The laws and regulations in our country are subject to many changes. What are the latest developments, and what exactly do you have to comply with? We are all aware that complexity is increasing. Our compliance specialists have a great deal of relevant experience and are always up to date. They can therefore take this burden off your hands while ensuring that you have all the necessary and current knowledge.


Compliance has many facets, and BrightStone Group can be deployed across all of them. We think along with you and help you move forward. Our compliance advice is effective and proactive. We ensure that the rules are complied with within the specified period. This is important, because that way your good reputation is preserved.


Is a project under pressure? BrightStone Group is happy to step in and ensures that it is completed well and quickly.

We always go for the best advice and solutions. We guarantee effective first- and second-line compliance support, for example for KYC and CDD. After all, a well-executed Know Your Customer (KYC) and / or Customer Due Diligence (CDD) process results in an audited and verified client with an investment portfolio tailored to that client's risk profile.

One of the aspects in which we specialise is compliance advice on the implementation of new laws and regulations. But there is more. Awareness, culture and support are just as important.

Regulatory Compliance

Our compliance advice covers the following areas of expertise:

De Nederlandsche Bank (DNB), the Dutch central bank, supervises the financial sector to safeguard financial stability and confidence. Part of this supervision is integrity supervision, which is aimed at a clean and honest financial sector. DNB’s supervision therefore focuses on combating Financial Economic Crime (FEC).

Recently, DNB identified Financial Economic Crime as one of the six greatest risks and challenges for the financial sector in the coming years. That is why financial economic crime is one of the spearheads for 2018-2022 within DNB's Vision on Supervision 2018. DNB is of the opinion that the management of integrity risks, such as preventing the (unintentional) facilitation of money laundering, terrorist financing and violations of sanctions legislation, can and must be improved. This will require constant attention and supervision in the coming year.


DNB aims to ensure that financial institutions take responsibility for ensuring ethical business operations and preventing involvement in financial and economic crime. In this area, the law requires institutions to establish policies, processes and procedures that enable them to identify financial and economic crime in a timely manner and to manage other integrity risks. In particular, institutions must be able to prevent criminals from laundering money, terrorists and sanctioned entities from gaining access to financial resources, and individuals from profiting from corrupt practices.


DNB sees that there has been improvement in the financial sector in recent years, but also states that a great deal of effort will still be needed across the sector. To achieve this improvement, DNB is in constant dialogue with various institutions within the banking sector. Outside the banking sector, supervision is expected to be scaled up further during 2018-2022.

BrightStone Group

As BrightStone Group we have a proven track record within the Financial Economic Crime domain. In addition to filling temporary capacity gaps, we are also able to enter into a dialogue with our customers as a knowledge partner. For example, we carry out complex consultancy assignments and are involved in the end-to-end delivery and management of projects within the FEC domain. In addition, we are in close contact with DNB and the AFM, so that we are always aware of the latest developments. Are you curious about what we can do for your organisation? Then feel free to contact us.

The Systematic Integrity Risk Analysis (SIRA) of financial institutions is the basis for safeguarding ethical business operations and preventing involvement in financial-economic crime. De Nederlandsche Bank (DNB) expects financial institutions to draw up policies based on the identified risks and to take effective measures to mitigate and control these risks. An effective and efficient SIRA contributes to this, according to DNB.

In the past, DNB has conducted several investigations into the SIRA. These have shown that the translation of the SIRA into practice is not always adequate. DNB is of the opinion that the SIRA is currently insufficiently used for the actual assessment and management of integrity risks. DNB still too often observes a discrepancy between the structure of the SIRA on the one hand and the implementation of ethical business operations and the gatekeeper function on the other.

Supervision of the SIRA

During the second half of 2016, DNB investigated the content of various SIRAs and how they work in practice. This investigation has led, among other things, to further guidance on the “integrity risk appetite”.

Last year (2017), the DNB started four investigations into the SIRA of various (financial) institutions. Within these investigations, DNB looked at the use, operation and control policy of the SIRA from various perspectives. The main purpose of these four studies was to further map out to what extent the SIRA leads to a correct risk assessment and an appropriate control policy.

In order to further map this out, DNB has investigated the effect of the risk analysis on:

  • the culture of integrity at banks, insurers and trust offices insofar as they are dealing with radical organizational changes;
  • the development of new products. This survey was conducted at a selection of banks;
  • the initiatives in the field of fintech at banks and payment institutions (resulting from the upcoming PSDII);
  • managing the risk of conflicts of interest in a selection of pension funds and health insurers.

Supervisory focus 2018

In 2018, DNB will conduct further research into the practical implementation of the SIRA. The DNB uses this to test how (financial) institutions allow the results of the SIRA to affect practice. This will look at both the risk assessment and the control measures taken. The focus of the DNB will mainly be on the main risks associated with the unique profile of the selected institutions.

The aforementioned investigation will explicitly cover all supervised sectors. On the basis of the different risk profiles, DNB will determine, per sector, which risks and which financial institutions are included in the investigation. In addition to an investigation into the documentation of the SIRA, DNB also intends to conduct an on-site investigation into the actual operation of the control framework.

Would you like to know more about SIRA or matters related to it? BrightStone Group is happy to think along with you. Please do not hesitate to contact us.

Some time ago the European Commission approved the fourth directive on anti-money laundering and terrorist financing (AMLD4). The AMLD4 is largely inspired by the recommendations and points for improvement of the Financial Action Task Force (FATF).

The introduction of the fourth anti-money laundering directive will have consequences for the laws and regulations that (financial) institutions must comply with. In particular, this will have consequences for the Money Laundering and Terrorist Financing Prevention Act (Wwft). Logically, a changed interpretation of the Wwft will mean that procedures and processes in the operational management of (financial) institutions will have to be re-examined.

Risk-based approach

The basis for proper management of all money laundering and terrorism financing risks is a complete risk assessment. Under AMLD4 this is required at three levels: the European Union, the member states (national level) and the organisation itself.

The Anti-Money Laundering Law (AML) refers to the above as the “three-stage rocket” of risk management. This risk-based approach requires that every organisation first identifies the sources of risk and then takes appropriate measures to control the risks of money laundering and terrorist financing. Under the directive, this risk assessment must be documented, kept up to date and available for audit.

Tightening PEP and UBO

The term Politically Exposed Person (PEP) has been further expanded. In AMLD4, the scope of the concept of PEP is broadened to include domestic PEPs. Before AMLD4, it was sufficient to identify foreign PEPs residing outside or within the Netherlands. This has significant consequences for companies, as this tightening will significantly increase the number of PEPs. All PEPs, both domestic and foreign, will now have to undergo mandatory enhanced due diligence, with no exceptions. In addition, an investigation will also have to be conducted into the origin of the assets of these PEPs.

One of the most important changes resulting from AMLD4 will probably relate to the Ultimate Beneficial Owner (UBO) of a legal entity. Previously, the law defined that only UBOs owning more than 25% of the shares were subject to identification and verification. Under AMLD4 this threshold becomes a minimum requirement. As a result, lower percentages may also serve as a basis for qualifying someone as a UBO.

UBO register

Another major change that deserves to be dealt with separately here is the introduction of a “UBO register”. The Financial Intelligence Unit (FIU) of each member state will have to keep a register in which all UBOs are recorded. This register can then be consulted by financial companies, among others, to make it easier to identify UBOs. The exact form this register will take, and which institutions and authorities will have access to it, remains to be seen. The register will in any case be accessible to government agencies, FIUs, reporting entities and persons with another legitimate interest.

Expansion of the scope of the Directive

In addition, the scope of the AML in AMLD4 has been further expanded. One of the most radical changes is that the predicate offences for money laundering will be expanded to include tax offences. This means that throughout the EU, tax crimes are, like arms and drug trafficking, treated as crimes that can generate criminal assets that can be laundered.

The number of reporting entities that fall under the Anti-Money Laundering Directive has also been further expanded. This concerns, among others, providers of games of chance and dealers in high-value goods who accept cash payments of EUR 10,000 or more (previously EUR 15,000).

Sanctions by regulator(s)

The updated AMLD4 gives regulators more options to sanction institutions that do not comply with the directive. If CDD requirements are repeatedly not complied with, the regulator can impose fines of up to EUR 1,000,000. For financial institutions, the fine can be up to EUR 5,000,000 or 10% of the annual turnover.

Are you already prepared?

Have you thought about the consequences of AMLD4 for your organisation? Or do you currently have too little knowledge or capacity and would you like to get in control? BrightStone Group is happy to be of service.

The payment services market has changed rapidly in the last couple of years. For this reason, the European payment directive was re-examined in 2016. Payment Services Directive 2 (PSD2) is therefore a revision of the previous Payment Services Directive from 2007 (PSD1). This is a European directive that regulates the payment traffic of consumers and businesses. These European rules will have to be incorporated into national legislation by each EU country. Furthermore, PSD2 is further elaborated in technical standards and guidelines for banks and other companies that offer payment services.

What is regulated in PSD2

PSD2 obliges payment service providers to make private payment account(s) accessible to businesses if customers give their consent. If these companies hold the correct licence, customers can then also make payments through them. In concrete terms, this means that when an online purchase is made, the company where the purchase is made can immediately initiate a payment without the intervention of, or referral to, a bank. This makes information about payment accounts transparent to third parties. A natural consequence is that the identification of the account holder, the security of the transaction and the safeguarding of the account holder's privacy will be subject to stricter regulations.

License PSD2

Payment service providers that currently hold a PSD1 licence will have to comply with the new requirements set by PSD2. If payment service providers want to offer the new services, they will also have to apply for a licence. DNB will actively inform the current payment institutions licensed under PSD1 about the additional requirements that PSD2 imposes on business operations.

Supervision PSD2

DNB recognises that competition in the payment services market is currently very fierce. As a result, profit margins within this market are under great pressure. The strong growth currently taking place within payment services has led to supervision being expanded further. DNB mainly looks at how the systematic risks that payment institutions run are addressed and which control measures have been taken for this. This development started during the second half of 2017 and will continue in 2018. In addition, as in other sectors, DNB seeks periodic consultation with the various payment institutions.

The European Market Infrastructure Regulation (EMIR) is a European regulation that ensures that trading in Over The Counter (OTC) derivatives becomes more transparent and safer. The regulation applies to all derivative contracts and to all contracting parties in a derivative contract.

EMIR has been in effect since August 16, 2012, and BrightStone Group can help you comply with this regulation.

On May 25, 2018, the new General Data Protection Regulation (GDPR; in Dutch: AVG) came into effect. In view of these new rules, and as a logical extension of its own services in Finance, Risk, Data and Compliance, BrightStone Group has started a sister company called Lumen Group that specialises in Privacy & Data Protection services.

Lumen Group offers the following services:

  • GDPR Consultancy: consultancy work by our consultants;
  • GDPR Project management and implementation: management, coordination and / or application of compliance by multidisciplinary project teams;
  • GDPR Interim, recruitment & selection: the best Privacy & Data Protection professionals on an interim, fixed-service or subscription basis. Also for a Data Protection Officer (DPO).

A closer look at GDPR

GDPR is a new regulation on the privacy and security of personal data, laid down by the European Commission. The new data protection rules will make important changes to Europe’s privacy legislation and will replace the outdated Data Protection Directive from 1995. The new law has been passed to give individuals more control over their own data and over how it is processed and used.

Under the new rules, individuals will soon have the “right to be forgotten.” This means that they can ask companies to delete data about them that is no longer needed or no longer accurate. The regulation also aims to simplify the legal framework. In addition to the right to be forgotten, the legislation contains further provisions that give users more rights over their own data. However, there is a grey area about how this will work in practice. For example, freedom of speech laws will ensure that “the right to be forgotten” does not apply to news stories.


The GDPR is therefore good for consumers, but it can result in hefty fines for you as an organisation if you are not compliant. These fines can run up to 4% of your turnover or 20 million euros – whichever is greater. Reason enough for most companies to study the regulations and the way in which they handle data.

Maximum security

Do you have too little time and knowledge for GDPR or do you simply need maximum security in this area? Lumen Group is happy to be of service. Feel free to contact Lumen Group.

CDD (Customer Due Diligence), or KYC (Know Your Customer), has become an indispensable part of ethical business operations.

CDD Obligations

Certain institutions are required by law to identify customers and report unusual actions. In the Netherlands, CDD obligations are enshrined in the Financial Supervision Act (Wft), the Sanctions Act 1997 and the Money Laundering and Terrorist Financing Prevention Act (Wwft). It differs per institution and company whether they fall under the Wwft or the Sanctions Act.

What should your CDD policy look like? This depends on whether you fall under the Sanctions Act or the Wwft. You may also need to comply with both laws.

The Sanctions Act

The Sanctions Act applies to banks, insurers, exchange institutions, pension funds, trust offices, lease companies and casinos, among others. Does it apply to you? Then you must identify your business relationships and take appropriate action if any of them appear on a sanctions list. In contrast to the Wwft, you do not have to make a risk estimate for certain business partners. The law is complex and has many requirements, but BrightStone Group’s CDD and KYC consultants are happy to help you.

The Wwft Act

Banks, insurers, investment institutions, administration offices, accountants, tax advisers, trust offices, lawyers, brokers and civil-law notaries, among others, fall under the Wwft. They are mainly required to make a well-founded risk estimate of certain relationships, based on identification, determination of the “ultimate beneficial owner” (UBO) and screening for various risks. This law is designed to promote “decent” business and is seen by the government as an important tool in the fight against organised crime. We are also very familiar with this legislation, and our consultants are happy to assist you.

Fewer risks, no fines?

BrightStone Group helps companies and institutions to set up a solid CDD policy to control integrity and reputation risks and to avoid possible fines. Our services are therefore aimed at an ethical policy whereby your organisation knows with whom it is doing business.

Would you like to know more about our CDD Compliance and / or KYC Compliance services? Feel free to contact us.
