A letter from De Nederlandsche Bank announcing an on-site examination focuses the mind quickly. Whether it lands as a routine thematic review or follows a specific concern, the questions are the same: is our anti-money-laundering framework actually working, and can we prove it on demand? In my experience, firms that handle examinations well are not the ones that scramble to assemble evidence in the weeks before. They are the ones that could have produced most of it on any ordinary Tuesday.
This post sets out, from an educational standpoint, how DNB tends to supervise AML and CFT under the Wwft, the areas it usually examines, how to run a sensible pre-examination readiness review, and how the arrival of AMLA will shift supervisory expectations across the EU. None of it is a substitute for legal advice, but it should help you think about readiness as an ongoing state rather than a one-off project.
How DNB supervises
DNB is the prudential and integrity supervisor for most Dutch financial institutions, and its AML and CFT work is risk-based. Supervision is not only the formal on-site examination. It includes periodic data requests, self-assessment questionnaires, thematic reviews across a sector, and follow-up on earlier findings. An examination is best understood as one point in a continuous supervisory relationship, which is why the institution's track record and the credibility of its own reporting matter as much as any single file.
Examiners typically work from your own documents outward. They will read your policies and your business-wide risk assessment, then test whether what happens in practice matches what the paperwork claims. A gap between the two is one of the most common and most damaging findings, because it suggests the framework exists on paper but not in the day-to-day.
The areas DNB tends to examine
No two reviews are identical, but a recognisable set of themes comes up again and again. It is worth knowing where the probing usually concentrates.
- The SIRA. The systematic integrity risk analysis is the foundation, and examiners start there. They look for a current, institution-specific assessment that covers customers, products, channels and geographies, links each material risk to a control, and is approved at the right level. A generic or stale SIRA undermines everything built on top of it.
- Customer due diligence files. Expect a sample of files to be pulled and worked through end to end: identification and verification, ultimate beneficial ownership, purpose and intended nature of the relationship, source of funds or wealth where relevant, and evidence that risk classification drove the depth of due diligence applied.
- Transaction monitoring effectiveness. The question is not how many alerts you generate but whether monitoring detects the risks your SIRA identified. Examiners look at scenario coverage, tuning and rationale for thresholds, alert handling quality, and the backlog. Volume without coverage is not reassurance.
- Governance and the compliance function. DNB looks at the standing and independence of compliance, board and senior-management engagement with integrity risk, the quality of management information, and whether the three lines of defence genuinely operate. A compliance function without authority or resources is a structural finding.
- Unusual-transaction reporting to FIU-Nederland. A Dutch specificity that catches out firms used to other regimes: in the Netherlands you report unusual transactions (ongebruikelijke transacties), not suspicious ones. Examiners test whether your objective and subjective indicators are applied correctly, and whether reports are made to FIU-Nederland promptly and with enough quality to be useful.
Running a pre-examination readiness review
The most useful preparation is to examine yourself before the regulator does, using broadly the method they would. A focused self-assessment, ideally run with enough independence that it is not marking its own homework, tends to surface the issues that matter.
- Re-read your own framework as an outsider. Pull your policies, your SIRA and your procedures, and ask whether someone with no prior knowledge could understand how the controls work and why they are calibrated as they are.
- Sample your own files. Take a risk-weighted selection of CDD and enhanced-due-diligence cases and test them against your own standards. The point is to find the gaps yourself while you still control the timetable.
- Trace risk to control to evidence. For each material risk in the SIRA, confirm there is a named control and tangible proof it operates. Broken links here are exactly what examiners probe hardest.
- Check the reporting chain. Walk an unusual transaction from detection to the report filed with FIU-Nederland, and time it. Late or thin reporting is both a finding and a real-world risk.
- Assemble an evidence pack. Minutes, management information, training records, model-tuning documentation and quality-assurance results should be findable in minutes, not reconstructed under pressure.
Common findings and evidencing remediation
Recurring findings cluster around a few themes: a SIRA that is generic or out of date, due-diligence files missing source-of-funds rationale or UBO evidence, monitoring scenarios that do not map to the institution's actual risks, weak management information, and unusual-transaction reporting that is slow or inconsistent. The pattern beneath most of them is the same: a framework that is sound on paper but thin in execution.
When findings do land, how you respond matters as much as the finding itself. Credible remediation has a clear root-cause analysis rather than a surface fix, a realistic and resourced plan with owners and dates, and evidence that the change has actually taken effect, such as re-tested files or refreshed monitoring output. Supervisors are generally more reassured by an institution that understands precisely why something failed and can show it is fixed than by one that promises a quick patch.
How AMLA will change expectations
The supervisory landscape is about to shift. The EU AML package introduces a single rulebook through the AMLR (Regulation (EU) 2024/1624), most of which applies from 10 July 2027, alongside AMLD6 and a new EU authority, AMLA. From 2028 AMLA begins directly supervising a group of selected high-risk cross-border firms, and it will also drive convergence in how national supervisors such as DNB approach their work.
For most institutions the practical effect is twofold. First, expectations become more harmonised and, in places, more prescriptive, so the discretion that once varied by member state narrows. Second, supervisory methodology converges, which means the evidence-led, risk-to-control-to-proof approach DNB already favours is likely to become the common European baseline. Preparing well for a DNB examination today is, in effect, preparing for the supervisory culture the whole EU is moving towards.
Key takeaways
- DNB supervises AML on a risk basis and works outward from your own documents, so a gap between written framework and daily practice is a frequent, damaging finding.
- The recurring examination themes are the SIRA, CDD files, transaction-monitoring effectiveness, governance and the compliance function, and timely unusual-transaction reporting to FIU-Nederland.
- Remember the Dutch specificity: you report unusual transactions (ongebruikelijke transacties), not suspicious ones.
- Run a pre-examination self-assessment using the regulator's own method: re-read the framework as an outsider, sample your files, and trace each risk to a control to real evidence.
- AMLA and the AMLR (most rules from 10 July 2027, direct supervision from 2028) will harmonise and raise expectations, making today's evidence-led readiness the European baseline.