Reporting crime still matters, but small firms need their own evidence trail before the trail goes cold.
On Monday morning, a founder opens the bank account and sees a supplier payment she does not recognise. The invoice looks familiar. The bank account does not. Someone in the company clicked, approved, and paid. Now the business needs the bank, the police, perhaps the insurer, and later maybe a lawyer. The money has already left.
The signal has to become readable
A 19 June Accountant.nl report on Algemene Rekenkamer concerns about serious crime reports revived a harder business question. What must a company still prove when a report, investigation, or prosecution route moves slowly, takes another form, or stops?
CBS recorded 815,940 registered crimes in 2024 and 816,210 in 2025, both provisional. CBS counts registered crime as crime recorded by the police in a complaint report or an official police report. That is the starting line. Investigation, prosecution, conviction, and recovery sit further down the chain.
The first mistake is waiting
Small firms often treat the police report as the central act. Something happens, the owner reports it, and the company waits. That reflex is understandable. A report matters for the bank, the insurer, a later civil claim, and the official record.
The wider official picture says the state works under pressure. Rijksoverheid’s 2025 police accountability report describes tight investigation capacity and pressure in the criminal justice chain. It also shows more use of alternative or supplementary interventions in digitised crime. The 2026 Justice and Security budget frames OM production around available capacity and budget. Serious investigation and undermining cases are described there as long, complex, and large.
For a founder, the practical message is simple. The state may act, but not always through the route or speed the company expects. The company still needs its own evidence trail.
That is where administration stops being back-office work. Dates, bank records, screenshots, email headers, supplier master data, access logs, approval notes, and loss calculations can decide whether the business still has usable options after the first report.
What to save in the first hours
Return to the Monday payment. The bank will want timing, account numbers, transaction details, and who authorised what. The police need a clear story and identifiers. If the incident is digital, Rijksoverheid says cybercrime can be reported at any police bureau and advises asking whether a digital expert can be present.
What the signal changes
That conversation is easier when the business preserves the trail before systems are cleaned. The first instinct should be to secure the evidence, not to tidy away the mess.
KVK’s invoice-fraud guidance is plain. Fake invoices often seem to come from known suppliers. KVK points entrepreneurs back to the administration: did the company order this, do invoice or order numbers match, does the sender match the supplier record, and is the bank account already known?
If payment has already been made, KVK points to a police report, bank contact, and keeping the report for possible court recovery. The lesson is not dramatic. It is accounting discipline. One email should not be able to change where money goes.
Fraud does not stay in one lane
The business exposure is wider than invoice fraud. CBS reported that in 2025, 17 percent of people aged 15 and older said they had been victims of online crime. Online fraud was 10.3 percent and purchase fraud 7.9 percent. These are personal victimisation figures, but they describe the same environment in which staff buy, sell, approve, and communicate.
For smaller employers, the control gap is visible in another CBS signal. In 2025, 86 percent of businesses with 250 or more employees had ten or more of twelve surveyed cyber precautions. Among firms with 2 to 9 employees, it was 13 percent. Small companies are busy, close to the customer, and often built on trust. That trust needs a few hard edges.
Some companies also carry formal gatekeeper duties. Where the Wwft applies, Rijksoverheid states that unusual transactions must be reported to FIU-Nederland, and failure to report is punishable. That route has its own logic and its own record.
Cash-heavy businesses have a separate 2026 point to absorb. Belastingdienst states that from 1 January 2026, cash payments of €3,000 or more are banned for pawnbrokers, art dealers, and traders in goods, including car dealers, jewellers, electronics shops, furniture shops, and retailers. Splitting transactions to avoid the ban also falls within the rule.
When legal business becomes criminal infrastructure
The 2026 Dreigingsbeeld Ondermijning Nederland, published through Rijksoverheid, gives another reason for small firms to take records seriously. It describes organised crime using legal companies and services for illegal activity. Legal companies and legal persons are increasingly a crucial link in criminal networks. FIU-Nederland received almost 3.5 million unusual transaction reports in 2024.
What founders should check
The right lesson is proportion. Ordinary business structures can be misused: a BV, a delivery address, a lease, a warehouse, a cash sale, a bank account, a fake supplier, a payroll relationship, or a professional service. The honest company then needs to show what it checked, what it knew, and when it acted.
Here the Monday founder returns. With a clean sequence of events, she can call the bank with precision, make a clearer report, notify an insurer if relevant, block access, warn the real supplier, and calculate the loss.
If the criminal route stops, Rechtspraak explains that a directly interested party can complain to the court of appeal under article 12 Sv when the OM does not prosecute or does not continue prosecution. A lawyer is not mandatory. Practical identifiers matter: a police mutation number, parket number where available, offence description, suspect details where known, and reasons for disagreement.
That is a reason to keep the trail alive.
Keep the trail before the incident
A small company does not need a thick manual for every risk. It needs ownership. Who calls the bank? Who preserves screenshots and logs? Who locks accounts? Who keeps the police number, bank case number, insurer correspondence, and internal decision note together? Who checks whether a Wwft or cash rule is in scope?
The answers should be boring before the incident. After the incident, boring becomes valuable.
The Dutch picture is one of selective enforcement in a high-volume environment. CBS shows registered crime remains large and stable. Police and OM documents show capacity, priority, complexity, and alternative handling are part of the system. KVK, Belastingdienst, Rijksoverheid, and Rechtspraak point to the same practical truth from different angles: a business cannot outsource its memory to the police report.
So report crime when reporting is the right route. But do not let the report become the only record. The company’s own evidence trail protects cash, staff, customers, suppliers, insurance position, tax explanation, compliance duties, and sometimes the last recovery route left.
For the small entrepreneur, that is adult business discipline. The first question after an incident is still what happened. The second is whether the company can prove it tomorrow morning.
Sources
- CBS source
- Rekenkamer: tienduizend ernstige misdrijven uit 2024 niet behandeld
- CBS – Victimisation and online crime pressure
- Rijksoverheid – Police investigation capacity and 2026 priorities
- Rijksoverheid – 2025 police results and alternative interventions
- Rijksoverheid – Openbaar Ministerie workload and serious case capacity
- Rechtspraak – Legal route when prosecution stops
- Rijksoverheid – Cybercrime reporting routes
Referenced in the article
Column | Ledger & Tax
Family Mortgages Need Market Rates Before Trust Can Work
The 2023 Belastingdienst examples show the method. A 2026 family loan needs its own current market comparison.
The Polder is written for readers who need the Dutch business environment translated into practical meaning. Corrections, source policy and editorial accountability are part of the publication record.
