What does Wwft client due diligence require before accepting an engagement?

The Wwft requires four steps before establishing a business relationship: identify the client (name, legal form, address, KVK number), verify the client's identity using independent sources, identify and verify the Ultimate Beneficial Owner (natural person holding more than 25% of shares/voting rights), and document the purpose and intended nature of the business relationship. Enhanced due diligence applies for high-risk countries, PEPs, and elevated-risk situations identified in your risk assessment.

Wwft Compliance for Dutch Audit Firms: What You Actually Need to Do

Q: Which accountants and services fall under the Wwft?

All external registered accountants (registeraccountants) and external accounting consultants (accountants-administratieconsulenten) are designated as institutions under the Wwft. The scope isn't limited to statutory audit work: any professional activity performed in your capacity as an external accountant falls within scope, including compilation engagements, forensic accounting, advisory services related to financial statements, and bookkeeping. A sole practitioner compiling financial statements for five clients has the same obligations as a 200-person audit firm.

Q: What penalties can the BFT impose for Wwft violations?

The BFT can issue directions (aanwijzingen) requiring corrective action, administrative fines up to a standard amount of 500,000 euros (moderated based on turnover, severity, and cooperation), and referrals to the Public Prosecution Service for criminal investigation. All sanctions are published by name. Recent published fines range from 1,000-2,000 euros for isolated violations at smaller practices to 133,559 euros for combined failures at larger firms.

Key takeaways

The Wwft applies to all external accountants performing professional activities, not just statutory audit work. A sole practitioner has the same obligations as a 200-person firm.
Client due diligence must be completed before establishing the business relationship. Starting work and completing the investigation later creates a compliance gap the BFT will flag.
Your firm must maintain a SIRA (Systematic Integrity Risk Analysis), designate a compliance officer, provide periodic training, and document internal procedures.
The EU AMLR (directly applicable regulation) will partially replace the Wwft from July 2027, requiring updates to your firm's procedures.

Which accountants and services fall under the Wwft

Article 1a, lid 4, letter b of the Wwft designates external registered accountants (registeraccountants) and external accounting consultants (accountants-administratieconsulenten) as institutions under the act. The scope is not limited to statutory audit work. Any professional activity performed in your capacity as an external accountant falls within scope, including compilation engagements, forensic accounting, advisory services related to financial statements, and bookkeeping.

The BFT's October 2024 Specific Guideline confirms that the nature of the activities determines whether the Wwft applies, not the scale. A sole practitioner compiling financial statements for five clients has the same obligations as a 200-person audit firm.

For audit firms, the practical question is usually not whether the Wwft applies (it does) but which engagements require a separate Wwft client investigation. The answer: every new client engagement. If the same client later asks for additional services, you don't need a new investigation, but you must update your risk assessment if the new service changes the risk profile.

Client due diligence: what the Wwft requires before you start work

The Wwft requires client due diligence (cliëntenonderzoek) before establishing a business relationship or performing an incidental service. For accountants, this means before signing the engagement letter. You cannot perform the investigation retroactively.

Standard due diligence under articles 3 and 4 involves four steps:

Identify the client. For a legal entity: name, legal form, registered address, and Chamber of Commerce number.
Verify the client's identity using reliable, independent sources. A KVK extract is usually sufficient for a standard-risk Dutch B.V.
Identify and verify the UBO. The Ultimate Beneficial Owner is the natural person holding (directly or indirectly) more than 25% of shares, voting rights, or ownership interest. For holding structures with multiple layers, trace through each entity to the natural person.
Document the purpose and intended nature of the business relationship.

Enhanced due diligence triggers

Enhanced due diligence applies for clients in high-risk countries (European Commission list), Politically Exposed Persons (PEPs) and their family members, and any situation where your risk assessment identifies elevated risk. Enhanced measures include obtaining additional information about the source of funds, more intensive monitoring, and senior management approval.

PEP screening is the step most commonly missed at smaller firms. PEPs include heads of state, government ministers, parliamentarians, senior judiciary members, central bank board members, ambassadors, and senior military officers. Family members and known close associates are also covered.

Monitoring and reporting unusual transactions

Under article 3, lid 2, letter d of the Wwft, you must monitor the business relationship on an ongoing basis. For accountants, "monitoring" means staying alert to transactions and activities you encounter during your professional work and assessing whether anything is unusual.

FIU-Nederland lists two relevant indicator categories for accountants:

Objective indicator: You must always report any transaction where you have reason to suspect it involves the financing of terrorism. No materiality thresholds apply.
Subjective indicator: You must report transactions you have reason to consider unusual. Judgment matters. The BFT asks whether you had a structured process for assessing transactions and whether your conclusions were documented.

Reports go to the FIU-Nederland through their online portal. You must not inform the client that a report has been or will be filed (the tipping-off prohibition under article 23). You are reporting unusual transactions, not proven criminal activity. If you wait until you are certain a transaction is criminal before reporting, you have likely missed the reporting deadline.

Firm-level requirements: SIRA, compliance, and training

The SIRA (Systematic Integrity Risk Analysis) is required under article 2b. Your firm must identify and assess money laundering and terrorist financing risks relevant to your practice. It is not a one-time exercise. The BFT expects you to update it when your client base, services, or risk environment changes.

Article 2d requires the firm to appoint a compliance officer (or equivalent function). For smaller firms, this doesn't have to be a dedicated full-time role, but someone must be formally designated and that designation must be documented.

Training obligations under article 35 require periodic training documented in a verifiable way, including a training plan for each employee. The BFT checks training records during inspections.

Screening obligations require you to verify the background of employees in positions that could expose the firm to integrity risks, ranging from CV checks to requesting a Verklaring Omtrent het Gedrag (VOG).

Internal procedures must be documented and available to the BFT at all times, covering due diligence, transaction assessment, FIU reporting, SIRA maintenance, and information retention.

Worked example: Wwft file for a new statutory audit client

Firm: Kuiper and Hoekstra Accountants B.V., a non-PIE firm in Utrecht with 6 partners. Prospective client: Van Leeuwen Vastgoed B.V., a real estate investment company (€22M portfolio, 8 employees) seeking a statutory audit. Held through Van Leeuwen Holding B.V. (100% shareholder: J.P. van Leeuwen, Dutch national).

1. Identify the client and verify identity

Record the company details and request a recent KVK extract (not older than four weeks). File the extract with a date stamp. Record who performed the identification, the date, and the sources used.

2. Identify and verify the UBO

Van Leeuwen Vastgoed is 100% held by Van Leeuwen Holding, which is 100% held by J.P. van Leeuwen. The UBO is J.P. van Leeuwen. Draw the ownership chart and file it. Verify identity using a passport copy. Record full name, date of birth, nationality, and the nature and extent of interest.

3. Perform a risk assessment

Real estate is flagged as a higher-risk sector in the Dutch National Risk Assessment (NRA 2023). This does not mean you refuse the client. It means you apply enhanced vigilance. Assess source of funding, geographic exposure, and PEP status. In this case: no PEP, no high-risk country involvement, standard bank financing. Risk classification: elevated but manageable.

4. Document purpose and set up ongoing monitoring

Record that the relationship consists of an annual statutory audit. During each audit cycle, remain alert to transactions that appear unusual. Document the monitoring assessment at each engagement cycle in a separate section of the permanent audit file.

Total preparation time: approximately 90 minutes for a standard Dutch B.V. with a single holding layer.

What the BFT inspects and how enforcement works

The Bureau Financieel Toezicht conducts regular investigations (routine inspections), special investigations (triggered by signals), and partial investigations focused on specific Wwft obligations across multiple firms. Recent partial investigations have focused on risk policy, compliance functions, training obligations, and employee screening.

Enforcement tools include directions (aanwijzingen), administrative fines (standard amount €500,000, moderated based on circumstances), and referrals to the Public Prosecution Service. All sanctions are published by name.

Published enforcement actions show a pattern. The most common violations are insufficient client due diligence (particularly UBO identification), failure to report unusual transactions, failure to maintain monitoring procedures, and absence of documented internal procedures or SIRA. The fine for FSV Accountants + Adviseurs of €133,559 combined all of these elements. Smaller fines (€1,000-2,000) typically involve one or two isolated violations.

The EU AML reform package: what changes by 2027

In May 2024, the EU adopted a reform package consisting of the Anti-Money Laundering Regulation (AMLR), the sixth Anti-Money Laundering Directive (AMLD6), and the AMLA Regulation establishing a new EU-level authority.

The most significant change: the AMLR is a regulation, not a directive. It will be directly applicable without requiring national transposition. The current Wwft will be partially replaced by EU-level rules. The AMLR is expected to apply from July 2027.

The underlying obligations (due diligence, monitoring, reporting) remain conceptually similar, but specific requirements will change. Start tracking the AMLR implementation timeline in your firm's quality calendar now.

Practical checklist for Wwft compliance

Verify that every active client engagement has a completed Wwft file with identity verification, UBO identification and tracing, and a documented risk assessment.
Check whether your firm has a current, documented SIRA that reflects your actual client base and service portfolio.
Designate a compliance officer in writing and ensure the designation is filed where the BFT can find it.
Review your training records. Every employee should have a documented training plan and evidence of periodic Wwft training.
Register for the FIU-Nederland reporting portal before you need it.
For elevated-risk clients, document the additional due diligence measures you applied.

Common mistakes

Performing Wwft client investigation after the engagement has started. The Wwft requires due diligence before establishing the business relationship. The BFT's 2024 Specific Guideline is explicit on this point.
Failing to trace through holding structures to the natural person UBO. A KVK extract showing the direct shareholder is a holding company is not sufficient. You need to continue to the natural person. This deficiency appeared in multiple published enforcement actions.
Treating the SIRA as a one-time document. The Wwft requires your risk analysis to reflect your current client base and risk environment. A SIRA written in 2019 that has not been updated will not satisfy the BFT.

Get practical audit insights, weekly.

No exam theory. Just what makes audits run faster.

No spam — we're auditors, not marketers.

Frequently asked questions

Which accountants and services fall under the Wwft?

All external registered accountants and accounting consultants are designated as institutions under the Wwft. The scope covers any professional activity including compilation engagements, forensic accounting, advisory services, and bookkeeping. A sole practitioner has the same obligations as a 200-person firm.

What does Wwft client due diligence require?

Four steps before establishing the business relationship: identify the client, verify identity using independent sources, identify and verify the UBO (natural person holding more than 25% of shares/voting rights), and document the purpose and nature of the relationship. Enhanced due diligence applies for high-risk countries, PEPs, and elevated-risk situations.

What is a SIRA and why does the BFT require it?

A SIRA (Systematic Integrity Risk Analysis) is required under article 2b. Your firm must identify and assess money laundering and terrorist financing risks. It must be updated when your client base, services, or risk environment changes. Firms without a documented SIRA face enforcement action.

What penalties can the BFT impose for Wwft violations?

The BFT can issue directions requiring corrective action, administrative fines up to a standard 500,000 euros (moderated based on circumstances), and referrals to the Public Prosecution Service. All sanctions are published by name. Recent fines range from 1,000 euros for isolated violations to 133,559 euros for combined failures.