KYC & AML Compliance in the Netherlands 2026: AFM and DNB Requirements for Fintechs

Dutch fintech teams operate under the Wwft (Wet ter voorkoming van witwassen en financieren van terrorisme) from day one. Customer due diligence, transaction monitoring, sanctions screening, and unusual transaction reporting are all mandatory.

VOVE ID helps fintech founders and compliance teams implement KYC and AML properly in the Netherlands under AFM and DNB supervision. The real challenge is not knowing that the Wwft exists but translating these obligations into a smooth, production-ready onboarding and monitoring flow.

This is exactly where most compliance setups start to break.

Dutch regulation: one AML law, multiple supervisors

The core Dutch AML framework is the Wwft. It requires customer due diligence, ongoing monitoring, sanctions controls, and reporting of unusual transactions to FIU-Nederland.

On paper it looks straightforward. In practice, teams must understand which supervisor oversees which part of their business.

• DNB is typically the supervisor for payment institutions, e-money institutions, crypto providers, and most financial service providers.
• AFM focuses more on conduct and market supervision for investment firms, fund managers, and capital markets businesses.

Dutch AML cannot be treated as a generic EU checkbox. The control framework must be built around your specific licence, customer types, and product flows.

Customer due diligence: what Dutch KYC really requires

Under the Wwft, firms must:

• Identify and verify the customer
• Understand the purpose and intended nature of the relationship
• Identify beneficial owners
• Apply enhanced due diligence where risk is higher

For individuals, this means reliable remote identity verification (documents + biometrics + liveness). For businesses, it goes far beyond the company name — you must verify directors, beneficial owners (UBO), and authority to act.

Remote onboarding in the Netherlands usually combines document checks, biometric verification, sanctions screening, and database/registry lookups to meet both Wwft and eIDAS requirements.

AML operations: monitoring, sanctions, and FIU reporting

KYC is only the start. The Wwft demands continuous monitoring of customers and transactions to detect unusual patterns.

The Dutch standard is based on “unusual transactions” — not just clearly criminal ones. If something triggers objective or subjective indicators, it must be reported to FIU-Nederland, even without full proof of crime.

Sanctions screening must be ongoing, not just at onboarding. Many fintechs fail here because their systems are fragmented: KYC in one tool, monitoring in another, and decisions in spreadsheets.

UBO verification: the hardest part of Dutch business onboarding

For corporate clients, UBO identification is mandatory. The Dutch UBO register (managed by KVK) requires companies to determine natural persons with >25% ownership or control.

In practice, this often gets complicated with foreign parents, holding companies, nominees, or outdated records. A clean KVK extract is rarely enough — you need to map and verify the actual control structure.

MiCA and MiFID II: additional layers Dutch teams cannot ignore

For crypto and investment platforms, MiCA and MiFID II add extra requirements around onboarding, suitability, source of funds, and conduct rules. These don’t replace Wwft — they increase pressure on the same customer workflow.

A realistic Dutch onboarding failure

A Netherlands-based investment platform onboards an SME treasury client:

Documents provided:

• KVK extract
• Director passport
• Corporate address
• PDF shareholding chart

Problems appear quickly:

• Mismatch between KVK directors and submitted ownership chart
• Foreign parent company with no verified UBO
• First transactions already inconsistent with the stated business profile

The result? Incomplete UBO file + urgent unusual transaction review. What started as a simple onboarding became an AML escalation.

How VOVE ID handles Dutch KYC and AML

VOVE ID brings identity verification, business verification, UBO checks, sanctions screening, and monitoring into one connected workflow.

• For individuals: document + biometric verification with risk screening
• For businesses: KVK matching, UBO discovery, and control verification
• Ongoing: continuous sanctions and transaction monitoring with clear audit trail

This gives compliance teams one single source of truth instead of disconnected systems.

Practical Netherlands KYC & AML Checklist

Onboarding

• Map your exact licence and supervisory perimeter first
• Verify identity and authority before activating the relationship
• Complete UBO and control verification for all business clients

Identity & Ownership

• Cross-check against KVK and official registries
• Identify and verify beneficial owners and control persons
• Escalate unclear or high-risk ownership structures

Monitoring & Reporting

• Screen all customers and UBOs against sanctions and PEP lists
• Monitor transactions from day one against customer profile
• Have a clear process for FIU-Nederland unusual transaction reporting

Operations

• Keep everything in one auditable workflow
• Re-screen when risk factors change (jurisdiction, ownership, activity)
• Document all approval, escalation, and reporting decisions

Conclusion

Dutch AML compliance is not just a regulatory checkbox — it is a core operating model.

The strongest teams treat onboarding, UBO verification, monitoring, and reporting as one continuous workflow. Fragmented systems create risk exactly when regulators expect higher standards.