If you work in compliance at a Dutch bank, payment firm, trust office or other regulated business, the Wwft is the law that frames almost everything you do. Its full name is the Wet ter voorkoming van witwassen en financieren van terrorisme, the Act on the prevention of money laundering and the financing of terrorism. It is the Dutch implementation of the EU anti-money-laundering directives, and for now it sits at the centre of the Dutch AML regime.
In my experience, people who are new to Wwft compliance reach for the legal text first and end up lost. It is easier to understand the law as a set of connected obligations: know who you serve, understand your own risks, check your clients, watch their transactions, and report what looks unusual. Below I walk through each part, with the Dutch specifics that often catch people out.
Who the Wwft applies to
The Wwft does not only cover banks. It applies to a broad set of institutions and professionals that the law calls obliged entities. These include:
- Banks, payment institutions, electronic-money institutions and other financial undertakings.
- Investment firms, asset managers and certain insurers.
- Trust offices and company-service providers.
- Civil-law notaries, lawyers in defined situations, accountants and tax advisers.
- Real-estate agents, and dealers in high-value goods above set cash thresholds.
If you are an obliged entity, the Wwft requires you to build a programme around the risk you face. The exact supervisor depends on the sector. For banks, payment firms and most financial institutions, the supervisor is De Nederlandsche Bank (DNB).
The risk-based approach
The Wwft is built on a risk-based approach. The law does not give you a single fixed checklist to apply identically to every client. Instead it asks you to assess where your money-laundering and terrorist-financing risks are highest, and then to direct your effort and controls there. Higher risk means more scrutiny; lower risk, properly justified, means you can be proportionate.
This matters because it puts the burden of judgement on the firm. You have to be able to explain, with evidence, why you treat a given client, product or country as higher or lower risk. A risk-based approach without documented reasoning is not defensible when a supervisor asks to see it.
The SIRA: your systematic integrity risk analysis
The starting point for the whole framework is the business-wide risk assessment. In the Netherlands this is known as the SIRA, the systematic integrity risk analysis. The SIRA is where you identify and analyse the integrity risks your institution is exposed to across clients, products, services, delivery channels and geographies, and then map your controls against them.
DNB places real weight on the SIRA, and treats it as the foundation that everything else rests on. A few points I would stress:
- It must be specific to your business, not a generic template borrowed from elsewhere.
- It must be current. A SIRA that has not been refreshed after you launched a new product or entered a new market is already out of date.
- It should cover integrity risks broadly, including money laundering, terrorist financing, sanctions, corruption and conflicts of interest, not only the narrow AML question.
Client due diligence, EDD and the UBO
Client due diligence, often called CDD, is how you put the risk-based approach into practice at the level of the individual relationship. Before you enter a business relationship or carry out certain occasional transactions, the Wwft requires you to:
- Identify the client and verify that identity using reliable, independent evidence.
- Identify the ultimate beneficial owner (the UBO), the natural person who ultimately owns or controls the client, and take reasonable steps to verify who that is.
- Understand the purpose and intended nature of the relationship.
- Monitor the relationship on an ongoing basis, including the transactions that pass through it.
Where risk is higher, you must apply enhanced due diligence (EDD). Typical triggers include politically exposed persons, complex or opaque ownership structures, and links to higher-risk jurisdictions. EDD means going further: gathering more information on source of funds and source of wealth, applying senior sign-off, and monitoring the relationship more closely. The opposite, simplified due diligence, is allowed only in genuinely lower-risk situations and still requires a recorded justification.
Transaction monitoring
Identifying a client once is not enough. The Wwft requires ongoing monitoring of transactions so that activity is consistent with what you know about the client and their risk profile. In practice this means transaction-monitoring systems and rules that flag activity for review.
The point of monitoring is not to generate the largest possible number of alerts. It is to detect the activity that actually matters, with rules tuned to your real risks and an investigation process that can act on what surfaces. Coverage and quality count for more than raw volume.
Reporting unusual transactions to FIU-Nederland
This is the single most important Dutch specificity, and the one I see misunderstood most often. The Netherlands does not operate a suspicious-transaction reporting regime. Under the Wwft, obliged entities must report unusual transactions, ongebruikelijke transacties, to FIU-Nederland, the Dutch Financial Intelligence Unit.
The distinction is real and practical. A transaction is reportable if it meets defined objective or subjective indicators of being unusual. You do not need to have concluded that money laundering is taking place. The threshold sits earlier than the "suspicion" standard used in many other countries. FIU-Nederland then analyses the unusual-transaction reports it receives and may declare a transaction suspicious, at which point it can be passed to law enforcement. That declaration is the FIU's job, not yours. Reporting must be done without delay once you identify a transaction as unusual.
DNB supervision
For most financial institutions, DNB supervises compliance with the Wwft and the Sanctions Act. DNB issues guidance, conducts examinations, and can take enforcement action where it finds weak controls. When DNB examines a firm, it tends to start from the SIRA and work outward into CDD files, monitoring and reporting. A firm that can show a coherent line from its risk assessment through to its day-to-day decisions is in a far stronger position than one with strong individual controls that do not connect.
What changes from 2027: the EU AML package
The framework is about to shift significantly. The EU has adopted a new AML package that moves much of the core rulebook from national law into directly applicable EU regulation. The main pieces are the Anti-Money Laundering Regulation (the AMLR, Regulation (EU) 2024/1624), a sixth directive (AMLD6), and a new EU authority, AMLA.
The headline points for Dutch firms are:
- Most of the AMLR applies from 10 July 2027. It harmonises core obligations such as customer due diligence and beneficial-ownership rules directly across the EU, reducing the room for national variation.
- AMLD6 will continue to be transposed into Dutch law, so the Wwft framework adapts rather than disappears overnight.
- AMLA begins direct supervision of selected high-risk cross-border institutions from 2028, working alongside national supervisors such as DNB.
For now, the Wwft remains the law to know. But anyone building or reviewing a Dutch AML programme today should be reading it with one eye on the AMLR, because the obligations you design now should still stand up when the single rulebook takes effect.
Key takeaways
- The Wwft is the Netherlands' core AML law: it applies to banks, payment firms, trust offices and many professionals, with DNB as the supervisor for financial institutions.
- The framework is risk-based and starts with the SIRA, the systematic integrity risk analysis that DNB treats as the foundation for everything else.
- Client due diligence, including UBO identification and enhanced due diligence for higher-risk relationships, must be applied and documented.
- Crucially, Dutch firms report UNUSUAL transactions (ongebruikelijke transacties) to FIU-Nederland, not suspicious ones; the FIU decides what becomes suspicious.
- From 10 July 2027 the EU AMLR harmonises core rules directly, and AMLA starts supervising selected cross-border firms from 2028, reshaping the Dutch regime.