The GDPR requires that any processing of personal data must occur on a valid basis, such as a legal basis. The Wwft is a valid legal basis of this kind. As an entity with an obligation to report, you process the personal data of customers, representatives, and ultimate beneficiaries, among others. This means that, within the framework of the Wwft, you are required to process personal data for the purpose of carrying out checks on your customers.

’Know Your Customer’ checks as required by the Wwft must be carried out in accordance with the provisions of Chapter 2 of the Wwft. Among other things, this means that the identity of the customer (e.g., a buyer) and, if applicable, of the ultimate beneficiary, must be established and recorded. On the basis of the Wwft, this data must be retained for five years after the transaction or the termination of the business relationship. The same holds for data relating to unusual transactions.

Based on the Money Laundering and Terrorist Financing (Prevention) Act (Wwft), reporting entities are under an obligation to report any unusual transaction, whether completed or intended. If you fail to do so, you are in breach of the Wwft. If, whether intentionally or unintentionally, you do not meet the obligation to report, you commit an economic crime that has certain consequences. Further information on failure to report an unusual transaction can be found on the page Obligation to report.

If your organization is registered with FIU-the Netherlands, it has a unique identity number for submitting reports: the Reporting ID. You can find the Reporting ID in the reporting portal under ‘My Reporting Details’.