ThePolder News
Why Your Compliance Budget Won't Stop Financial Crime

TL;DR: Financial institutions spend billions on compliance technology while enforcement actions escalate. The problem isn’t the technology. It’s governance structure. Without clear accountability, documented decisions, and event-driven risk reassessment, even advanced systems fail. Dutch small businesses face identical structural weaknesses.

Core failures in financial crime prevention:

  • No single person owns enterprise-wide financial crime risk
  • Risk assessments function as annual paperwork exercises, not operational tools
  • Growth happens without corresponding control updates
  • Decision rationale goes undocumented, creating accountability gaps
  • Technology exists without governance to direct it

Global financial institutions spend billions on compliance technology. Yet enforcement actions grow larger and more frequent.

The pattern is clear: advanced technology does not prevent financial crime when governance is absent.

This problem doesn’t come from sophisticated criminals or outdated systems. The problem lives in boardrooms and executive committees where financial crime gets treated as an operational compliance issue instead of a balance sheet risk.

For expat entrepreneurs running small businesses in the Netherlands, this matters. The governance failures enabling financial crime at major institutions mirror the structural weaknesses creating exposure in micro and small companies.

Why Technology Alone Fails to Prevent Financial Crime

Financial institutions globally spend approximately €190 billion per year maintaining financial crime compliance programs. In the U.S. and Canada alone, spending reached €56 billion in 2024. 99% of institutions reported increased costs.

Enforcement actions continue to escalate.

TD Bank case study

In October 2024, TD Bank became the largest bank in U.S. history to plead guilty to Bank Secrecy Act program failures. The bank paid over €2.8 billion in penalties after allowing €620 million to be laundered through its accounts.

The bank had technology:

  • Machine learning models
  • Adaptive risk scoring
  • Integrated case management platforms

What TD Bank didn’t have was governance.

Between January 2018 and April 2024, TD Bank failed to monitor approximately $18.3 trillion worth of transaction activity. That’s 92% of total transaction volume.

This wasn’t a system limitation. The bank actively enforced a “flat cost paradigm” preventing any budget increase to the AML compliance program year-over-year, despite regulators identifying problems.

The Office of the Comptroller of the Currency stated: “TD Bank’s persistent prioritization of growth over controls allowed its employees to break the law.”

One criminal chose TD Bank specifically because it had the “most permissive policies.” He deposited more than €930,000 in cash in a single day.

Bottom line: Technology spending increases while governance decisions prioritize growth over control. The result is predictable enforcement action.

How These Failures Show Up in Dutch Small Businesses

The same governance failures enabling €620 million in money laundering at TD Bank exist in smaller forms across businesses throughout the Netherlands.

Unclear accountability

When multiple people touch financial decisions but no single person owns the outcome, control disappears.

In Dutch small businesses, this shows up when the founder approves invoices, the bookkeeper processes payments, and the accountant reviews everything quarterly. Each person assumes someone else is watching for problems.

Growth without control updates

You launch a new service, start accepting international payments, or add a business partner. Your compliance structure stays the same.

Risk accumulates quietly until De Nederlandsche Bank (DNB) or the Belastingdienst asks questions you can’t answer.

Cost control over risk management

You delay implementing proper invoice approval systems because they cost money. You skip formal contracts with suppliers because they slow things down. You handle cash informally because banking fees are high.

Each decision saves money today and creates exposure tomorrow.

Missing proof of decisions

You make good decisions based on trust and experience. When the Belastingdienst audits your company or a supplier relationship goes wrong, you can’t prove what you decided or why.

The system doesn’t measure your intentions. It measures your documentation.

Key insight: Small business governance failures mirror institutional patterns. The scale differs. The structure doesn’t.

Who Is Accountable When Financial Crime Occurs?

Major enforcement actions consistently reveal one pattern: no single executive is accountable for enterprise-wide financial crime risk.

Responsibility disperses across compliance, risk, legal, operations, fraud, and technology. When something fails, everyone points to someone else’s domain.

Individual liability is increasing

In January 2025, the OCC issued enforcement actions against individual Wells Fargo executives for governance failures:

  • Former Executive Audit Director: €1.4 million fine
  • Former Chief Auditor: €6.5 million fine
  • Former Community Bank Group Risk Officer: €9.3 million fine for failure to credibly challenge the bank’s incentive compensation program and failure to escalate known risks

Regulators now hold individuals accountable for governance failures, not only institutions.

What this means for Dutch business owners

You are the single point of accountability.

When your business structure allows financial crime or regulatory violations, Dutch authorities look to you personally. The Wet ter voorkoming van witwassen en financieren van terrorisme (Wwft) holds business owners responsible for knowing their customers and monitoring transactions.

If you can’t prove you implemented basic controls, you can’t claim you didn’t know.

Reality check: Regulatory enforcement increasingly targets individuals, not corporate entities. Personal liability follows governance failure.

Why Risk Assessments Fail

The Financial Action Task Force (FATF) sets international standards the Netherlands implements through the Wwft. These standards require risk-based approaches grounded in understanding your actual exposure.

Most institutions treat risk assessments as annual compliance exercises. They recycle prior-year documents with minor edits, use generic typologies instead of institution-specific analysis, and acknowledge emerging threats superficially without operationalizing them.

Danske Bank case study

Danske Bank processed an estimated €213 billion in suspicious transactions through its Estonian branch between 2007 and 2015. The SEC alleged up to 99% of the Estonian branch’s profits were derived from suspicious transactions from high-risk, non-resident customers.

Regulators warned the bank in 2012 about high money laundering risk compared to other banks. Senior management failed to take corrective action.

Internal communications from April 2013 show senior management were aware of concerns about “blacklisted Russian customers” and worried about “new orders in the AML area.” The priority was regulatory appearances over substantive fixes.

The bank paid €1.9 billion in fines in December 2022.

How this shows up in Dutch small businesses

Risk assessment failures follow the same pattern at smaller scale:

  • You start accepting cryptocurrency payments without assessing how this changes your Wwft obligations
  • You expand into cross-border e-commerce without understanding how this affects your BTW (VAT) and customs compliance
  • You hire international contractors without clarifying their tax status or your withholding responsibilities

Each expansion creates new risk. Without reassessment, the risk compounds invisibly.

Core problem: Risk assessment functions as annual paperwork instead of event-driven analysis. Business changes. Documentation doesn’t.

What Controls Actually Work

Technology doesn’t define risk appetite, determine escalation standards, or override commercial pressure. Those are governance decisions.

Here’s what reduces exposure in practice:

Single-point accountability for financial decisions

One person approves. A different person processes. A third person reviews. Document who did what and when.

This applies whether you’re processing a €500 supplier invoice or a €50,000 contract.

Event-driven risk reassessment

Every time you launch a new product, enter a new market, or change your business model, reassess your compliance obligations.

The Belastingdienst and DNB expect you to understand how changes affect your risk profile. Annual reviews are insufficient.

Proof of decision rationale

When you make exceptions to your normal processes, document why:

  • Paying a supplier early
  • Accepting cash over your usual threshold
  • Onboarding a customer without complete documentation

The decision might be reasonable. Without documentation, it looks like absent control.

Growth controls

Before you scale operations, confirm your compliance structure can handle the volume:

  • Can your bookkeeping system track additional transactions?
  • Do you have capacity to perform proper due diligence on new customers?
  • Can your documentation processes keep pace?

Regular control testing

Test your controls. Try to process an invoice without proper approval. Try to make a payment without documentation.

If your controls don’t catch it, they don’t work.

Takeaway: Effective controls require separation of duties, documentation of rationale, event-driven reassessment, and regular testing. Design alone proves nothing.

Why Founders Miss Governance Failures

You’re focused on revenue, product development, and customer acquisition. Compliance feels like bureaucratic overhead slowing everything down.

This perspective creates the exact conditions where control fails.

Financial crime and regulatory violations don’t announce themselves. They accumulate through small decisions that seem reasonable in isolation:

  • Paying a supplier without proper documentation because you trust them
  • Accepting cash to avoid transaction fees
  • Skipping customer verification because the deal is time-sensitive

Each decision makes sense operationally. Together, they create a structure where violations occur without detection.

The cost becomes visible only when it’s too late to prevent.

The pattern: Operational pressure overrides control discipline. Small exceptions accumulate into structural weakness.

What Dutch Regulatory Requirements Apply?

The Netherlands has specific obligations expat entrepreneurs often underestimate.

Wwft compliance

If your business handles certain financial transactions, provides services involving large cash amounts, or operates in sectors like real estate or precious metals, you must register with the Wwft.

Required actions:

  • Customer due diligence
  • Transaction monitoring
  • Suspicious activity reporting

DNB supervision

De Nederlandsche Bank supervises compliance with the Wwft for many sectors. They conduct inspections, issue fines, and can restrict your business operations if they find systematic failures.

Belastingdienst documentation requirements

Dutch tax authorities require you to maintain proper administration proving your income, expenses, and tax positions.

“I didn’t know” is not a defense when you can’t produce required documentation.

UBO register

The Ultimate Beneficial Owner register requires you to report who ultimately owns or controls your company. Failing to register or providing incorrect information creates liability.

Critical point: These obligations are structural requirements defining whether you’re operating legally. They’re not optional.

What Good Governance Looks Like

Good governance doesn’t require expensive technology or large compliance teams.

It requires structure:

  • You know who makes which decisions and who reviews them
  • You document the rationale for exceptions to standard processes
  • You reassess risk when your business changes
  • You test whether your controls work
  • You maintain proof of compliance you can produce on demand

When Dutch authorities ask questions, you answer with documentation, not explanations.

When suppliers, customers, or partners create unusual situations, you have a process for evaluating and documenting your response.

When you grow, your compliance structure grows with you.

This isn’t bureaucracy. It’s the price of maintaining control as your business becomes more complex.

Essential truth: Structure precedes scale. Governance enables growth without loss of control.

The Decision

Financial crime isn’t a technology problem. It’s a governance problem.

You can spend money on sophisticated systems and still fail if you haven’t defined who owns risk, how decisions get made, and what proof you maintain.

Or you can build the governance structure first and let technology support it.

Structure is cheaper than recovery.

If you can’t prove your decisions, you don’t control them.

Frequently Asked Questions

Does compliance technology prevent financial crime?

No. Technology provides tools for detection and monitoring. Governance provides the structure determining how those tools get used, who owns risk, and what actions follow detection. Without governance, technology generates alerts nobody acts on.

Who is accountable for financial crime in a small Dutch business?

You are. As the business owner or director, Dutch authorities hold you personally responsible under the Wwft for implementing controls, knowing your customers, and monitoring transactions. You can’t delegate accountability to your bookkeeper or accountant.

How often should I reassess my compliance obligations?

Every time your business changes. New products, new markets, new payment methods, new customer types, and new business partners all create new risk. Annual reviews are insufficient. Reassessment must be event-driven.

What happens if I can’t produce documentation during a Belastingdienst audit?

The Belastingdienst can reject your expense claims, assess additional tax, and impose penalties. “I didn’t know” is not a defense. The system measures your documentation, not your intentions.

What controls work for small businesses without large compliance teams?

Separation of duties (one person approves, another processes, a third reviews), documentation of decision rationale for exceptions, event-driven risk reassessment, and regular control testing. These don’t require technology or staff. They require discipline.

Can I avoid Wwft registration if my transactions are small?

No. Wwft obligations depend on your business type and activities, not transaction size. If you handle certain financial transactions, provide services involving large cash amounts, or operate in specific sectors (real estate, precious metals), registration is mandatory.

What’s the difference between governance and compliance?

Compliance is following rules. Governance is the structure determining who makes decisions, who reviews them, how risk gets assessed, and what proof gets maintained. Good governance makes compliance possible. Compliance without governance is theater.

Why do major banks with sophisticated systems still fail?

Because governance failures override technological capability. TD Bank had machine learning and risk scoring but enforced a “flat cost paradigm” preventing investment in controls. Danske Bank had systems but senior management prioritized regulatory appearances over substantive fixes. Technology doesn’t override executive decisions.

Key Takeaways

  • Financial crime is a governance problem, not a technology problem. Advanced systems fail without clear accountability and documented decision processes.
  • No single person owns enterprise-wide financial crime risk in most organizations. Responsibility disperses across departments. When failure occurs, everyone points to someone else.
  • Risk assessments function as annual paperwork exercises instead of event-driven analysis. Business changes. Documentation doesn’t.
  • Dutch business owners are personally accountable under the Wwft. You can’t delegate this responsibility to bookkeepers or accountants.
  • Effective controls require separation of duties, documentation of rationale, event-driven reassessment, and regular testing. Design alone proves nothing.
  • Operational pressure overrides control discipline. Small exceptions accumulate into structural weakness over time.
  • Structure is cheaper than recovery. Building governance before problems occur costs less than remediation after enforcement action.