Banking Laws and Regulations | Netherlands | GLI (2024)

Introduction

Regulatory architecture: Overview of banking regulators and key regulations

Dutch regulatory framework

In the Netherlands, the most important act for financial services and financial products is the Dutch Act on Financial Supervision (Wft). The aim of the Wft is the proper functioning of the financial markets and the protection of investors and consumers. This cross-sectoral act consists of seven chapters: (1) a general part containing rules relevant for prudential as well as behavioural supervision, such as a long list of definitions, the position and mandate of the Dutch Central Bank (DNB) and the Dutch Authority for the Financial Markets (AFM) and articles on the cooperation between the financial supervisors; (2) the rules relating to market access for financial companies, such as licence obligations; (3) prudential rules for financial companies; (4) behavioural rules for financial companies; (5) behavioural rules for financial markets; (6) special measures relating to the stability of the financial system; and (7) some final provisions.

The Wft has a layered structure. Various ‘lower’ rules have been set pursuant to the Wft. These lower rules are set out in Decrees and Rules of the Dutch Minister of Finance. These ‘second-level rules’ further detail the principles laid down in the Wft. For instance, the Decree on Behavioral Supervision for Financial Companies contains detailed rules on the professional competence of employees, the structure and governance of financial companies, outsourcing and the handling of customer complaints. An important Ministerial Rule is the Exemption Scheme Wft, which limits the scope of the Wft for certain services and activities; for instance, when offering securities to the public for a total yearly value of less than EUR 5 million, or when providing investment advice or the reception and transmission of orders in participation rights under the ‘Dutch National Regime’. Certain rules set by supervisors AFM and DNB form a third level of legislation, which is relatively limited. An important rule, however, is the AFM’s Further Rule on Behavioral Supervision of Financial Companies that, amongst others, sets out detailed information rules relating to certain financial products and rules in relation to the segregation of client funds and client money. Policy Rules issued by DNB and the AFM are also important to take into account, such as the AFM’s Policy Rule on the provision of client information and the AFM’s and DNB’s Policy Rule on Suitability. Lastly, discussion and guidance documents issued by DNB and the AFM, as well as those issued by EU supervisors such as the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA), form an important source of ‘soft law’.

EU Directives, such as the Markets in Financial Instruments Directive (MiFID2), the Payment Services Directive (PSD2), the Investment Firms Directive (IFD) and the Capital Requirements Directives (CRD4 and CRD5), are implemented in the Wft to have legal effect in the Netherlands. EU Regulations such as the Prospectus Regulation, the Market Abuse Regulation and the Investment Firms Regulation have direct effect in the Netherlands and do not need to be implemented in Dutch law.

Regulatory authorities in the Netherlands

In the Netherlands, the AFM and DNB are both entrusted with financial supervision. This is sometimes called the Dutch ‘twin peaks model’. The AFM has a focus on behavioural supervision, while DNB has a focus on prudential supervision. DNB and the AFM share information and work together, for instance, in case of the assessment of policymakers. The AFM issues licences to, amongst others, MiFID2 investment firms, managers of investment funds (UCITS and AIFMD) and ‘financial services providers’ such as credit and insurance intermediaries. The AFM also approves prospectuses under the Prospectus Regulation. DNB issues licences to, amongst others, insurers, payment services providers (PSPs) and electronic money institutions (EMIs). Crypto services providers looking to provide their services on the Dutch market need to register with DNB. The European Central Bank (ECB) is the licensing authority for banks in the Netherlands (whether significant or not).

Recent regulatory themes and key regulatory developments in the Netherlands

Digitisation of financial services

The use of ICT has gained a pivotal role in finance. Digitisation covers, for instance, payments, securities clearing and settlement, electronic and algorithmic trading and credit rating. To further facilitate the EU’s digital strategy, the Digital Operational Resilience Act (DORA) will enter into force on 17 January 2025. DORA sets rules for ICT risk management of financial companies and establishes EU-level supervision of providers of critical ICT services. Compliance of non-critical Dutch banks with DORA will be entrusted to DNB, while compliance of critical Dutch bank with DORA will be entrusted to ECB.

Another important piece of new EU legislation that relates to the digitisation of financial services is the proposed EU Regulation on Artificial Intelligence (AI Act). This Act, which is expected to enter into force in 2025/2026, introduces a regulatory framework for AI systems that have a high risk of damaging health and safety or a negative effect on fundamental rights and those that directly interact with natural persons (such as chatbots). The AI Act takes on a risk-based approach. Most importantly, persons that offer or use AI systems that are deemed ‘high risk’, but also persons distributing or importing such AI systems, will have to abide by the strict rules set forth in the AI Act. Although financial companies using AI systems already fall under several Dutch financial law provisions, financial companies working with AI systems should monitor the legislative developments of the AI Act closely, not least because the AFM, DNB and the International Organization of Securities Commissions have issued (discussion) papers reflecting detailed responsibilities for financial companies using AI that already closely resemble the provisions of the AI Act. To enhance consistency between the AI Act and current banking legislation, the EU Commission deems it appropriate to integrate the AI Act’s conformity assessment procedure and some of the providers’ procedural obligations in relation to risk management, post-marketing monitoring and documentation into the existing obligations and procedures under the CRDs.

Sustainability

Banks are required to play their part in financing a sustainable society. At the EU level, this is described in the Sustainable Finance Action Plan. Banks are required to be transparent in the composition of their balance sheet and general strategy as well as the financial services and financial products they offer. In the supervision of banks, sustainability risks will play an important part. Several products and services provided by banks fall under the Sustainable Finance Disclosure Regulation (SFDR) and the Taxonomy Regulation. On 1 April 2020, DNB published its ‘Good Practice Integration of climate-related risk considerations into banks’ risk management’. This guidance document provides (non-binding) suggestions on how banks can organise their processes and procedures to manage climate-related risks related to their activities. Any material climate-related risks should be governed in a way that is consistent with sound risk management similar to any other type of material risk. DNB’s interpretation of how existing regulation applies to climate-related risk management is further detailed in its related Q&A document.

Anti-money laundering

Since the implementation of the fourth AML Directive in the Dutch AML Act (Wwft), DNB and the AFM have intensified their AML supervision, and combatting financial economic crime has been at the top of their agenda for years. According to the Dutch supervisors, banks must structurally improve their ‘gatekeeping function’. The supervisors’ focus on AML compliance has resulted in an increase in enforcement measures in the form of warnings, orders for incremental penalty payments and fines. In 2018, ING paid a settlement of EUR 775 million and in 2021, ABN AMRO paid a settlement of EUR 480 million. This resulted in an increase in AML costs. In October 2021, the Dutch Financial Times reported that EU banks spend EUR 151 billion on AML checks and client investigations, roughly four times more than US banks. In practice, this also resulted in banks tightening their client acceptance policies and terminating existing relationships with high-risk clients, often in sectors that make use of large amounts of cash. However, refusing a client or terminating a relationship with a client is not that easy. In the Netherlands, banks have a legal duty to offer a (basic) payment account to consumers. Dutch banks may also have the obligation to offer a payment account to business clients (non-consumers) on the basis of the bank’s social position in society. The Dutch Supreme Court ruled in 2021 that non-consumers must also be able to participate in social traffic, which requires a bank account. Taking into account the interests of the bank and the client (an adult club), the Dutch Supreme Court ruled that the bank was not required to accept large cash deposits. Terminating a relationship with a client can, in principle, be based on the Dutch general banking terms, which contain a generic termination clause. However, making use of this termination right can be deemed unacceptable according to standards of reasonableness and fairness. Therefore, terminating a relationship with a banking client, and determining an acceptable notice period, always requires a case-by-case assessment.

Amendments to MiFID2 to help the recovery from COVID-19

The Netherlands, like all EU Member States, had to implement the amendments made to MiFID2, as set forth in Directive (EU) 2021/338. These amendments, which should help the recovery from the COVID-19 pandemic, apply in all EU Member States as per 28 February 2022. Information should no longer be provided on paper but should, as a default option, be provided electronically. Non-professional clients can still request information on paper. Services provided to professional clients and eligible counterparties shall be exempted from the costs and charges disclosure requirements, except with regard to investment advice and asset management. A third mentionable amendment is that it shall no longer be a requirement to provide eligible counterparties with mandatory service reports. Professional clients will have the possibility to opt in.

Bank governance and internal controls

Banks in the Netherlands are subject to strict governance and internal control requirements. A brief overview is set forth below.

DNB screening of important individuals

Individuals entrusted with day-to-day management (daily policymakers) and individuals entrusted with the supervision of the bank’s general affairs (internal supervisors) are screened on their suitability by DNB. This normally includes statutory directors and members of the supervisory board. In principle, banks themselves assess whether their second-tier senior officers are suited for their positions. These ‘second echelon managers’ are the managers directly under the policymakers, responsible for natural persons performing functions that can influence the risk profile of the bank. DNB and the AFM have decided to amend their Policy Rule on Suitability and a consultation version was presented to the market in July 2022. The consultation closed in September 2022.

The above-described individuals and individuals that have a substantial influence on long-term policy and decision making (co-policymakers) are also screened on integrity. All administrative, criminal, financial and other supervision-relevant antecedents must be disclosed. The integrity of second echelon managers must first be investigated by the bank itself, after which DNB will perform an additional screening.

Banks having their registered offices in the Netherlands need prior approval from DNB, in the form of a ‘Declaration of No Objection’, for various actions (significant banks need ECB approval). These actions are, in brief: (i) acquiring or expanding qualifying holdings in a financial company or a non-financial company; (ii) the acquisition of assets or liabilities, or both, of another company, as this does not constitute a legal merger but rather an assets/liabilities transaction only; (iii) mergers; (iv) financial or corporate restructuring operations; and (v) if a managing partner wants to join the bank (this requirement only applies to banks that are limited partnerships).

All individuals having an employment agreement with the bank or performing a function that is part of banking business or an essential process supporting banking business must take the Dutch banking oath. With this mandatory, moral-ethical oath, the individual declares to not make abuse of its function, put the interests of clients first and retain trust in the financial sector. All individuals who take the oath submit themselves to the Dutch banking disciplinary rules. Individuals who breach the oath can be brought before the Disciplinary Committee of the Dutch Foundation for Banking Ethics Enforcement. This Committee can impose sanctions such as warnings but also professional bans that extend to the whole Dutch banking sector. As an example, in November 2022, the Committee imposed a professional ban of no less than eight months on a seconded employee working for a Dutch bank because the individual shared confidential information outside the bank (by sending emails to his private email address and the email address of his son).

Specific Dutch remuneration regime

For banks, a stricter remuneration regime applies than in the rest of the EU, based on CRD4 and CRD5. Since 2015, the Netherlands has gold-plated several EU remuneration provisions. The most important are the following:

• Bonus cap. A bonus cap of 20% of fixed pay applies. In the EU, this is 100%, or 200% with shareholder approval. Some exceptions to the 20% cap apply, e.g. for staff members not in scope of a Collective Labor Agreement (CLA) or foreign staff members.
• Non-financial criteria. A minimum of 50% of the bonus should be based on non-financial criteria, such as compliance, sustainability, customer satisfaction, etc.
• Severance pay cap. A severance pay cap of 100% of fixed pay applies in respect of daily policymakers.
• Malus and clawback. Malus and clawback of bonuses are mandatory in case of (i) staff members participating in or being responsible for conduct that resulted in significant losses to the bank, or (ii) staff members failing to meet appropriate standards of fitness and propriety. In those instances, the bank will have to apply malus or clawback regarding paid out and/or outstanding bonuses.
• All staff. The remuneration rules apply to all staff. In the EU, most remuneration rules only apply to higher management and material risktakers (so-called ‘identified staff’).
• Group-wide application. The remuneration rules apply to all (indirect) subsidiaries of the bank. If the ultimate parent company is based in the Netherlands, all group companies of the bank are in scope.

As of 2023, new rules have been implemented that are relevant for banks and that make the existing Dutch remuneration regime even stricter:

• Bonus cap tightened. Exceptions to the 20% bonus cap in the Netherlands have been further restricted, with no deviations from the 20% bonus cap permitted for non-CLA personnel in case of internal control functions (risk management, compliance, internal audit) and for staff directly engaged in providing financial services to consumers (B2C). For all other functions, a cap of maximum 100% of fixed pay is allowed only in the event of an ‘exceptional function’, which should be reported and demonstrated to the regulator. The rule that the average ratio of all functions not in scope of a CLA should not exceed 20% of fixed pay will remain.
• Retention period instruments. Fixed pay awarded in equity or equity-like instruments should be retained for at least five years. Staff members are therefore not allowed to sell or exercise these instruments during the five-year retention period.
• Social function of the bank. The remuneration policy should contain a description of (i) the ratio between the remuneration of executive board members, supervisory board members and employees and the social function and position of the bank, and (ii) the manner in which this ratio is established.

For 2023, transitional law applies. More specifically, a transitional period of one year exists for personnel in service on 1 January 2023 with respect to (i) the limitation of the possibility to deviate from the bonus cap, and (ii) the five-year retention period for fixed pay awarded in equity or equity-like instruments. In addition, shares or options that have already been granted before this date will be respected. The idea behind the transitional period is to give parties the opportunity to consult with each other and, where necessary, to amend employment conditions or other existing agreements.

Conduct business with integrity

Banks are required to implement adequate policies and procedures that ensure that their business is conducted with integrity and control. The general aims of these policies are to prevent (i) conflicts of interest, (ii) the bank or its employees from committing criminal offences or other violations of the law, and (iii) trust in the bank or the financial markets from becoming damaged due to actions of the bank or its clients. Dutch banks must have an internal control framework. The control function plays an important role in the assessment of the efficiency of this internal control framework within the bank. In organisational terms, the control functions must be separate from the units over which they exercise control, and the executive board must be able to rely on the work of the control functions. These control functions are (i) the chief risk officer (responsible for the risk control function), (ii) the compliance function, (iii) the risk management function, and (iv) the internal audit function.

Outsourcing

Banks that outsource activities must comply with various laws and regulations, such as the Wft and the Decree on Prudential Rules for Financial Companies. In addition, EBA has published Guidelines on Outsourcing. These Guidelines aim to minimise the risks that could emerge from outsourcing activities. Banks must have an outsourcing strategy in place. When planning to outsource activities, banks are required to perform a risk analysis and take appropriate measures to mitigate risks. If activities are outsourced, the bank remains responsible for the operational management of these activities. Banks must therefore actively monitor service levels. Some functions, in particular formulating policies and strategy and the management of risk control and internal supervision, may not be outsourced.

Bank capital requirements

Capital requirements for Dutch banks are set forth in the CRDs, as implemented in the Wft, the Capital Requirements Regulation (CRR) and several technical standards and guidelines. Prudential supervision is based on three pillars.

An essential part of Pillar 1 is formed by the bank’s own fund requirement. The applicable prudential rules result in a layered structure of the bank’s own funds, each having their own quantitative and qualitative criteria. The first distinction can be made between Tier 1 capital and Tier 2 capital. Tier 1 capital can absorb risks, while Tier 2 capital can absorb risks under special circ*mstances, such as a financial restructuring or even bankruptcy. A second distinction within Tier 1 capital can be made in Common Equity Tier 1 capital (CET1) and, as a second layer, Additional Tier 1 capital (AT1). CET1 capital often consists of share capital from a BV or NV. CRR also describes under what circ*mstances capital can qualify as AT1 capital and Tier 2 capital. These rules are less far-reaching as is the case for CET1 capital, as a result of which Tier 2 capital, for instance, can consist of subordinated bonds with a certain duration. With the exception of the absolute amount of minimum starting capital, quantitative requirements are expressed as a percentage: the capital ratio. This concerns the ratio between the risk-weighted assets and the own funds of the bank (Tier 1 capital and Tier 2 capital combined).

Pillar 2 sets additional requirements for banks to cover the risks that are not covered or are insufficiently covered by Pillar 1. They are tailored to the risk profile of the bank in question and may therefore vary per bank. In order to determine the additional capital requirements for non-significant Dutch banks, DNB uses the Supervisory Review and Evaluation Process (SREP). The main objective of the SREP is to perform sound risk assessments, pursue a level playing field and ensure high supervisory standards. The SREP forms the core of DNB’s banking supervision and is therefore also referred to as ‘micro prudential supervision’. As far as capital risks are concerned, the review is focused on the ‘internal capital adequacy assessment process’ (ICAAP). With this ICAAP, the bank can assess whether the amount and composition of the internal capital matches the nature and size of current and future risks. As far as liquidity risks are concerned, the effectiveness of the ‘internal liquidity adequacy assessment process’ (ILAAP) is assessed. The SREP will result in the decision of DNB (or ECB for significant banks) to require additional capital requirements: the ‘Pillar 2 requirement’. Pillar 3 consists of reporting obligations for banks. In brief, the reports – relating to the numbers, ratios and topics mentioned above – must be reported to DNB and/or ECB and published on a yearly basis.

Rules governing banks’ relationships with their customers and other third parties

Duty of care

Dutch banks have a contractual duty of care towards their clients. They also have a duty of care towards their clients based on the Wft. The level of protection importantly depends on whether the client is a retail client or a professional client. Due to their social function in society, banks in the Netherlands also have a special duty of care towards non-clients whose interests they must observe. In such cases, it is not the contractual terms that determine the level of care the bank must demonstrate, but rather the circ*mstances of the matter. One of these circ*mstances is that the aim of the Wft is to protect investors and consumers. This special duty of care towards third parties regularly results in civil claims from non-clients arguing that the bank is liable in its role as provider of a bank account, therewith facilitating investment fraud or other unlawful acts. The Dutch Supreme Court ruled that the bank can only be liable on the basis of this special duty of care when the bank possesses actual knowledge or has other reasons to suspect there is something wrong and, despite this knowledge, did not take appropriate action (in the form of an investigation, blocking a bank account, etc.).

Payment services

Important financial services provided by Dutch banks are payment services. PSPs (as well as EMIs) are licensed and supervised by DNB. Licensed PSPs are authorised to provide one or more of the payment services listed in Annex I of PSD2, including payment initiation services and account information services. As electronic money qualifies as ‘money’ within the meaning of the Wft, it can be the subject of a payment transaction and therefore of a payment service. A payment services agreement must comply with the rules laid down in the Wft (implementing PSD2) and Book 7 of the Dutch Civil Code (DCC). The liability regime for payment services derives from PSD2 and is set out in Book 7 of the DCC. As a main rule, the (bank in its capacity as a) PSP must reimburse the (paying) client in case of an unauthorised transaction, under the condition that the client timely informs the PSP of the unauthorised transaction. This is different when the (paying) client acts fraudulently or with gross negligence.

Consumer credit

Another core activity of banks is offering credit and mortgage loans. Business credit (credit offered to non-consumers) is not regulated under the Wft. The AFM does not supervise business credit. Offering credit and mortgage loans to Dutch consumers, on the other hand, is highly regulated in the DCC and the Wft (some forms of consumer credit are exempt). The Wft explicitly prohibits the ‘over crediting’ of consumers and requires credit offerors to provide consumers with information before entering into an agreement, enabling the consumer to make an adequate assessment of the financial product. The rules applicable to consumer credit will be amended as a result of the proposed revision of EU Directive 2008/48/EC. The scope of the Directive will be broadened, the information provisions will be improved (with an extra information document), rules will be added to prevent nudging, and the creditworthiness test will be clarified and supplemented. It is also proposed to have a cost ceiling for consumer credit, similar to the maximum credit fee already applicable in the Netherlands.

Investment services

A third mentionable activity is providing investment services, such as investment advice, discretionary asset management and the reception and transmission of orders in financial instruments. Banks that provide investment services must comply with the MiFID2 legislative framework, which is partly implemented in the Wft and in ‘lower’ acts pursuant to the Wft. The obligations of the bank in an investment services relationship depends on the specific investment service and the ‘MiFID status’ of the client, being (i) a non-professional client, (ii) a professional client, or (iii) an eligible counterparty.

Dutch anti-money laundering legislation

Since 2008, the rules that banks must follow to prevent money laundering and the financing of terrorism are laid down in the Wwft. The Wwft was amended in 2020 in order to implement the changes made to the EU’s AML Directive. The Wwft takes on a risk-based approach, which means that banks are, to an extent, free to decide on the degree of risk they want to take. Customer due diligence is an important part of the bank’s gatekeeping function. Banks must perform customer due diligence in all cases. Unusual transactions, when noticed, must be investigated and notified to the Dutch Financial Intelligence Unit. Banks that are negligent to take appropriate action in case of noticed unusual transactions risk enforcement measures from DNB but also civil claims from victims of payment or investment fraud that argue the bank could and should have intervened earlier. DNB has published a guidance document (which is legally non-binding but nonetheless important) in relation to the Wwft and the Sanctions Act. The guidance document discusses topics such as the risk-based approach of integrity regulations, customer due diligence, transaction monitoring, reporting of unusual transactions and the regulatory framework for sanctions.

Deposit Guarantee Scheme and Investor Compensation Scheme

Money placed in Dutch bank accounts is legally protected by the Dutch Deposit Guarantee. If a bank goes bankrupt, DNB refunds the account holders up to a maximum of EUR 100,000 per person, per bank. Banks contribute to the Deposit Guarantee Fund, provide data to DNB for the execution of the Deposit Guarantee Scheme (DGS), and provide customers with mandatory information about the DGS. DNB has detailed the banks’ DGS obligations in Policy Rules and guidance documents. Furthermore, the Investor Compensation Scheme protects customers when a bank or investment firm cannot repay its customers, for instance, due to bankruptcy. Financial companies that keep client money and assets are under a statutory obligation to segregate their own funds and assets from their client’s funds and assets. This should ensure that client’s assets and funds are kept safe. However, if a failing company does not comply with its segregation obligations, client’s funds and assets could fall in the bankrupt estate. The Investor Compensation Scheme compensates investors for such losses. Investors can get their money back up to EUR 20,000 per person, per bank/firm. If investors hold an investment account with their partner, the combined maximum compensation is EUR 40,000. The Investor Compensation Scheme is available to private investors and small companies that are permitted to publish a summary balance sheet (with exceptions).

Customer complaints

Almost all financial companies in the Netherlands must register with the Dutch Financial Complaints Committee (KiFiD) in The Hague. Consumers can bring their disputes before this special arbitration tribunal after having followed the internal complaints procedure of the financial company. KiFiD also provides mediation services and has a complaints committee and an appeal committee. KiFiD’s verdicts can be binding or non-binding. Binding verdicts cannot be challenged before a Dutch Court, other than a marginal challenge. Most cases brought before KiFiD are settled.