What you’ll learn
  • Why statutory auditors are “obliged entities” under AMLD4 Article 2(1)(3)(a) and what that status requires in practice
  • How the Dutch Wwft translates the directive into specific reporting obligations for auditors (Wwft Articles 16 and 16a)
  • How to integrate AML obligations with your ISA 250.13 procedures for non-compliance with laws and regulations
  • What the 2024 EU AML package (the AML Regulation and AMLA) changes for auditors going forward

Why auditors are obliged entities under EU AML law

AMLD4 (Directive 2015/849) Article 2(1)(3)(a) designates statutory auditors and audit firms as “obliged entities.” This is not optional and does not depend on the type of client or the size of the engagement. Every statutory auditor performing audit work in an EU member state has AML obligations. The directive applies to the auditor, not to the audit. If you hold an RA or AA designation in the Netherlands and perform statutory audits, you are an obliged entity under the Wwft from the moment you accept a client.

The obligations fall into four categories: client due diligence (know your client before and during the engagement), suspicious transaction reporting (report to the FIU when you encounter indicators of money laundering or terrorist financing), record-keeping (retain due diligence records and transaction evidence), and internal policies and procedures (maintain a firm-level AML compliance framework). Each of these applies in parallel with your audit responsibilities under the ISAs. They are not part of the audit. They are a separate legal obligation triggered by your status as an obliged entity.

Enforcement is real. The Bureau Financieel Toezicht (BFT) supervises auditors’ compliance with the Wwft in the Netherlands. BFT has published enforcement actions against audit firms for failing to perform adequate client due diligence, for failing to report suspicious transactions, for inadequate internal AML procedures, and for insufficient record-keeping. These are not theoretical risks. A 2022 BFT enforcement action resulted in a €40,000 fine against a mid-tier firm for systemic Wwft non-compliance across multiple engagements.

Client due diligence: what the Wwft requires from auditors

Wwft Article 3 requires you to perform client due diligence before establishing a business relationship (i.e., before accepting the audit engagement) and on an ongoing basis throughout the engagement. The due diligence elements are specified in Wwft Article 3(2): identify and verify the identity of the client, identify and verify the identity of the ultimate beneficial owner (UBO), assess and document the purpose and intended nature of the business relationship, and conduct ongoing monitoring of the business relationship.

Identification means obtaining the client’s legal name, registered address, KVK registration number, and the identity of natural persons who are directors or authorised representatives. Verification means checking these details against an independent and reliable source. For a Dutch B.V., the KVK extract satisfies the legal entity verification. For the UBO, you check the UBO register (maintained by the KVK since 27 March 2022, though access restrictions have applied since a 2022 CJEU ruling). If the UBO register is not accessible, Wwft Article 3(2)(b) requires you to take reasonable measures to verify the UBO’s identity through other means (shareholder register, deed of incorporation, or client declaration supported by additional documentation).

The ongoing monitoring obligation is the one most auditors overlook. Wwft Article 3(2)(d) requires you to monitor the business relationship throughout its duration, including scrutiny of transactions to ensure they are consistent with your knowledge of the client. During the audit, if you encounter transactions that do not match the client’s business profile, the Wwft requires you to investigate further. This is not the same as an ISA 240.35 fraud risk assessment, though the information may overlap. The Wwft obligation is triggered by ML/TF indicators, not by misstatement risk.

Suspicious transaction reporting: the obligation most auditors underestimate

Wwft Article 16 imposes the reporting obligation: if you know, suspect, or have reasonable grounds to suspect that a transaction is related to money laundering or terrorist financing, you must report it to FIU-Nederland without delay. Wwft Article 16a extends this to intended transactions that were not completed. The report is made directly to FIU-Nederland through the FIU’s online portal (goAML).

The threshold for reporting is lower than most auditors assume. You do not need to be certain that money laundering is occurring. You do not need to complete an investigation. “Reasonable grounds to suspect” is the standard. The Wwft Indicatorenlijst (the list of objective and subjective indicators published by the Ministry of Finance) provides guidance on what constitutes reasonable grounds. Objective indicators include transactions involving countries on the EU high-risk third country list. Subjective indicators include transactions that have no apparent economic purpose, transactions that do not match the client’s business profile, or situations where the client provides false or misleading information about the transaction.

Two aspects of the reporting obligation catch auditors off guard. First, the tipping-off prohibition. Wwft Article 23 prohibits you from informing the client (or anyone other than FIU-Nederland and your firm’s AML compliance officer) that a report has been made or is being considered. You cannot tell the client. You cannot discuss it with the client’s other advisers. Second, the Wwft reporting obligation overrides professional confidentiality. Wwft Article 22 explicitly states that the reporting obligation takes precedence over any duty of confidentiality owed to the client. Your professional secrecy obligation under the Wta (Wet toezicht accountantsorganisaties) does not protect you from failing to report.

The practical scenario is this: during fieldwork, you identify a series of transactions that trigger a subjective indicator. You report to FIU-Nederland through goAML. You continue the audit. Withdrawing from the engagement solely because you filed a report would effectively tip off the client, so you stay. If the suspicious transactions also constitute potential fraud, you assess them simultaneously under ISA 240. If they also constitute potential non-compliance with laws, you assess them under ISA 250. The Wwft obligation runs in parallel.

How AML obligations interact with ISA 250

ISA 250.13 requires you to obtain sufficient appropriate audit evidence regarding compliance with laws and regulations that have a direct effect on the determination of material amounts and disclosures in the financial statements. AML legislation does not typically affect amounts in the financial statements directly (a client’s failure to file suspicious transaction reports does not change the balance sheet). But ISA 250.14 requires the auditor to perform procedures to identify instances of non-compliance with other laws and regulations that may have a material effect on the financial statements. Penalties for AML non-compliance can be material.

The interaction works in both directions. Your ISA 250.14 procedures may identify non-compliance that triggers your Wwft reporting obligation. Your Wwft due diligence may identify information relevant to your ISA 240.35 fraud risk assessment or your ISA 570.10 going concern evaluation (if the client’s business model depends on transactions that appear to lack economic substance, the going concern assumption may be questionable).

ISA 250.19 requires you to communicate identified or suspected non-compliance to those charged with governance. But the Wwft tipping-off prohibition under Article 23 constrains what you can communicate and when. If you have reported a suspicious transaction to FIU-Nederland, you cannot tell the audit committee that you have done so. You can, however, communicate your concerns about the underlying transactions under ISA 250 without referencing the Wwft report. This requires careful drafting. Document your communication strategy in the engagement file.

ISA 250.23 requires the auditor to consider the implications of non-compliance for the audit opinion. If the client’s non-compliance with AML legislation is material (because of penalties, regulatory action, or reputational damage that affects going concern), it may require a modification to the opinion or an emphasis of matter paragraph. Evaluate each case against the specific financial statement impact.

Enhanced due diligence triggers and PEP screening

Wwft Article 8 requires enhanced due diligence in specified high-risk situations. The mandatory triggers include: a client or UBO who is a Politically Exposed Person (PEP) as defined in Wwft Article 1, a business relationship or transaction involving a country on the EU high-risk third country list (currently maintained under Delegated Regulation (EU) 2016/1675, as amended), a correspondent banking relationship, and any situation where the risk assessment identifies a higher risk of ML/TF.

PEP screening is the trigger that affects auditors most frequently. A PEP is a natural person who holds (or has held within the past 12 months under Dutch implementation) a prominent public function. The definition extends to family members and known close associates. If the UBO of your audit client is a PEP, Wwft Article 8(5) requires you to obtain senior management approval for the engagement, take adequate measures to establish the source of wealth and source of funds, and conduct enhanced ongoing monitoring.

In practice: before accepting any new audit engagement, screen the UBO against a PEP database (World-Check, Dow Jones, or equivalent). If the UBO is a PEP, document the enhanced due diligence measures taken. If the engagement is ongoing and the UBO becomes a PEP (for example, a client’s majority shareholder is appointed to a ministerial position), the enhanced measures must be applied from that point forward. Monitor for changes annually.

The EU high-risk third country list also triggers enhanced due diligence. If the audit client has significant business relationships with entities in listed jurisdictions, Wwft Article 8(3) applies and you must take additional measures to understand the nature and purpose of those transactions. Verify the commercial rationale. The EU list is updated periodically; check the current version before each engagement cycle.

Record-keeping and the five-year retention rule

Wwft Article 33 requires you to retain all client due diligence records, transaction records, and supporting documentation for five years after the end of the business relationship (i.e., after the last audit engagement for that client). This retention period is separate from and potentially longer than the audit working paper retention period under the Wta and ISQM 1.

The records you must retain include: copies of identification documents or data sources used to verify the client’s identity, the UBO identification and verification records, the risk assessment for the business relationship, records of any suspicious transaction reports made, ongoing monitoring documentation, and any enhanced due diligence documentation. These records must be sufficient to allow the BFT or FIU-Nederland to reconstruct the due diligence process if requested.

The practical implication for firms: maintain a separate Wwft client file (or a clearly delineated section within the engagement file) that is retained on a different schedule from the audit file if necessary. If the firm’s standard working paper retention is six years but the Wwft relationship ended two years before the last audit, the Wwft retention may extend to seven years from the last audit.

The 2024 EU AML package: what changes for auditors

The EU adopted a new AML legislative package in 2024 consisting of the AML Regulation (Regulation (EU) 2024/1624, directly applicable across member states), the Sixth Anti-Money Laundering Directive (AMLD6, Directive (EU) 2024/1640), and the regulation establishing the Anti-Money Laundering Authority (AMLA, Regulation (EU) 2024/1620). The AML Regulation replaces much of the substance currently in AMLD4/5 and, as a regulation rather than a directive, will apply directly without national transposition.

For auditors, the key changes in the AML Regulation include: a maximum harmonised framework for client due diligence (reducing the current variation between member states), more detailed rules on UBO identification and verification, a harmonised definition of PEP that reduces national divergence in implementation, an expanded set of mandatory enhanced due diligence triggers, and clearer rules on the application of due diligence measures to existing business relationships.

AMLA will become the EU-level supervisor for certain high-risk obliged entities (primarily large financial institutions). Auditors will continue to be supervised at the national level (by the BFT in the Netherlands), but AMLA will set supervisory standards and coordinate cross-border enforcement. AMLD6 replaces AMLD4 and contains the provisions that require national transposition, including the rules on national FIU powers, supervisory frameworks, and criminal law provisions.

The transitional timeline matters for planning. The AML Regulation applies from 10 July 2027. AMLD6 must be transposed into national law by 10 July 2027. Firms should be building implementation plans now for updated client due diligence procedures, UBO verification processes, and risk assessment frameworks. The substantive changes do not alter the fundamental obligation (auditors remain obliged entities with the same four categories of duties) but they tighten the specific requirements within each category.

Worked example: Dekker & Visser Accountants auditing Rietmolen Vastgoed B.V.

Client profile: Rietmolen Vastgoed B.V. is a Dutch real estate holding company owning eight commercial properties in Rotterdam and The Hague. Annual rental income: €6.2M. Total assets: €48M. The UBO is a single natural person (Hendrik Rietmolen, 100% shareholder). The company is financed by a combination of bank debt (€28M) and shareholder loans (€9M). Dekker & Visser Accountants is a six-partner firm performing the statutory audit.

1. Perform client due diligence under Wwft Article 3

Before accepting the engagement, Dekker & Visser collects: KVK extract for Rietmolen Vastgoed B.V. (verification of legal entity), copy of Hendrik Rietmolen’s passport (UBO identification), UBO register check at KVK (UBO verification), and a risk assessment of the business relationship.

Risk assessment: real estate is a sector identified as higher risk for money laundering by the European Commission’s 2022 Supranational Risk Assessment. The Wwft Indicatorenlijst flags real estate transactions as a sector requiring heightened attention. Dekker & Visser classifies this engagement as elevated risk (not high enough to trigger full enhanced due diligence under Wwft Article 8, but above the baseline). Ongoing monitoring procedures are set at a higher frequency.

Documentation note

Record the KVK extract date, the UBO verification source and date, the risk classification (elevated), the rationale for the classification (real estate sector risk), and the enhanced monitoring measures applied.

2. Screen for PEP status and sanctions

Dekker & Visser screens Hendrik Rietmolen against the World-Check PEP and sanctions database. Result: no PEP match and no sanctions match. The screen is repeated at the start of each audit cycle.

Documentation note

Record the database used, the screening date, the result, and confirmation that the screen will be repeated annually.

3. Identify a suspicious transaction during fieldwork

During testing of the shareholder loan balance, the audit team notes that €1.8M of the €9M shareholder loan was advanced in four cash tranches of €440K–€460K over a two-month period. The source of these funds is a personal bank account held by Hendrik Rietmolen at a bank in a country on the EU high-risk third country list. The client’s explanation: proceeds from the sale of a holiday property in that jurisdiction.

Procedure: request documentary evidence of the property sale (sale contract, notarial deed, bank statement showing the proceeds). The client provides a sale contract, but the contract is between two parties neither of which is Hendrik Rietmolen (it names a different individual as seller). The bank statement shows the funds originating from a corporate account, not from the named purchaser.

Assessment: the transaction has no clear economic rationale consistent with the explanation provided. The documentation is inconsistent. This triggers the Wwft Article 16 reporting obligation. The “reasonable grounds to suspect” threshold is met.

Action: the engagement partner files a suspicious transaction report with FIU-Nederland through the goAML portal. No one informs the client (Wwft Article 23 tipping-off prohibition). The firm’s AML compliance officer is notified. Fieldwork continues.

Documentation note

Record the suspicious transaction indicators identified (Wwft Indicatorenlijst reference), the date of the FIU report (goAML reference number), confirmation that the tipping-off prohibition was observed, and a separate note (outside the audit file accessible to the client) recording the full details of the report.

4. Assess the audit implications under ISA 250.19

The suspicious transaction raises questions under ISA 250.14 (non-compliance with laws), ISA 240.35 (fraud risk indicators), ISA 570.10 (if the client’s financial position depends on funds whose origin is unexplained), and ISA 260.16 (communication with those charged with governance). Dekker & Visser evaluates: the €1.8M shareholder loan is 3.8% of total assets and 19% of equity. If the loan were reclassified or written off, it would breach the bank’s loan-to-value covenants on two properties.

Dekker & Visser’s engagement partner communicates concerns about the shareholder loan documentation to the supervisory board under ISA 250.19, framing the communication around the documentary inconsistencies and the need for the board to investigate the source of funds. No reference is made to the Wwft report. The language is specific to the audit evidence gap, not to the AML reporting.

Documentation note

Record the ISA 250.19 communication (date, recipients, content), the ISA 240.35 fraud risk reassessment, the ISA 570.10 going concern consideration, and the impact on the audit opinion assessment.

This worked example demonstrates the parallel tracks: the Wwft obligation (report to FIU, observe tipping-off prohibition) runs alongside the ISA obligations (ISA 250.19 communication, ISA 240.35 reassessment, ISA 570.10 evaluation). The two tracks share information but have different recipients, different legal bases, and different confidentiality constraints.

Practical checklist for every engagement

  1. Complete Wwft client due diligence before accepting any statutory audit engagement. Identify and verify the client entity, identify and verify the UBO, perform a risk assessment, and screen the UBO against PEP and sanctions databases. Document each step in a Wwft client file separate from the audit engagement file.
  2. Repeat PEP and sanctions screening at the start of each audit cycle. Update the risk assessment if the client’s business profile, ownership structure, or sector risk indicators have changed.
  3. During fieldwork, remain alert to Wwft subjective indicators: transactions with no apparent economic purpose, transactions inconsistent with the client’s business profile, payments to or from high-risk jurisdictions, structuring of transactions to avoid thresholds, and clients providing false or incomplete information about transaction purposes.
  4. If a suspicious transaction is identified, report to FIU-Nederland through goAML without delay. Do not inform the client. Notify the firm’s AML compliance officer. Continue the audit. Document the report reference in a restricted-access section of the file.
  5. Draft ISA 250.19 communications carefully. Address the documentary and audit evidence issues without referencing any Wwft report filed. Have the firm’s AML compliance officer review the draft before sending.
  6. Retain all Wwft due diligence records for five years after the end of the business relationship with the client (Wwft Article 33), regardless of the firm’s standard audit file retention period.

Common mistakes regulators flag

  • Treating Wwft client due diligence as a one-time exercise performed at engagement acceptance and never updated. Wwft Article 3(2)(d) requires ongoing monitoring throughout the business relationship. The BFT’s 2023 thematic inspection of audit firms found that 40% of firms inspected had no documented process for ongoing client due diligence updates during the engagement.
  • Conflating the Wwft reporting obligation with the ISA 240.35 fraud risk assessment. A transaction that triggers a Wwft suspicion indicator must be reported to FIU-Nederland regardless of whether it constitutes a fraud risk to the financial statements. The two obligations have different thresholds, different reporting channels, and different legal consequences for failure.
  • Informing the client that a suspicious transaction report has been filed or is under consideration. The Wwft Article 23 tipping-off prohibition is absolute. Violation carries criminal sanctions. This includes indirect tipping-off, such as withdrawing from an engagement immediately after filing a report without an alternative explanation, or suddenly requesting documentation that makes the report obvious.

Frequently asked questions

Why are statutory auditors obliged entities under EU AML law?

AMLD4 (Directive 2015/849) Article 2(1)(3)(a) designates statutory auditors and audit firms as “obliged entities.” This is not optional and does not depend on the type of client or the size of the engagement. Every statutory auditor performing audit work in an EU member state has AML obligations including client due diligence, suspicious transaction reporting, record-keeping, and maintaining internal AML policies.

What is the threshold for reporting a suspicious transaction under the Wwft?

The threshold is “reasonable grounds to suspect” that a transaction is related to money laundering or terrorist financing (Wwft Article 16). You do not need to be certain that money laundering is occurring. You do not need to complete an investigation. The Wwft Indicatorenlijst provides guidance on objective indicators (e.g., transactions involving EU high-risk third countries) and subjective indicators (e.g., transactions with no apparent economic purpose).

Can an auditor tell the client about a suspicious transaction report?

No. Wwft Article 23 prohibits tipping off the client or anyone other than FIU-Nederland and the firm’s AML compliance officer. This includes indirect tipping-off, such as withdrawing from an engagement immediately after filing a report without an alternative explanation. The tipping-off prohibition is absolute and violation carries criminal sanctions.

How do AML obligations interact with ISA 250?

ISA 250.14 requires the auditor to identify non-compliance with laws that may have a material financial statement effect. Penalties for AML non-compliance can be material. ISA 250.19 requires communication to those charged with governance, but the Wwft tipping-off prohibition constrains what you can say. You can communicate concerns about the underlying transactions under ISA 250 without referencing the Wwft report. The two obligations run in parallel with different legal bases and confidentiality constraints.

What changes does the 2024 EU AML package bring for auditors?

The 2024 package includes the AML Regulation (directly applicable across member states from 10 July 2027), AMLD6, and the AMLA regulation. Key changes include a maximum harmonised framework for client due diligence, more detailed UBO identification rules, a harmonised PEP definition, and expanded enhanced due diligence triggers. Auditors remain obliged entities supervised at national level, but the specific requirements within each duty category are tightened.

Further reading and source references

  • AMLD4, Directive (EU) 2015/849: Article 2(1)(3)(a) on auditors as obliged entities, Articles 11–24 on due diligence requirements.
  • Wwft, Wet ter voorkoming van witwassen en financieren van terrorisme: Articles 3, 8, 16, 16a, 22, 23, and 33 on Dutch implementation.
  • ISA 250, Consideration of Laws and Regulations in an Audit of Financial Statements: paragraphs 13–23 on auditor responsibilities.
  • AML Regulation, Regulation (EU) 2024/1624: the directly applicable framework effective from 10 July 2027.
  • AMLD6, Directive (EU) 2024/1640: replacement directive for AMLD4, transposition deadline 10 July 2027.
  • BFT enforcement actions: published decisions on Wwft non-compliance by audit firms in the Netherlands.