Frank Oranje stole €9.1 million from the Pels Rijcken law firm over 15 years by exploiting a single vulnerability: a single person controlled payments without routine verification.
Small businesses face a higher fraud risk than large firms because trust replaces controls.
External detection systems react after damage occurs. Internal controls, including payment reviews, dual authorization, and separation of duties, stop fraud before it starts.
How One Person Stole €9 Million: The Core Facts
- The method: Oranje forged documents, created fake foundations, and exploited derdengeldenrekeningen. These are third-party accounts where client funds are held during transactions.
- The gap: One person approved payments, executed transfers, and recorded transactions. No routine verification for fifteen years.
- The detection: Banks flagged suspicious transactions to FIU-Nederland (the Financial Intelligence Unit). By then, damage had already exceeded 9 million.
- The lesson: Trust without structural safeguards creates opportunities for fraud. Small businesses lose more to fraud than large ones. Median €185,000 vs. €96,000. Why? Because 42% of small business fraud stems from a lack of controls.
- The fix: Install monthly payment reviews, dual authorization above your threshold, separation between approval and execution, and quarterly reconciliation.
Frank Oranje was managing partner at Pels Rijcken, one of the Netherlands’ most prestigious law firms. Over fifteen years, he siphoned €9.1 million from client accounts.
The amount grabs headlines. But the mechanism matters more.
The gap allowing 9 million to leave Pels Rijcken is the same gap threatening your business: trust carrying the full load of financial control without structural safeguards.
What Happened: The Fraud Mechanism Explained
How the Theft Worked
Oranje executed no dramatic heist. He used forged documents and established foundations with misleading names. He exploited derdengeldenrekeningen, third-party accounts where client money sits during transactions. Dutch law requires these accounts to remain separate from operational funds, as mixing them creates risk.
The tuchtrechter called his methods “more brutal than brilliant”. Translation: This wasn’t sophisticated fraud. It was a systematic exploitation of unregulated familiarity.
One person controlled payments. One person held authority. One person faced no routine verification.
For fifteen years, that was enough.
Bottom line: Fraud doesn’t need sophistication. It needs unchecked access plus time.
How External Systems Detect Fraud (And Why That’s Too Late)
The Detection Timeline
Banks flagged suspicious transactions to FIU-Nederland (the Financial Intelligence Unit).
The Public Prosecutor started an investigation with FIOD in 2019. By then, damage had accumulated over a decade.
Why External Detection Fails Prevention
External detection systems are reactive, not preventive.
Your bank monitors patterns throughout thousands of accounts. They detect deviations from normal behavior, but only after they occur. FIU-Nederland analyzes atypical transactions to determine whether there are sufficient grounds to declare them suspicious. If declared suspicious, the reporting entity gets informed.
By then, you’re managing damage, not preventing it.
Internal prevention means knowing what “normal” looks like in your own cash flow before external systems notice something’s off.
Bottom line: Banks detect fraud after it happens. Internal controls prevent it before it starts.
Why Small Businesses Face Higher Fraud Risk Than Large Organizations
The Data on Small Business Fraud
You might think institutional fraud doesn’t apply to your operation.
The data says otherwise.
Small businesses (under 100 employees) globally experience a median annual loss of €185,000 to fraud. Larger organizations lose a median of €96,000.
More concerning: 42% of fraud in small businesses stems from a lack of controls, compared with 25% in larger organizations.
The reason? Owners of small businesses put too much trust in employees.
This is the exact vulnerability Oranje exploited at an institutional scale.
The Cost in Real Numbers
Organizations lose an average of 5% of annual revenue to fraud. For a Dutch micro-enterprise with 200,000 annual revenue, you’re looking at 10,000 annually. That’s part-time help or growth investment.
The typical fraud lasts 12 months before it is detected. In small businesses, the median loss reaches €130,000. Often enough to threaten survival.
How Status Delays Detection
Oranje held the title of bestuursvoorzitter (managing partner). Ultimate authority.
Professor Leen Paape of Nyenrode Business School noted: “If the chairman of the board gets away with stealing millions for years, then obviously something is wrong.”
Small businesses face the inverse problem: a lack of official structure makes everything seem casual, so nothing is systematically questioned.
Owners and executives account for the largest fraud losses (a median of €425,000) because they have unchecked control. Employees are responsible for smaller but more frequent frauds (median €55,000).
The solution isn’t hierarchy. It’s routine.
Bottom line: Small businesses lose more to fraud because trust replaces controls. The solution is routine verification, not hierarchy.
What Derdengeldenrekeningen Teach About Separation of Concerns
How Third-Party Accounts Work
Derdengeldenrekeningen exist because Dutch law recognizes a fundamental principle: client money must stay separate from operational money.
No shortfalls are allowed because these accounts serve as safe parking places. The system recently introduced segregated bank accounts as an alternative. Funds are segregated by law from the financial institution’s own funds. This creates a segregated pool protecting third-party rights even in bankruptcy.
This separation of concerns is what Oranje violated.
The Principle Applied to Micro-Enterprises
Micro-enterprises ought to replicate this principle in their own payment processes. Not through formal third-party accounts, but through the principle itself: Separate roles. Separate accounts. Separate authorization.
When one person approves payments, executes transfers, and records transactions, you’ve eliminated the friction that catches errors and prevents intentional misconduct.
Bottom line: Separation of concerns isn’t bureaucracy. It’s the friction needed to catch mistakes and deter fraud.
The Reputational Cost That Exceeds Financial Loss
What Happened to Pels Rijcken
Pels Rijcken divested its entire notarial branch.
The fraud caused considerable reputational damage within the notariaat and advocatuur. The firm reimbursed third-party accounts and compensated clients. Oranje’s actions caused damage far beyond the €9.1 million.
Why This Matters for Dutch SMEs
For Dutch SMEs operating in local markets where reputation is everything, the true cost goes beyond stolen euros.
Your business doesn’t have multiple divisions to sacrifice. One incident erases years of careful relationship-building.
Preventive control isn’t bureaucracy. It’s insurance for your market status.
Bottom line: Damage to reputation often exceeds financial loss. Your business has no divisions to sacrifice.
What Pels Rijcken Changed After the Fraud
The Post-Fraud Measures
Following the fraud, Pels Rijcken commissioned a forensic investigation by Deloitte.
The resulting measures were simple:
Payments of large amounts will be checked with the recipient first. The firm will verify if notaries are involved with foundations unknown to the firm.
These aren’t expensive technology solutions or complex systems. They’re routine checking steps.
Verification routines stop fraud, not trust in hierarchy.
Control Points You Install This Week
Monthly Payment Review
Spend 30 minutes reviewing all payments over €500.
Ask yourself: “Do I have proof of this decision in six months?”
If the answer requires context only you possess, your documentation is too weak.
Dual Authorization for Significant Payments
Set a threshold. €1,000, €2,500, whatever makes sense for your revenue. Above your threshold, two people approve.
This doesn’t mean you distrust your bookkeeper. You’ve installed measures to catch friction and deter misconduct.
Separate Payment Execution from Payment Approval
The person who says “yes, pay this invoice” shouldn’t be the same person who initiates the bank transfer.
If you’re a solo founder, schedule payment batches and review them before execution. Even if you’re reviewing your own decisions.
Document the “Why” for Irregular Transactions
Large one-time payments, payments to new vendors, and payments outside normal patterns all need a note.
Not for the Belastingdienst. For you. Six months from now. When you’re trying to reconstruct what happened.
Quarterly Reconciliation
Match your bank statements to your bookkeeping. Look for payments that left your account but don’t appear in your books, or vice versa.
This catches both errors and intentional gaps.
Bottom line: These controls cost a few hours per month. They prevent problems that cost you your business.
The Question That Prevents Most Fraud
The Discipline Line
Here’s the discipline line that changes behavior:
“Do I have proof of this decision in six months?”
If the answer is no, you don’t have governance. You have memory.
Memory fails. Documentation doesn’t.
The Pels Rijcken case shows that even distinguished institutions with professional staff failed this test for fifteen years. You don’t have their buffer. You need the discipline they lacked.
Bottom line: Documentation is proof. Memory is not governance.
What This Means for Expat Entrepreneurs in the Netherlands
Additional Scrutiny for Foreign Owners
If you’re operating a micro-business in the Netherlands, you face additional scrutiny.
Belastingdienst examines structures they don’t immediately recognize. Dutch banks ask more questions about payment patterns from foreign-registered entities or owners without long Dutch financial histories. Partners and clients need additional confidence in your processes.
Documentation becomes external communication, not internal record-keeping.
When you demonstrate clear authorization trails, separation of duties, and routine verification, you’re building credibility with the institutions that decide whether you operate smoothly in the Dutch market.
Bottom line: For expat entrepreneurs, documentation proves legitimacy to Dutch institutions.
The Unpleasant Truth About Trust-Based Culture
Dutch Business Culture and Control Gaps
Dutch business culture emphasizes trust in relationships and casual agreements.
This facilitates collaboration. It also creates blind spots where questioning feels like distrust.
The Pels Rijcken case suggests that as regulatory scrutiny increases (European banking regulations, anti-money laundering directives, enhanced KvK reporting requirements), the gap between informal practices and formal requirements will become a growing liability.
Trust is human. Control is structural. You need both.
Installing controls doesn’t mean you distrust your team. You’ve built a system protecting everyone, including the people you trust, from situations in which trust alone isn’t enough.
Bottom line: Trust facilitates collaboration. Controls stop exploitation. You need both.
Why This Matters More for Micro-Enterprises
The Cash Flow Visibility Problem
Large firms absorb gradual leakage. They have buffers, reserves, and multiple revenue streams.
You don’t.
For micro-enterprises, cash flow visibility equals business continuity. When 5,000 leaves your account unexpectedly, you feel it immediately. You might miss payroll. You might postpone a supplier payment. You might lose the ability to grab an opportunity calling for quick capital.
This makes real-time financial awareness an existential business discipline.
The control points listed above aren’t meant to catch sophisticated criminals. They’re about catching drift: the slow accumulation of informal decisions creating exposure.
Bottom line: For micro-enterprises, cash flow visibility equals survival. Controls catch drift before it becomes a crisis.
Key Takeaways
- The mechanism: Frank Oranje’s fraud lasted fifteen years because one person controlled payments without routine verification. Your business has this same vulnerability.
- Small businesses face a higher risk: the median fraud loss is €185,000, compared with €96,000 for large organizations, because 42% of small-business fraud stems from inadequate controls.
- External detection is reactive: Banks and FIU-Nederland catch fraud after it happens. Internal controls prevent it before it starts.
- Trust without structure creates exposure: Dutch business culture emphasizes trust, but trust alone isn’t enough. You need role separation, dual authorization, and routine verification.
- Reputation exceeds financial cost: Pels Rijcken divested its entire notarial branch. Your business has no divisions to sacrifice.
- Install controls this week: Monthly payment reviews, dual authorization above your threshold, separation between approval and execution, and quarterly reconciliation. These routines cost a few hours per month. They stop problems that cost you your business.
- Documentation is proof: The question that prevents fraud is: “Do I have proof of this decision in six months?” Memory is not governance.
Frequently Asked Questions
What are derdengeldenrekeningen and why do they matter?
Derdengeldenrekeningen are third-party accounts where client money sits during transactions. Dutch law requires these accounts to remain separate from operational funds because mixing them creates risk. The principle applies to all businesses: separate client money from operational money, separate roles from authorization, separate approval from execution.
How long does fraud typically last before detection?
The typical fraud lasts 12 months before it is detected. In the Pels Rijcken case, fraud lasted fifteen years because one person controlled payments without routine verification. External systems (banks, FIU-Nederland) are reactive and catch fraud after it happens. Internal controls prevent it before it starts.
What is the median fraud loss for small businesses?
Small businesses (under 100 employees) experience a median annual loss of €185,000 to fraud. Larger organizations lose a median of only €96,000. Organizations lose an average of 5% of annual revenue to fraud. For a Dutch micro-enterprise with €200,000 annual revenue, that’s €10,000 annually.
Why do small businesses face higher fraud risk than large organizations?
42% of fraud in small businesses stems from a lack of controls, compared with 25% in larger organizations. Owners of small businesses put too much trust in employees. The lack of an official framework makes everything feel casual, so nothing is systematically questioned. Owners and executives account for the largest fraud losses (median of €425,000) because they have unchecked control.
What controls prevent fraud in micro-enterprises?
Monthly payment review (30 minutes reviewing all payments over 500), dual authorization for significant payments (requires two people to approve above your threshold), separate payment execution from payment approval (the person who approves shouldn’t execute), document the “why” for atypical transactions, and quarterly reconciliation (match bank statements to bookkeeping).
How do I implement dual authorization if I’m a solo founder?
Schedule payment batches and review them before execution. Even if you’re reviewing your own decisions. The goal is to create friction to catch mistakes. Ask yourself: “Do I have proof of this decision in six months?” If the answer is no, you don’t have governance.
What did Pels Rijcken change after the fraud?
Payments of large amounts will be checked with the recipient first. The firm will verify if notaries are involved with foundations unknown to the firm. These aren’t expensive technology solutions. They’re routine authentication steps preventing fraud.
Why does documentation matter for expat entrepreneurs in the Netherlands?
The Belastingdienst examines structures it doesn’t immediately recognize. Dutch banks ask more questions about payment patterns from foreign-registered entities. Documentation becomes external communication, not internal record-keeping. When you demonstrate clear authorization trails, separation of duties, and routine verification, you’re building credibility with institutions that decide whether you operate smoothly in the Dutch market.
