Under the Dutch Wwft (Wet ter voorkoming van witwassen en financieren van terrorisme) and the Sanctions Act 1977, audit firms must screen clients, UBOs, directors, and relevant counterparties against EU and Dutch sanctions lists at acceptance, during the engagement, and whenever lists are updated, documenting each screening result.

What you’ll learn
  • How the Wwft and Sanctions Act 1977 create separate but overlapping obligations for audit firms in the Netherlands
  • What the BFT (Bureau Financieel Toezicht) expects to see in your sanctions screening records
  • How to build a sanctions screening workflow that covers client acceptance, ongoing monitoring, list updates, and hit resolution
  • What changed with EU Directive 2024/1226 (criminalisation of sanctions violations, transposition deadline May 2025) and why it affects your firm’s risk exposure

Two separate legal obligations, one screening process

Dutch audit firms operate under two distinct legal regimes that both require sanctions screening. The Wwft is the anti-money laundering and counter-terrorist financing law. It designates accountants as “gatekeepers” and requires them to perform client due diligence (CDD), including identification, verification, UBO determination, and risk assessment. The Bureau Financieel Toezicht (BFT) supervises audit firms’ compliance with the Wwft.

The Sanctions Act 1977 (Sanctiewet 1977) is a separate statute that implements EU and UN sanctions regulations in Dutch law. It imposes a direct prohibition on providing funds or economic resources to designated persons. Unlike the Wwft, which focuses on detection and reporting, the Sanctions Act creates an absolute prohibition. Providing services to a designated person is itself an offence, regardless of whether you knew they were designated.

For audit firms specifically, the BFT clarified in its October 2024 guidance that Wwft institutions must include sanctions risk in their firm-wide risk assessment (the SIRA, Systematic Integrity Risk Analysis). In its June 2024 revised Guidelines, the AFM reinforced this, stating that institutions must document who is screened, against which lists, who is responsible for screening, and how hits are resolved.

One screening process must satisfy both laws simultaneously. The Wwft drives the timing (client acceptance, ongoing CDD reviews). Sanctions Act obligations drive the scope (every designated person must be caught, regardless of CDD timing). If you screen only at acceptance and never again, you satisfy neither.

The EU criminalisation directive

EU Directive 2024/1226, adopted April 2024, requires member states to criminalise intentional sanctions violations by May 2025. The directive explicitly lists accounting, auditing, and tax consulting services among the service types covered. Maximum penalties for legal persons: the higher of €40 million or 5% of total worldwide turnover. The Netherlands was required to transpose this directive by May 2025, making the criminal liability exposure for audit firms concrete rather than theoretical. This changes the risk calculus for partners: a sanctions screening failure is no longer only a BFT administrative fine. It is a potential criminal offence.

Who you must screen and against which lists

The persons you must screen depend on your CDD obligations under the Wwft combined with the Sanctions Act’s broader prohibition.

At minimum, screen the client entity itself (including all trade names and legal name variants). Screen every UBO identified during CDD (the natural persons who ultimately own or control the entity, using the 25% ownership threshold under the Wwft). Screen every person authorised to represent the client in the engagement (directors, signatories, persons providing management representations). And screen any counterparty to a material transaction where your firm provides a service related to that transaction (for example, if you audit a transaction where the counterparty is in a high-risk jurisdiction).

The lists you screen against must include the EU Consolidated Financial Sanctions List (maintained by the European Commission, updated when Council Regulations are published in the Official Journal), the Dutch national sanctions list (maintained by the Ministry of Foreign Affairs), and the UN Security Council Consolidated List. Many firms also screen against OFAC’s Specially Designated Nationals (SDN) list because of the cross-border nature of their clients’ operations, though this is not legally required under Dutch law.

The AFM’s 2024 Guidelines specify that firms must record which lists they screen against. If you only screen against the EU list but not the Dutch national list, document that decision. The BFT can ask why.

When screening must happen

Screening is not a one-time event. The Wwft and Sanctions Act create four distinct screening moments.

Client acceptance

Before you sign the engagement letter, screen all relevant persons against all relevant lists. If you find a hit, do not accept the engagement until the hit is resolved (either confirmed as a false positive or escalated to the compliance officer and, if necessary, reported). The Wwft prohibits you from providing services if CDD cannot be completed (Wwft Article 5(1)).

Periodic CDD review

The Wwft requires ongoing monitoring of the business relationship (Wwft Article 3(2)(d)). The frequency depends on the client’s risk classification: annual for standard-risk clients, more frequent for high-risk. Each periodic review should include a fresh sanctions screen.

List update screening

When the EU publishes a new sanctions package (and 16 packages have been adopted against Russia alone since February 2022), your existing client base must be re-screened against the updated list. The Sanctions Act’s prohibition is immediate upon publication in the Official Journal. There is no grace period. If a person is designated today, providing services to them tomorrow is an offence. For firms with 50 or more Wwft clients, manual re-screening after every list update is impractical. Automated screening tools that monitor list changes and flag new matches are the standard approach.

Event-driven screening

If you become aware of a change in the client’s ownership or control structure during the engagement (a new UBO, a change of director, a corporate restructuring), screen the new persons before continuing to provide services. ISA 550.17 already requires you to remain alert to related party information during the audit. Sanctions screening is an extension of that alertness.

What documentation the BFT expects

The AFM’s revised 2024 Guidelines and the BFT’s inspection practice set a clear documentation standard. Your firm must be able to produce, for every client, four categories of evidence.

A record of each screening event: the date, the persons screened, the lists screened against, and the outcome (no hit, false positive resolved, or true hit escalated). This record must be retrievable per client. If the BFT asks to see the screening history for Client X, you produce it.

Evidence of the screening method used. If you use a commercial screening tool (such as World-Check, Dow Jones Risk & Compliance, or Orbis), record the tool name, version, list source, and date of the list update applied. If you screen manually using the EU’s sanctions map (sanctionsmap.eu), save a screenshot or PDF showing the search query, the date, the list version, and the result. The AFM’s Guidelines state that institutions must record the basis on which screening was performed.

Hit resolution documentation. For every positive match, document how it was resolved. Was it a false positive (different person, common name, date of birth mismatch)? Who made that determination? If it was a true positive, what action was taken? Was the compliance officer notified? Was FIU-NL informed? The decision trail must be complete.

Firm-level policy documentation. Your Wwft policy manual must describe the screening process, the lists used, the frequency of screening, and the escalation procedure. The SIRA must include sanctions risk. Staff training records must show that relevant personnel understand their obligations. The BFT checks all of these during inspections.

Hit resolution: what to do when a name matches

Most hits from screening tools are false positives. Common names, transliteration variants, and partial matches generate noise. But every hit requires a documented resolution.

Step one: compare the identifying information. Match the entity or person against the sanctions listing entry using all available data points (full legal name, date of birth, nationality, passport number, address, aliases listed in the sanctions regulation). If the identifying information does not match, document it as a false positive. Save the comparison.

Step two: if the identifying information is ambiguous or matches on multiple data points, escalate to the firm’s compliance officer immediately. Do not continue providing services until the matter is resolved. The compliance officer determines whether to request additional information from the client, consult the firm’s legal adviser, or report to the relevant authority.

Step three: if the person is confirmed as designated, you must freeze any economic resources you control (which is unusual for an audit firm, but could include retaining client funds in an escrow context) and report to the appropriate authority. You must terminate the engagement. Under the Sanctions Act, continuing to provide audit services to a designated person is a direct violation. Under EU Directive 2024/1226, it is a criminal offence.

Step four: assess whether a report to FIU-NL is required under the Wwft’s unusual transaction reporting obligation. A true sanctions hit during CDD is an indicator of potential money laundering or terrorist financing. The reporting obligation under the Wwft is separate from the sanctions compliance obligation under the Sanctions Act. Both may apply.

Worked example: Bakker Maritime Services B.V.

Client scenario: Bakker Maritime Services B.V. is a Dutch ship management company with €22 million revenue. It manages a fleet of 14 vessels for various owners. Your firm receives a mandate for the FY2025 statutory audit. UBO: Johannes Bakker (Dutch national, 62% shareholding). Bakker Maritime has a subsidiary in Cyprus (Bakker Maritime Cyprus Ltd.) and contracts with a Turkish port services provider (Karadeniz Liman A.S.) for bunkering services.

Step 1: Client acceptance screening

Screen Bakker Maritime Services B.V. (and trade name variants) against the EU Consolidated Financial Sanctions List, the Dutch national sanctions list, and the UN Consolidated List. For UBO Johannes Bakker, use full name, date of birth (14 March 1968), and Dutch nationality. Check the Cypriot subsidiary by legal name. Run Karadeniz Liman A.S. as a material counterparty in a jurisdiction with elevated sanctions risk.

Documentation note

Record the screening date (8 October 2025), tool used (World-Check One, list version 2025-10-07), persons screened, lists screened, and outcome. Save the screening report PDF in the client acceptance file under WP ref CA-04.

Step 2: Resolve the hit

The screening tool returns a potential match on “Karadeniz” against an entity on the EU Russia sanctions list (Council Regulation (EU) 2024/XXX). Compare identifying details. The sanctioned entity is Karadeniz Enerji (a Russian-owned energy company). The client’s counterparty is Karadeniz Liman A.S. (a Turkish port services company, different legal entity number, different jurisdiction, different ownership). Conclusion: false positive. Different legal entity, different beneficial ownership, different industry.

Documentation note

Document the false positive resolution. Record the sanctioned entity details alongside the client counterparty details. State the basis for the false positive determination (different KVK/registration number, different UBO, different jurisdiction). Compliance officer review: signed off by J. de Vries on 9 October 2025.

Step 3: Accept the engagement

All screening results are negative (one false positive resolved). CDD is complete. The engagement letter is signed on 11 October 2025.

Documentation note

Record the engagement acceptance date and confirm that sanctions screening was completed before the engagement letter was executed. Cross-reference to WP ref CA-04.

Step 4: Ongoing monitoring

On 15 January 2026, the EU publishes a new sanctions package. The firm’s automated screening tool re-screens the full client base against the updated list. No new hits for Bakker Maritime Services B.V. or its related persons. A screening event is logged automatically.

Documentation note

Record the re-screening date, list version, and outcome in the ongoing monitoring log. No action required. If the automated tool isn’t producing per-client logs, that gap needs fixing before the next BFT inspection.

Practical checklist

  1. Include sanctions risk in your SIRA. Verify that your firm’s Systematic Integrity Risk Analysis includes sanctions risk as a separate risk category, with assessment of the jurisdictions your clients operate in and the sectors with elevated sanctions exposure (ISA 220.18, ISQM 1.28).
  2. Screen before signing. Before signing any engagement letter, confirm that sanctions screening has been completed for the client entity, all identified UBOs, and all persons authorised to represent the client. Document the screening date, tool, lists, and outcome (Wwft Article 3(2)).
  3. Re-screen on list updates. Set your screening tool (or manual process) to re-screen the full client base whenever the EU publishes a new sanctions regulation. Verify that the list update was applied within 24 hours of publication in the Official Journal.
  4. Document hit resolution thoroughly. For every screening hit, document the resolution with enough detail that the BFT can reconstruct your reasoning without asking you a question. False positive determinations must include the comparison of identifying data points.
  5. Review screening coverage annually. Are you screening the right persons against the right lists? Have new lists or jurisdictions become relevant since the last review?
  6. Train client-facing staff. Train all client-facing staff on the firm’s sanctions screening procedure, including how to recognise a situation that requires escalation. Record the training in the Wwft training log.

Common mistakes

  • Screening only at client acceptance and never again. The BFT’s inspection findings consistently cite this as the most common gap. The EU published 16 Russia sanctions packages between February 2022 and December 2024. A client screened clean in 2022 may have a UBO who was designated in 2024. If you didn’t re-screen, you don’t know.
  • Using only the EU sanctions map without saving evidence. The EU sanctions map (sanctionsmap.eu) is a valid source, but it produces no audit trail by default. If you screen manually, you need a screenshot or PDF export showing the search term, date, and result. “Checked, no hits” written in a Word document is not evidence of a screening event. It is evidence of a claim.
  • Treating the Sanctions Act as a subset of the Wwft. They are separate laws with separate obligations. The Wwft requires CDD, risk assessment, and unusual transaction reporting. The Sanctions Act prohibits providing economic resources to designated persons. You can be fully Wwft-compliant and still breach the Sanctions Act if you fail to catch a designation that falls outside your CDD cycle. The screening process must serve both statutes independently.

Frequently asked questions

What sanctions screening obligations do Dutch audit firms have?

Dutch audit firms operate under two legal regimes: the Wwft (anti-money laundering law) requires client due diligence including sanctions screening as part of CDD, and the Sanctions Act 1977 imposes a direct prohibition on providing economic resources to designated persons. Firms must screen clients, UBOs, directors, and relevant counterparties against EU and Dutch sanctions lists at acceptance, during periodic CDD reviews, whenever lists are updated, and when ownership changes occur.

Which sanctions lists must audit firms screen against?

At minimum, firms must screen against the EU Consolidated Financial Sanctions List (maintained by the European Commission), the Dutch national sanctions list (maintained by the Ministry of Foreign Affairs), and the UN Security Council Consolidated List. Many firms also screen against OFAC’s SDN list due to cross-border client operations, though this is not legally required under Dutch law.

How often must audit firms perform sanctions screening?

Screening must happen at four points: client acceptance (before signing the engagement letter), periodic CDD review (annually for standard-risk, more frequently for high-risk clients), after every EU sanctions list update (the prohibition is immediate upon publication in the Official Journal), and when ownership or control changes are identified during the engagement.

What documentation does the BFT expect for sanctions screening?

The BFT expects four categories of evidence: a record of each screening event (date, persons screened, lists used, outcome), evidence of the screening method (tool name, list version, date), hit resolution documentation (false positive analysis or escalation records with full decision trail), and firm-level policy documentation including the SIRA, screening procedures, and staff training records.

What changed with EU Directive 2024/1226 on sanctions violations?

EU Directive 2024/1226, adopted April 2024, requires member states to criminalise intentional sanctions violations by May 2025. It explicitly lists accounting, auditing, and tax consulting services among covered service types. Maximum penalties for legal persons are the higher of €40 million or 5% of total worldwide turnover. This means a sanctions screening failure is no longer only an administrative fine from the BFT but a potential criminal offence.

Further reading and source references

  • Wwft (Wet ter voorkoming van witwassen en financieren van terrorisme): the Dutch anti-money laundering and counter-terrorist financing act, including CDD obligations for audit firms.
  • Sanctions Act 1977 (Sanctiewet 1977): the Dutch statute implementing EU and UN sanctions regulations.
  • EU Directive 2024/1226: criminalisation of intentional sanctions violations, adopted April 2024, transposition deadline May 2025.
  • AFM Revised Wwft Guidelines, June 2024: documentation and screening requirements for supervised institutions.
  • BFT October 2024 Guidance: requirements for including sanctions risk in the SIRA.
  • ISQM 1, Quality Management for Firms: the firm-level quality management standard, including risk assessment obligations relevant to sanctions screening.