Key points
- Wwft customer due diligence (CDD) must be completed before signing the engagement letter, not after. Article 3 sets the sequence: identify the client, identify the ultimate beneficial owner (UBO), assess the risk, then proceed.
- Unusual transaction reports go to FIU-Nederland within two weeks of the moment you identify the unusual nature. Missing the deadline is a criminal offence under Dutch law.
- Since 1 January 2026, the Wwft prohibits cash payments of EUR 3,000 or more for the sale or purchase of goods (previously EUR 10,000).
- BFT fined FSV Accountants + Adviseurs B.V. EUR 133,559 for cumulative Wwft failures, including missing CDD and unreported unusual transactions.
What the Wwft requires from audit firms
Pull an average Wwft file from a Dutch mid-tier firm and you will probably find a Chamber of Commerce extract from three years ago, a UBO declaration signed at onboarding, and nothing since. The BFT's October 2024 guideline on Wwft compliance for accountants and tax advisers explicitly flagged this pattern: firms treat CDD as a one-time onboarding task and then let the file go stale. I think this is the single most common Wwft failure in practice, because it feels like the work is already done.
What actually happens is that the Wwft creates two obligations that run for the full life of the client relationship, not just at intake.
First, customer due diligence. Wwft article 3 requires every gatekeeper (audit firms, accountants, tax advisers) to complete CDD before entering a business relationship or carrying out an occasional transaction. CDD has four components: identifying the client, identifying the UBO per article 3(2), establishing the purpose and intended nature of the relationship, and conducting ongoing monitoring. For audit firms, this runs parallel to acceptance and continuance under ISQM 1. You cannot sign the engagement letter until you have verified the client's identity, traced the UBO, and assessed the money laundering risk. Article 8 requires enhanced due diligence for higher-risk situations (politically exposed persons, complex ownership structures, high-risk jurisdictions).
Second, unusual transaction reporting. Article 16 obliges the firm to report any unusual transaction to FIU-Nederland immediately, and in any case within two weeks. Failure to report is a criminal offence. Not an administrative penalty. A criminal offence.
Two supervisors enforce the Wwft in parallel. The BFT (Bureau Financieel Toezicht) supervises accountants and tax advisers. The AFM supervises audit firms holding a Wta licence. Both conduct unannounced inspections, and a firm can receive findings from both regulators on the same client engagement.
Worked example: Van der Berg Logistics B.V.
Client: Dutch transport and logistics company, FY2025, revenue EUR 19M, Dutch GAAP (RJ) reporter. Van der Berg is owned 70% by a holding company registered in Curacao and 30% by the founder, a Dutch resident. The firm is engaged for the statutory audit.
Client identification and verification
The firm verifies Van der Berg's identity using a current Chamber of Commerce extract. It records the legal form (B.V.), registered address, KvK number, and date of incorporation. The engagement partner reviews the articles of association to confirm the shareholding structure.
UBO identification
The 70% holding company in Curacao triggers enhanced due diligence under Wwft article 8. The firm traces the ownership chain through the Curacao entity to identify the natural person(s) with ultimate beneficial ownership (25% or more interest). Two individuals own the holding company: a Dutch national (40%) and a Curacao resident (60%). Both are identified and verified using passport copies.
Risk assessment and ongoing monitoring
Van der Berg is classified as higher risk based on two factors: the offshore holding structure and the cash-intensive nature of certain logistics operations. The firm establishes a monitoring plan requiring annual refresh of the UBO documentation and quarterly review of unusual payment patterns in the client's bank statements during the audit.
Unusual transaction identification during the audit
During interim procedures in October 2025, the audit team identifies a EUR 280,000 payment from Van der Berg to a Panamanian entity with no supporting contract or commercial rationale. The engagement partner assesses this as an unusual transaction under article 16 and reports it to FIU-Nederland within five business days. The firm does not inform the client (tipping-off prohibition under article 23).
Here is where it gets difficult in practice. The team still has to finish the audit. Management will ask why certain questions are being asked about the Panamanian payment, and the team cannot explain that a report has been filed. I have seen engagements where the atmosphere in the room shifts overnight after an article 16 report, and you are left pretending nothing has changed. There is no good guidance on how to handle that tension. You just manage it.
What firms actually get wrong
The BFT fined FSV Accountants + Adviseurs B.V. EUR 133,559 for multiple Wwft violations, including failure to conduct adequate CDD and failure to report unusual transactions. That fine is larger than many engagement fees for smaller statutory audits. It illustrates a pattern the BFT enforces consistently: Wwft failures are cumulative. A single missing UBO identification combined with a single unreported unusual transaction produces a penalty that makes the engagement unprofitable retroactively.
Most firms do not get the onboarding step wrong. They get the ongoing monitoring wrong, because nobody wants to reopen a Wwft file on a long-standing client. It feels like a tick-box exercise: copy last year's assessment, confirm nothing has changed, move on. The BFT's 2024 guideline specifically targeted this behaviour, requiring periodic reassessment of the client risk profile and refresh of UBO information. On multi-year recurring audits, Wwft files routinely contain identification documents that are four or five years old, with no evidence that anyone reassessed the risk or checked whether the UBO structure changed.
There is a reasonable counterargument here. If the client's ownership structure genuinely has not changed, a fresh CDD review produces the same conclusions as last year's. Some practitioners argue that the annual refresh obligation creates busywork without improving the quality of AML detection, because the real risk factor (a suspicious transaction) would surface during audit fieldwork regardless of whether the UBO passport copy is current. I think that argument underestimates how much ownership structures do change in practice, especially in private companies with holding structures. But it explains why firms deprioritise the refresh: they do not believe it will catch anything that fieldwork would miss.
Wwft vs. Wta
| Dimension | Wwft | Wta |
|---|---|---|
| Purpose | Prevent money laundering and terrorist financing through gatekeeper obligations | Supervise audit firm quality and integrity for statutory audit engagements |
| Supervisor | BFT (accountants and tax advisers) and AFM (Wta-licensed firms) | AFM exclusively |
| Scope | All professional services by designated gatekeepers | Statutory audits only (wettelijke controle) |
| Key obligation | CDD and unusual transaction reporting | Quality management system, independence, engagement quality |
| Penalty | Administrative fines (BFT) and criminal prosecution | Administrative fines, licence conditions, or licence withdrawal (AFM) |
A firm can pass its AFM inspection on audit quality with no findings and simultaneously fail a BFT inspection on Wwft compliance. The two regimes impose separate obligations, enforced by separate supervisors, on the same firm. Firms that integrate Wwft procedures into their ISQM 1 acceptance and continuance policies reduce the risk of gaps between the two frameworks, but in my experience most firms still run these as separate compliance streams with separate checklists and separate partners responsible. That creates exactly the kind of gap both supervisors are looking for.
Related terms
Related reading
Frequently asked questions
Does the Wwft apply to review and compilation engagements, or only statutory audits?
The Wwft applies to all services provided by accountants acting in their professional capacity, not only statutory audits. Review engagements under Dutch COS 2400, compilation engagements under COS 4410, tax advisory work, and general consulting services all fall within scope. The determining factor is whether the professional is acting as a gatekeeper per Wwft article 1(a), not the type of engagement.
What happens if an audit firm fails to report an unusual transaction?
Failure to report an unusual transaction is a criminal offence under Dutch law, carrying potential fines and (in serious cases) criminal prosecution. The BFT can impose administrative fines independently. Beyond the legal consequences, a missed report may trigger an AFM investigation into the firm's broader audit quality if the Wta licence conditions are called into question. Wwft article 16 sets the reporting deadline at two weeks from identifying the unusual nature.
How does the Wwft interact with the EU Anti-Money Laundering Regulation?
The EU AML Regulation (AMLR), expected to apply from mid-2027, will replace parts of the Wwft with directly applicable EU rules on customer due diligence and UBO identification. The Wwft will remain in force for provisions not covered by the regulation, including certain Dutch-specific reporting obligations and the BFT's supervisory mandate. Firms should monitor the transposition timeline, as the interaction between the Wwft and the AMLR will require updated internal procedures.