourth, determine the purpose and intended nature of the business relationship. For a statutory audit, this is usually evident from the engagement terms. The Wwft requires you to document it explicitly anyway. If a prospective audit client approaches your firm and the request doesn’t align with the entity’s apparent business activities (a dormant holding company suddenly needing a full statutory audit despite no obvious legal obligation), record that misalignment in the Wwft file.

Enhanced due diligence (verscherpt cliëntenonderzoek) applies in higher-risk situations. Under article 8 of the Wwft, this includes clients established in high-risk countries identified by the European Commission, clients who are Politically Exposed Persons (PEPs) or their family members and close associates, correspondent banking relationships, and any situation where the firm’s own risk assessment identifies an elevated risk of money laundering or terrorist financing. Enhanced measures include obtaining additional information about the source of the client’s funds and wealth, more intensive monitoring of the business relationship, approval from senior management to establish or continue the relationship, and more frequent updating of the client’s risk profile.

PEP screening is the step most commonly missed at smaller firms. Under article 1, lid 1 of the Wwft, PEPs include heads of state, government ministers, parliamentarians, senior judiciary members, central bank board members, ambassadors, senior military officers, and several other categories. Family members and known close associates of PEPs are also covered. For a Dutch B.V. with a director who also serves as a provincial council member (Statenlid), you need to assess whether this constitutes a PEP designation and document the conclusion.

Monitoring and reporting unusual transactions

Under article 3, lid 2, letter d of the Wwft, you must monitor the business relationship on an ongoing basis. For accountants, “monitoring” doesn’t mean real-time transaction screening as it does for banks. It means staying alert to the transactions and activities you encounter during your professional work and assessing whether anything is unusual.

FIU-Nederland lists indicators that help you determine whether a transaction requires reporting. For accountants, there are two relevant indicator categories.

One is the objective indicator. You must always report (regardless of your own assessment) any transaction where you have reason to suspect it involves the financing of terrorism. There are no materiality thresholds. If the indicator is met, you report.

The subjective indicator requires you to report transactions that you have reason to consider unusual. Judgment matters here. A construction client that suddenly shows large cash payments to a supplier in a jurisdiction with no obvious business connection to the project may qualify. A recurring pattern of round-number transfers between related entities without clear commercial substance may qualify. The key question the BFT asks is not whether you reported every possible unusual transaction, but whether you had a structured process for assessing transactions and whether your conclusions were documented.

Reporting goes to the FIU-Nederland through their online portal. You need to create an account in advance (not when you discover something unusual). Reports must be filed without delay (onverwijld). The Wwft requires you to report both completed transactions and intended transactions (transactions the client has proposed but not yet executed). You must not inform the client that a report has been or will be filed (the tipping-off prohibition under article 23 of the Wwft).

Nobody enjoys submitting the first FIU report on a long-standing client, but skipping it is how files get flagged. You’re reporting unusual transactions, not proven criminal activity. The FIU assesses whether the reported transaction is suspicious and, if so, forwards it to law enforcement. Your obligation is to flag, not to investigate. If you wait until you’re certain a transaction is criminal before reporting, you’ve likely missed the reporting deadline and created a compliance failure.

Firm-level requirements: SIRA, compliance, training, and internal procedures

Beyond individual client due diligence and transaction monitoring, the Wwft imposes requirements at the firm level that the BFT inspects as a separate workstream.

The Systematic Integrity Risk Analysis (SIRA) is required under article 2b of the Wwft. Your firm must identify and assess the money laundering and terrorist financing risks relevant to your practice, considering client types, services offered, delivery channels, and geographic exposure. A mid-sized Dutch audit firm whose clients are predominantly Dutch B.V.s in manufacturing has a different risk profile from a firm that audits holding structures with subsidiaries in high-risk jurisdictions. The SIRA should reflect this. It’s not a one-time exercise. The BFT expects you to update it when your client base, services, or risk environment changes.

Article 2d of the Wwft requires the firm to appoint a compliance officer (or equivalent function) responsible for Wwft compliance. For smaller firms, this doesn’t have to be a dedicated full-time role, but someone must be formally designated and that designation must be documented. The BFT’s enforcement actions show that firms without documented compliance responsibility are treated more severely than firms that have a policy but fall short on execution.

Training obligations under article 35 of the Wwft require your employees to receive adequate training to recognise unusual transactions and perform due diligence correctly. Training must be periodic (not just at onboarding) and documented in a verifiable way, including a training plan for each employee. The BFT checks training records during inspections.

Screening obligations require you to verify the background of your employees, particularly those in positions that could expose the firm to integrity risks. This can range from checking CVs and diplomas to requesting a Verklaring Omtrent het Gedrag (VOG, certificate of good conduct), depending on the role and your firm’s risk assessment.

Internal procedures (kantoorprocedures) must be documented and available to the BFT at all times. These cover how your firm performs client due diligence, how transactions are assessed for unusual activity, how reports are filed with the FIU, how the SIRA is maintained, and how Wwft-related information is retained. The BFT has issued aanwijzingen (directions) to firms that did not have documented internal procedures, even where the firm argued it followed the rules informally.

Worked example: Wwft file for a new statutory audit client

Firm: Kuiper and Hoekstra Accountants B.V., a non-PIE firm in Utrecht with 6 partners.

Prospective client: Van Leeuwen Vastgoed B.V., a real estate investment company (€22M portfolio value, 8 employees) seeking a statutory audit for financial year 2025. The company is held through Van Leeuwen Holding B.V. (100% shareholder: J.P. van Leeuwen, Dutch national, resident in the Netherlands).

1. Identify the client and verify identity

Record: Van Leeuwen Vastgoed B.V., registered at Maliebaan 42, Utrecht. KVK number: 12345678. Legal form: besloten vennootschap. Request a recent KVK extract (not older than four weeks) and verify the registered details match the information provided by the prospective client.

Documentation note: File the KVK extract with a date stamp. Record who performed the identification, the date, and the sources used. The BFT expects a trail, not just a ticked box.

2. Identify and verify the UBO

Van Leeuwen Vastgoed B.V. is 100% held by Van Leeuwen Holding B.V. Van Leeuwen Holding B.V. is 100% held by J.P. van Leeuwen (sole shareholder-director). The UBO is J.P. van Leeuwen. Verify identity using a passport copy (or in-person verification with the original document, which is preferable under the BFT’s guidance). Record: full name, date of birth, nationality, nature and extent of interest (100% indirect ownership through Van Leeuwen Holding B.V.).

Documentation note: For holding structures with more than one layer, draw the ownership chart and file it. The BFT wants to see that you traced through each entity. A note saying “UBO is J.P. van Leeuwen” without showing how you arrived at that conclusion is insufficient.

3. Perform a risk assessment

Assess the client against your firm’s SIRA categories. Van Leeuwen Vastgoed operates in real estate, which the Dutch National Risk Assessment (NRA) for money laundering identifies as a higher-risk sector. The NRA 2023 (published by WODC) flags real estate as a conduit for laundering proceeds from predicate offences. This does not mean you refuse the client. It means you apply enhanced vigilance.

Additional risk factors to assess: the source of funding for the property portfolio (bank financing from ABN AMRO, documented in the loan agreements), whether the portfolio includes properties in areas associated with criminal activity, and whether J.P. van Leeuwen holds any public functions that would trigger PEP classification. In this case: no PEP designation, no high-risk country involvement, no unusual ownership structures, and standard bank financing. Risk classification: elevated (due to sector) but manageable with standard-plus due diligence.

Documentation note: Record the risk factors assessed, the sources consulted (NRA 2023, KVK, client interview), the risk classification assigned, and the enhanced measures applied. If the risk classification is elevated, document what additional steps you took beyond standard due diligence. For Van Leeuwen, this might include verifying the source of equity investment in the holding company.

4. Document purpose and nature of the relationship

The business relationship consists of an annual statutory audit of Van Leeuwen Vastgoed B.V. under Dutch GAAP (RJ). The audit is required because the company exceeds the size criteria under the Dutch Civil Code (assets above €7.5M, revenue above €15M as of the 2024 thresholds). Document this in the Wwft file alongside the signed engagement letter.

Documentation note: This step is often skipped because it seems obvious. The BFT still requires it to be in the file. One sentence is sufficient.

5. Set up ongoing monitoring

During the statutory audit, you will encounter the client’s transactions as part of your audit procedures. The Wwft monitoring obligation runs in parallel: as you perform the audit, remain alert to transactions that appear unusual given your understanding of the client’s business. If Van Leeuwen Vastgoed acquires a property from a related party at significantly above or below market value, that’s relevant both for your audit work (related party transactions under ISA 550 ) and for your Wwft obligations (potentially unusual transaction). Document your ongoing monitoring assessment at each audit cycle.

Documentation note: Many firms document Wwft monitoring in a separate section of the permanent audit file. This ensures the monitoring obligation is addressed at each engagement cycle and is visible to the BFT without requiring the inspector to search through the entire audit file.

The completed Wwft file now contains identity verification, UBO identification and tracing, a documented risk assessment referencing the NRA and sector-specific factors, a statement of the purpose of the business relationship, and a monitoring framework linked to the annual audit cycle. Total time to prepare: approximately 90 minutes for a standard Dutch B.V. with a single holding layer.

What the BFT inspects and how enforcement works

The Bureau Financieel Toezicht supervises accountants’ compliance with the Wwft. The BFT’s approach combines cooperative engagement (sharing knowledge, issuing guidelines, publishing FAQs, and conducting seminars) with enforcement when it finds violations.

The BFT conducts both regular investigations (routine inspections without prior indication of problems) and special investigations (triggered by signals, referrals, or BFT’s own intelligence). The BFT also runs partial investigations focused on specific Wwft obligations across multiple firms simultaneously, similar to the AFM’s thematic reviews. Recent partial investigations have focused on risk policy and management, compliance and audit functions, training obligations, and screening of employees.

When the BFT finds violations, it has a range of enforcement tools. An aanwijzing (direction) requires the firm to take specific corrective action within a set deadline, often accompanied by a penalty for non-compliance. An administrative fine (bestuurlijke boete) can be imposed for failure to comply with specific Wwft obligations. The standard fine amount under the Besluit Bestuurlijke Boetes Financiële Sector is €500,000, which the BFT moderates based on factors including the firm’s turnover, the number of violations, the severity of the breach, and whether the firm cooperated. In serious cases, the BFT refers the matter to the Public Prosecution Service (Openbaar Ministerie) for criminal investigation.

Published BFT enforcement actions against accountancy firms show a pattern. The most common violations are insufficient client due diligence (particularly UBO identification), failure to report unusual transactions, failure to maintain monitoring procedures, and absence of documented internal procedures or SIRA. The fine for FSV Accountants + Adviseurs of €133,559 (after objection) combined all of these elements. The smaller fines (€1,000-€2,000) typically involve one or two isolated violations at smaller practices. The BFT publishes all sanctions by name, which creates reputational consequences beyond the financial penalty.

The EU AML reform package: what changes by 2027

In May 2024, the EU adopted a reform package consisting of the Anti-Money Laundering Regulation (AMLR, Regulation 2024/1624) and the sixth Anti-Money Laundering Directive (AMLD6, Directive 2024/1640). A separate regulation establishes the AMLA, a new EU-level Anti-Money Laundering Authority.

The most significant change for Dutch accountants is that the AMLR is a regulation, not a directive. It will be directly applicable in all EU member states without requiring national transposition. This means the current Dutch Wwft will be partially replaced by EU-level rules that apply uniformly across Europe. The AMLR is expected to apply from July 2027.

For accountants specifically, Accountancy Europe published guidance in September 2025 highlighting the key impacts. The AMLR maintains accountants as obliged entities and strengthens requirements in customer due diligence (more prescriptive UBO verification requirements), beneficial ownership transparency (alignment with the beneficial ownership registers), targeted financial sanctions compliance, and record retention periods. The AMLD6 harmonises national supervisory frameworks and introduces minimum standards for cooperation between FIUs and supervisory authorities.

The practical effect for a Dutch audit firm is that your Wwft procedures will need to be updated to align with the AMLR requirements by mid-2027. The underlying obligations (due diligence, monitoring, reporting, and record retention) remain conceptually similar, but the specific requirements will change in detail. Start tracking the AMLR implementation timeline in your firm’s quality calendar now, rather than waiting for the BFT to issue updated guidance.

Practical checklist for Wwft compliance

1. Verify that every active client engagement has a completed Wwft file with identity verification, UBO identification and tracing (with supporting documentation such as KVK extracts and ownership charts), and a documented risk assessment. If any file is incomplete, prioritise it. The BFT fines firms for individual engagement-level failures.
2. Check whether your firm has a current, documented SIRA that reflects your actual client base and service portfolio. If you added real estate clients or clients with international structures since the last SIRA update, update it. Article 2b of the Wwft requires this.
3. Designate a compliance officer in writing and ensure the designation is filed where the BFT can find it. For firms under 10 people, the managing partner can fill this role, but the formal assignment must exist.
4. Review your training records. Every employee should have a documented training plan and evidence of periodic Wwft training. If you haven’t conducted training in the last 12 months, schedule it.
5. Register for the FIU-Nederland reporting portal before you need it. Creating an account takes time. Having the account ready means you can report without delay when an unusual transaction surfaces.
6. For elevated-risk clients (real estate, international structures, cash-intensive businesses, PEP-connected entities), document the additional due diligence measures you applied. The BFT’s enforcement pattern shows that “insufficient enhanced due diligence” is the most commonly cited violation alongside failure to report.

Common mistakes

• Performing Wwft client investigation after the engagement has started. The Wwft requires due diligence before establishing the business relationship. The BFT’s 2024 Specific Guideline is explicit on this point. Starting work and completing the investigation later creates a compliance gap that the BFT will flag.
• Failing to trace through holding structures to the natural person UBO. A KVK extract showing the direct shareholder is Van Leeuwen Holding B.V. is not sufficient. You need to continue to the natural person behind the holding. The BFT found this deficiency in multiple published enforcement actions, including the SB and Partners fine in February 2025.
• Treating the SIRA as a one-time document. The Wwft requires your risk analysis to reflect your current client base and risk environment. A SIRA written in 2019 that hasn’t been updated to reflect post-pandemic changes in your practice or the addition of new client sectors will not satisfy the BFT.

Related content

• SIRA for audit firms. Glossary entry covering what a Systematic Integrity Risk Analysis must contain, how to structure it for a Dutch audit practice, and how often to update it.
• Financial Ratio Calculator. Useful for identifying anomalous financial patterns in client data that may trigger enhanced Wwft monitoring during your audit work.

Related tools and reading

Put audit concepts into practice with these free tools:

Frequently asked questions

Further reading and source references

• Wwft (Wet ter voorkoming van witwassen en financieren van terrorisme): Full legislative text at wetten.overheid.nl.
• BFT Specific Guideline (October 2024): The BFT's guidance on Wwft obligations for accountants.
• Dutch National Risk Assessment (NRA 2023): WODC publication identifying sector-specific money laundering risks.
• EU AMLR (Regulation 2024/1624): The directly applicable EU regulation that will partially replace the Wwft from July 2027.