The Landscape of Compliance Investigations: Employment Law Investigations: The Investigative and Legal Side

Employment law investigations after suspicions of misconduct in the workplace: how do you approach them, what sanctions do you apply?

By Dennis van der Meer and Lydia Milders (employment lawyer)

Introduction

You suspect that your employee is sharing confidential company data with third parties or is competing unlawfully – what are the investigative options? And what disciplinary measures do you take prior to, during, and after the investigation?

Employment law investigations form the link between compliance signals about misconduct in the workplace and concrete personnel measures. A report about unauthorized side activities, theft of confidential information, or transgressive behavior ultimately leads to the question: which sanction is appropriate, and does it hold up in a procedure? 

In this fifth article in our series Compliance Investigations, we describe how these investigations proceed in practice. Dennis van der Meer highlights the forensic and factual side, while Lydia Milders (Milders law) sets out the legal frameworks and pitfalls. Together, we provide as complete a picture as possible of what HR, compliance, and management must know to allow an employment law investigation to proceed successfully – and which disciplinary measures can be applied. 

From signal to employment law investigation

Employment law investigations often start as a logical follow-up to earlier reports: a manager who passes information to competitors, an integrity signal about unauthorized side activities, or a finding that an employee has copied customer data. As soon as the facts are sufficiently concrete, the focus shifts to the individual employee and the employment law consequences. 

That transition is not self-evident. A trade-off must be made: is there enough to investigate further, and if so, how deep do you dig? In this regard, two central tensions play a role: 

Proportionality versus depth

The investigation must be firm enough to support a possible sanction – from warning to dismissal. But it may not go further than necessary. An overly invasive investigation can be deemed disproportionate, certainly if it appears afterwards that the suspicion was unfounded. The art is to align the investigative means with the seriousness of the suspicion.

Speed versus diligence

In the case of serious suspicions – for example, of fraud or theft – you want to act quickly to prevent further damage. At the same time, the investigation must be diligent: the employee must be heard, findings must be recorded, and the file must withstand scrutiny by the judge. Those who move too quickly risk an incomplete file; those who wait too long can be blamed for not having intervened adequately.

And the GDPR? Employment law investigations by definition process personal data, so GDPR-awareness is required. In employment law practice, however, this rarely forms an obstacle. Below we go further into that. 

The end result of the investigation must in any case be resistant to legal testing. That means: a clear file, a traceable investigation process, and findings that hold up in a possible procedure at the Subdistrict Court (kantonrechter).

Three typical scenarios

Employment law investigations often revolve around concrete behaviors that damage the employment relationship. Three common situations: 

Scenario 1: Unauthorized sharing of company secrets and competition-sensitive information

A sales manager is suspected of funneling confidential customer data and pricing information to a new employer. The investigation focuses on the use of a personal device for work mail, downloads of CRM data, correspondence with external parties, and possible side activities.

Scenario 2: Dereliction of duty through side activities

A controller runs, alongside his employment, his own consultancy firm in the same industry and advises customers who also work for the employer. It is investigated whether the side position was reported, whether working hours were used for private purposes, whether there is overlap with the customer base, and whether confidential information was leaked. 

Scenario 3: Transgressive behavior

Reports about inappropriate remarks, abuse of power, or (sexually) intimidating behavior from a manager toward juniors. Here, the investigation revolves around patterns: are there multiple reporters, WhatsApp groups, witness statements, and HR interviews? 

In all these scenarios, privacy questions also play a role. The legal framework for that is addressed further on. 

The forensic approach in employment law investigations

Financial investigation and data analysis

In breach of trust cases, investigators check expense claims, travel and accommodation costs, and use of company resources. Data analysis detects unusual patterns in hour registration or claims that point to side activities. 

Digital forensic investigation

Mail traffic, chat history, CRM access, and device use are secured. In employment law investigations, forensic imaging of work devices is often essential, but immediately raises privacy questions. Mailboxes hosted by external IT administrators pose a practical problem: without clear agreements, obtaining access can cause delay.

In the case of larger volumes, eDiscovery comes into view: WhatsApp groups, Slack channels, and email around incidents are filtered with keyword searches and AI clustering. Privacy infringement is minimized by a focus on work-related data and redaction of private messages. 

Interviews and hearing/rebuttal (hoor/wederhoor)

Conversations with the suspect, reporters, and witnesses are crucial, but call for finesse. The suspect is presented with concrete accusations, with hearing and rebuttal applied. Recordings are made only with explicit permission.

It is of importance that the accused is presented with accusations as concrete as possible, so that he or she can defend themselves well. That is generally not possible with anonymous reports, unless the report contains sufficiently concrete facts that can be presented without revealing the reporter. Anonymous reports can therefore usually form no independent basis for a person-oriented investigation, but can give cause for a general culture or signals investigation. 

Open source investigation

Various open sources can be investigated: among other things, side positions, Chamber of Commerce (KvK) registrations, LinkedIn, and media are screened to test statements made.

Legal framework on the basis of scenarios

  1. Violation of confidentiality obligation

In the case of suspicions of sharing company secrets with third parties, the contractual confidentiality obligation is usually central. Often, high fines are attached to a violation. Additionally, good employership (Art. 7:611 Dutch Civil Code) plays a large role: the employee owes loyalty to the employer and may not simply share confidential company information with third parties, certainly not with competitors.

The legal route depends on the seriousness of the violation. In the case of a proven violation of the confidentiality clause or theft of company data, summary dismissal (Art. 7:677 jo. 7:678 DCC) is the obvious route, provided the urgency requirement is met. In the case of less serious violations – or when the employer wants to avoid the risk of a failed summary dismissal – he can choose dissolution due to culpable acting (e-ground) or a disrupted employment relationship (g-ground).

The burden of proof lies with the employer. He must demonstrate that the shared information concerns company secrets and that the employee has acted culpably. 

  2. Side activities and conflict of interest

Side activities are not by definition prohibited, but are limited by the employment contract, possible side-work clauses, and the doctrine of conflict of interest. Since the Act implementing the EU Directive on Transparent and Predictable Working Conditions (August 2022), a side-work clause is only valid if the employer can put forward an objective justification ground. A general prohibition on side-work is therefore no longer tenable.

When side activities lead to conflict of interest – for example because the employee serves customers of the employer via an own enterprise – this can yield dereliction of duty and be ground for dismissal due to culpable acting (e-ground). In serious cases, such as actively competing with the employer or funneling away customers, an urgent reason can even exist. 

  3. Transgressive behaviour

Transgressive behaviour falls under the statutory duty of care of the employer for a safe working environment (Art. 7:658 DCC and the Working Conditions Act). The employer is obliged to take (preventative) measures against unwanted behaviour and must investigate (or commission an investigation) when signals arise.

The appropriate sanction depends on the seriousness of the behaviour, the context, possible repetition, and the position of those involved. A one-time inappropriate remark generally justifies no dismissal, but structural intimidating behaviour by a manager can justify firm disciplinary measures, including dismissal. 

The burden of proof is often complex: it usually concerns contradictory statements – word against word. A diligent investigation with multiple witnesses, documentation of patterns, and application of hearing and rebuttal is essential to be able to take disciplinary measures that also hold up in law.

Privacy and GDPR

In an internal investigation into fraud or other abuses, privacy always comes into play. In employment law practice, however, the impact is usually limited. In the case of concrete signals of fraud, conflict of interest, or other serious integrity violations, the judge generally gives the employer a lot of room to investigate.

The Supreme Court made this clear already in 2001 in the Wennekes Lederwaren judgment (HR 27 April 2001). An employer had installed a hidden camera because of a suspicion of embezzlement. The employee invoked privacy and wanted the images to be left out of consideration. The Supreme Court did not go along with that: the employer had a justified interest, the suspicion was concrete, and the evidence could not be obtained in another way. Even where privacy has been infringed, that does not yet mean that the evidence may not be used.

That line has since then been maintained. In 2014, the Supreme Court formulated the general rule: in civil cases, unlawfully obtained evidence is in principle not excluded. The interest of truth-finding weighs heavier. Evidence exclusion is only an issue in the case of additional circumstances, and that threshold lies high. 

The GDPR of course applies, but does not stand in the way of an investigation. The basis is usually the justified interest of the employer (Art. 6 paragraph 1 sub f GDPR). In fraud cases, that balancing of interests almost always turns out in favour of the employer.

In short: document the investigation well, record the GDPR basis, and perform the investigation decently. But do not let yourself be paralyzed by privacy concerns if there are serious signals on the table. The chance that a judge excludes the evidence is – provided the investigation is performed diligently and proportionally – very small.

Suspension as an interim measure

Consider placing the employee on non-active status immediately after the first serious signal, with retention of salary. This gives space for investigation without the employee having access to systems or colleagues, and emphasizes that the employer takes the matter seriously. 

The employee can challenge the suspension via preliminary relief proceedings (kort geding). The judge then assesses whether the suspicion is sufficiently concretely substantiated, whether hearing and rebuttal has been applied, whether the measure is proportional, whether the suspension has come about procedurally diligently, whether alternatives have been considered (such as coaching, warning, or a conversation), and whether the employer is not unacceptably anticipating a dismissal procedure. 

Dismissal routes: which do you choose when?

The choice between the different dismissal routes depends on the seriousness of the misconduct, the strength of the evidence, and the risk appetite of the employer. 

Summary dismissal (urgent reason)

Summary dismissal is the most drastic sanction and requires an urgent reason (Art. 7:677 jo. 7:678 DCC). Examples from the law are theft, embezzlement, threat, and gross insult, but also serious violation of the confidentiality obligation or unlawful competition can yield an urgent reason. The employer must communicate the urgent reason to the employee without delay; this means as quickly as possible after the person authorized to make decisions has become familiar with the facts. 

The risk of summary dismissal is considerable: if the judge rules that no urgent reason existed or that it was not acted upon without delay, the employee can have the dismissal annulled. This can lead to reinstatement of the employment agreement with back pay. If the employee does not choose annulment but acquiesces in the dismissal, he can instead make a claim to a fair compensation (billijke vergoeding) which, in the case of an unjustified summary dismissal, is often substantial. 

Dissolution due to culpable acting (e-ground)

When the behavior is culpable but possibly insufficiently serious for summary dismissal – or when the employer wants to avoid the risk of a failed summary dismissal – he can choose a dissolution request at the Subdistrict Court due to culpable acting (e-ground, Art. 7:669 paragraph 3 sub e DCC). The judge tests whether the acting or omitting is so culpable that it cannot in reasonableness be required of the employer to let the employment agreement continue. In the case of seriously culpable acting, the judge can rule that no transition payment is due; in the case of “normal” culpable acting, this is due. 

In the case of doubt about the seriousness of the misconduct or about the expeditiousness of the investigation, the employer often chooses a dissolution request via the Subdistrict Court: less risk, more procedural certainty. 

Cumulation ground (i-ground)

Since 2020, the employer can invoke the cumulation ground (Art. 7:669 paragraph 3 sub i DCC) when there is a combination of circumstances from multiple dismissal grounds that are individually insufficient, but together do justify a dismissal. When dissolution is granted on the so-called “i-ground,” the judge can award an extra compensation of maximum 50% of the transition payment.

The i-ground is especially useful when the employer has multiple “half” grounds – for example, partly culpable acting and partly a disrupted employment relationship. The disadvantage is the possible extra compensation, but that is sometimes outweighed by the certainty of dissolution.

Settlement Agreement (VSO)

In practice, a large part of employment law disputes is resolved via a VSO. The strength of the investigation file determines the negotiation position: a watertight file generally leads to a quick VSO on terms favorable to the employer, while a weaker file gives the employee more negotiation space. 

Investigation duration and the urgency requirement

An important point of attention in summary dismissal is the tension between investigation duration and the urgency requirement. The employer does not have to act overhastily – a diligent investigation is precisely required to establish the facts well. However, the employer must act expeditiously during the investigation and be able to account for why the investigation took the time that it took. 

Concretely this means: document the investigation timeline accurately, avoid unnecessary pauses, and consider suspension as an interim measure. The “without delay” (onverwijldheid) starts to run at the moment that the employer (usually: the person who is authorized for dismissal) has sufficient certainty about the facts. The obtaining of legal advice or the waiting for an investigation report can suspend this term, provided this happens expeditiously. 

The hearing of the employee prior to the dismissal is not a statutory requirement, but is strongly recommended. Giving the employee the opportunity to react to the findings strengthens the legal position. 

Judges accept investigation periods of several weeks, sometimes even months in complex fraud cases, provided the employer can demonstrate that he acted expeditiously. 

From findings to employment law decision

An employment law investigation ends with a report that meets three requirements. Firstly, factual separation: hard facts are kept separate from interpretation, and the report contains no legal interpretation (which is reserved for the legal advisors). Secondly, reproducibility: the methodology must be traceable for the Subdistrict Court. Thirdly, privacy-proof: which data was processed, on which basis, and how is it secured?

The report forms the basis for the decision-making of the employer. That decision-making follows a sanction ladder: from written warning, via salary suspension and dismissal with mutual consent, to dismissal via the Subdistrict Court or summary dismissal. The central question is always: is the file strong enough for an urgent reason (summary dismissal) or for culpable behavior (dissolution)? Alternatives such as mediation, redeployment, or temporary adjustment of the function always remain in view. 

Trends and points of attention

Professional investigation, prevent paying fair compensation: much case law shows that employers slip up in conducting (or commissioning) a good investigation and in correctly applying hearing and rebuttal. The consequence is that a high fair compensation must be paid to the employee because of seriously culpable behavior of the employer (think of on average 4 – 12 monthly salaries, or more). This emphasizes the importance of a thorough and independent investigation in the case of suspicions of (serious) misconduct in the workplace.

Whistleblowers Protection Act (Wbk): it occurs that a whistleblower who reports an abuse himself also becomes the subject of investigation – for example because he is suspected of involvement in the reported facts, or because his report is seen as an attempt to mask his own misconduct. This yields a particular area of tension. The Wbk protects reporters against disadvantage, but that protection is not absolute: if the reporter himself has acted culpably, the employer can investigate that and if necessary impose sanctions. The art is to keep both tracks – the protection of the reporter and the investigation of possible misconduct – procedurally pure and to document well why certain measures are taken.

AI and data analysis: advanced tools make it possible to detect patterns faster in large datasets, but call for awareness of their limits.

Hybrid working: the use of private devices and working from home makes the forensic boundaries more difficult to guard and calls for clear agreements beforehand (in code of conduct, handbook etc.).

Forensic readiness remains crucial: logging switched on, clear IT contracts, protocols for incidents, and training of key users in data preservation.

Finally

In employment law practice, the rule is: take the time that is necessary for a sound investigation, but leave no gaps. Document every step and be able to explain afterwards why the investigation had the lead time that it had. Disciplinary measures (including dismissal) can only be applied after diligent investigation and sound application of hearing and rebuttal, and must always be proportional.

Outlook: due diligence investigations

In the sixth article, the focus shifts to due diligence and reputation research: how do you screen external parties before acquisitions, partnerships, or large contracts? Forensic methods, OSINT, and integrity checks come together in a preventative approach. 

Get in touch

Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com

Boy Custers | +31649935735 | boy.custers@compliancechamps.com

Whistleblower Investigations: From Report to Real Change

Whistleblowers are indispensable for exposing (serious) wrongdoing. Yet it is the follow-up to a report that determines whether an organization is truly acting with integrity or merely maintaining a paper reality. Since the introduction of the Dutch Whistleblower Protection Act (Wet bescherming klokkenluiders, Wbk), the playing field has become more strictly regulated. But how do you translate an ‘unexpected’ report into a sound fact-finding investigation and, ultimately, into lasting change?

A Legal Patchwork: Wbk, Wwft, and Sector-Specific Legislation

The Wbk requires organizations with 50 or more employees to establish an internal reporting procedure and an appropriate investigation process. However, for many sectors, the Wbk is merely the baseline. A lex specialis applies: specific laws that often impose even stricter requirements on reporting channels. Consider, for example:

  1. Law: Wwft (Anti-Money Laundering and Anti-Terrorist Financing Act)
    Sector: Financial institutions, legal profession, accountancy, etc.
    Focus: Money laundering and terrorist financing.
  2. Law: Wft (Financial Supervision Act)
    Sector: Financial institutions, insurers, investment firms, etc.
    Focus: Financial integrity and market abuse.
  3. Law: Wta (Audit Firms Supervision Act)
    Sector: Audit firms
    Focus: Breach of professional rules and independence.
  4. Law: AVG (GDPR)
    Sector: All sectors
    Focus: Data breaches and privacy violations. 

The risk for organizations is a fragmented landscape of different “counters.” The trend is therefore to deploy a single centralized, multi-compliant reporting platform that routes reports based on their subject matter directly to the appropriate expert (such as the Compliance Officer or an external whistleblower officer), while safeguarding anonymity and statutory deadlines.

Looking Beyond Your Own Organization

Forward-thinking organizations are now also opening their reporting channels to supply chain partners, such as suppliers and self-employed contractors. Although strict reporting obligations such as the CSRD and CSDDD have been pushed to the background for some companies due to the introduction of the Omnibus Directive, the societal necessity remains as pressing as ever.

From the perspective of social responsibility, there is every reason to maintain visibility over integrity beyond one’s own walls. For insurers, this is even a bitter necessity: under the Wft, they are co-responsible for the integrity of business operations throughout their entire distribution chain (such as authorized agents).

A fundamental question remains: how do you ensure that all those signals, from both inside and outside the organization, actually come to light? Social responsibility and legal frameworks create the duty to listen, but they do not yet guarantee that people will actually dare to speak up. That requires more than a policy choice; it requires trust in the reporting process itself.

This brings us to the starting point of every whistleblower investigation. Whether wrongdoing occurs within the organization or in the chain surrounding it, everything hinges on that first step: the report. How it is made, received, and followed up determines whether a signal grows into real change or remains unheard.

From Report to Real Change

I. The Report: How Do You Get Employees to Speak Up?

Every whistleblower case begins with a moment of doubt. An employee sees something that is not right, feels that something must be done, but hesitates. The biggest hurdle is seldom the substance of the report; it is the fear of what comes next. Reputational damage, a disrupted working relationship, or subtle forms of retaliation are ever-present risks. The Whistleblower Protection Act seeks to remove that fear through the reversal of the burden of proof: if a reporter suffers a disadvantage, the employer must demonstrate that this had nothing to do with the report. That provides a foothold, but it is far from convincing for everyone.

Anyone who truly wants to encourage employees to speak up must look beyond legal safeguards alone. Practice shows that trust is primarily built through the way reporting is designed. Accessible, well-considered technology plays a key role in this.

Modern reporting platforms act as quiet guides during that first, vulnerable stage. They ensure that a report does not get stuck in a general email inbox but is immediately routed to the right specialist: compliance, HR, or an independent whistleblower officer. This gives the reporter the feeling that their signal is being taken seriously from the very first moment.

Equally important is the ability to remain anonymous without disappearing into silence. Secure systems make it possible to report fully anonymously while still maintaining a dialogue. Through a shielded chat function, investigators can ask clarifying questions and gather additional information. In this way, an initial signal develops into a complete account, rather than a report that stalls because essential details are missing.

It is precisely in this initial phase that the tone is set. When employees experience that speaking up is safe, accessible, and meaningful, space is created for the next step: an investigation that not only establishes what went wrong but also paves the way for real change.

II. The Investigation: Independent Fact-Finding

After the report, a decisive moment follows. Receipt must be confirmed within seven days, but in reality, the real work only begins at that point. From here, more is at stake than truth-finding alone. The way the investigation is structured and conducted determines whether the case is resolved internally or instead grows into a matter that finds its way to the media or regulators such as the Dutch Authority for the Financial Markets (AFM) or De Nederlandsche Bank (DNB).

In this phase, independence is not an abstract principle but a hard prerequisite. An investigation conducted by someone with a hierarchical, personal, or organizational relationship to the accused quickly raises questions. Even if the conclusions are substantively correct, the appearance of conflicts of interest can undermine trust. It is therefore essential that investigators are visibly detached from internal power dynamics. Independence protects not only the reporter but also the organization itself.

In addition, a sound investigation revolves around transparency in its approach. Those involved must be able to follow how conclusions are reached. Are all relevant facts being gathered? Has the right of hearing and the right to reply (hoor en wederhoor) been applied carefully and in a balanced manner? A traceable methodology, based on verifiable evidence, prevents the investigation from later being dismissed as subjective or biased. The narrative must hold up, not only in terms of substance but also in terms of process.

A particular area of tension arises when the investigation no longer focuses exclusively on the report but also on the reporter. In practice, it regularly occurs that a so-called ‘counter-report’ surfaces: criticism of the performance or behaviour of the reporter. This can be legitimate but also poses a risk. When these lines become blurred, attention shifts imperceptibly from the content of the report to the person who made it.

A thorough investigation strictly guards that boundary. The facts surrounding the report are examined on their own merits; any HR matters follow a separate track. Only in this way does the investigation remain pure and is it prevented from degenerating into a battle over credibility rather than a search for the truth.

It is precisely in this phase that an organization demonstrates how seriously it takes reports. Independent, thorough fact-finding forms the bridge between speaking up and resolution, and thereby the foundation for lasting change.

What makes whistleblower investigations unique is that they take place at the intersection of facts, trust, and power. Unlike regular internal investigations, it is not only the what that is central but also the who and why. The reporter is not a neutral source but is often part of the same organizational culture that is under scrutiny. This demands of investigators a keen sense of context, dynamics, and timing. Every signal, every choice in the process can be read by those involved as confirmation or denial of their position. Precisely for this reason, whistleblower investigation is more than a technical exercise: it is a ‘test’ of the organization’s own integrity, in which thoroughness and independence are decisive for the credibility of the outcome.

III. The Change: Impact and Culture

A whistleblower investigation does not end with the report. In fact, that is where the most exciting part begins. Facts can be established, conclusions carefully formulated, but without follow-up, an investigation remains a paper reality. The true measure of success is the question of whether the organization demonstrably learns from it and manages to restore its integrity.

This requires a translation of findings into structural lessons. Sometimes a report turns out to concern a one-time incident caused by individual choices. More often, however, it exposes something more fundamental: unclear responsibilities, deficient internal controls, or a culture in which dissenting signals have been ignored for too long. It is precisely at that point that real change occurs, not by pointing out those at fault and moving on, but by critically examining processes, governance, and behavior, and adjusting them where necessary.

Equally decisive is what this phase does for the sense of safety within the organization. Psychological safety does not grow through policy documents but through visible action. When the board and management communicate openly about what has happened with the report, within the boundaries of confidentiality, and demonstrate that wrongdoing actually has consequences, perceptions change. Especially when those consequences also reach the top, a powerful signal is sent: integrity applies to everyone.

It is in these visible choices that the long-term impact of whistleblower investigations lies. They determine whether employees remain silent the next time or dare to speak up. And with that, whether reporting is seen as a risk or as an essential part of a healthy organizational culture.

Conclusion

Whistleblower investigations require a balance between legal precision and human safety. It is a process from report to improvement that forms the backbone of an organization with integrity.

Invitation to Consultation

We can imagine that, after reading this article, you may have questions or wish to exchange views on certain topics. Or perhaps you are dealing with a concrete case and would like to discuss it. We invite you to contact us without obligation for an introductory conversation about you and/or your case. Our contact details can be found at the end of this article or on our website.

Preview of the Fifth Article: Employment Law Investigations

In the next article in this series, the focus shifts from whistleblowers to employment law investigations. This is where many threads converge: what happens when a report or integrity issue leads to a serious suspicion of dereliction of duty, breach of trust, or (serious) integrity violations by an individual employee? We will address the role of fact-finding within employment law proceedings, the tension between investigation and privacy, and the question of how organizations prevent a poorly prepared investigation from later boomeranging during a dismissal or disciplinary procedure.

Get in touch

Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com

Boy Custers | +31649935735 | boy.custers@compliancechamps.com

 


Tackling ML/TF risks in crypto-asset services through supervision

A comprehensive summary of the EBA report as published in October 2025

General overview

The report published by the European Banking Authority (EBA) analyses how crypto-asset service providers (CASPs) have attempted to evade anti-money laundering and counter-terrorist financing (AML/CFT) supervision, and how such practices can be addressed under the Markets in Crypto-Assets Regulation (MiCA) and the EU AML legislative package (AMLR, AMLD6 and AMLAR). The report draws on concrete supervisory cases to identify vulnerabilities and formulate lessons for effective implementation.

The report is structured around two core observations. First, the crypto-asset sector has experienced rapid technological and economic growth, which increases its vulnerability to misuse for money laundering and terrorist financing. Second, prior to the application of MiCA, national supervisory approaches across Member States diverged significantly. This fragmentation enabled firms to exploit regulatory gaps, thereby undermining the integrity of the EU financial system.

MiCA seeks to address these issues by replacing fragmented national entry regimes with a single EU authorisation framework, supported by passporting and coordinated supervision. Together with the AML legislative package, MiCA promotes more consistent AML/CFT requirements across the Union. However, the report stresses that consistent enforcement remains essential.

Regulatory context

The regulatory framework examined in the report consists of MiCA, the Anti-Money Laundering Regulation (AMLR), the Sixth Anti-Money Laundering Directive (AMLD6), and the Anti-Money Laundering Authority Regulation (AMLAR). Under this framework, supervisory responsibilities are divided between ESMA (authorisation and supervision of CASPs), the EBA (issuers of asset-referenced tokens and e-money tokens, and AML/CFT coordination until end-2025), and AMLA, which will assume central AML/CFT supervisory powers from the end of 2025.

MiCA governs who may enter the crypto-asset market and under which conditions. CASPs must meet requirements relating to governance, operational resilience, transparency and consumer protection, and demonstrate adequate systems, qualified management and clear organisational structures.

AMLR introduces directly applicable AML/CFT rules, including customer due diligence, transaction monitoring, sanctions screening and risk management. AMLD6 strengthens supervisory cooperation, clarifies powers of national authorities and improves access to beneficial ownership information. AMLAR establishes AMLA and enables direct supervision of selected high-risk entities and coordination of national supervisors.

Evasion of supervision

The EBA identifies six evasion strategies observed before and immediately after the entry into application of the new regulatory framework in December 2024.

1. Operating without authorisation

Entities provided crypto-asset services in Member States without the required registration, licence or authorisation, including from other EU jurisdictions without host permission or from third countries with weaker supervisory frameworks.

Risk: The absence of supervision facilitates illicit financial flows and leaves customers unprotected. It also distorts competition, as authorised firms incur significant compliance costs that unauthorised firms avoid.

Response: Article 143 MiCA provides transitional arrangements until July 2026. After this period, unauthorised entities must exit the EU market. Competent authorities are expected to monitor residual unauthorised activity and enforce cessation.

2. Forum shopping

Prior to MiCA, firms strategically selected jurisdictions perceived as having lighter supervision. When challenged, they withdrew applications and reapplied elsewhere. Some obtained national licences shortly before MiCA entered into application to benefit from longer transitional periods.

Risk: Forum shopping enables regulatory arbitrage, allowing ML/TF risks to spread across the Single Market through cross-border activity. It also increases the likelihood that high-risk entities with weak AML/CFT controls obtain market access and distorts competition by enabling artificially inflated profit margins.

Response: MiCA introduces a single authorisation regime with passporting. Enhanced supervisory cooperation and information-sharing reduce the ability of firms to reapply elsewhere after refusal. The report also highlights a risk that, depending on national law, some firms may continue operating while appealing rejected authorisation decisions.

3. Exploitation of the reverse solicitation exemption

Third-country providers falsely claimed that EU clients initiated contact, while actively marketing services through targeted online strategies.

Risk: This enables unsupervised market entry by high-risk offshore entities and creates blind spots in AML/CFT enforcement.

Response: Supervisors are expected to strictly enforce the narrow interpretation of reverse solicitation in line with ESMA guidelines. Any form of active or indirect marketing voids the exemption and subjects the provider to full authorisation requirements.

4. Weak AML/CFT compliance and risk management

Licensed entities displayed serious deficiencies, including inadequate customer due diligence, outsourcing of AML functions abroad without effective oversight, and unstable or underqualified compliance officers.

Risk: These weaknesses directly facilitate money laundering and undermine supervisory effectiveness.

Response: Robust AML/CFT systems are a precondition for authorisation. Supervisors may withdraw licences for AML/CFT breaches. Clear requirements on outsourcing, governance and staff competence are mandated by EBA and ESMA regulatory technical standards.

5. Opaque beneficial ownership and governance

Complex offshore structures were used to obscure ultimate beneficial owners, with inconsistencies between public records and supervisory filings.

Risk: Opaque structures conceal control, enable shell companies and obscure illicit sources of capital.

Response: AMLD6 mandates centralised beneficial ownership registers. MiCA and AMLR require disclosure of ownership and governance structures at the authorisation stage, supported by suitability (fitness and propriety) requirements.

6. Multi-entity arrangements with high-risk partners

Firms used affiliated entities, including payment institutions, e-money institutions or banks, to maintain market access while avoiding scrutiny.

Risk: These arrangements enable banned or unfit entities to re-enter the market, spread poor compliance cultures across groups, and complicate attribution of AML/CFT responsibility.

Response: Supervisors are expected to assess linked entities and group structures during authorisation, apply fit-and-proper checks to cross-border ownership and outsourcing arrangements, and engage in joint supervision where appropriate.

Safeguards and implementation

MiCA introduces key safeguards: a single authorisation and passporting regime; strict limits on reverse solicitation; enhanced enforcement powers; strengthened governance and transparency requirements; and improved cross-border cooperation, including public registers of authorised CASPs.

The report highlights several supervisory priorities to ensure effective implementation, including managing the grandfathering period, planning orderly exits for unauthorised entities to protect client assets, monitoring the regulatory perimeter, resolving AML/CFT issues before authorisation, maintaining dynamic risk awareness, ensuring governance transparency, reassessing fitness and propriety, supervising linked entities, strengthening cross-border cooperation, and requiring central contact points for cross-border firms.

Conclusion

The EBA concludes that while the new regulatory framework significantly strengthens EU defences against ML/TF risks in the crypto-asset sector, effective implementation and supervisory cooperation remain critical. Although the EBA will transfer its standalone AML/CFT powers to AMLA by the end of 2025, it will continue to contribute under its MiCA mandate to promote supervisory convergence and early risk detection.

 


The Landscape of Compliance Investigations: Integrity Investigations

Integrity investigations form a substantial part of compliance-related inquiries. They do not focus solely on financial fraud but cover a broad range of issues: conflicts of interest, abuse of position, ancillary activities (side business or job), and violations of codes of conduct. While a fraud investigation often revolves around hard numbers and financial trails, integrity issues are usually more subtle. They concern human relationships, motives, and grey areas where rules and ethics intersect. 

Integrity is the foundation of trust within organizations. Yet integrity risks often go unnoticed, with far-reaching consequences for reputation, compliance, and business continuity. In this third article in our series, the focus is not on investigative techniques, but on what integrity investigations mean in practice: which themes recur, and which patterns emerge from recent cases. We discuss not only well-known integrity risks, but also the less obvious threats. 

We begin with a brief overview of the trends that shaped integrity investigations in 2025. We also briefly highlight the differences between integrity investigations and fraud investigations, discussed in the previous article. We then turn to practice: which cases recur, and how can signals be recognized? By doing so, we also shed light on several underexposed indicators. 

Trends in Integrity Investigations 

Integrity issues are shifting from a narrow focus on corruption and fraud toward broader domains such as conflicts of interest, reputational risk, and moral dilemmas. Recent developments show that: 

  • Conflicts of interest and their appearance are increasingly being reported, often in relation to ancillary activities, procurement processes, or decision-making where personal relationships play a role. 
  • Codes of conduct for board members, supervisory board members, and political officeholders are being tightened, with a strong emphasis on transparency regarding secondary interests and cooling-off periods. 
  • Supervisory authorities such as the AFM and DNB require reliability assessments for board members and supervisory board members, with explicit attention to integrity-related antecedents. 

These trends make integrity investigations more relevant than ever. They are not only reactive but also play a preventive role in promoting sound governance and an ethical organizational culture. Later in this article, we will see one of these trends reflected in a case example. 

What Makes Integrity Investigations Different from Fraud Investigations 

Compared to the forensic fraud investigation discussed in our second article, integrity investigations differ in several important ways: 

  • Greater normative discussion: While fraud investigations often focus on the question “Is there financial damage, and who is responsible?”, integrity investigations more frequently revolve around norm-setting: what could reasonably be expected of someone, which behavioral standards apply, and how heavily should the appearance of impropriety and reputational risk be weighed? 
  • Fewer hard figures, more context: Relationships, organizational culture, and power dynamics play a much larger role in integrity cases. A single email or expense claim rarely tells the whole story; only when combined with statements, behavioral patterns, and internal policies does a coherent picture emerge. 
  • Greater sensitivity regarding privacy and reputation: Investigations often involve individuals in visible or senior positions. This makes careful handling of personal data, communication, and the principle of hearing both sides particularly important. 

It is precisely this mix that makes integrity investigations both challenging and valuable for boards, HR, and compliance: they force organizations to articulate their values in concrete terms. 

Integrity Investigations: When Behavior Is Under the Microscope 

Where fraud investigations often focus on falsified documents, financial loss, and potential criminal elements, integrity investigations mostly operate in grey areas. They address questions such as: which interests are at play, which norms apply, and what can reasonably be expected of a professional or manager? 

In practice, reports of potential conflicts of interest, ancillary activities, inappropriate conduct, and breaches of codes of conduct have been increasing for years, in both public and private organizations. To make this more tangible, we present a case example below. 

“You Don’t Want to Create an Uncomfortable Work Atmosphere, Do You?” 

A large family-owned logistics company is known for its reliability and customer focus. This sense of stability is disrupted when an anonymous report is submitted to the compliance officer. An employee in the procurement department is suspected of regularly accepting expensive gifts from a supplier, ranging from lavish dinners to tickets for exclusive events. In isolation, this might seem harmless, except for the fact that this employee is responsible for awarding transport contracts. 

Further investigation reveals that the employee also holds a secondary position at a start-up operating in the same market. This start-up appears to be using competitively sensitive data, possibly obtained through informal conversations with the employee. 

But that is not all. Deeper investigation shows that the employee not only accepted gifts, but also subtly pressured colleagues to be “realistic” when reporting performance figures. Minor adjustments to reports, just enough to meet bonus targets. Colleagues had noticed signals but remained silent: “it wasn’t their department” and “you don’t want to create an uncomfortable work atmosphere.” 

What began as a simple report about gifts quickly unfolds into a web of conflicts of interest, a culture of looking the other way, and subtle data manipulation to justify performance bonuses. 

This case is not an exception. It illustrates precisely the trends mentioned earlier and shows how integrity risks often do not present themselves as such but grow gradually within the daily routines of organizations. It also demonstrates how different risks, such as conflicts of interest, ancillary activities, group pressure, and data manipulation, can become intertwined. 

In investigations of such situations, decision-making processes around procurement, documentation of bids and award decisions, email or calendar records, and publicly available information on ancillary activities are examined. These sources are analyzed collectively to answer three core questions: 

  1. Were there personal or business interests that could have influenced decisions? 
  2. Were these interests disclosed or made transparent, for example through a gift or activity register, or an integrity declaration? 
  3. Were decisions demonstrably different from what could reasonably have been expected, given price, quality, and internal policy? 

Outcomes are rarely black and white. Sometimes investigations show that no formal rules were violated, yet an appearance of a conflict of interest emerged, calling for clearer agreements on roles. In other cases, policies were deliberately circumvented or information withheld, making the violation of norms more explicit. 

Practical Indicators from Integrity Investigations 

Beyond the above case, other recurring types of integrity issues frequently arise in investigations. Some of the usual suspects include: 

  • A Culture of “Don’t Ask, Don’t Tell”: Perhaps the most damaging risk is a culture in which employees prefer to look away rather than ask questions. Many employees still hesitate to speak up for fear of repercussions or because they do not want to be seen as “complaining”. A typical example: an employee notices signals of misconduct but remains silent because “it’s not my department”. 
  • Data Manipulation: The Silent Saboteur: In the pursuit of targets and bonuses, there can be a strong temptation to present figures slightly more favorably than they are. At a financial institution in Rotterdam, a team leader was found to have adjusted customer satisfaction scores for months. “Everyone does it,” was his defense. The consequences, however, were significant: customer and supervisory trust eroded, and the organization was forced into a costly remediation process. With the rise of AI tools performing data analyses, this risk is only increasing. Who controls the controller? 
  • Conduct and Power Dynamics: Reports of inappropriate behavior, offensive remarks, or pressure from managers also fall under the scope of integrity, even if there is no financial component. These cases concern social safety, use of power, and whether behavior aligns with codes of conduct and professional standards. Investigations focus primarily on patterns: is the behavior incidental, or has it been known for years? 
  • Handling Confidential Information: A former employee is accused of taking confidential documents to a new employer. Key questions include whether confidentiality agreements were breached, whether files were copied without authorization, and whether sensitive information has surfaced where it should not be. Legal, technical, and behavioral issues intersect in such cases. 

These examples show that integrity investigations are not merely about “rules”. They are about trust, role modelling, and the credibility of commitments to integrity. Besides these better-known integrity issues, we would like to address some underestimated ones. 

Underestimated Risks: What You Don’t See, but May Still Encounter 

Some less obvious, yet in our view highly relevant, risks deserve attention: 

  • Loyalty Conflicts: A growing phenomenon involves employees who run side businesses, perform consultancy work, or even hold secondary jobs with competitors. This is not inherently wrong, but it becomes risky when confidential information or conflicting interests are involved. Consider the IT employee who develops an app in their spare time using data from their primary job, or the procurement officer who also “coincidentally” works for a competitor. Organizations often fail to adequately monitor this, despite potentially severe consequences ranging from data breaches to legal claims. 
  • Group Pressure and Groupthink: Decisions are (often) made collectively, but what happens when critical voices are ignored? At a tech start-up in Amsterdam, pressure to scale rapidly led to ethical objections against a new data sales strategy being dismissed. The result was a breach of the GDPR and a fine imposed by the Dutch Data Protection Authority. Group pressure can lead to tunnel vision, where alternatives and risks are no longer considered. A simple but effective solution? Explicitly appoint a “devil’s advocate” during meetings to challenge assumptions. 
  • Greenwashing: The Pitfall of Social Claims: Sustainability and corporate responsibility are high on the agenda. But what if reality falls short of promises? A clothing brand claiming to be “100% circular,” while in reality using only 10% recycled materials, risks not only reputational damage but also legal action. External verification of sustainability reporting is no longer a luxury, but a necessity. 

These examples show that integrity risks are not always visible, yet they have real impact. They often arise in grey areas where rules and ethics intersect. The danger is that organizations focus on well-known risks, while the true threats play out in everyday practice, informal agreements, unspoken expectations, and well-intentioned but poorly considered decisions.  

The good news? By consciously addressing these underestimated risks, and by fostering a culture in which employees feel safe to ask questions, many problems can be prevented. Open dialogue, regular risk assessments, and clear agreements regarding ancillary activities, decision-making, and communication are essential. Integrity is not a matter of luck, but of awareness and action. The earlier risks are recognized, the better they can be managed before they escalate. 

Growing Attention to Integrity 

Recent reports and governance codes encountered in our work show that integrity is increasingly linked to concrete standards, assessments, and practical guidance. Examples include: 

  • Tightened codes of conduct for board members and supervisory board members, with emphasis on transparent disclosure of secondary positions and interests; 
  • Local and sector-specific codes of conduct (for example in municipalities, education, and housing corporations) that explicitly define how to deal with gifts, ancillary activities, and decision-making in situations of doubt; 
  • Clear guidelines for safe reporting procedures (whistleblowing) and independent handling, ensuring that reporters feel protected and that investigations are conducted independently of operational management. 

Integrity investigations directly support these frameworks: they are the instruments used to assess whether these standards are genuinely upheld in practice. 

Invitation to Consultation 

We can imagine that, after reading this article, you may have questions or wish to exchange views on certain topics. Or perhaps you are dealing with a concrete case and would like to discuss it. We invite you to contact us without obligation for an introductory conversation about you and/or your case. Our contact details can be found at the end of this article or on our website.  

Looking Ahead to the Fourth Article 

The risks discussed, ranging from loyalty conflicts to group pressure, often remain hidden until someone has the courage to report them. In the fourth article of our series, we therefore take a deeper dive into whistleblowing investigations: how should organizations handle internal (or external) reports? How can employees be encouraged to speak up? And how can a report and the investigation results be translated into genuine, lasting change? 

Get in touch

Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com

Boy Custers | +31649935735 | boy.custers@compliancechamps.com

 


Combatting Fragmentation and Stimulating Harmonisation Through EU Supervision of Crypto-Asset Services

Crypto-asset activities have expanded rapidly across the European Union (EU). This growth has increased the risk of money laundering and terrorist financing (ML/TF), especially in situations where regulatory oversight was fragmented or incomplete. The European Banking Authority (EBA) published a report in the fall of this year, which explains how certain crypto-asset businesses created vulnerabilities and how the Markets in Crypto-Assets Regulation (MiCA) and AML frameworks (AMLR and AMLD6) aim to improve supervision. This article provides a brief insight into the key takeaways from this report.

Supervisors observed that some crypto businesses operated without approval, moved between EU countries to avoid oversight, or misused legal exemptions. Many had weak systems for checking customers, detecting suspicious transactions, or complying with sanctions. Some firms used complicated ownership structures or partner companies to stay active despite earlier supervisory issues. These behaviours limited authorities’ ability to manage risks and created openings for money laundering and terrorist financing.

MiCA and the new EU anti-money-laundering regulations introduce stronger safeguards to address these problems. All crypto-asset service providers (CASPs) must now apply for one EU authorisation based on harmonised rules, which removes differences between Member States and prevents firms from seeking out weaker jurisdictions. Providers must show clear ownership, sound internal governance, and reliable customer- and transaction-monitoring systems before they can operate. The AML Regulation and AMLD6 further strengthen cooperation between national supervisors, improve transparency on who controls a company, and require more consistent risk assessments. The future EU Anti-Money Laundering Authority (AMLA) will also oversee high-risk firms directly, creating an additional layer of control.

These changes help create a safer and more predictable environment for crypto activities in the EU. The main lesson from recent cases is that strong, coordinated supervision and consistent rules across all Member States are necessary to limit financial crime risks. Clear standards, early information-sharing, and firm enforcement give supervisors the tools to identify problems quickly and ensure that only responsible businesses can enter or remain in the European market. The EBA formulates nine points of focus that should be established to treat authorisation as a true gatekeeping process, to close loopholes and build strong cooperation mechanisms across the EU.

Although the role of the EBA will partially transfer to AMLA by the end of 2025, the EBA will continue contributing under its MiCA mandate to maintain supervisory convergence and early risk detection.

 

Conclusion

At Compliance Champs, we follow these developments with a critical lens. We support organizations in aligning their processes and controls with MiCAR, the Wwft, and international standards. Through knowledge sharing, training, and tailored advice, we help professionals identify risks in time, implement mitigating measures, and embed sustainable compliance. Only through joint efforts by operators, supervisors, financial institutions, and technology partners can the balance between innovation and integrity truly be restored.

 

Do you seek support and assistance in enhancing your Crypto Compliance Framework?

Please reach out to us on: info@compliancechamps.com


The Landscape of Compliance Investigations: Fraud Investigations Today

What do we mean by forensic fraud investigations?

When we talk about fraud investigations, we often refer to forensic investigations. In the private sector, forensic investigations focus on the independent and in-depth analysis of financial, administrative, and digital data. The aim is to identify potential fraud, misconduct, or irregularities within organizations. This type of investigation combines accounting and financial expertise with investigative skills. In this way, investigators can reconstruct facts, recognize patterns, and gain insight into causes and consequences. The outcomes are not only used to prove or rule out fraud, but also to support organizations in decision-making, internal control, and potential civil proceedings.

A new reality and growing risks for organizations

Fraud remains a real and growing risk for organizations in the private sector. Digitalization, hybrid working, and international corporate structures create opportunities for efficiency, but at the same time increase vulnerability to financial and other forms of fraud. Where fraud was once often limited to simple embezzlement or false expense claims, we now see more complex constructions. These increasingly involve a combination of digital traces, internal processes, and human factors (online).

Studies show that online fraud and scams have increased significantly since 2014, particularly in the areas of purchase fraud, misuse of online payment methods, and identity fraud. At the same time, trend reports indicate that more than three-quarters of companies in the Benelux have faced fraud attempts in the past two years. The financial impact of these incidents continues to grow.

Fraud remains one of the most persistent risks within organizations. Remarkably, the way fraud is detected has hardly changed over the years. Various international studies, including the annual ACFE Report to the Nations, show that approximately 40% of fraud cases are still uncovered through tips and whistleblower reports. Employees, customers, and suppliers therefore play a crucial role in identifying misconduct, often earlier than internal controls or audits.

Although the way fraud is detected has barely changed, the execution of forensic investigations has evolved significantly. The work has become almost entirely digital. eDiscovery (the legal review of digital data) and AI play a central role in this process. At the same time, requirements relating to privacy and evidentiary standards have become stricter than ever. Below, we first outline these trends. We then provide a detailed description of what a forensic investigation looks like in today’s practice, from engagement letter to reporting.

New trends in forensic investigations

Increasingly, fraud can no longer be reduced to simple accounting errors or isolated transactions. Due to digital traces, complex organizational structures, and rapidly growing volumes of data, forensic investigations in the private sector are also changing. Investigators must work faster, smarter, and with greater technological expertise to identify hidden patterns and subtle signals. These developments are driving significant changes in how organizations detect, investigate, and attempt to prevent fraud.

Three clear trends stand out:

  • Online and hybrid forms of fraud are increasing. Examples include phishing and fake payment requests, misuse of online trading platforms, concealing fraud through corporate structures, and improper declarations within healthcare and subsidy schemes. These forms of fraud increase complexity and require an integrated approach. Investigators therefore combine financial investigation with digital analysis and open-source intelligence (OSINT) to make relationships, money flows, and involved parties visible.
  • eDiscovery is developing into a key discipline for reducing and analyzing enormous volumes of electronic data. AI and language models help investigators quickly identify relevant documents, conversations, and patterns.
  • Forensic readiness is gaining a more prominent place on the agenda. Studies and practical cases show that organizations without proper logging, appropriate retention periods, clear access rights, and solid agreements with external IT service providers struggle to reconstruct a complete and reliable picture after an incident.

Against this background, it is relevant to examine step by step how a forensic fraud investigation unfolds in practice. At the same time, we provide insight into how we approach such investigations.

From engagement to investigation plan

An investigation usually starts with a signal. This may be an internal finding from controls, a report via a whistleblower channel, an unusual transaction, or a request from an external party, such as a regulator or subsidy provider. The first (or second) contact with the forensic investigator takes place during an intake meeting. In this meeting, the facts, context, and legal framework are clarified. This includes what exactly has been identified, which period and systems may be affected, and whether there is a risk of criminal implications or regulatory enforcement.

Based on this intake, the parties prepare an engagement letter and an investigation plan. These documents define the objective, scope, roles, planning, and deliverables. They also address conditions related to data processing and privacy. This includes the categories of personal data likely to be processed, the applicable legal basis under the GDPR, any restrictions on access to mailboxes and private devices, and whether a DPIA is required. In practice, this aspect often proves to be a weak point. Organizations want investigations to be carried out, but do not always have a clear process in place to act quickly and lawfully when an incident occurs, especially when IT is partly outsourced.

Financial forensic investigation

Financial forensic investigation often forms the backbone of the factual analysis. Investigators analyze, among other things, general ledger entries, project administration, payment flows, procurement and sales files, expense claims, and contracts. The aim is to identify unusual patterns. In cases involving misuse of subsidy schemes or healthcare budgets, investigators may, for example, compare declared hours with services actually delivered. Illogical money flows through intermediary entities also receive attention.

Using data analytics, investigators identify anomalies such as unusual journal entries, round amounts just below authorization limits, fictitious or duplicate suppliers, abnormal margins, and circular transactions between related parties. Visualizations of money flows and network analyses of relationships between legal entities and natural persons help make complex constructions understandable. This is particularly relevant when companies are used as a front for money laundering or VAT carousel fraud.
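As an added illustration (not code from the authors or from any tool named in this article), the Python example below runs three of the tests mentioned above over a constructed ledger: round amounts just below an authorization limit, one bank account registered under several supplier names, and circular payment flows between parties. The party names, the IBAN placeholders, the 5% band and the EUR 50 rounding step are assumptions.

```python
from collections import defaultdict

# Constructed sample data, not taken from any real case.
PAYMENTS = [  # (payer, payee, amount in EUR)
    ("OpCo", "Alpha BV", 4950.00),
    ("OpCo", "Alpha BV", 4900.00),
    ("OpCo", "Beta Ltd", 1234.56),
    ("Alpha BV", "Gamma Holding", 9000.00),
    ("Gamma Holding", "OpCo", 8800.00),
    ("OpCo", "Delta GmbH", 5000.00),
]
SUPPLIERS = [  # (registered name, IBAN); the IBANs are made-up placeholders
    ("Alpha BV", "NL00TEST0000000001"),
    ("Alpha B.V.", "NL00 TEST 0000 0000 01"),
    ("Beta Ltd", "NL00TEST0000000002"),
]

def just_below_limit(payments, limit, band=0.05, round_to=50):
    """Round amounts that fall in the band [limit * (1 - band), limit)."""
    return [p for p in payments
            if limit * (1 - band) <= p[2] < limit and p[2] % round_to == 0]

def shared_bank_accounts(suppliers):
    """Bank accounts that appear under more than one supplier name."""
    by_iban = defaultdict(set)
    for name, iban in suppliers:
        by_iban[iban.replace(" ", "").upper()].add(name)
    return {iban: sorted(names) for iban, names in by_iban.items()
            if len(names) > 1}

def circular_flows(payments):
    """Cycles in the payer -> payee graph, each reported once."""
    graph = defaultdict(set)
    for payer, payee, _ in payments:
        graph[payer].add(payee)
    cycles = set()

    def walk(node, path):
        for nxt in sorted(graph.get(node, ())):
            if nxt == path[0]:
                # Rotate to a canonical start so A->B->C and B->C->A match.
                i = path.index(min(path))
                cycles.add(tuple(path[i:] + path[:i]))
            elif nxt not in path:
                walk(nxt, path + [nxt])

    for start in sorted(graph):
        walk(start, [start])
    return sorted(cycles)
```

Each hit is a lead for further review rather than a finding; keeping the thresholds as explicit parameters makes the run reproducible.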

It is essential that investigators properly document the analytical methods they use and ensure that these methods are reproducible. Only then can findings withstand scrutiny by auditors, regulators, or courts. When deploying new AI techniques, it is therefore crucial to understand the underlying models to meet reproducibility requirements.

Digital forensic investigation and eDiscovery

Digital traces play a role in almost every investigation. Examples include email traffic, chat messages, access logs, document versions, CRM or ERP data, cloud storage, and sometimes mobile phones. Digital forensic investigation focuses on securing, analyzing, and interpreting this data, with strict attention to chain of custody, data integrity, and privacy.

For large datasets, investigators use eDiscovery to search through vast amounts of user-generated data, particularly email traffic. This process reduces data volumes and brings the most relevant subset to the surface. eDiscovery is the process of systematically identifying, preserving, searching, and analyzing electronically stored information for use in investigations, disputes, or legal proceedings. Platforms such as Relativity and Reveal support deduplication, metadata filtering, keyword searches, concept and topic clustering, and increasingly AI-driven prioritization of documents and conversations.
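The following Python example is added here to show how data integrity, deduplication, and keyword search fit together; it is not how Relativity or Reveal implement these steps. Each collected item is hashed at collection, exact duplicates are grouped by hash while every custodian's copy stays recorded, and a later re-hash shows whether a working copy has changed. The message contents, item ids, and custodian names are constructed.

```python
import hashlib

# Constructed sample: (item id, custodian mailbox, raw message bytes).
COLLECTED = [
    ("msg-001", "j.doe", b"Subject: invoice 4471\n\nPlease pay before Friday."),
    ("msg-002", "a.smith", b"Subject: invoice 4471\n\nPlease pay before Friday."),
    ("msg-003", "a.smith", b"Subject: lunch\n\nSee you at noon."),
]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(items):
    """One manifest row per item, hashed at the moment of collection."""
    return [{"id": i, "custodian": c, "sha256": sha256_hex(raw)}
            for i, c, raw in items]

def deduplicate(manifest):
    """First copy of each hash goes to review; later copies are recorded
    as duplicates so no custodian's copy disappears from the record."""
    review, seen = [], {}
    for row in manifest:
        if row["sha256"] in seen:
            seen[row["sha256"]]["duplicates"].append(row["id"])
        else:
            entry = dict(row, duplicates=[])
            seen[row["sha256"]] = entry
            review.append(entry)
    return review

def verify(manifest, items):
    """Re-hash working copies; return ids that no longer match the manifest."""
    current = {i: sha256_hex(raw) for i, _, raw in items}
    return [r["id"] for r in manifest if current.get(r["id"]) != r["sha256"]]

def keyword_search(items, review_set, terms):
    """Case-insensitive keyword filter over the de-duplicated review set."""
    wanted = {r["id"] for r in review_set}
    terms = [t.lower() for t in terms]
    return [i for i, _, raw in items
            if i in wanted
            and any(t in raw.decode("utf-8", "replace").lower() for t in terms)]
```

Hashing raw bytes only catches exact copies; the same email exported from two mailboxes often differs in headers, so a production workflow would hash normalized fields instead.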

In practice, a lack of proper forensic or litigation readiness often becomes apparent at this stage. When mailboxes are fully managed by an external IT service provider without clear agreements on incident access, when logging is disabled to save storage costs, or when retention periods are set too short, crucial evidence may simply be lost. At the same time, investigators must handle privacy with care. They collect only data that may be relevant, limit access to a small authorized team, apply encryption and logging, and remove or anonymize irrelevant personal data where possible.

Interviews and conversations

In addition to analyzing financial data and digital evidence, interviews remain an essential part of forensic investigations. Conversations with involved employees, managers, key process owners, and, where relevant, external parties help explain the story behind the data. In investigations into, for example, subsidy misuse or complex expense fraud, interviews may reveal that certain practices “had always been done this way,” that there was implicit pressure to meet targets, or that individuals relied on instructions from others without independently verifying them.

Beforehand, investigators determine the order in which individuals are interviewed, what information they receive about the reason and scope of the investigation, and how their rights and obligations are explained. Notes or recordings are carefully documented and stored, with clear agreements on confidentiality and use. Statements are continuously tested against the “hard” data from financial, digital, and open-source investigations. Inconsistencies between narratives and factual evidence often provide valuable leads, but they also require careful interpretation. Experience plays a major role here.

Open-source intelligence (OSINT)

Open-source intelligence is often a standard component of forensic investigations into fraud. Investigators consult trade registers, sanctions lists, case law, news archives, sector publications, and publicly available online information to identify relationships, corporate structures, and reputational indicators.

OSINT activities are always carefully documented. Investigators record which sources were consulted, which filters were used, and what limitations apply to the reliability of the information found. Tools can support this process, for example by recording visited websites and indexing collected information.

Privacy considerations also apply here. Not all personal information found online is relevant or may be processed indiscriminately in an investigation.

Analysis of all collected information

An investigation is an iterative process. Based on new information from earlier investigative steps, analysts reassess the data and determine whether it can be further enriched. It is common to take a step back during an investigation before moving forward again. For example, open-source research may reveal new individuals or entities that play a role as problematic suppliers. This can trigger further analysis of specific transactions in the financial records. These names may also serve as additional search terms in the eDiscovery process.

Reporting: bringing all lines together

At the end of the investigation, investigators present all relevant facts in a report. The report starts with a clear description of the engagement, scope, methodology, and any limitations. Investigators then present the factual findings per investigation stream in a structured way, covering financial investigation, digital investigation, interviews, and open-source research. This is followed by an analysis that connects the different lines of inquiry.

For example, financial data may show unusual money flows, while digital logs indicate that certain changes were made from specific accounts or locations. eDiscovery may reveal relevant communications between involved parties, and OSINT may confirm that certain entities or individuals have previously been linked to similar schemes. Together, this forms a coherent picture supported by data and clear source references.

A modern investigation report always includes an explicit explanation of how personal data and confidential information were handled. Investigators describe which data was collected, on what legal basis, and which limitations applied. They also explain how security measures were implemented and which forms of data minimization were applied. This is not only important for regulators and courts, but also for maintaining trust among employees and other stakeholders.

Not always forensic ready

A key theme from our recent practical experience is that many organizations are willing to cooperate substantively with investigations, but are not always technically, contractually, or practically prepared for a forensic approach.

This can lead not only to unnecessary delays and higher costs, but sometimes also to irreparable gaps in the reconstruction of events. Against this background, one lesson is already clear—even before discussing improvement programs: a solid forensic investigation starts long before the first signal, with how data, IT, contracts, and privacy are organized today.

Invitation to consult

We can imagine that after reading this article, you may have questions or wish to exchange thoughts on certain topics. You may also be dealing with a concrete case that you would like to discuss. We invite you to contact us without obligation to get acquainted with us and/or discuss your case. Our contact details can be found on our website.

Looking ahead: from fraud to broader integrity investigations

In the next article in this series, the focus shifts from strictly forensic fraud investigations to broader integrity investigations. The attention will not only be on financial damage or clear fraud indicators, but on a wider spectrum of integrity issues. These include conflicts of interest, abuse of position, secondary activities, and inappropriate behavior.

In this third part, we show what fact-finding investigations into integrity reports look like. We also discuss the central research questions and explain how organizations can find the right balance between due care, confidentiality, and transparency.

Get in touch

Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com

Boy Custers | +31649935735 | boy.custers@compliancechamps.com

Blockrise is MiCAR approved

We want to congratulate Blockrise for obtaining the MiCAR license!

This is truly a big milestone and an achievement to be proud of!
Congratulations on this achievement, Jos Lazet and Jasper Hu.

We’re very happy that we were able to offer our support over the last year and to have played a part in your journey to this incredible milestone.

Here’s to continued innovation and leadership in the industry!

The landscape of compliance investigations: an introduction 

Compliance investigations are becoming increasingly important for organizations as the scope of compliance work expands due to new laws and regulations. Reliability, integrity, and adherence to those laws and regulations are essential to maintaining the trust of customers, regulators, and employees. 

At Compliance Champs, we offer various types of compliance investigations. These investigations share many similarities but also have clear distinctions. 

In this blog series, we will walk through the different types of compliance investigations step by step: from exploratory to forensic, from data-driven to people-focused, what they deliver, and most importantly, when to use them. 

This first article provides an overview of the different types of compliance investigations conducted today, their objectives, and how they contribute to a healthy and future-proof organization. 

What are compliance investigations? 

Compliance investigations are structured processes designed to determine whether and how rules, laws, internal procedures, and codes of conduct are being followed within an organization. They provide insight into potential violations, risks, and areas for improvement. The focus is not only on hard facts (such as fraud or misreporting) but also on soft factors such as culture, behavior, and leadership. 

Types of compliance investigations 

There are various types of investigations, each with its own focus and purpose: 

  • Fraud investigations: Focused on detecting and establishing fraud or financial misconduct. These often begin with reports or irregularities and typically require a combination of data analysis, interviews, and forensic techniques. 
  • Integrity investigations: Focused on identifying possible conflicts of interest, corruption, abuse of position, or other breaches of integrity. This type of investigation often also looks at behavioral patterns within the organization. 
  • Labor law compliance investigations: These investigations focus on workplace-related issues such as non-competition clauses, theft of company information, or sexual harassment, with strong emphasis on privacy and legal frameworks. 
  • Due diligence and reputation research: Prior to mergers, acquisitions, or investments, in-depth research is conducted to identify integrity risks, sanctions risks, and reputation issues. 
  • AML and KYC investigations: Primarily relevant for organizations in the financial sector, these focus on preventing money laundering and understanding customers, using thorough client reviews and ongoing monitoring. They can also be valuable for companies not subject to AML regulations. 
  • Compliance audits: These audits assess compliance with anti-money laundering (AML) and customer identification (KYC) requirements. They evaluate whether processes effectively manage risks related to customer acceptance, risk classification, transaction monitoring, and reporting procedures. Policies, procedures, and practices are reviewed to identify gaps and strengthen compliance and risk management. 
  • Whistleblower investigations: Initiated in response to reports, these independent fact-finding investigations are conducted with strong safeguards for anonymity and careful follow-up. 
  • Culture and behavior measurements: Investigations that measure the effectiveness of soft controls, such as reporting culture, ethical behavior, and leadership. These are often carried out through surveys and analytical tools. 

Coherence and integrated approach

Organizations sometimes choose to combine different types of investigations in integrated compliance and governance programs. This provides broad insight into risks and offers opportunities to strengthen compliance structurally—both in terms of processes and organizational culture.

What else can you expect? 

In this blog series, we will take a closer look at each of these types of compliance investigations. We will discuss methodologies, best practices, current developments, and lessons learned from real-world practice. In doing so, we aim to help you navigate this complex and dynamic field with greater confidence. 

 

Would you like to learn more about how to effectively prepare your office for these upcoming changes? Compliance Champs has extensive knowledge, experience, and expertise to provide advice and support during implementation. Contact us for a free introductory consultation.




Compliance Champs is FD Gazelle 2025!

We are proud to announce that Compliance Champs has been named one of the fastest-growing companies in the Netherlands, in the West region and Small Business category.

This recognition from Het Financieele Dagblad is a reflection of our continued growth and the impact we achieve together. It has been made possible by the dedication and expertise of our team, the trust placed in us by our clients and partners, and our ongoing commitment to advancing organizations with integrity in compliance risk management.

We look forward to celebrating this success together on November 25 at the official FD Gazellen Awards 2025 ceremony.