
FIU-NL gets a pause button, but crypto keeps moving

From 1 July 2026, Financial Intelligence Unit Nederland (FIU-NL) will receive a new power: the power to postpone transactions. Under the new Article 17a Wwft, FIU-NL may require reporting institutions to temporarily postpone one or more transactions if there are signs of money laundering, related criminal activity or terrorist financing. 

The word temporarily is important. 

This is not a general freezing power. A postponement may last for up to five working days. If the request is made on behalf of a foreign FIU, it may last for up to ten working days. The aim is to create a short period in which suspicious value can be stopped before it disappears. 

The Anti Money Laundering Centre, the knowledge and expertise centre of the FIOD, has described the new power in similar terms. It is a temporary tool with clear limits. It is not an open-ended freeze. 

Why crypto makes this more complex

For crypto, this distinction matters. 

FIU-NL’s new power does not extend to stopping a blockchain network in its entirety. Unlike a bank transfer that may sometimes be recalled, or a payment instruction that may still be intercepted, on-chain transactions are settled by the network itself. Once crypto assets have been broadcast to and confirmed on a blockchain network, the transaction is generally final in practice. It cannot usually be reversed by a regulated platform or by a government authority. 

There is one practical point to keep in mind. A crypto withdrawal request is not always the same as a completed blockchain transaction. Before confirmation, a transaction may still be pending. It may still be inside the platform’s own systems, or it may be waiting for confirmation by the network. At that stage, it may still be possible to stop it. 

Once the transaction has been confirmed on chain, the original transfer is effectively out of reach. 

Where the pause button can still work

This makes exchanges, brokers and custody providers important control points. They may still be able to stop a pending withdrawal, restrict crypto assets held in custody, or block a customer’s balance before value leaves the platform. 

FIU-NL’s new power can therefore help in two practical situations: where crypto assets are still held in a custodial account at a regulated platform, and where fiat proceeds or other customer balances remain available. 

However, the new power does not solve crypto’s speed and finality problem. If the relevant transaction has already been confirmed on chain, the pause button comes too late for that transaction. 

Why this matters for regulated platforms and their customers

For regulated platforms, such as exchanges and custody providers, FIU-NL’s new power has direct operational consequences. When a platform receives a postponement request from FIU-NL, it must act immediately. It must also be able to document its response afterwards. 

This means the issue is not only legal. Platforms need clear internal procedures. These procedures should explain how FIU-NL requests are received, escalated, and handled. They should also make clear who is authorized to act on such requests, how the relevant assets or balances are identified, and how each step is recorded. 

The effectiveness of the new power will also depend heavily on the quality and speed of the platform’s transaction monitoring. Suspicious activity that is only identified after a withdrawal has been confirmed on chain cannot be postponed or reversed. Platforms should therefore assess whether their monitoring, alert handling and withdrawal controls are fast enough. 

This also matters for customers. A delayed withdrawal or temporarily restricted balance should be handled quickly, consistently and in line with the legal requirements. If the platform is allowed or required to communicate with the customer, it should be able to explain the situation clearly without harming the legal process. 

There is also a risk that bad actors will adapt. They may try to move assets away from regulated platforms more quickly, because those platforms are the main point where transactions can still be stopped. This makes fast monitoring, clear escalation and effective withdrawal controls even more important. 

Part of a broader AML trend

The Dutch change should not be seen on its own. Similar intervention tools already exist in other European AML frameworks. FIU-NL has also noted that many foreign FIUs already have comparable powers, and that the Dutch addition should support international cooperation. 

The direction is clear. AML is moving beyond reporting suspicion after the event. Increasingly, the focus is on stopping suspicious value flows before they disappear. 

Crypto tests the limits of this approach. 

The legal power to pause a transaction only matters where there is still practical control. Platforms can freeze, delay, or block. Blockchains do not rewind. 

Conclusion

FIU-NL’s new power is useful, but it is not a full solution for crypto. It can help stop a suspicious asset while that asset is still inside a regulated platform. The same applies where related fiat proceeds or other customer balances remain available.

A confirmed blockchain transaction, however, generally cannot be reversed.

For regulated platforms, the main compliance challenge is speed. They need fast monitoring, clear escalation routes, practical procedures and strong withdrawal controls.

Invitation to Consult

If this article has raised questions or topics you would like to discuss further, we welcome you to reach out. If you have a specific case you would like to explore, we are happy to arrange an informal introductory conversation. Our contact details can be found here.

Read more updates and articles here.

 

Posted by liekeinnemee on 2026-06-04 13:21:23; last modified 2026-06-04 17:08:05.

AMLA Update 

What recent AMLA developments mean for firms 

Since the end of March, AMLA has continued to expand its consultation activities and lay the groundwork for its future supervisory role. While many organisations are focused on upcoming AML Regulation deadlines, AMLA’s recent work provides an early indication of future supervisory expectations.

Focus on governance and risk assessments 

During the past months, AMLA has consulted on group wide AML/CFT policies, procedures and controls, as well as business wide risk assessments. Both topics are fundamental building blocks of the future EU AML framework. 

The message is clear: AMLA expects firms to demonstrate a well documented and risk based approach to AML/CFT compliance, supported by effective governance arrangements and consistent implementation across the organisation. 

For cross-border firms, expectations are increasing around harmonised AML/CFT frameworks and effective group-level oversight.

Supervisory cooperation is becoming more important 

AMLA has also consulted on standards governing cooperation between home and host supervisors for cross border groups. While these proposals primarily address supervisory authorities, they signal a broader move towards greater consistency and coordination across the European Union. 

For firms, this could mean more consistent supervision, greater information sharing and increased scrutiny of cross-border activities.

Preparing for AMLA’s future supervisory role 

AMLA has also published a reporting package to support the future identification of entities subject to direct supervision.

Although direct supervision is not expected until 2028, AMLA is already preparing its supervisory model. This demonstrates that the Authority’s focus is increasingly shifting from institution building towards operational readiness. 

What firms should consider now 

While many organisations are understandably focused on upcoming AML Regulation implementation deadlines, AMLA’s recent work offers an early indication of future supervisory expectations. 

In our view, firms should pay particular attention to the following areas: 

  • Reviewing the quality and documentation of business wide risk assessments.
  • Assessing whether group wide AML/CFT policies and controls are applied consistently across legal entities and jurisdictions.
  • Evaluating governance structures and oversight arrangements to ensure clear accountability for AML/CFT risks.
  • Monitoring AMLA consultations and technical standards to identify future implementation requirements at an early stage.

The emerging theme across AMLA’s recent publications is consistency: the goal is a more harmonised AML/CFT framework across the EU.

As AMLA releases further standards throughout 2026, firms that assess their readiness now will be better prepared for regulatory change.

Compliance Champs will continue to monitor AMLA developments and share practical insights on how firms can prepare for the future EU AML/CFT framework. 


 

Posted by liekeinnemee on 2026-06-03 13:46:09; last modified 2026-06-03 13:46:09.

Everyone Wants Compliance… Until It Conflicts with the Business

Almost every organisation says the same thing: 

“Compliance is important.” “We take AML/CFT seriously.” “We want to manage our risks.” 

Investments are made in policies, monitoring tools, awareness training, and periodic audits. On paper, things often look solid: processes exist, controls are in place, and reports are neatly discussed in governance meetings. Yet in practice, we continue to see the same problems resurface. Large files in which money laundering risks go undetected for years, transactions that were never critically reviewed, or organisations caught entirely off guard when a regulator concludes that their controls fall seriously short. 

That rarely happens because no one knew what the rules were. Far more often, the problem has a different root cause: the tension between Internal Audit and the business. 

That tension is usually not openly visible. No one explicitly says that risks are unimportant or that compliance gets in the way. But as soon as audit findings touch on commercial objectives, client relationships, capacity, or revenue, the dynamic often shifts quickly. Findings get nuanced, priorities change, and discussions suddenly revolve less around risk and more around feasibility, timing, or “the reality of the business.” 

And that is precisely where a vulnerability arises that many organisations underestimate. 

When Internal Audit and the business end up on opposing sides, risks do not disappear. They simply become less visible. This dynamic is not limited to internal audit departments. It also surfaces regularly in external internal audit engagements, where independence can come under pressure the moment conclusions become commercially or organisationally uncomfortable. 

In this article, we explore that tension. We look at why it is so persistent, and how organisations can prevent audit from becoming a process in which everyone participates but no one truly listens. 

 

The Core of the Problem: Audit and Business Often Speak a Different Language 

On paper, Internal Audit and the business share the same objective: a commercially sound, safe, and sustainable organisation. In practice, however, the two functions are often evaluated against entirely different interests. 

Internal Audit is expected to make risks visible, critically assess processes, and independently evaluate whether controls are genuinely effective. The business, by contrast, is primarily driven by growth, client satisfaction, speed, and commercial results. As long as those interests remain balanced, audit and the business complement each other well. The problem arises when risk management directly conflicts with commercial reality. 

An audit finding rarely represents just a theoretical risk. In practice, it often means additional work, stricter controls, delays in onboarding, difficult client conversations, or higher operational costs. And that is precisely why resistance emerges. 

That resistance is not always conscious. In fact, many business managers are genuinely convinced they take risks seriously. At the same time, they feel pressure to keep processes workable, meet targets, and stay ahead of competitors. This gradually creates a situation in which risks are not actively ignored, but are systematically downplayed or relativised. 

This tends to manifest in three recurring tensions. 

 

Three Areas of Tension Between Internal Audit and the Business 

The Gap Between Theory and Practice

One of the biggest frustrations from the business side is the feeling that audit does not sufficiently understand how processes work in practice. Auditors examine files, procedures, and regulations, while commercial teams deal daily with client pressure, deadlines, revenue targets, and operational constraints. As a result, audit findings are regularly experienced as theoretical or difficult to implement. 

That frustration is sometimes understandable. An audit recommendation may be entirely logical on paper but lead to longer onboarding trajectories, more escalations, or additional workload for operational teams. The risk, however, arises when feasibility is consistently placed above risk management. 

When that happens, organisations begin to make concessions, whether consciously or not. Findings are “reprioritised,” deadlines are pushed back, or shortcomings are framed with arguments such as “we’ll lose clients if we do this” or “this is operationally not feasible.” In the short term, that may feel pragmatic. In the longer term, it creates precisely the conditions in which risks can grow without anyone truly intervening. 

Audit as Police Officer Rather Than Partner

A second area of tension emerges when audit is primarily seen as a function that comes to point out mistakes. Many organisations claim that audit is a “business partner,” but in practice employees still frequently experience it as a controller, police officer, or box-ticking machine. 

That perception tends to develop when audits are heavily focused on deviations, shortcomings, and reporting, without sufficient attention to the underlying causes of behaviour or process issues. As a result, employees feel assessed rather than supported. 

The consequences often show up subtly in behaviour. Doubts are raised less readily, escalations are withheld, and risks are resolved internally rather than formally reported. Not because employees are deliberately hiding risks, but because people naturally become more defensive in an environment where mistakes appear to carry primarily negative consequences. 

Within AML/CFT, this is a serious problem. Many major incidents do not arise because signals were entirely absent, but because employees no longer felt safe raising concerns or gradually came to see irregularities as normal. When audit is exclusively associated with control and accountability, the very openness needed to surface risks in time begins to disappear. 

Overconfidence and the Belief That “It’s Fine Here”

The third area of tension may be the most insidious: organisational overconfidence. Many organisations that later face serious AML/CFT deficiencies were convinced for years that their controls were essentially in good order. 

That perception is most common in organisations that have never received a significant fine, have relied on the same processes for years, or place their trust in existing monitoring tools and experienced staff. Over time, a conviction forms that the organisation understands its risks and that serious incidents are something that happens to others. 

That is precisely where the danger lies. 

Risks typically develop gradually. Temporary workarounds become permanent, alerts become routine, exceptions become normal, and systems slowly become outdated. Because incidents do not occur, it feels as though the controls must be effective. That feeling persists until a regulator, enforcement agency, or internal investigation reveals that certain signals were missed for years. 

In hindsight, it often turns out that the signals were there all along. Audit findings had been flagged earlier, employees had raised concerns, or systems had been underperforming for some time. Yet no one felt sufficient urgency to look at the situation critically. 

And that is precisely why overconfidence is so dangerous within AML/CFT. It causes organisations not to actively ignore risks, but simply to take them less and less seriously. 

 

External Internal Audit: Independence Remains Complex 

Some organisations use external parties for their internal audit function. In those cases, these tensions often become even more complex. An external party must operate independently, while simultaneously remaining dependent on the client for budget, contract renewals, and the commercial relationship. 

This does not mean that external auditors consciously report more leniently, but it does create a tension that is difficult to fully ignore in practice. Particularly where organisations are sensitive to critical conclusions, pressure can emerge to soften formulations, reprioritise findings, or direct audits toward “safer” topics. 

It is also not uncommon for organisations to seek auditors that better align with their expectations or culture. That need not be problematic in itself, but it can lead to situations where independence gradually shifts from critical assessment to relationship management. 

That is precisely why effective external internal audit requires more than technical expertise. It also requires the willingness to keep naming uncomfortable conclusions, even when those conclusions are commercially or organisationally sensitive. 

 

How to Prevent Audit and Business from Remaining at Odds 

The solution does not lie in less audit or softer findings. The problem does not disappear by framing risks more gently. Organisations become stronger when audit and the business understand each other better without losing sight of their respective roles. 

That starts with auditors who have a genuine feel for the practical realities of the business. An audit that fails to account for operational context quickly loses credibility, however strong the substantive findings may be. At the same time, the business must accept that risk management is sometimes uncomfortable, time-consuming, or commercially inconvenient. 

It also helps when audit conversations focus less on blame and more on underlying causes. The question “what went wrong?” is valuable, but asking “why does this behaviour occur?” and “what incentives drive these choices?” often yields far more actionable insights. 

Finally, effective collaboration requires a culture in which employees feel safe raising doubts. The most vulnerable organisations are usually not those where mistakes are made, but those where no one feels able to name them. 

 

Conclusion: The Real Struggle Is Not Between Audit and Business 

Ultimately, the real struggle is not between Internal Audit and the business. It is between short-term and long-term thinking, between commercial pressure and risk awareness, and between comfort and confrontation. 

That is precisely why audit plays a difficult but important role. Not as a police officer or a box-ticking machine, but as a function that makes visible where organisations are becoming vulnerable. That matters most at the moments when commercial interests, time pressure, or organisational sensitivities are at their greatest. 

Because ultimately, the largest problems rarely arise because organisations lack rules. They arise when organisations gradually convince themselves that the risks will probably turn out to be manageable after all. 

And that is precisely where good audit needs to cut through. 

 

Next Article

In the next article, we examine an uncomfortable truth: Internal Audit versus Business. Why audit teams are so often seen as a brake on progress, and how to change that. 

 

Get in touch

Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com

Boy Custers | +31649935735 | boy.custers@compliancechamps.com

Posted by liekeinnemee on 2026-06-01 17:14:18; last modified 2026-06-01 17:14:40.

Crypto and Sanctions in 2026: When Geopolitics Moves On-Chain

Sanctions evasion is no longer a niche compliance issue, and if your institution still treats it as one, you’re already behind.

The numbers from 2025 make this hard to ignore. The value received by sanctioned entities surged by 694%, pushing illicit on-chain transaction volume to a record $154 billion.[1] In our work with compliance teams across financial institutions and CASPs, the biggest gap isn’t awareness of crypto risk in the abstract; it’s understanding what that risk actually looks like in practice, and what to do about it.

Iran: The Most Urgent Compliance Risk Right Now

Of all the current sanctions and crypto stories, Iran demands the most immediate attention.

The Islamic Revolutionary Guard Corps (IRGC) and its proxy networks accounted for over 50% of value received by Iranian crypto addresses in Q4 2025 alone, totalling more than $3 billion across the year.[2] This is not opportunistic misuse by bad actors exploiting a gap; it’s state-directed financial infrastructure, which means the scale and sophistication of evasion will only grow.

OFAC’s enforcement response reflects this shift. In January 2026, the U.S. Treasury sanctioned two crypto exchanges, Zedcex and Zedxion, for facilitating transactions linked to Iran’s financial sector and IRGC-connected actors. Critically, the designation included specific USDT wallets on the Tron network. Sanctions enforcement now explicitly targets on-chain identifiers alongside traditional legal entities.[3] For compliance professionals, the implication is direct: name-based screening alone is no longer sufficient. Wallet-level screening is now an expected control.

The urgency sharpened in late February 2026, when U.S. and Israeli airstrikes on Iranian targets were followed within minutes by a 700% spike in outflows from Iranian crypto, $10.3 million moving within 48 hours.[4] Think about what that means operationally: crypto functioning as a real-time financial crisis management tool for a sanctioned jurisdiction, moving faster than most compliance teams can respond.

The Binance situation adds another dimension worth watching. The Wall Street Journal reported in early 2026 that the world’s largest crypto exchange had processed over $1 billion in transactions tied to sanctioned Iranian entities, which Binance disputes. Regardless of the outcome, the case illustrates how quickly Iran-related exposure can translate into reputational and regulatory risks.

Russia: From Evasion to Financial Infrastructure

Iran shows how crypto can absorb sanctions pressure in real time. Russia shows something more structural, and in some ways more concerning for long-term compliance exposure.

Russia isn’t just evading sanctions through crypto; it’s building parallel financial infrastructure designed to operate outside Western financial rails entirely.[5] The clearest example is the A7A5 stablecoin, a Ruble-backed token processed through a dedicated decentralised exchange. A7A5 processed an extraordinary $93.3 billion in less than a year. That’s not a workaround. That’s an alternative system.

At the same time, Russia is leveraging its subsidised energy sector to capture roughly 16% of the global Bitcoin hash rate, effectively minting new, “clean” Bitcoin with no on-chain link to any sanctioned entity or jurisdiction.[6] This is crypto mining as a strategic economic bypass, not a retail activity.

The Regulatory Response: Closing the Gaps

Regulators aren’t just responding, they are accelerating. The developments of the past weeks alone illustrate how quickly this space is moving.

In the EU, MiCAR and the revised Transfer of Funds Regulation (the Crypto Travel Rule) significantly expand the supervisory framework for CASPs. But just a couple of weeks ago, the EU adopted its 20th sanctions package against Russia, introducing a sweeping ban on all crypto asset transactions with Russian and Belarusian providers.[7] The digital Ruble and RUBx have been added to the EU’s banned crypto-assets lists, with the digital Ruble ban explicitly designed to close a circumvention channel ahead of Russia’s planned Central Bank Digital Currency (CBDC) rollout in September 2026.

In the United States, the GENIUS Act brings payment stablecoin issuers into the scope of the Bank Secrecy Act and sanctions obligations. Just two days ago, FinCEN and OFAC published new proposals that would require digital asset firms to embed sanctions enforcement directly into their code, making compliance automatic and continuous.[8] If adopted, this would represent a fundamental shift in how sanctions compliance is architected across the industry.

The message is consistent on both sides of the Atlantic: the regulatory perimeter around crypto is closing, and the expectation that compliance teams understand this space is rising accordingly.

What This Means in Practice

From a compliance perspective, a few things consistently get underestimated.

Wallet-level screening is still treated as optional in too many programs, but it isn’t. Stablecoins, particularly USDT on the Tron network, appear disproportionately in sanctioned and illicit flows relative to their overall market share, and deserve heightened scrutiny. Blockchain analytics tools like Chainalysis, TRM Labs, and Elliptic are no longer specialist add-ons; they are baseline infrastructure for any institution with crypto exposure. And importantly, crypto sanctions risk isn’t only a CASP problem. Banks with no crypto products are still exposed through payment flows, PSP relationships, and clients whose activity connects to crypto rails.

Finally, governance and escalation procedures need to exist before an issue arises, not during one. Knowing when to freeze assets, file reports with supervisors, and escalate internally is as critical as detection itself.

Deepen Your Knowledge with Compliance Champs

The risks in this article are no longer theoretical, they are showing up in transaction monitoring queues, client reviews and regulatory examinations right now. For compliance teams looking for practical, structured guidance on how crypto sanctions exposure actually appears in day-to-day work, Compliance Champs has developed a dedicated e-learning course: Crypto & Sanctions Awareness.

Explore the course here: Training Crypto & Sanctions Awareness

 


Do you seek support and assistance in enhancing your Crypto Compliance Framework?

Please reach out to us on: info@compliancechamps.com

Read more articles here.

 



[1] Chainalysis. (2026, March 5). Crypto crime in 2025 was primarily driven by 694% surge in state-driven sanctions evasion volume. Chainalysis Blog. https://www.chainalysis.com/blog/crypto-sanctions-2026.

[2] Ibid.

[3] Elliptic. (2026). OFAC sanctions exchanges Zedcex and Zedxion for assisting in Iranian sanctions evasion and IRGC operations. Elliptic Blog. https://www.elliptic.co/blog/ofac-sanctions-exchanges-zedcex-and-zedxion-for-assisting-in-iranian-sanctions-evasion-and-irgc-operations.

[4] Elliptic. (2026). Iranian crypto asset outflows surge 700% following airstrikes. Elliptic Blog. https://www.elliptic.co/blog/iranian-cryptoasset-outflows-surge-700-percent-following-attacks

[5] Chainalysis. (2026, March 5). Crypto crime in 2025 was primarily driven by 694% surge in state-driven sanctions evasion volume. Chainalysis Blog. https://www.chainalysis.com/blog/crypto-sanctions-2026.

[6] Elliptic. (2026). Russia-linked cryptocurrency services and sanctions evasion. Elliptic Blog. https://www.elliptic.co/blog/russia-linked-cryptocurrency-services-and-sanctions-evasion.

[7] TRM Labs. (2026, April 23). EU Adopts 20th sanctions package on Russia. TRM Labs Blog. https://www.trmlabs.com/resources/blog/eu-adopts-20th-sanctions-package-on-russia—-including-a-sweeping-ban-on-all-crypto-asset-transactions-with-russian-and-belarusian-providers

[8] PYMNTS. (2026, April 22). Treasury calls for programmable financial enforcement across crypto. PYMNTS.com. https://www.pymnts.com/cryptocurrency/2026/treasury-calls-for-programmable-financial-enforcement-across-crypto/.

Posted by liekeinnemee on 2026-05-20 17:29:12; last modified 2026-05-20 17:29:12.

AML and KYC Investigations: From Customer Onboarding to Ongoing Due Diligence

Introduction

Where previous articles in this series primarily focused on investigations into incidents, reports, or specific transactions, AML and KYC investigations are centred on the front end of the relationship. The objective is not primarily to determine after the fact what went wrong, but to assess — before and during the relationship — who the organisation is doing business with, what risks are involved, and whether its services could be misused for money laundering, terrorist financing, or sanctions evasion. In a world where armed conflicts and geopolitical tensions directly impact trade flows, payment systems, and ownership structures, that is more relevant than ever. 

That makes AML and KYC investigations fundamentally different from many other compliance investigations. They are not one-off exercises, but ongoing in nature. Client due diligence starts during onboarding, but it does not end there. The relationship, transactions, and risk profile must be monitored throughout the entire client lifecycle and reassessed where necessary. 

 

Why AML and KYC Investigations Are About More Than Onboarding

In practice, KYC is still often treated as a mandatory part of client onboarding: collect identification documents, establish the UBO, screen sanctions lists, and close the file. That approach does not do justice to the structure and intent of anti-money laundering legislation. The law requires regulated institutions to apply a risk-based approach, looking not only at who the client is, but also at the purpose of the relationship, the nature of the services provided, the origin of funds, and the expected transaction profile. 

As a result, the focus of the investigation shifts. The question is no longer simply: “Who is this client?” but rather: “Does this client — with this structure, these activities, and these financial flows — fit within the organisation’s integrity and risk framework?” 

That requires analysis, interpretation, and periodic reassessment, not just document collection.

 

The Foundation: AML, CDD, and KYC 

AML is the broader anti-money laundering framework. KYC sits within that framework as the process of “knowing your customer,” while CDD — customer due diligence — is the practical investigation through which that process is carried out. In the Netherlands, this is legally embedded in anti-money laundering legislation. Regulated entities are required, among other things, to identify and verify clients, establish ultimate beneficial owners, understand the purpose and intended nature of the business relationship, monitor transactions, and report unusual transactions. 

On paper, that may sound straightforward. In practice, however, the real investigation often only begins once the structure behind the client turns out to be more complex than initially visible. Behind a corporate entity may sit foreign holding companies, foundations, nominee arrangements, trusts, or UBOs that are only indirectly visible. It is precisely in these types of files that AML and KYC reveal themselves as more than administrative processes and become investigative disciplines in their own right. 

 

KYC Beyond Regulated Sectors: The Shifted Compliance Pressure from Banks 

The importance of KYC is not always fully recognised by non-regulated businesses. In international trade especially, there is still sometimes an assumption that KYC is primarily a matter for banks, payment service providers, and other regulated institutions. Formally, that distinction may be correct, but in practice the reality has changed significantly. Banks are held accountable for the risks within their own portfolios, and they increasingly shift part of that compliance pressure onto their clients.

As a result, even non-regulated companies are increasingly confronted with questions about their customer base, trade flows, UBO structures, source of funds, involved jurisdictions, and internal controls. This is particularly visible in internationally operating trading companies, import-export structures, and businesses with complex supply chains. In those cases, banks may request additional information or expect the company itself to have implemented at least a basic compliance or KYC framework. 

For many organisations, the urgency only becomes real once the bank starts asking difficult questions and signals that the existing documentation is insufficient. At that point, KYC shifts from an abstract compliance topic to an operational issue with immediate consequences. Banks may impose additional requirements, insist on the implementation of a compliance framework, apply stricter transaction monitoring, or in the most severe cases put the relationship under pressure through de-risking or offboarding. 

That is precisely why non-regulated businesses should not wait until a bank forces the issue, but should proactively consider how they assess and document their customers, trade flows, and counterparties. 

 

Source Selection: Data Providers Versus Local Registers

An important — but often underestimated — aspect of AML and KYC investigations is the question of where client information originates. In practice, many organisations rely on international commercial data providers such as Dun & Bradstreet or Bureau van Dijk/Moody’s because they offer fast, scalable, and user-friendly access to information on companies, shareholder structures, and group relationships. Especially in international investigations, these tools are valuable because they consolidate data from multiple jurisdictions into one environment. 

At the same time, there is an important consideration here. In many cases, these databases are derived from underlying primary sources such as local trade registers, publication registers, or other official records. This means there may be a delay between a change in the local register and its appearance in a commercial database. That difference can become highly relevant in cases involving changes in management, ownership structures, registered offices, or ultimate beneficial ownership. 

For institutions with a higher risk appetite, relying on a data provider may be a defensible choice. This is especially true in low-risk and large-scale onboarding environments with many new clients. In these cases, speed, scalability, and operational efficiency often carry significant weight. However, as risk levels increase, organisations should rely more on primary sources. These sources include local trade registers or other official registries in the relevant jurisdiction. Those sources often contain the most current and legally authoritative information, even if they are less user-friendly to access. 

The core question is not whether data providers are “good” or “bad.” The key issue is whether the chosen source fits the client’s risk profile and the organisation’s risk appetite. In low-risk processes, relying on a reliable data provider may be entirely proportionate. In complex, international, or high-risk files, additional verification is often advisable. In some cases, it may even be necessary to verify commercial data against local registers or other primary documentation.

 

From Identification to Risk Assessment 

A proper AML or KYC investigation does not consist of a single action, but of a sequence of investigative steps. First, the client is identified and verified. After that, the organisation assesses who acts on behalf of the client, who the ultimate beneficial owners are, whether PEPs, sanctions risks, or heightened geographical risks are involved, and how the services are expected to be used. 

Ultimately, this results in a risk assessment. Not every client requires the same level of scrutiny. A local company with a straightforward structure and predictable activities presents a very different profile from an internationally active group with layered ownership structures, cross-border financial flows, and exposure to high-risk jurisdictions. That is precisely why AML and KYC operate on a risk-based approach: the higher the risk, the deeper the investigation and the stronger the justification required. 

In practice, however, the question from clients or internal stakeholders rarely stops there. They do not only want to know whether a party should be classified as green, orange, or red; they primarily want to understand what that classification means for the business decision itself. In other words: can — or should — we still do business with this party? That is an understandable question, but not a purely technical exercise. 

A risk classification is not an automatic go/no-go decision. It forms the basis for a broader assessment in which compliance, business teams, legal, and sometimes senior management must determine whether a risk is acceptable, under what conditions, and which mitigating measures may be required.

This is often where a strong KYC investigation provides its greatest value. Not merely by identifying elevated risks, but by helping organisations understand the practical consequences. In some cases, this may lead to enhanced monitoring, additional documentation, or stricter contractual safeguards. In others, the conclusion may be that the relationship falls outside the organisation’s risk appetite or creates too much pressure on its banking relationships, licences, or reputation to proceed responsibly.

 

Ongoing Monitoring and Transactions 

One of the biggest misconceptions in KYC is that the process ends after onboarding. In reality, that is only the beginning of the second phase. Anti-money laundering legislation requires organisations to continuously monitor both the business relationship and transactions against the profile established during onboarding. If a client suddenly begins operating in different jurisdictions, processing unusual transaction volumes, or carrying out activities inconsistent with its known business profile, that should trigger reassessment.

Within AML and KYC investigations, sanctions screening now deserves particular attention. Due to current geopolitical tensions and armed conflicts, sanctions regimes are changing more rapidly, sanctions lists are updated more frequently, and attention to circumvention structures involving third countries, intermediaries, and complex trade chains has increased significantly. As a result, it is no longer sufficient to perform a one-time sanctions screening during onboarding. Particularly where international clients, trade flows, or payments involving high-risk jurisdictions are concerned, organisations must remain continuously alert to changes involving counterparties, countries, goods flows, and ultimate beneficial ownership.

Sanctions screening therefore extends beyond the question of whether a name appears on a sanctions list. Increasingly, the issue is whether transactions, counterparties, or structures indicate an elevated risk of sanctions evasion. In sectors involving international trade, logistics, commodities, or complex supply chains, this can have major implications for both transaction assessments and overall client acceptance.

That makes AML and KYC investigations inherently dynamic. New directors, changes in ownership structures, amended sanctions regimes, or adverse media can all justify reopening a file. A client initially classified as low risk may present a completely different profile a year later.

At that point, client due diligence begins to overlap with transaction monitoring and, in some cases, reporting obligations. Where irregularities cannot be adequately explained, or where transactions qualify as unusual, the investigation may shift from routine compliance management into a more in-depth integrity or AML investigation.

 

Common Challenges in Practice

In many organisations, the greatest challenge lies not in the rules themselves, but in their execution. Files are incomplete, information from different systems does not align, commercial pressure conflicts with compliance requirements, and periodic reviews are postponed. Clients themselves frequently experience questions about source of wealth, ownership structures, or foreign entities as burdensome or difficult to understand. This is especially true when additional information is requested repeatedly.

Another recurring issue is that KYC is sometimes designed too much as an administrative process. As a result, the investigation deteriorates into document collection, while the real value should lie in the analysis itself. A file is only truly robust if it demonstrates not merely that documents are present, but also why a client was considered acceptable or unacceptable and how that conclusion aligns with the identified risks. 

Source usage also plays an important role here. Organisations that rely blindly on a single data provider or screening tool risk incorporating outdated or incomplete information into their files. Particularly in international investigations, the difference between a commercial database and a local register may determine whether a file remains sufficiently current and reliable.

The Role of Compliance, Business, and External Parties 

AML and KYC investigations are not owned exclusively by compliance departments. The business understands the client, sales teams and relationship managers often identify irregularities first, compliance establishes the framework and second-line controls, and onboarding or operations teams process and verify documentation. 

In complex investigations, organisations increasingly rely on external data providers, screening tools, legal specialists, and investigative firms. This is particularly common in cases involving international structures, sanctions risks, or escalations surrounding account closures.

Because AML and KYC continue throughout the entire client relationship, collaboration is essential. A strong file is not created through one successful onboarding exercise, but through consistent documentation, periodic reassessment, and timely escalation whenever signals no longer fit the client profile. That applies not only to regulated institutions, but increasingly also to companies confronted with indirect compliance pressure from banks, financiers, or commercial partners.

 

Conclusion and Looking Ahead: From Client Investigations to Compliance Audits

In many ways, AML and KYC investigations represent the operational day-to-day equivalent of the due diligence and integrity investigations discussed earlier in this series. At their core, they revolve around the same fundamental question: who are we doing business with, and what risks does that create? The objective is to prevent the organisation from becoming part of a larger integrity issue.

Where due diligence often focuses on a one-time decision-making moment, AML and KYC are about continuous vigilance. This places AML and KYC at the intersection of prevention and detection: from client acceptance to transaction monitoring, from file management to potential reporting obligations, and sometimes ultimately to more in-depth internal investigations. 

In the next — and final — article in this series, the focus shifts to compliance audits. AML and KYC investigations focus on individual clients, files, and transactions. Compliance audits assess the design, operation, and effectiveness of the overall compliance framework. That final article therefore forms the logical conclusion of this series: from incidents and files to systems and control. 

 

Invitation to Consult

If this article has raised questions or topics you would like to discuss further, we welcome you to reach out. If you have a specific case you would like to explore, we are happy to arrange an informal introductory conversation. Our contact details can be found on our website.

Next Article

In the next article, we examine an uncomfortable truth: Internal Audit versus Business. Why audit teams are so often seen as a brake on progress — and how to change that. 

 

Get in touch

Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com

Boy Custers | +31649935735 | boy.custers@compliancechamps.com


The Three Biggest Blind Spots in AML/CFT Audits (and How They Can Ruin Your Organisation)

Introduction: Why Your AML/CFT Audit May Fall Short 

The AML/CFT audit is complete. The report looks good. Compliance has finished its annual reviews, and collectively the conclusion is: we’re in control. 

And yet… several clients turn out to be part of a money laundering network worth hundreds of millions of euros. Your monitoring tool missed transactions that a competitor did flag. An employee has been approving PEP transactions for years without any enhanced due diligence measures in place. 

How is that possible? 

In practice, AML/CFT audits are frequently vulnerable to a number of fundamental blind spots: organizational culture, human behaviour under pressure, and the way data is used and interpreted. 

In this article we unpack: 

  • Blind spot 1 – Culture: Why a “compliance tick-box culture” masks real risk. 
  • Blind spot 2 – People: The psychology behind ignoring red flags. 
  • Blind spot 3 – Data: Why your monitoring tools miss more than they catch. 

 

Blind Spot 1: The “Compliance Tick-Box Culture” – Why Your Organization Thinks It’s Compliant When It Isn’t 

In many organizations, AML/CFT compliance has gradually shifted from a risk-driven discipline to an administrative process. What was once designed to make risks visible and manageable has in practice often been reduced to following steps and ticking checklists. Employees do what is asked of them but rarely pause to consider what it means — for risks, for the organization, or for overall effectiveness. The result? 

  • Reports full of confirmations that processes exist and have been implemented, but with little concrete evidence that they work. 
  • Audits that focus on the “easy” components (such as client onboarding and policy checks), while complex risks (such as transaction monitoring and culture) are ignored. 
  • A false sense of security: “We’re compliant because we follow the rules.” 

Real-world example:

In 2025, de Volksbank was fined €20 million by the DNB because their compliance system was not up to date and risks were not being effectively mitigated. The problem? The bank had processes in place, but they were never critically assessed for effectiveness. Employees followed the rules but didn’t understand why — and so they missed signals that pointed to potential money laundering.

 

Why is this a blind spot?

Culture determines the depth of compliance

In organizations where compliance is seen as an obligation, a minimal approach quickly takes hold: “do just enough to get through the check.” Employees follow processes but don’t feel responsible for the underlying goal. Identifying risks requires curiosity, ownership, and often courage. When those elements are absent, deviations go unnoticed — not because they don’t exist, but because no one is actively looking, raising concerns, or speaking up. 

No personal accountability

When compliance is positioned as a separate department, an implicit divide emerges: “they handle the rules, we handle the business.” In theory, everyone remains responsible, but in practice that accountability erodes. Risk management becomes something you can pass along rather than something that is an integral part of daily work. The result is that signals get lost between teams or simply aren’t acted on because no one truly feels ownership. 

Fear of conflict

Asking critical questions about clients, transactions, or internal processes requires space and psychological safety. In many organizations, employees feel that space is limited. Those who push back or ask questions are sometimes seen as difficult, as causing delays, or as “not commercial enough.” In high-pressure environments with a strong focus on targets, this effect can be amplified. The rational choice then becomes to stay within the lines and avoid discussion — even when there is doubt.

How to address this: 

✔ Make compliance everyone’s responsibility: Explain why rules exist and why they matter to the organization (e.g. “This prevents us from being used for money laundering”) and what each person’s role should be. In your next audit, examine the sense of accountability across different teams.

✔ Create a compliance KPI: Encourage employees to report red flags, even when it’s uncomfortable. Compliance training is essential to help them recognize those flags. As an auditor, it is also important to investigate how compliance is incentivized.

✔ Test the culture: Run anonymous employee surveys: Do employees feel comfortable voicing criticism? Do they feel safe reporting irregularities?

✔ Let senior management set the tone: If management ignores compliance, the rest will too. As an auditor, be willing to address the impact of management’s tone. 

 

Blind Spot 2: Human Behavior – The Psychology Behind Ignoring Red Flags

We are not rational — including in compliance. Even if systems and processes are perfect, people make mistakes. And those mistakes are often caused by psychological pitfalls: 

 

| Psychological Bias | How It Works | Example |
| --- | --- | --- |
| Confirmation bias | We seek information that confirms our existing beliefs. | An auditor sees that a client looks fine “on paper” and ignores signals that suggest otherwise. |
| Overconfidence bias | We overestimate our own ability to recognise risks. | “We know our clients, so we know which transactions are safe.” |
| Groupthink | Group pressure suppresses dissenting opinions. | A team ignores a red flag because “everyone agrees there’s no risk here.” |
| Alert fatigue | Too many false alarms lead to all signals being ignored. | Employees automatically click “safe” because 99% of alerts turn out to be nothing. |
| Authority bias | We blindly trust authority figures (e.g. senior management). | An employee doubts a transaction but does nothing because the manager says: “This is fine.” |

This vulnerability — these biases — doesn’t reside in systems or procedures, but in human behavior. And that is precisely what makes it so persistent. 

People are not machines

Even the most experienced auditors and compliance officers are constantly making judgements based on incomplete information. Unconscious assumptions and cognitive biases play a larger role than is often acknowledged — think of confirmation bias, but also “normalization of deviance” (deviations that occur often enough start to feel normal). In an audit context, this means signals that don’t immediately fit the expected pattern are more likely to be filtered out or rationalized away. 

Culture amplifies biases

This natural tendency is reinforced by the environment in which people work. Culture — the first blind spot — is a key factor here. In organizations where mistakes are primarily seen as something to be punished, hesitancy sets in. Employees become more cautious about asking critical questions or escalating uncertain cases. Not because they don’t see the risks, but because the personal or organizational cost of “being difficult” feels higher than the potential benefit. The result is that risks may be noticed but not always voiced. 

Pressure to deliver results

On top of this, incentives within organizations are not always aligned with risk management. When speed, commercial targets, or customer satisfaction carry more weight in assessments and rewards, tension arises. Employees who are evaluated on throughput times or volumes will — consciously or unconsciously — tend to be less rigorous in their assessments. Not necessarily out of bad intent, but because the system nudges them in that direction. A compliance KPI could help to rebalance this.

Together, these factors create an environment where risks don’t necessarily disappear but do become less visible. And that makes this one of the most insidious blind spots: everyone is doing their job, and yet a structural underestimation of what is really happening emerges. 

 

How to address this: 

✔ Train on behavior, not just rules: Teach employees to think critically and challenge assumptions. When auditing, review training materials with this theme in mind.

✔ Use red teaming: Have a team deliberately try to circumvent your systems. What works? Where do they hit obstacles? As an auditor, explore how an organization can guard against biases.

✔ Reward reporting mistakes: Build a culture where reporting errors is rewarded, not punished. This is always worth probing in interviews and walkthroughs.

✔ Automate where possible: Replace human judgement with objective criteria where feasible (e.g. “If a transaction has characteristics X, Y, and Z, always escalate”).

✔ Measure the quality of decisions: Analyze retrospectively how often human assessments were wrong and learn from them. 

 

Question for you:

What psychological pitfalls do you recognize in your own team? And how do you ensure that employees feel comfortable expressing their doubts?

 

Blind Spot 3: Data – Why Your Monitoring Tools Miss More Than They Find

Organizations rely on sophisticated monitoring tools to detect suspicious transactions. But what if those tools are not calibrated to the actual risks of your organization? Or if the data fed into the system is incomplete, outdated, or even misinterpreted? 

Real-world examples:

  • Bunq (Dutch neobank) was fined €2.6 million by the DNB in 2025 because their AML controls repeatedly fell short. One of the problems: monitoring tools missed patterns that were suspicious because they had not been calibrated to the specific risks of a fintech.
  • De Volksbank was unable to properly monitor customer activity between 2020 and 2023 because their systems did not keep pace with new money laundering methods (for example, structuring via small amounts).

On paper, data-driven monitoring appears to be one of the strongest lines of defense in AML/CFT. In practice, this is precisely where a fundamental vulnerability lies — not because there is too little data, but because the way we use that data has limitations that are often underestimated. 

 

False Negatives

A first problem lies in what is not seen: so-called false negatives. Monitoring tools are by definition based on models, scenarios, and historical patterns. They recognize what has previously been identified as a risk. But money laundering and fraud evolve constantly. New methods often fall outside existing parameters and therefore remain invisible. The system generates no alert, even though something is genuinely happening. And because “no alert” is often interpreted as “no risk,” a dangerous form of false assurance emerges. 

False Positives

On the other side is the opposite problem: false positives. Many systems generate large volumes of alerts, a considerable portion of which ultimately prove irrelevant. This creates an operational reality where employees must assess enormous volumes daily. Inevitably, alert fatigue sets in. Signals that were initially investigated carefully are increasingly dismissed as “probably nothing again.” Not out of negligence, but out of efficiency. The risk is clear: the one genuine signal can get lost in the noise. 

Data Silos

On top of this, data rarely forms a coherent whole. In many organizations, information is spread across different systems: client data in one platform, transaction data in another, risk assessments somewhere else. These silos make it difficult to connect the dots. A transaction may appear harmless on its own, as may a client profile. But in combination — across time and systems — a pattern may well become visible. If those puzzle pieces never come together, the bigger picture remains hidden. 

 

How to address this: 

✔ Validate your data: Ensure your monitoring tools detect the risks that are relevant to your organization. Test regularly with realistic scenarios. In an audit, dig deeper into how the rules (and their associated scenarios) were developed.

✔ Combine humans and machines: AI and data analysis are powerful, but human judgement is needed to add context (e.g. “This director is a PEP, but their assets are unrelated to the client organization”).

✔ Monitor effectiveness: Measure how many real risks your tool identifies and how many it misses. As an auditor, examine the monitoring tool’s statistics.

✔ Integrate data: Ensure that client data, transaction data, and risk data are connected, so that patterns can surface. Include data types in your audit scope.
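The False Negatives, Data Silos and "Monitor effectiveness" points above can be made concrete with a small test harness. The following is an added example, not code from this article or from any monitoring product: it joins a constructed KYC-profile silo with a constructed transaction silo, compares a per-transaction threshold rule with a profile-aware rolling-window rule, and scores both against constructed investigation outcomes. All client IDs, amounts, labels and thresholds are assumptions.

```python
"""Added example: per-transaction rule vs. profile-aware rule over joined silos.
All client IDs, amounts, labels and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import date

# Silo 1 (constructed): KYC profile with expected monthly cash deposits in EUR.
CLIENTS = {
    "C1": {"expected_monthly_cash": 5_000},
    "C2": {"expected_monthly_cash": 40_000},
    "C3": {"expected_monthly_cash": 3_000},
    "C4": {"expected_monthly_cash": 2_000},
}

# Silo 2 (constructed): cash deposits as (client_id, booking date, amount in EUR).
TRANSACTIONS = [
    ("C1", date(2026, 3, 2), 9_000), ("C1", date(2026, 3, 3), 9_000),
    ("C1", date(2026, 3, 4), 9_000), ("C1", date(2026, 3, 5), 9_000),
    ("C1", date(2026, 3, 6), 9_000),      # small amounts, each below the threshold
    ("C2", date(2026, 3, 4), 12_000),     # large, but consistent with the profile
    ("C3", date(2026, 3, 9), 15_000),     # large and far outside the profile
    ("C4", date(2026, 3, 1), 400), ("C4", date(2026, 3, 20), 500),
    ("C9", date(2026, 3, 7), 700),        # no KYC profile exists: silo mismatch
]

# Constructed retrospective outcomes of investigations, used to score the rules.
CONFIRMED_SUSPICIOUS = {"C1", "C3"}

SINGLE_TX_THRESHOLD = 10_000  # assumption: fixed per-transaction alert threshold
WINDOW_DAYS = 7               # assumption: rolling look-back window
PROFILE_MULTIPLIER = 3        # assumption: tolerated deviation from the profile


def flag_single_tx(transactions, threshold=SINGLE_TX_THRESHOLD):
    """Rule A: flag a client when any single deposit reaches the threshold."""
    return {cid for cid, _, amount in transactions if amount >= threshold}


def max_window_total(dated_amounts, window_days=WINDOW_DAYS):
    """Largest sum of deposits that fall inside any window of `window_days` days."""
    items = sorted(dated_amounts)
    best = total = start = 0
    for day, amount in items:
        total += amount
        # Drop deposits that are too old to share a window with `day`.
        while (day - items[start][0]).days >= window_days:
            total -= items[start][1]
            start += 1
        best = max(best, total)
    return best


def flag_profile_deviation(clients, transactions,
                           window_days=WINDOW_DAYS, multiplier=PROFILE_MULTIPLIER):
    """Rule B: join both silos and flag clients whose windowed deposits exceed
    `multiplier` times the pro-rated expected volume. Clients that have
    transactions but no profile are returned separately, never silently dropped."""
    per_client = defaultdict(list)
    for cid, day, amount in transactions:
        per_client[cid].append((day, amount))
    flagged, unmatched = set(), set()
    for cid, rows in per_client.items():
        profile = clients.get(cid)
        if profile is None:
            unmatched.add(cid)
            continue
        allowed = multiplier * profile["expected_monthly_cash"] * window_days / 30
        if max_window_total(rows, window_days) > allowed:
            flagged.add(cid)
    return flagged, unmatched


def effectiveness(flagged, confirmed):
    """Score a rule against confirmed cases: what it caught and what it missed."""
    tp = len(flagged & confirmed)
    fp = len(flagged - confirmed)
    fn = len(confirmed - flagged)
    return {
        "true_positives": tp, "false_positives": fp, "false_negatives": fn,
        "precision": tp / (tp + fp) if tp + fp else None,
        "recall": tp / (tp + fn) if tp + fn else None,
    }


if __name__ == "__main__":
    rule_a = flag_single_tx(TRANSACTIONS)
    rule_b, unmatched = flag_profile_deviation(CLIENTS, TRANSACTIONS)
    print("Rule A:", sorted(rule_a), effectiveness(rule_a, CONFIRMED_SUSPICIOUS))
    print("Rule B:", sorted(rule_b), effectiveness(rule_b, CONFIRMED_SUSPICIOUS))
    print("Transactions without a KYC profile:", sorted(unmatched))
```

Recall can only be computed against cases confirmed by other means, so the labelled set itself deserves audit attention. Clients reported as unmatched are never scored by the profile rule and need their own follow-up.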

 

Conclusion: From Blind Spots to Clear Vision

The three blind spots — culture, human behavior, and data — do not exist in isolation. They reinforce each other. An organization with a tick-box culture will be less critical about the effectiveness of its monitoring. People under pressure or driven by speed will be quicker to trust systems without questioning them. And systems that don’t work effectively but are still used in turn feed the conviction that “everything is under control.” This creates a closed loop of false assurance.

The uncomfortable reality is that many audits do not break this dynamic. They confirm that processes exist, that controls have been performed, and that reporting is accurate. But they rarely ask the sharp question: Does this system actually work when it really matters? 

An effective AML/CFT audit therefore looks not only at what has been set up, but above all at how it functions in practice — under pressure, when in doubt, and at the moments when it counts. That demands something different from auditors: 

  • Not just testing, but asking deeper questions 
  • Not just checking, but understanding 
  • Not just reporting, but also confronting 

Because ultimately the difference does not lie in even better policies or even more data. It lies in the willingness to see what you’d rather not see. The question, therefore, is not whether your organization has blind spots. 

 The question is: do you dare to truly make them visible? 

If you ignore these blind spots, you remain reactive rather than proactive. Your organization is not badly protected — but it is vulnerable in places where you least expect it. The 20% that truly makes an impact understands that a good AML/CFT audit is not about ticking regulatory boxes, but about exposing vulnerabilities before they can be exploited. 

 

Invitation to Consult

If this article has raised questions or prompted topics you would like to discuss further — or if you have a specific case you would like to explore — we welcome you to reach out for an informal introductory conversation. Our contact details can be found on our website.

 


Pump.fun and the normalisation of Market Manipulation

Introduction

Platforms such as Pump.fun are attracting growing attention from regulators and politicians. They are often presented as a new danger in crypto. In reality, they mainly expose a much older problem: an online culture where speculation, hype, and influence increasingly blur the line between investing and manipulation. 

I saw that culture from the inside. I joined Telegram groups to find coins early, because that seemed to be where the real money was made. Returns of 20x or even 200x felt possible if you entered early enough. Groups reinforced this constantly through screenshots of huge gains and the suggestion that the next opportunity was always close. 

That created a permanent sense of urgency. Not participating did not feel cautious. It felt like missing out. 

How the System Works 

Inside these groups, pump and dump schemes were often organised in a simple pattern: a public group generated excitement, while a smaller inner circle got access to the coin first. By the time the larger group started buying, early participants were already preparing to sell. 

What stood out most was how normal this seemed. Many knew some people had an advantage, but few questioned it. It was simply accepted as part of the system. 

Over time, it stopped feeling like investing and started feeling like a game: fast, addictive, and constant. Gains and losses happened so quickly that the money barely felt real. When you win, your expectations rise. When you lose, you compare yourself not to where you started, but to your highest point. That creates the urge to win it back. 

That is where rational decision making begins to disappear. 

Why Pump.fun Matters

Pump.fun fits naturally into this environment. It did not invent pump and dump schemes, but it makes them easier, faster, and more visible. 

Creating a coin has become easy. Coins can be launched in minutes, traded instantly, tracked in real time, and promoted across social media. Speculation is no longer limited to niche communities. It has become part of the system itself.

The consequences go beyond financial loss. Many users believe they are investing when they are actually entering a system designed to reward early insiders. This can lead to financial harm, addictive behaviour, unrealistic expectations about money, distrust in markets, and greater risks for younger users. 

Regulation and Solutions 

Regulators are responding. The Authority for the Financial Markets classifies pump and dump schemes as market abuse and states that such practices are prohibited under European rules [1].

The Dutch government has also raised concerns about Pump.fun, particularly regarding young investors and the role of online influencers [2].

In the United Kingdom, the Financial Conduct Authority warned that Pump.fun is not authorised and that consumers should be cautious [3]. 

Simply banning or restricting a platform is rarely sufficient to address the underlying issue. When demand remains high, users often move elsewhere through private groups, new tools, or technical workarounds such as VPNs. Reports about Polymarket showed that some restricted users continued accessing the platform through VPNs, demonstrating how digital restrictions are often bypassed rather than respected [4]. 

Removing one platform does not remove the behaviour behind it. 

A more realistic response would combine enforcement, education, and prevention: detecting suspicious trading patterns, intervening faster, warning users inside apps, tightening influencer rules, and improving financial education for younger audiences. 

Conclusion 

The uncomfortable reality is that platforms like Pump.fun do more than enable speculation. They depend on it. As long as that remains profitable, they are unlikely to disappear. The real question is whether we are willing to accept a system in which speculation, hype, and unequal access are normalised, and in which the line between market participation and exploitation becomes increasingly difficult to see. 

 

Get in touch

Please reach out to us on: info@compliancechamps.com


 


[1] AFM. (n.d.). Pump and dump. Dutch Authority for the Financial Markets.

[2] Rijksoverheid. (2025). Answers to parliamentary questions about Pump.fun. Dutch Government.

[3] FCA. (2024). Warning: Pump.fun. Financial Conduct Authority.

[4] CoinDesk. (2024). Polymarket’s probe highlights challenges of blocking U.S. users and their VPNs.


Due Diligence and Reputation Research: Testing Integrity Before Saying ‘Yes’

In mergers, acquisitions, major client relationships, and investments—both domestic and international—the emphasis has traditionally been on financial and legal due diligence. Balance sheets are scrutinized, contracts are reviewed, and tax structures are analyzed. However, in practice, it often turns out that integrity issues, sanctions risks, and reputational damage, rather than numbers, are the true dealbreakers.

This article focuses on Integrity Due Diligence (IDD)—also known in international practice as Reputational Due Diligence. IDD does not replace legal, tax, or financial DD; rather, it serves as a complementary layer that answers a different question: “Do we actually want to be associated with this party?”

 

Why Financial and Legal DD Are Not Enough

Financial, tax, and legal DD are indispensable. They map out whether the figures are accurate, which contractual obligations exist, and which hard claims, securities, and tax risks are at play. Furthermore, regulators and legislators expect organizations to have their financial and legal houses in order.

At the same time, the bar is shifting. Sanctions regimes are becoming stricter, AML (Wwft/Wft) expectations are becoming more concrete, and media, NGOs, and regulators are looking more closely at ESG, human rights, and supply chain responsibility. Consequently, board members are increasingly told they “should have known” that a potential acquisition or key partner had integrity issues.

Additionally, reputational damage is difficult to repair. The traditional notion that legal, tax, and financial DD constitute “the” due diligence—and that integrity research is merely an optional add-on—no longer aligns with modern business realities.

The Blind Spot: In transactions, we often see a single total budget agreed upon for due diligence. This amount is usually consumed by standard components first. Anything outside of that is quickly dismissed as “nice-to-have” and is the first to be cut. This is precisely where blind spots are created.

 

The Foundation: Standard DD with IDD as a Complementary Layer

Modern due diligence has long evolved beyond the classic trio of financial, tax, and legal. While these remain the foundation—one cannot close a responsible deal without insight into figures and obligations—a whole generation of “supplementary” DD streams has emerged. Cyber and IT DD, technical DD, commercial and ESG DD, and sector-specific variants like environmental or regulatory DD are increasingly set up as separate workstreams.

In this article, we zoom in on Integrity Due Diligence (IDD). IDD is not a competing alternative to financial or legal DD, but a conscious broadening of scope. While traditional research focuses on the formal side of the enterprise, IDD looks at the behavior, integrity, and reputation of the organization and the people surrounding it.

This process combines:

  • Open Source Intelligence (OSINT): Registers, sanctions lists, court rulings, and regulatory sites.
  • Background Checks: Analyzing the track record of directors, UBOs (Ultimate Beneficial Owners), and key personnel.
  • Media Analysis: Reviewing NGO reports, social media, and international press.

The result is a cohesive picture that shows not only if the company is formally compliant, but whether you, as a buyer or investor, actually want to stand beside them.

 

Cross-Pollination Between Legal, Tax, Financial, and IDD

On paper, legal, tax, financial DD, and IDD complement each other perfectly. However, in practice, these streams often run too far apart, meaning important facts are not cross-referenced.

Consider an illustrative example: a standard question is whether directors or shareholders have ever been involved in a bankruptcy. In a legal Q&A, this question was answered in the negative. However, the IDD research—searching trade registers and media—revealed that one of the individuals had indeed been a director of a bankrupt company. This information was available in public sources. The discrepancy was only noticed by placing the legal Q&A answers alongside the OSINT findings from the IDD.

Similar cross-pollination is possible with financial and tax DD:

  • Public Annual Reports: Provide a high-level check on turnover, profit, and solvency to compare with data room figures.
  • Bankruptcy Reports & Litigation: Reveal past liabilities or seizures relevant to both legal and financial teams.
  • Tax Disputes & Fines: Visible in case law and news media, these can be reconciled with tax DD findings.

The goal is not to “replicate” a full financial DD using open sources, but to see if the internal image aligns with the public trail and identify where gaps or tensions exist. This requires a conscious “information bridge”: granting the IDD team access to relevant Q&A topics and systematically feeding IDD findings back to the legal, tax, and financial teams.

 

In-depth Anti-Corruption DD: Beyond the FCPA

For groups operating internationally with significant government contact or activities in high-risk countries, a generic IDD is sometimes insufficient. In these cases, it is supplemented by an explicit anti-corruption stream.

The FCPA (U.S. Foreign Corrupt Practices Act) is a well-known reference, but it is not the only one. The UK Bribery Act, France’s Sapin II law, and Brazil’s Clean Company Act all impose strict standards regarding bribery, anti-money laundering, and internal controls.

In practice, this translates into an in-depth DD track:

  1. Analyzing high-risk payments (gifts, hospitality, facilitation).
  2. Reviewing the role of agents and consultants.
  3. Evaluating approvals and monitoring in high-risk jurisdictions.

The aim is to assess whether the integrity and control levels align with the jurisdictions where the party is active and with the risk appetite of the buyer or financier.

 

The IDD Report as a “Living” Dossier

A high-quality IDD report has value throughout the entire lifecycle of a deal, not just at the moment of signing.

  • Phase 1: Supports the go/no-go decision.
  • Phase 2: Used for (re)financing with banks who conduct their own integrity checks.
  • Phase 3: Demonstrated to grant providers or funds to prove that integrity and sanctions risks have been carefully vetted.

Case Study: In a project involving a new data center, extensive screening was conducted on a party intended to be the center’s largest tenant. While the immediate goal was the client relationship, the investor looked further ahead: the real estate and client portfolio might be resold in the future. A robust IDD report serves as evidence for future buyers that risks were consciously accepted or mitigated, making the IDD a recurring building block in the asset’s documentation chain.

 

Red Flags and Risk Translation

IDD often produces a mix of hard facts, allegations, and “noise.” Not every negative report is a dealbreaker. The art lies in determining when a finding constitutes a true Red Flag.

Patterns of recurring corruption, involvement in sanctions evasion via dubious intermediaries, or repeated regulatory interventions point to structural integrity problems. Long-standing controversies regarding human rights or environmental issues in the supply chain also fall into this category.

The next step is always the same: translating fact into risk.

  • How old is the issue and how was it resolved?
  • Was it an isolated incident or a pattern?
  • What remediation measures have been taken since?
  • What does this mean for strategy, permits, and stakeholders?

This analysis determines whether to proceed, under what conditions, and with what additional safeguards.

 

Roles: Board, Compliance, and Researchers

A successful IDD requires clear responsibilities:

  • Board/M&A Teams: Define the risk appetite and make the final go/no-go decision.
  • Compliance & Legal: Translate that appetite into concrete research questions and reporting formats.
  • External Forensic Researchers: Conduct in-depth OSINT and reputational research, including anti-corruption tracks (FCPA/UKBA/Sapin II).
  • Financiers: Expect projects to be demonstrably tested against integrity, ESG, and governance standards.

 

Conclusion: From Deal DD to KYC

IDD is the “front end” of the same field where integrity investigations and whistleblower cases form the “back end.” What you do not sufficiently investigate before saying “yes,” you are likely to encounter later as an incident, investigation, or crisis.

In the next article in this series, we will shift the focus from one-time deal DD to daily practice: KYC (Know Your Customer) screening and CDD (Customer Due Diligence). We will explore how to translate the principles of IDD into ongoing monitoring, UBO verification, and PEP screening throughout the entire customer relationship.

 

Get in touch

Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com

Boy Custers | +31649935735 | boy.custers@compliancechamps.com

 


The 80/20 Gap: Why Most AML/CFT Audits Miss the Mark and How to Join the Effective Few

The Illusion of Compliance 

Imagine the following: Your organization has a seemingly perfect AML/CFT audit program. Everything is meticulously documented, reports are delivered on time, and the regulator leaves after the latest inspection with a reassuring verdict. On paper, everything is correct. 

And yet—one year later—a multi-million dollar fine follows. Or worse: your organization hits the headlines due to involvement in a money laundering scandal that went unnoticed for years. 

 

What went (likely) wrong?  

The uncomfortable truth is that it is rarely a lack of rules, processes, or even expertise. The problem lies in the fundamental approach. Our market observation shows that approximately 80% of audits rest, often unconsciously, on a false sense of security: they treat compliance as an administrative end goal rather than treating risk management as a continuous process. The result? Audit programs that revolve around checkmarks and tickets, but fail to detect real risks and deviant behavior.

In this article, we unravel: 

  • Why audits often remain superficial (and how to pierce through that surface). 
  • The three biggest pitfalls for audit teams. 
  • How to make the shift to the 20% of organizations that actually add value. 

 

1. False Security: “We Are Compliant”

In practice, an AML/CFT audit is still too often viewed as a mandatory “check-the-box” exercise. This mindset leads to audits that primarily prove that processes exist, but not whether they hold up under pressure. 

Reports are filled with confirmations that policies are in place, controls are set up, and procedures are followed. But the question that is rarely truly answered is: does it actually work in practice? Furthermore, audits often focus on the “low-hanging fruit,” such as the administrative completeness of customer onboarding. More complex subjects—such as the effectiveness of advanced transaction monitoring or the integrity of decision-making regarding abnormal behavioral patterns—often remain underexposed. 

The 20% who make an impact shift the focus from process compliance to effectiveness compliance. An effective program is not about checking off rules; it’s about exposing vulnerabilities before a criminal finds them. 

 

2. The Three Biggest Pitfalls in AML/CFT Audits

I. Tunnel Vision: Looking at What You Already Know

Auditors often focus on known risks and existing checklists. This provides a sense of security but creates significant blind spots. New threats—such as complex fraud structures, crypto-related risks, or advanced laundering methods—remain out of sight. When an audit concludes with “no significant findings,” it is often not a sign that everything is in order, but a signal that the audit did not look deep enough. 

 

How to tackle this:

  • Steer toward ‘Event-driven’ scopes: Stop auditing just “because it’s on the annual plan.” Focus on areas where the market or the organization is changing (e.g., new product-market combinations). 
  • Use technology as a mirror: Use data analytics to discover patterns that manual sampling misses, but remain critical of data quality. 
  • Broaden the perspective: Involve external specialists (e.g., SIRA or sanctions experts) to challenge your own assumptions.

 

II. Paper Compliance: The Gap Between Policy and Practice

Many organizations have excellently documented processes. On paper, it all adds up. But in practice, deviations occur. Employees skip steps because processes are too cumbersome; monitoring tools generate so many alerts that real signals get lost in the noise; training is completed but does not lead to a change in behavior. 

How to tackle this: 

  • Mystery Shopping / Walk-through tests: Test the process by guiding a fictitious, high-risk customer through onboarding. How easily do they slip through? 
  • Measure ‘Output Quality’: Don’t just look at whether an alert was handled, but whether the handling actually mitigated the risk. 
  • Feasibility Check: If a rule is not followed, the employee is often not the problem—the process is. Dare to name this. 

 

III. The “Audit as End Point” Pitfall 

An audit report is delivered, discussed, and then filed away. Recommendations fade into the background, follow-up is lacking, and the organization returns to business as usual. In such an environment, audit is seen as a control mechanism rather than an improvement tool. 

How to tackle this: 

  • Make audit findings SMART: Specific, Measurable, Achievable, Relevant, and Time-bound. 
  • Involve the business in the solution: Let those who execute the process help think of improvements. Additionally, appoint someone responsible for the solution. 
  • Communicate results: Show that audit is not just about “checking” but also about adding value. 

 

3. How to Reach the 20%: Practical Steps for an Effective Audit 

Step 1: Prioritize Impact, Not Completeness

Not every risk deserves the same attention. Effective audit teams make sharp choices. They focus on the areas where probability and impact are highest: high-risk customers, complex or abnormal transactions, and behavior within the organization that puts rules under pressure. This requires daring to abandon standard checklists.

Step 2: Use Data to Discover Blind Spots

Many audits confirm what is already known. The real value lies in discovering blind spots. By actively using data analysis, patterns can become visible that otherwise remain hidden—such as unusual transaction flows or structural exceptions in processes.

Step 3: Make Audit a Continuous Process, Not a One-time Check

Risks change constantly, but audits often only take place periodically. By continuously monitoring critical processes and conducting shorter, thematic ‘deep dives,’ audit becomes an integral part of risk management rather than an annual exam.

  • Tip: Create an ‘audit roadmap’ with priorities and deadlines, and communicate this to management.

Step 4: Measure the Impact of Your Audit

Ultimately, it is not about delivering reports, but about realizing improvement. Ask: Are risks identified faster? Do signals lead to action? Does behavior within the organization actually change?

 

4. Conclusion: From Superficiality to True Risk Awareness 

In this approach, audit shifts from a monitoring function to a strategic partner in risk management. Most AML/CFT audits fail because they only check boxes, focus on paper rather than behavior, and result in no action being taken. 

The solution? An audit program that: 

  • Truly exposes risks (not just checking if they are “documented”). 
  • Uses technology and data to find blind spots. 
  • Stimulates business engagement and enforces action. 

 

Invitation for Consultation 

We can imagine that after reading this article, you may have questions or wish to exchange thoughts on specific topics or a concrete case. We invite you to contact us without obligation. Our contact details can be found on our website. 

Preview of the Next Article:

In the next article, we dive deeper into the three biggest ‘blind spots’ that even the sharpest AML/CFT auditor can overlook: culture, data, and human behavior. How is it that organizations think they are compliant while criminals find their greatest opportunities right here? Prepare for an honest check: which blind spot do you recognize in your team? 

Get in touch

Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com

Boy Custers | +31649935735 | boy.custers@compliancechamps.com

 


AML/CFT Internal Audits: The Invisible Battle

 

AML/CFT internal audit is more critical than ever. Not because the regulator says so, but because the cost of failure has become unbearable. Massive fines, ruined reputations, and intrusive supervisors are no longer just “risks”—they are realities. 

And yet, it’s striking how conversations about AML/CFT audits always seem to get stuck in… theory. Regulatory frameworks. Best practices. Core principles everyone already knows. It’s safe. It’s correct. And frankly: it’s meaningless.

In the real world, things rarely fall apart because someone didn’t know the rules. Things fall apart because audits aren’t sharp enough. Because risks are overlooked. Because no one dares to ask the uncomfortable questions. 

That is exactly what this series is about. Not how it should work on paper, but where it actually goes wrong in the trenches.

Behind many audit reports lies a hidden reality: organizations that look “compliant” but are structurally missing the mark. Audits that neatly check every box while completely ignoring what actually matters.

Over the coming weeks, we will expose this reality in our series:
“AML/CFT Internal Audits – The Invisible Battle” 

No dry theory. No standard corporate talk. Just the patterns we see time and again that determine whether an audit adds value… or merely creates a false sense of security. 

 

We’re kicking off with four topics that will likely feel painfully familiar: 

  1. Why 80% of AML/CFT audits fail (and how to be part of the 20%):
    On the illusion of compliance—and why “good on paper” is often dangerous.
  2. The 3 Biggest Blind Spots in AML/CFT Audits:
    Culture, data, and human behavior—the risks your audit report rarely captures.
  3. The Uncomfortable Truth: Internal Audit vs. The Business:
    What happens when critical findings collide with commercial reality? Who really wins?
  4. AML/CFT Audits in 2026: Why the old ways are dead:
    New forms of financial crime—and audits that simply aren’t equipped to fight them.

And after that?

We go even deeper. We’ll dive into the hidden consequences no one prepares for, the behind-the-scenes forces that influence audit outcomes, and why solid findings often lead to zero action. 

This series is for everyone in the AML/CFT space who dares to ask: 

“Are we doing the right thing… or just what’s expected of us?” 

Follow the series and start by asking yourself that very question. 

 

 

What’s next in this series

In the next article, we analyze the three biggest blind spots in AML/CFT audits and why risks are consistently overlooked in these areas.

Get in touch

Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com

Boy Custers | +31649935735 | boy.custers@compliancechamps.com

 
