The Three Biggest Blind Spots in AML/CFT Audits (and How They Can Ruin Your Organisation)

Introduction: Why Your AML/CFT Audit May Fall Short 

The AML/CFT audit is complete. The report looks good. Compliance has finished its annual reviews, and collectively the conclusion is: we’re in control. 

And yet… several clients turn out to be part of a money laundering network worth hundreds of millions of euros. Your monitoring tool missed transactions that a competitor did flag. An employee has been approving PEP transactions for years without any enhanced due diligence measures in place. 

How is that possible? 

In practice, AML/CFT audits are frequently vulnerable to a number of fundamental blind spots: organizational culture, human behaviour under pressure, and the way data is used and interpreted. 

In this article we unpack: 

  • Blind spot 1 – Culture: Why a “compliance tick-box culture” masks real risk. 
  • Blind spot 2 – People: The psychology behind ignoring red flags. 
  • Blind spot 3 – Data: Why your monitoring tools miss more than they catch. 

 

Blind Spot 1: The “Compliance Tick-Box Culture” – Why Your Organization Thinks It’s Compliant When It Isn’t 

In many organizations, AML/CFT compliance has gradually shifted from a risk-driven discipline to an administrative process. What was once designed to make risks visible and manageable has in practice often been reduced to following steps and ticking checklists. Employees do what is asked of them but rarely pause to consider what it means — for risks, for the organization, or for overall effectiveness. The result? 

  • Reports full of confirmations that processes exist and have been implemented, but with little concrete evidence that they work. 
  • Audits that focus on the “easy” components (such as client onboarding and policy checks), while complex risks (such as transaction monitoring and culture) are ignored. 
  • A false sense of security: “We’re compliant because we follow the rules.” 

Real-world example:

In 2025, de Volksbank was fined €20 million by the DNB because their compliance system was not up to date and risks were not being effectively mitigated. The problem? The bank had processes in place, but they were never critically assessed for effectiveness. Employees followed the rules but didn’t understand why — and so they missed signals that pointed to potential money laundering.

 

Why is this a blind spot?

Culture determines the depth of compliance

In organizations where compliance is seen as an obligation, a minimal approach quickly takes hold: “do just enough to get through the check.” Employees follow processes but don’t feel responsible for the underlying goal. Identifying risks requires curiosity, ownership, and often courage. When those elements are absent, deviations go unnoticed — not because they don’t exist, but because no one is actively looking, raising concerns, or speaking up. 

No personal accountability

When compliance is positioned as a separate department, an implicit divide emerges: “they handle the rules, we handle the business.” In theory, everyone remains responsible, but in practice that accountability erodes. Risk management becomes something you can pass along rather than something that is an integral part of daily work. The result is that signals get lost between teams or simply aren’t acted on because no one truly feels ownership. 

Fear of conflict

Asking critical questions about clients, transactions, or internal processes requires space and psychological safety. In many organizations, employees feel that space is limited. Those who push back with questions are sometimes seen as difficult, as causing delays, or as “not commercial enough.” In high-pressure environments with a strong focus on targets, this effect can be amplified. The rational choice then becomes to stay within the lines and avoid discussion — even when there is doubt. 

How to address this: 

✔ Make compliance everyone’s responsibility: Explain why rules exist and why they matter to the organization (e.g. “This prevents us from being used for money laundering”) and what each person’s role should be. In your next audit, examine the sense of accountability across different teams.

✔ Create a compliance KPI: Encourage employees to report red flags, even when it’s uncomfortable. Compliance training is essential to help them recognize those flags. As an auditor, it is also important to investigate how compliance is incentivized.

✔ Test the culture: Run anonymous employee surveys. Do employees feel comfortable voicing criticism? Do they feel safe reporting irregularities?

✔ Let senior management set the tone: If management ignores compliance, the rest will too. As an auditor, be willing to address the impact of management’s tone. 

 

Blind Spot 2: Human Behavior – The Psychology Behind Ignoring Red Flags

We are not rational — including in compliance. Even if systems and processes are perfect, people make mistakes. And those mistakes are often caused by psychological pitfalls: 

 

| Psychological Bias | How It Works | Example |
|---|---|---|
| Confirmation bias | We seek information that confirms our existing beliefs. | An auditor sees that a client looks fine “on paper” and ignores signals that suggest otherwise. |
| Overconfidence bias | We overestimate our own ability to recognise risks. | “We know our clients, so we know which transactions are safe.” |
| Groupthink | Group pressure suppresses dissenting opinions. | A team ignores a red flag because “everyone agrees there’s no risk here.” |
| Alert fatigue | Too many false alarms lead to all signals being ignored. | Employees automatically click “safe” because 99% of alerts turn out to be nothing. |
| Authority bias | We blindly trust authority figures (e.g. senior management). | An employee doubts a transaction but does nothing because the manager says: “This is fine.” |

This vulnerability — these biases — doesn’t reside in systems or procedures, but in human behavior. And that is precisely what makes it so persistent. 

People are not machines

Even the most experienced auditors and compliance officers are constantly making judgements based on incomplete information. Unconscious assumptions and cognitive biases play a larger role than is often acknowledged — think of confirmation bias, but also “normalization of deviance” (deviations that occur often enough start to feel normal). In an audit context, this means signals that don’t immediately fit the expected pattern are more likely to be filtered out or rationalized away. 

Culture amplifies biases

This natural tendency is reinforced by the environment in which people work. Culture — the first blind spot — is a key factor here. In organizations where mistakes are primarily seen as something to be punished, hesitancy sets in. Employees become more cautious about asking critical questions or escalating uncertain cases. Not because they don’t see the risks, but because the personal or organizational cost of “being difficult” feels higher than the potential benefit. The result is that risks may be noticed but not always voiced. 

Pressure to deliver results

On top of this, incentives within organizations are not always aligned with risk management. When speed, commercial targets, or customer satisfaction carry more weight in assessments and rewards, tension arises. Employees who are evaluated on throughput times or volumes will — consciously or unconsciously — tend to be less rigorous in their assessments. Not necessarily out of bad intent, but because the system nudges them in that direction. A compliance KPI could help to rebalance this. 

Together, these factors create an environment where risks don’t necessarily disappear but do become less visible. And that makes this one of the most insidious blind spots: everyone is doing their job, and yet a structural underestimation of what is really happening emerges. 

 

How to address this: 

✔ Train on behavior, not just rules: Teach employees to think critically and challenge assumptions. When auditing, review training materials with this theme in mind.

✔ Use red teaming: Have a team deliberately try to circumvent your systems. What works? Where do they hit obstacles? As an auditor, explore how an organization can guard against biases.

✔ Reward reporting mistakes: Build a culture where reporting errors is rewarded, not punished. This is always worth probing in interviews and walkthroughs.

✔ Automate where possible: Replace human judgement with objective criteria where feasible (e.g. “If a transaction has characteristics X, Y, and Z, always escalate”).

✔ Measure the quality of decisions: Analyze retrospectively how often human assessments were wrong and learn from them. 

 

Question for you:

What psychological pitfalls do you recognize in your own team? And how do you ensure that employees feel comfortable expressing their doubts?

 

Blind Spot 3: Data – Why Your Monitoring Tools Miss More Than They Find

Organizations rely on sophisticated monitoring tools to detect suspicious transactions. But what if those tools are not calibrated to the actual risks of your organization? Or if the data fed into the system is incomplete, outdated, or even misinterpreted? 

Real-world examples:

  • Bunq (Dutch neobank) was fined €2.6 million by the DNB in 2025 because their AML controls repeatedly fell short. One of the problems: monitoring tools missed patterns that were suspicious because they had not been calibrated to the specific risks of a fintech.
  • De Volksbank was unable to properly monitor customer activity between 2020 and 2023 because their systems did not keep pace with new money laundering methods (for example, structuring via small amounts).

On paper, data-driven monitoring appears to be one of the strongest lines of defense in AML/CFT. In practice, this is precisely where a fundamental vulnerability lies — not because there is too little data, but because the way we use that data has limitations that are often underestimated. 

 

False Negatives

A first problem lies in what is not seen: so-called false negatives. Monitoring tools are by definition based on models, scenarios, and historical patterns. They recognize what has previously been identified as a risk. But money laundering and fraud evolve constantly. New methods often fall outside existing parameters and therefore remain invisible. The system generates no alert, even though something is genuinely happening. And because “no alert” is often interpreted as “no risk,” a dangerous form of false assurance emerges. 

False Positives

On the other side is the opposite problem: false positives. Many systems generate large volumes of alerts, a considerable portion of which ultimately prove irrelevant. This creates an operational reality where employees must assess enormous volumes daily. Inevitably, alert fatigue sets in. Signals that were initially investigated carefully are increasingly dismissed as “probably nothing again.” Not out of negligence, but out of efficiency. The risk is clear: the one genuine signal can get lost in the noise. 

Data Silos

On top of this, data rarely forms a coherent whole. In many organizations, information is spread across different systems: client data in one platform, transaction data in another, risk assessments somewhere else. These silos make it difficult to connect the dots. A transaction may appear harmless on its own, as may a client profile. But in combination — across time and systems — a pattern may well become visible. If those puzzle pieces never come together, the bigger picture remains hidden. 

 

How to address this: 

✔ Validate your data: Ensure your monitoring tools detect the risks that are relevant to your organization. Test regularly with realistic scenarios. In an audit, dig deeper into how the rules (and their associated scenarios) were developed.

✔ Combine humans and machines: AI and data analysis are powerful, but human judgement is needed to add context (e.g. “This director is a PEP, but their assets are unrelated to the client organization”).

✔ Monitor effectiveness: Measure how many real risks your tool identifies and how many it misses. As an auditor, examine the monitoring tool’s statistics.

✔ Integrate data: Ensure that client data, transaction data, and risk data are connected, so that patterns can surface. Include data types in your audit scope.
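To illustrate the "test with realistic scenarios" and "measure what the tool misses" points above, the following Python example is added here and is not part of the original article. It scores two monitoring rules against seeded test cases, including structuring via small amounts; the clients, amounts, the EUR 10,000 threshold and the 7-day window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed test set: (client, booking date, cash deposit in EUR).
TXNS = [
    ("A", date(2025, 3, 3), 12_000),   # seeded: one large deposit
    ("B", date(2025, 3, 3), 2_400),    # seeded: structuring, 5 x 2,400
    ("B", date(2025, 3, 4), 2_400),
    ("B", date(2025, 3, 5), 2_400),
    ("B", date(2025, 3, 6), 2_400),
    ("B", date(2025, 3, 7), 2_400),
    ("C", date(2025, 3, 3), 500),      # ordinary activity
    ("C", date(2025, 3, 10), 800),
    ("C", date(2025, 3, 17), 300),
    ("D", date(2025, 3, 5), 15_000),   # large but legitimate (not seeded)
]

# Ground truth: clients whose activity was planted as a test scenario.
SEEDED = {"A", "B"}


def single_txn_rule(txns, threshold=10_000):
    """Flag clients with any single deposit at or above the threshold."""
    return {client for client, _, amount in txns if amount >= threshold}


def rolling_sum_rule(txns, threshold=10_000, window_days=7):
    """Flag clients whose deposits within any trailing window reach the threshold."""
    by_client = defaultdict(list)
    for client, day, amount in txns:
        by_client[client].append((day, amount))

    flagged = set()
    for client, rows in by_client.items():
        for end_day, _ in rows:
            start = end_day - timedelta(days=window_days - 1)
            total = sum(a for d, a in rows if start <= d <= end_day)
            if total >= threshold:
                flagged.add(client)
                break
    return flagged


def score(flagged, seeded):
    """Compare flagged clients with the seeded scenarios."""
    tp = len(flagged & seeded)   # seeded cases the rule caught
    fp = len(flagged - seeded)   # alerts on non-seeded clients
    fn = len(seeded - flagged)   # seeded cases with no alert (false negatives)
    return {
        "tp": tp,
        "fp": fp,
        "fn": fn,
        "recall": tp / (tp + fn) if tp + fn else None,
        "precision": tp / (tp + fp) if tp + fp else None,
    }


if __name__ == "__main__":
    for name, rule in [("single transaction", single_txn_rule),
                       ("7-day rolling sum", rolling_sum_rule)]:
        print(name, score(rule(TXNS), SEEDED))
```

The single-transaction rule produces no alert for client B, which is the "no alert is read as no risk" situation described under False Negatives; both rules still alert on client D, so the false-positive load is measured alongside the misses.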

 

Conclusion: From Blind Spots to Clear Vision

The three blind spots — culture, human behavior, and data — do not exist in isolation. They reinforce each other. An organization with a tick-box culture will be less critical about the effectiveness of its monitoring. People under pressure or driven by speed will be quicker to trust systems without questioning them. And systems that don’t work effectively but are still used in turn feed the conviction that “everything is under control.” This creates a closed loop of false assurance. 

The uncomfortable reality is that many audits do not break this dynamic. They confirm that processes exist, that controls have been performed, and that reporting is accurate. But they rarely ask the sharp question: Does this system actually work when it really matters? 

An effective AML/CFT audit therefore looks not only at what has been set up, but above all at how it functions in practice — under pressure, when in doubt, and at the moments when it counts. That demands something different from auditors: 

  • Not just testing, but asking deeper questions 
  • Not just checking, but understanding 
  • Not just reporting, but also confronting 

Because ultimately the difference does not lie in even better policies or even more data. It lies in the willingness to see what you’d rather not see. The question, therefore, is not whether your organization has blind spots. 

 The question is: do you dare to truly make them visible? 

If you ignore these blind spots, you remain reactive rather than proactive. Your organization is not badly protected — but it is vulnerable in places where you least expect it. The 20% that truly makes an impact understands that a good AML/CFT audit is not about ticking regulatory boxes, but about exposing vulnerabilities before they can be exploited. 

 

Invitation to Consult

If this article has raised questions or prompted topics you would like to discuss further — or if you have a specific case you would like to explore — we welcome you to reach out for an informal introductory conversation. Our contact details can be found on our website. 

 

Next Article

In the next article, we examine an uncomfortable truth: Internal Audit versus Business. Why audit teams are so often seen as a brake on progress — and how to change that. 

 

Get in touch

Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com

Boy Custers | +31649935735 | boy.custers@compliancechamps.com

Pump.fun and the normalisation of Market Manipulation

Introduction

Platforms such as Pump.fun are attracting growing attention from regulators and politicians. They are often presented as a new danger in crypto. In reality, they mainly expose a much older problem: an online culture where speculation, hype, and influence increasingly blur the line between investing and manipulation. 

I saw that culture from the inside. I joined Telegram groups to find coins early, because that seemed to be where the real money was made. Returns of 20x or even 200x felt possible if you entered early enough. Groups reinforced this constantly through screenshots of huge gains and the suggestion that the next opportunity was always close. 

That created a permanent sense of urgency. Not participating did not feel cautious. It felt like missing out. 

How the System Works 

Inside these groups, pump and dump schemes were often organised in a simple pattern: a public group generated excitement, while a smaller inner circle got access to the coin first. By the time the larger group started buying, early participants were already preparing to sell. 

What stood out most was how normal this seemed. Many knew some people had an advantage, but few questioned it. It was simply accepted as part of the system. 

Over time, it stopped feeling like investing and started feeling like a game: fast, addictive, and constant. Gains and losses happened so quickly that the money barely felt real. When you win, your expectations rise. When you lose, you compare yourself not to where you started, but to your highest point. That creates the urge to win it back. 

That is where rational decision making begins to disappear. 

Why Pump.fun Matters

Pump.fun fits naturally into this environment. It did not invent pump and dump schemes, but it makes them easier, faster, and more visible. 

Creating a coin has become easy. Coins can be launched in minutes, traded instantly, tracked in real time, and promoted across social media. Speculation is no longer limited to niche communities. It has become part of the system itself. 

The consequences go beyond financial loss. Many users believe they are investing when they are actually entering a system designed to reward early insiders. This can lead to financial harm, addictive behaviour, unrealistic expectations about money, distrust in markets, and greater risks for younger users. 

Regulation and Solutions 

Regulators are responding. The Authority for the Financial Markets classifies pump and dump schemes as market abuse and states that such practices are prohibited under European rules [1].

The Dutch government has also raised concerns about Pump.fun, particularly regarding young investors and the role of online influencers [2].

In the United Kingdom, the Financial Conduct Authority warned that Pump.fun is not authorised and that consumers should be cautious [3]. 

Simply banning or restricting a platform is rarely sufficient to address the underlying issue. When demand remains high, users often move elsewhere through private groups, new tools, or technical workarounds such as VPNs. Reports about Polymarket showed that some restricted users continued accessing the platform through VPNs, demonstrating how digital restrictions are often bypassed rather than respected [4]. 

Removing one platform does not remove the behaviour behind it. 

A more realistic response would combine enforcement, education, and prevention: detecting suspicious trading patterns, intervening faster, warning users inside apps, tightening influencer rules, and improving financial education for younger audiences. 

Conclusion 

The uncomfortable reality is that platforms like Pump.fun do more than enable speculation. They depend on it. As long as that remains profitable, they are unlikely to disappear. The real question is whether we are willing to accept a system in which speculation, hype, and unequal access are normalised, and in which the line between market participation and exploitation becomes increasingly difficult to see. 

 

Get in touch

Please reach out to us on: info@compliancechamps.com


 


[1] AFM. (n.d.). Pump and dump. Dutch Authority for the Financial Markets. 

[2] Rijksoverheid. (2025). Answers to parliamentary questions about Pump.fun. Dutch Government. 

[3] FCA. (2024). Warning: Pump.fun. Financial Conduct Authority. 

[4] CoinDesk. (2024). Polymarket’s probe highlights challenges of blocking U.S. users and their VPNs. 

Due Diligence and Reputation Research: Testing Integrity Before Saying ‘Yes’

In mergers, acquisitions, major client relationships, and investments—both domestic and international—the emphasis has traditionally been on financial and legal due diligence. Balance sheets are scrutinized, contracts are reviewed, and tax structures are analyzed. However, in practice, it often turns out that integrity issues, sanctions risks, and reputational damage, rather than numbers, are the true dealbreakers.

This article focuses on Integrity Due Diligence (IDD)—also known in international practice as Reputational Due Diligence. IDD does not replace legal, tax, or financial DD; rather, it serves as a complementary layer that answers a different question: “Do we actually want to be associated with this party?”

 

Why Financial and Legal DD Are Not Enough

Financial, tax, and legal DD are indispensable. They map out whether the figures are accurate, which contractual obligations exist, and which hard claims, securities, and tax risks are at play. Furthermore, regulators and legislators expect organizations to have their financial and legal houses in order.

At the same time, the bar is shifting. Sanctions regimes are becoming stricter, AML (Wwft/Wft) expectations are becoming more concrete, and media, NGOs, and regulators are looking more closely at ESG, human rights, and supply chain responsibility. Consequently, board members are increasingly told they “should have known” that a potential acquisition or key partner had integrity issues.

Additionally, reputational damage is difficult to repair. The traditional notion that legal, tax, and financial DD constitute “the” due diligence—and that integrity research is merely an optional add-on—no longer aligns with modern business realities.

The Blind Spot: In transactions, we often see a single total budget agreed upon for due diligence. This amount is usually consumed by standard components first. Anything outside of that is quickly dismissed as “nice-to-have” and is the first to be cut. This is precisely where blind spots are created.

 

The Foundation: Standard DD with IDD as a Complementary Layer

Modern due diligence has long evolved beyond the classic trio of financial, tax, and legal. While these remain the foundation—one cannot close a responsible deal without insight into figures and obligations—a whole generation of “supplementary” DD streams has emerged. Cyber and IT DD, technical DD, commercial and ESG DD, and sector-specific variants like environmental or regulatory DD are increasingly set up as separate workstreams.

In this article, we zoom in on Integrity Due Diligence (IDD). IDD is not a competing alternative to financial or legal DD, but a conscious broadening of scope. While traditional research focuses on the formal side of the enterprise, IDD looks at the behavior, integrity, and reputation of the organization and the people surrounding it.

This process combines:

  • Open Source Intelligence (OSINT): Registers, sanctions lists, court rulings, and regulatory sites.
  • Background Checks: Analyzing the track record of directors, UBOs (Ultimate Beneficial Owners), and key personnel.
  • Media Analysis: Reviewing NGO reports, social media, and international press.

The result is a cohesive picture that shows not only if the company is formally compliant, but whether you, as a buyer or investor, actually want to stand beside them.

 

Cross-Pollination Between Legal, Tax, Financial, and IDD

On paper, legal, tax, financial DD, and IDD complement each other perfectly. However, in practice, these streams often run too far apart, meaning important facts are not cross-referenced.

Consider an illustrative example: a standard question is whether directors or shareholders have ever been involved in a bankruptcy. In a legal Q&A, this question was answered in the negative. However, the IDD research—searching trade registers and media—revealed that one of the individuals had indeed been a director of a bankrupt company. This information was available in public sources. The discrepancy was only noticed by placing the legal Q&A answers alongside the OSINT findings from the IDD.

Similar cross-pollination is possible with financial and tax DD:

  • Public Annual Reports: Provide a high-level check on turnover, profit, and solvency to compare with data room figures.
  • Bankruptcy Reports & Litigation: Reveal past liabilities or seizures relevant to both legal and financial teams.
  • Tax Disputes & Fines: Visible in case law and news media, these can be reconciled with tax DD findings.

The goal is not to “replicate” a full financial DD using open sources, but to see if the internal image aligns with the public trail and identify where gaps or tensions exist. This requires a conscious “information bridge”: granting the IDD team access to relevant Q&A topics and systematically feeding IDD findings back to the legal, tax, and financial teams.

 

In-depth Anti-Corruption DD: Beyond the FCPA

For groups operating internationally with significant government contact or activities in high-risk countries, a generic IDD is sometimes insufficient. In these cases, it is supplemented by an explicit anti-corruption stream.

The FCPA (U.S. Foreign Corrupt Practices Act) is a well-known reference, but it is not the only one. The UK Bribery Act, France’s Sapin II law, and Brazil’s Clean Company Act all impose strict standards regarding bribery, anti-money laundering, and internal controls.

In practice, this translates into an in-depth DD track:

  1. Analyzing high-risk payments (gifts, hospitality, facilitation).
  2. Reviewing the role of agents and consultants.
  3. Evaluating approvals and monitoring in high-risk jurisdictions.

The aim is to assess whether the integrity and control levels align with the jurisdictions where the party is active and with the risk appetite of the buyer or financier.

 

The IDD Report as a “Living” Dossier

A high-quality IDD report has value throughout the entire lifecycle of a deal, not just at the moment of signing.

  • Phase 1: Supports the go/no-go decision.
  • Phase 2: Used for (re)financing with banks who conduct their own integrity checks.
  • Phase 3: Demonstrated to grant providers or funds to prove that integrity and sanctions risks have been carefully vetted.

Case Study: In a project involving a new data center, extensive screening was conducted on a party intended to be the center’s largest tenant. While the immediate goal was the client relationship, the investor looked further ahead: the real estate and client portfolio might be resold in the future. A robust IDD report serves as evidence for future buyers that risks were consciously accepted or mitigated, making the IDD a recurring building block in the asset’s documentation chain.

 

Red Flags and Risk Translation

IDD often produces a mix of hard facts, allegations, and “noise.” Not every negative report is a dealbreaker. The art lies in determining when a finding constitutes a true Red Flag.

Patterns of recurring corruption, involvement in sanctions evasion via dubious intermediaries, or repeated regulatory interventions point to structural integrity problems. Long-standing controversies regarding human rights or environmental issues in the supply chain also fall into this category.

The next step is always the same: translating fact into risk.

  • How old is the issue and how was it resolved?
  • Was it an isolated incident or a pattern?
  • What remediation measures have been taken since?
  • What does this mean for strategy, permits, and stakeholders?

This analysis determines whether to proceed, under what conditions, and with what additional safeguards.

 

Roles: Board, Compliance, and Researchers

A successful IDD requires clear responsibilities:

  • Board/M&A Teams: Define the risk appetite and make the final go/no-go decision.
  • Compliance & Legal: Translate that appetite into concrete research questions and reporting formats.
  • External Forensic Researchers: Conduct in-depth OSINT and reputational research, including anti-corruption tracks (FCPA/UKBA/Sapin II).
  • Financiers: Expect projects to be demonstrably tested against integrity, ESG, and governance standards.

 

Conclusion: From Deal DD to KYC

IDD is the “front end” of the same field where integrity investigations and whistleblower cases form the “back end.” What you do not sufficiently investigate before saying “yes,” you are likely to encounter later as an incident, investigation, or crisis.

In the next article in this series, we will shift the focus from one-time deal DD to daily practice: KYC (Know Your Customer) screening and CDD (Customer Due Diligence). We will explore how to translate the principles of IDD into ongoing monitoring, UBO verification, and PEP screening throughout the entire customer relationship.

 


The 80/20 Gap: Why Most AML/CFT Audits Miss the Mark and How to Join the Effective Few

The Illusion of Compliance 

Imagine the following: Your organization has a seemingly perfect AML/CFT audit program. Everything is meticulously documented, reports are delivered on time, and the regulator leaves after the latest inspection with a reassuring verdict. On paper, everything is correct. 

And yet—one year later—a multi-million dollar fine follows. Or worse: your organization hits the headlines due to involvement in a money laundering scandal that went unnoticed for years. 

 

What went (likely) wrong?  

The uncomfortable truth is that it is rarely a lack of rules, processes, or even expertise. The problem lies in the fundamental approach. Our market observation shows that approximately 80% of audits have subconsciously started believing in false security: treating compliance as an administrative end goal rather than risk management as a continuous process. The result? Audit programs that revolve around checkmarks and tickets, but fail to detect real risks and deviant behavior. 

In this article, we unravel: 

  • Why audits often remain superficial (and how to pierce through that surface). 
  • The three biggest pitfalls for audit teams. 
  • How to make the shift to the 20% of organizations that actually add value. 

 

1. False Security: “We Are Compliant”

In practice, an AML/CFT audit is still too often viewed as a mandatory “check-the-box” exercise. This mindset leads to audits that primarily prove that processes exist, but not whether they hold up under pressure. 

Reports are filled with confirmations that policies are in place, controls are set up, and procedures are followed. But the question that is rarely truly answered is: does it actually work in practice? Furthermore, audits often focus on the “low-hanging fruit,” such as the administrative completeness of customer onboarding. More complex subjects—such as the effectiveness of advanced transaction monitoring or the integrity of decision-making regarding abnormal behavioral patterns—often remain underexposed. 

The 20% who make an impact shift the focus from process compliance to effectiveness compliance. An effective program is not about checking off rules; it’s about exposing vulnerabilities before a criminal finds them. 

 

2. The Three Biggest Pitfalls in AML/CFT Audits

I. Tunnel Vision: Looking at What You Already Know

Auditors often focus on known risks and existing checklists. This provides a sense of security but creates significant blind spots. New threats—such as complex fraud structures, crypto-related risks, or advanced laundering methods—remain out of sight. When an audit concludes with “no significant findings,” it is often not a sign that everything is in order, but a signal that the audit did not look deep enough. 

 

How to tackle this:

  • Steer toward ‘Event-driven’ scopes: Stop auditing just “because it’s on the annual plan.” Focus on areas where the market or the organization is changing (e.g., new product-market combinations). 
  • Use technology as a mirror: Use data analytics to discover patterns that manual sampling misses, but remain critical of data quality. 
  • Broaden the perspective: Involve external specialists (e.g., SIRA or sanctions experts) to challenge your own assumptions.

 

II. Paper Compliance: The Gap Between Policy and Practice

Many organizations have excellently documented processes. On paper, it all adds up. But in practice, deviations occur. Employees skip steps because processes are too cumbersome; monitoring tools generate so many alerts that real signals get lost in the noise; training is completed but does not lead to a change in behavior. 

How to tackle this: 

  • Mystery Shopping / Walk-through tests: Test the process by guiding a fictitious, high-risk customer through onboarding. How easily do they slip through? 
  • Measure ‘Output Quality’: Don’t just look at whether an alert was handled, but whether the handling actually mitigated the risk. 
  • Feasibility Check: If a rule is not followed, the employee is often not the problem—the process is. Dare to name this. 

 

III. The “Audit as End Point” Pitfall 

An audit report is delivered, discussed, and then filed away. Recommendations fade into the background, follow-up is lacking, and the organization returns to business as usual. In such an environment, audit is seen as a control mechanism rather than an improvement tool. 

How to tackle this: 

  • Make audit findings SMART: Specific, Measurable, Achievable, Relevant, and Time-bound. 
  • Involve the business in the solution: Let those who execute the process help think of improvements. Additionally, appoint someone responsible for the solution. 
  • Communicate results: Show that audit is not just about “checking” but also about adding value. 

 

3. How to Reach the 20%: Practical Steps for an Effective Audit 

Step 1: Prioritize Impact, Not Completeness

Not every risk deserves the same attention. Effective audit teams make sharp choices. They focus on the areas where probability and impact are highest: high-risk customers, complex or abnormal transactions, and behavior within the organization that puts rules under pressure. This requires daring to abandon standard checklists.

Step 2: Use Data to Discover Blind Spots

Many audits confirm what is already known. The real value lies in discovering blind spots. By actively using data analysis, patterns can become visible that otherwise remain hidden—such as unusual transaction flows or structural exceptions in processes.

Step 3: Make Audit a Continuous Process, Not a One-time Check

Risks change constantly, but audits often only take place periodically. By continuously monitoring critical processes and conducting shorter, thematic ‘deep dives,’ audit becomes an integral part of risk management rather than an annual exam.

  • Tip: Create an ‘audit roadmap’ with priorities and deadlines, and communicate this to management.

Step 4: Measure the Impact of Your Audit

Ultimately, it is not about delivering reports, but about realizing improvement. Ask: Are risks identified faster? Do signals lead to action? Does behavior within the organization actually change?

 

4. Conclusion: From Superficiality to True Risk Awareness 

In this approach, audit shifts from a monitoring function to a strategic partner in risk management. Most AML/CFT audits fail because they only check boxes, focus on paper rather than behavior, and result in no action being taken. 

The solution? An audit program that: 

  • Truly exposes risks (not just checking if they are “documented”). 
  • Uses technology and data to find blind spots. 
  • Stimulates business engagement and enforces action. 

 

Invitation for Consultation 

We can imagine that after reading this article, you may have questions or wish to exchange thoughts on specific topics or a concrete case. We invite you to contact us without obligation. Our contact details can be found on our website. 

Preview of the Next Article:

In the next article, we dive deeper into the three biggest ‘blind spots’ that even the sharpest AML/CFT auditor can overlook: culture, data, and human behavior. How is it that organizations think they are compliant while criminals find their greatest opportunities right here? Prepare for an honest check: which blind spot do you recognize in your team? 

Get in touch

Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com

Boy Custers | +31649935735 | boy.custers@compliancechamps.com

 


AML/CFT Internal Audits: The Invisible Battle

 

AML/CFT internal audit is more critical than ever. Not because the regulator says so, but because the cost of failure has become unbearable. Massive fines, ruined reputations, and intrusive supervisors are no longer just “risks”—they are realities. 

And yet, it’s striking how conversations about AML/CFT audits always seem to get stuck in… theory. Regulatory frameworks. Best practices. Core principles everyone already knows. It’s safe. It’s correct. And frankly: it’s meaningless.

In the real world, things rarely fall apart because someone didn’t know the rules. Things fall apart because audits aren’t sharp enough. Because risks are overlooked. Because no one dares to ask the uncomfortable questions. 

That is exactly what this series is about. Not how it should work on paper, but where it actually goes wrong in the trenches.

Behind many audit reports lies a hidden reality: organizations that look “compliant” but are structurally missing the mark. Audits that neatly check every box while completely ignoring what actually matters.

Over the coming weeks, we will expose this reality in our series:
“AML/CFT Internal Audits – The Invisible Battle” 

No dry theory. No standard corporate talk. Just the patterns we see time and again that determine whether an audit adds value… or merely creates a false sense of security. 

 

We’re kicking off with four topics that will likely feel painfully familiar: 

  1. Why 80% of AML/CFT audits fail (and how to be part of the 20%):
    On the illusion of compliance—and why “good on paper” is often dangerous.
  2. The 3 Biggest Blind Spots in AML/CFT Audits:
    Culture, data, and human behavior—the risks your audit report rarely captures.
     
  3. The Uncomfortable Truth: Internal Audit vs. The Business:
    What happens when critical findings collide with commercial reality? 
    Who really wins? 
  4. AML/CFT Audits in 2026: Why the old ways are dead:
    New forms of financial crime—and audits that simply aren’t equipped to fight them.
     

And after that?

We go even deeper. We’ll dive into the hidden consequences no one prepares for, the behind-the-scenes forces that influence audit outcomes, and why solid findings often lead to zero action. 

This series is for everyone in the AML/CFT space who dares to ask: 

“Are we doing the right thing… or just what’s expected of us?” 

Follow the series and start by asking yourself that very question. 

 

 

What’s next in this series

In the next article, we analyze the three biggest blind spots in AML/CFT audits and why risks are consistently overlooked in these areas.


The Landscape of Compliance Investigations: Employment Law Investigations: The Investigative and Legal Side

Employment law investigations after suspicions of misconduct in the workplace: how do you approach them, what sanctions do you apply?

By Dennis van der Meer and Lydia Milders (employment lawyer)

Introduction

You suspect that your employee is sharing confidential company data with third parties or is competing unlawfully – what are the investigative options? And what disciplinary measures do you take prior to, during, and after the investigation?

Employment law investigations form the link between compliance signals about misconduct in the workplace and concrete personnel measures. A report about unauthorized side activities, theft of confidential information, or transgressive behavior ultimately leads to the question: which sanction is appropriate, and does it hold up in a procedure? 

In this fifth article in our series Compliance Investigations, we describe how these investigations proceed in practice. Dennis van der Meer highlights the forensic and factual side, while Lydia Milders (Milders law) sets out the legal frameworks and pitfalls. Together, we provide as complete a picture as possible of what HR, compliance, and management must know to allow an employment law investigation to proceed successfully – and which disciplinary measures can be applied. 

From signal to employment law investigation

Employment law investigations often start as a logical follow-up to earlier reports: a manager who passes information to competitors, an integrity signal about unauthorized side activities, or a finding that an employee has copied customer data. As soon as the facts are sufficiently concrete, the focus shifts to the individual employee and the employment law consequences. 

That transition is not self-evident. A trade-off must be made: is there enough to investigate further, and if so, how deep do you dig? In this regard, two central tensions play a role: 

Proportionality versus depth

The investigation must be firm enough to support a possible sanction – from warning to dismissal. But it may not go further than necessary. An overly invasive investigation can be deemed disproportionate, certainly if it appears afterwards that the suspicion was unfounded. The art is to align the investigative means with the seriousness of the suspicion.

Speed versus diligence

In the case of serious suspicions – for example, of fraud or theft – you want to act quickly to prevent further damage. At the same time, the investigation must be diligent: the employee must be heard, findings must be recorded, and the file must withstand judicial scrutiny. Those who move too quickly risk an incomplete file; those who wait too long can be blamed for not having intervened adequately.

And the GDPR? Employment law investigations by definition process personal data, so GDPR-awareness is required. In employment law practice, however, this rarely forms an obstacle. Below we go further into that. 

The end result of the investigation must in any case be able to withstand legal scrutiny. That means: a clear file, a traceable investigation process, and findings that hold up in possible proceedings before the Subdistrict Court (kantonrechter).

Three typical scenarios

Employment law investigations often revolve around concrete behaviors that damage the employment relationship. Three common situations: 

Scenario 1: Unauthorized sharing of company secrets and competition-sensitive information

A sales manager is suspected of funneling confidential customer data and pricing information to a new employer. The investigation focuses on the use of a personal device for work mail, downloads of CRM data, correspondence with external parties, and possible side activities.

Scenario 2: Dereliction of duty through side activities

A controller runs, alongside his employment, his own consultancy firm in the same industry and advises customers who also work for the employer. It is investigated whether the side position was reported, whether working hours were used for private purposes, whether there is overlap with the customer base, and whether confidential information was leaked. 

Scenario 3: Transgressive behavior

Reports about inappropriate remarks, abuse of power, or (sexually) intimidating behavior from a manager toward juniors. Here, the investigation revolves around patterns: are there multiple reporters, WhatsApp groups, witness statements, and HR interviews? 

In all these scenarios, privacy questions also play a role. The legal framework for that is addressed further on. 

The forensic approach in employment law investigations

Financial investigation and data analysis

In breach of trust cases, investigators check expense claims, travel and accommodation costs, and use of company resources. Data analysis detects unusual patterns in hour registration or claims that point to side activities. 

Digital forensic investigation

Mail traffic, chat history, CRM access, and device use are secured. In employment law investigations, forensic imaging of work devices is often essential, but immediately raises privacy questions. Mailboxes at external IT-administrators form a practical problem: without clear agreements, access can cause delay. 

In the case of larger volumes, eDiscovery comes into view: WhatsApp groups, Slack channels, and email around incidents are filtered with keyword searches and AI clustering. Privacy infringement is minimized by a focus on work-related data and redaction of private messages. 

Interviews and hearing/rebuttal (hoor/wederhoor)

Conversations with the suspect, reporters, and witnesses are crucial, but call for finesse. The suspect is presented with concrete accusations, with hearing and rebuttal applied. Recordings are made only with explicit permission.

It is of importance that the accused is presented with accusations as concrete as possible, so that he or she can defend themselves well. That is generally not possible with anonymous reports, unless the report contains sufficiently concrete facts that can be presented without revealing the reporter. Anonymous reports can therefore usually form no independent basis for a person-oriented investigation, but can give cause for a general culture or signals investigation. 

Open source investigation

Investigation can be performed in various open sources, whereby among other things side positions, Chamber of Commerce (KvK) registrations, LinkedIn, and media are screened to test statements made. 

Legal framework on the basis of scenarios

  1. Violation of confidentiality obligation

In the case of suspicions of sharing company secrets with third parties, the contractual confidentiality obligation is usually central. Often, high fines are attached to a violation. Additionally, good employership (Art. 7:611 Dutch Civil Code) plays a large role: the employee owes loyalty to the employer and may not simply share confidential company information with third parties, certainly not with competitors.

The legal route depends on the seriousness of the violation. In the case of proven violation of the confidentiality clause or theft of company data, summary dismissal (Art. 7:677 jo. 7:678 DCC) is the obvious route, provided the urgency requirement is met. In the case of less serious violations – or when the employer wants to avoid the risk of a failed summary dismissal – he can choose dissolution due to culpable acting (e-ground) or a disrupted employment relationship (g-ground).

The burden of proof lies with the employer. He must demonstrate that the shared information concerns company secrets and that the employee has acted culpably. 

  2. Side activities and conflict of interest

Side activities are not by definition prohibited, but are limited by the employment contract, possible side-work clauses, and the doctrine of conflict of interest. Since the Act implementing the EU Directive on Transparent and Predictable Working Conditions (August 2022), a side-work clause is only valid if the employer can put forward an objective justification. A general prohibition on side-work is therefore no longer tenable.

When side activities lead to conflict of interest – for example because the employee serves customers of the employer via an own enterprise – this can amount to dereliction of duty and be grounds for dismissal due to culpable acting (e-ground). In serious cases, such as actively competing with the employer or funneling away customers, an urgent reason can even exist.

  3. Transgressive behaviour

Transgressive behaviour falls under the statutory duty of care of the employer for a safe working environment (Art. 7:658 DCC and the Working Conditions Act). The employer is obliged to take (preventative) measures against unwanted behaviour and must investigate (or commission an investigation) when signals arise.

The appropriate sanction depends on the seriousness of the behaviour, the context, possible repetition, and the position of those involved. A one-time inappropriate remark generally justifies no dismissal, but structural intimidating behaviour by a manager can justify firm disciplinary measures, including dismissal. 

The burden of proof is often complex: it usually concerns contradictory statements – word against word. A diligent investigation with multiple witnesses, documentation of patterns, and application of hearing and rebuttal is essential to be able to take disciplinary measures that also hold up in law.

Privacy and GDPR

In an internal investigation into fraud or other abuses, privacy always comes into play. In employment law practice, however, the impact is usually limited. In the case of concrete signals of fraud, conflict of interest, or other serious integrity violations, the employer is generally given a lot of room by the judge to investigate.

The Supreme Court made this clear already in 2001 in the Wennekes Lederwaren judgment (HR 27 April 2001). An employer had installed a hidden camera because of a suspicion of embezzlement. The employee invoked the right to privacy and wanted the images to be left out of consideration. The Supreme Court did not go along with that: the employer had a justified interest, the suspicion was concrete, and the evidence could not be obtained in another way. Even in the case of an infringement on privacy, that does not yet mean that the evidence may not be used.

That line has since then been maintained. In 2014, the Supreme Court formulated the general rule: in civil cases, unlawfully obtained evidence is in principle not excluded. The interest of truth-finding weighs heavier. Evidence exclusion is only an issue in the case of additional circumstances, and that threshold lies high. 

The GDPR does of course apply, but it does not stand in the way of an investigation. The basis is usually the legitimate interest of the employer (Art. 6 paragraph 1 sub f GDPR). In fraud cases, that balancing of interests almost always turns out in favour of the employer.

In short: document the investigation well, record the GDPR basis, and perform the investigation decently. But do not let yourself be paralyzed by privacy concerns if there are serious signals on the table. The chance that a judge excludes the evidence is – provided the investigation is performed diligently and proportionally – very small.

Suspension as an interim measure

Consider placing the employee on non-active status immediately after the first serious signal, with retention of salary. This gives space for investigation without the employee having access to systems or colleagues, and emphasizes that the employer takes the matter seriously. 

The employee can challenge the suspension via preliminary relief proceedings (kort geding). The judge then assesses whether the suspicion is sufficiently concretely substantiated, whether hearing and rebuttal has been applied, whether the measure is proportional, whether the suspension has come about procedurally diligently, whether alternatives have been considered (such as coaching, warning, or a conversation), and whether the employer is not unacceptably anticipating a dismissal procedure. 

Dismissal routes: which do you choose when?

The choice between the different dismissal routes depends on the seriousness of the misconduct, the strength of the evidence, and the risk appetite of the employer. 

Summary dismissal (urgent reason)

Summary dismissal is the most drastic sanction and requires an urgent reason (Art. 7:677 jo. 7:678 DCC). Examples from the law are theft, embezzlement, threat, and gross insult, but a serious violation of the confidentiality obligation or unlawful competition can also constitute an urgent reason. The employer must communicate the urgent reason to the employee without delay; this means as quickly as possible after the person authorized to make decisions has become familiar with the facts.

The risk of summary dismissal is considerable: if the judge rules that no urgent reason existed or that it was not acted upon without delay, the employee can have the dismissal annulled. This can lead to reinstatement of the employment agreement with back pay. If the employee does not choose annulment but acquiesces in the dismissal, he can instead make a claim to a fair compensation (billijke vergoeding) which, in the case of an unjustified summary dismissal, is often substantial. 

Dissolution due to culpable acting (e-ground)

When the behavior is culpable but possibly insufficiently serious for summary dismissal – or when the employer wants to avoid the risk of a failed summary dismissal – he can choose a dissolution request at the Subdistrict Court due to culpable acting (e-ground, Art. 7:669 paragraph 3 sub e DCC). The judge tests whether the acting or omitting is so culpable that it cannot in reasonableness be required of the employer to let the employment agreement continue. In the case of seriously culpable acting, the judge can rule that no transition payment is due; in the case of “normal” culpable acting, this is due. 

In the case of doubt about the seriousness of the misconduct or about the expeditiousness of the investigation, the employer often chooses a dissolution request via the Subdistrict Court: less risk, more procedural certainty. 

Cumulation ground (i-ground)

Since 2020, the employer can invoke the cumulation ground (Art. 7:669 paragraph 3 sub i DCC) when there is a combination of circumstances from multiple dismissal grounds that are individually insufficient, but together do justify a dismissal. When dissolution is granted on the so-called “i-ground,” the judge can award an extra compensation of maximum 50% of the transition payment.

The i-ground is especially useful when the employer has multiple “half” grounds – for example, partly culpable acting and partly a disrupted employment relationship. The disadvantage is the possible extra compensation, but that sometimes outweighs the certainty of dissolution. 

Settlement Agreement (VSO)

In practice, a large part of employment law disputes is resolved via a VSO. The strength of the investigation file determines the negotiation position: a watertight file generally leads to a quick VSO on terms favorable to the employer, while a weaker file gives the employee more negotiation space. 

Investigation duration and the urgency requirement

An important point of attention in summary dismissal is the tension between investigation duration and the urgency requirement. The employer does not have to act overhastily – a diligent investigation is precisely required to establish the facts well. However, the employer must act expeditiously during the investigation and be able to account for why the investigation took the time that it took. 

Concretely this means: document the investigation timeline accurately, avoid unnecessary pauses, and consider suspension as an interim measure. The “without delay” (onverwijldheid) starts to run at the moment that the employer (usually: the person who is authorized for dismissal) has sufficient certainty about the facts. The obtaining of legal advice or the waiting for an investigation report can suspend this term, provided this happens expeditiously. 

The hearing of the employee prior to the dismissal is not a statutory requirement, but is strongly recommended. Giving the employee the opportunity to react to the findings strengthens the legal position. 

Judges accept investigation periods of several weeks, sometimes even months in complex fraud cases, provided the employer can demonstrate that he acted expeditiously. 

From findings to employment law decision

An employment law investigation ends with a report that meets three requirements. Firstly, factual separation: hard facts are separate from interpretation and without legal interpretation (which is reserved for the legal advisors). Secondly, reproducibility: the methodology must be traceable for the Subdistrict Court. Thirdly, privacy-proof: which data was processed, on which basis, and how is it secured? 

The report forms the basis for the decision-making of the employer. That decision-making follows a sanction ladder: from written warning, via salary suspension and dismissal with mutual consent, to dismissal via the Subdistrict Court or summary dismissal. The central question is always: is the file strong enough for an urgent reason (summary dismissal) or for culpable behavior (dissolution)? Alternatives such as mediation, redeployment, or temporary adjustment of the function always remain in view. 

Trends and points of attention

Professional investigation, prevent paying fair compensation: much case law shows that employers fall short in conducting (or commissioning) a good investigation and in the correct application of hearing and rebuttal. The consequence is that a high fair compensation must be paid to the employee because of seriously culpable behavior of the employer (think of on average 4 – 12 monthly salaries, or more). This emphasizes the importance of a thorough and independent investigation in the case of suspicions of (serious) misconduct in the workplace.

Whistleblowers Protection Act (Wbk): it occurs that a whistleblower who reports an abuse, himself also becomes subject of investigation – for example because he is suspected of involvement in the reported facts, or because his report is seen as an attempt to mask own misconduct. This yields a particular area of tension. The Wbk protects reporters against disadvantage, but that protection is not absolute: if the reporter himself has acted culpably, the employer can do investigation into that and if necessary impose sanctions. The art is to keep both tracks – the protection of the reporter and the investigation of possible misconduct – procedurally pure and to document well why certain measures are taken. 

AI and data analysis: advanced tools make it possible to detect patterns faster in large datasets, but require awareness of their limits.

Hybrid working: the use of private devices and working from home makes the forensic boundaries more difficult to guard and calls for clear agreements beforehand (in code of conduct, handbook etc.).

Forensic readiness remains crucial: logging enabled, clear IT contracts, protocols for incidents, and training of key users in data preservation.

Finally

For employment law practice, the rule is: take the time that is necessary for a sound investigation, but leave no gaps. Document every step and be able to explain afterwards why the investigation had the lead time that it had. Disciplinary measures (including dismissal) can only be applied after diligent investigation and sound application of hearing and rebuttal, and must always be proportional.

Outlook: due diligence investigations

In the sixth article, the focus shifts to due diligence and reputation research: how do you screen external parties before acquisitions, partnerships, or large contracts? Forensic methods, OSINT, and integrity checks come together in a preventative approach. 

 


Whistleblower Investigations: From Report to Real Change

Whistleblowers are indispensable for exposing (serious) wrongdoing. Yet it is the follow-up to a report that determines whether an organization is truly acting with integrity or merely maintaining a paper reality. Since the introduction of the Dutch Whistleblower Protection Act (Wet bescherming klokkenluiders, Wbk), the playing field has become more strictly regulated. But how do you translate an ‘unexpected’ report into a sound fact-finding investigation and, ultimately, into lasting change?


A Legal Patchwork: Wbk, Wwft, and Sector-Specific Legislation

The Wbk requires organizations with 50 or more employees to establish an internal reporting procedure and an appropriate investigation process. However, for many sectors, the Wbk is merely the baseline. A lex specialis applies: specific laws that often impose even stricter requirements on reporting channels. Consider, for example:

  1. Law: Wwft (Anti-Money Laundering and Anti-Terrorist Financing Act)
    Sector: Financial institutions, legal profession, accountancy, etc.
    Focus: Money laundering and terrorist financing.
  2. Law: Wft (Financial Supervision Act)
    Sector: Financial institutions, insurers, investment firms, etc.
    Focus: Financial integrity and market abuse.
  3. Law: Wta (Audit Firms Supervision Act)
    Sector: Audit firms
    Focus: Breach of professional rules and independence.
  4. Law: AVG (GDPR)
    Sector: All sectors
    Focus: Data breaches and privacy violations. 

The risk for organizations is a fragmented landscape of different “counters.” The trend is therefore to deploy a single centralized, multi-compliant reporting platform that routes reports based on their subject matter directly to the appropriate expert (such as the Compliance Officer or an external whistleblower officer), while safeguarding anonymity and statutory deadlines.

Looking Beyond Your Own Organization

Forward-thinking organizations are now also opening their reporting channels to supply chain partners, such as suppliers and self-employed contractors. Although strict reporting obligations such as the CSRD and CSDDD have been pushed to the background for some companies due to the introduction of the Omnibus Directive, the societal necessity remains as pressing as ever.

From the perspective of social responsibility, there is every reason to maintain visibility over integrity beyond one’s own walls. For insurers, this is even a bitter necessity: under the Wft, they are co-responsible for the integrity of business operations throughout their entire distribution chain (such as authorized agents).

A fundamental question remains: how do you ensure that all those signals, from both inside and outside the organization, actually come to light? Social responsibility and legal frameworks create the duty to listen, but they do not yet guarantee that people will actually dare to speak up. That requires more than a policy choice; it requires trust in the reporting process itself.

This brings us to the starting point of every whistleblower investigation. Whether wrongdoing occurs within the organization or in the chain surrounding it, everything hinges on that first step: the report. How it is made, received, and followed up determines whether a signal grows into real change or remains unheard.

From Report to Real Change

I. The Report: How Do You Get Employees to Speak Up?

Every whistleblower case begins with a moment of doubt. An employee sees something that is not right, feels that something must be done, but hesitates. The biggest hurdle is seldom the substance of the report; it is the fear of what comes next. Reputational damage, a disrupted working relationship, or subtle forms of retaliation are ever-present risks. The Whistleblower Protection Act seeks to remove that fear through the reversal of the burden of proof: if a reporter suffers a disadvantage, the employer must demonstrate that this had nothing to do with the report. That provides a foothold, but it is far from convincing for everyone.

Anyone who truly wants to encourage employees to speak up must look beyond legal safeguards alone. Practice shows that trust is primarily built through the way reporting is designed. Accessible, well-considered technology plays a key role in this.

Modern reporting platforms act as quiet guides during that first, vulnerable stage. They ensure that a report does not get stuck in a general email inbox but is immediately routed to the right specialist: compliance, HR, or an independent whistleblower officer. This gives the reporter the feeling that their signal is being taken seriously from the very first moment.

Equally important is the ability to remain anonymous without disappearing into silence. Secure systems make it possible to report fully anonymously while still maintaining a dialogue. Through a shielded chat function, investigators can ask clarifying questions and gather additional information. In this way, an initial signal develops into a complete account, rather than a report that stalls because essential details are missing.

It is precisely in this initial phase that the tone is set. When employees experience that speaking up is safe, accessible, and meaningful, space is created for the next step: an investigation that not only establishes what went wrong but also paves the way for real change.

II. The Investigation: Independent Fact-Finding

After the report, a decisive moment follows. Receipt must be confirmed within seven days, but in reality, the real work only begins at that point. From here, more is at stake than truth-finding alone. The way the investigation is structured and conducted determines whether the case is resolved internally or instead grows into a matter that finds its way to the media or regulators such as the Dutch Authority for the Financial Markets (AFM) or De Nederlandsche Bank (DNB).

In this phase, independence is not an abstract principle but a hard prerequisite. An investigation conducted by someone with a hierarchical, personal, or organizational relationship to the accused quickly raises questions. Even if the conclusions are substantively correct, the appearance of conflicts of interest can undermine trust. It is therefore essential that investigators are visibly detached from internal power dynamics. Independence protects not only the reporter but also the organization itself.

In addition, a sound investigation revolves around transparency in its approach. Those involved must be able to follow how conclusions are reached. Are all relevant facts being gathered? Has the right of hearing and the right to reply (hoor en wederhoor) been applied carefully and in a balanced manner? A traceable methodology, based on verifiable evidence, prevents the investigation from later being dismissed as subjective or biased. The narrative must hold up, not only in terms of substance but also in terms of process.

A particular area of tension arises when the investigation no longer focuses exclusively on the report but also on the reporter. In practice, it regularly occurs that a so-called ‘counter-report’ surfaces: criticism of the performance or behaviour of the reporter. This can be legitimate but also poses a risk. When these lines become blurred, attention shifts imperceptibly from the content of the report to the person who made it.

A thorough investigation strictly guards that boundary. The facts surrounding the report are examined on their own merits; any HR matters follow a separate track. Only in this way does the investigation remain pure and avoid degenerating into a battle over credibility rather than a search for the truth.

It is precisely in this phase that an organization demonstrates how seriously it takes reports. Independent, thorough fact-finding forms the bridge between speaking up and resolution, and thereby the foundation for lasting change.

What makes whistleblower investigations unique is that they take place at the intersection of facts, trust, and power. Unlike regular internal investigations, it is not only the what that is central but also the who and why. The reporter is not a neutral source but is often part of the same organizational culture that is under scrutiny. This demands of investigators a keen sense of context, dynamics, and timing. Every signal, every choice in the process can be read by those involved as confirmation or denial of their position. Precisely for this reason, whistleblower investigation is more than a technical exercise: it is a ‘test’ of the organization’s own integrity, in which thoroughness and independence are decisive for the credibility of the outcome.

III. The Change: Impact and Culture

A whistleblower investigation does not end with the report. In fact, that is where the most exciting part begins. Facts can be established, conclusions carefully formulated, but without follow-up, an investigation remains a paper reality. The true measure of success is the question of whether the organization demonstrably learns from it and manages to restore its integrity.

This requires a translation of findings into structural lessons. Sometimes a report turns out to concern a one-time incident caused by individual choices. More often, however, it exposes something more fundamental: unclear responsibilities, deficient internal controls, or a culture in which dissenting signals have been ignored for too long. It is precisely at that point that real change occurs, not by pointing out those at fault and moving on, but by critically examining processes, governance, and behavior, and adjusting them where necessary.

Equally decisive is what this phase does for the sense of safety within the organization. Psychological safety does not grow through policy documents but through visible action. When the board and management communicate openly about what has happened with the report, within the boundaries of confidentiality, and demonstrate that wrongdoing actually has consequences, perceptions change. Especially when those consequences also reach the top, a powerful signal is sent: integrity applies to everyone.

It is in these visible choices that the long-term impact of whistleblower investigations lies. They determine whether employees remain silent the next time or dare to speak up. And with that, whether reporting is seen as a risk or as an essential part of a healthy organizational culture.

Conclusion

Whistleblower investigations require a balance between legal precision and human safety. It is a process from report to improvement that forms the backbone of an organization with integrity.

Invitation to Consultation

We can imagine that, after reading this article, you may have questions or wish to exchange views on certain topics. Or perhaps you are dealing with a concrete case and would like to discuss it. We invite you to contact us without obligation for an introductory conversation about you and/or your case. Our contact details can be found at the end of this article or on our website.

Preview of the Fifth Article: Employment Law Investigations

In the next article in this series, the focus shifts from whistleblowers to employment law investigations. This is where many threads converge: what happens when a report or integrity issue leads to a serious suspicion of dereliction of duty, breach of trust, or (serious) integrity violations by an individual employee? We will address the role of fact-finding within employment law proceedings, the tension between investigation and privacy, and the question of how organizations prevent a poorly prepared investigation from later boomeranging during a dismissal or disciplinary procedure.

Get in touch

Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com

Boy Custers | +31649935735 | boy.custers@compliancechamps.com

 


Tackling ML/TF risks in crypto-asset services through supervision

A comprehensive summary of the EBA report as published in October 2025

General overview

The report published by the European Banking Authority (EBA) analyses how crypto-asset service providers (CASPs) have attempted to evade anti-money laundering and counter-terrorist financing (AML/CFT) supervision, and how such practices can be addressed under the Markets in Crypto-Assets Regulation (MiCA) and the EU AML legislative package (AMLR, AMLD6 and AMLAR). The report draws on concrete supervisory cases to identify vulnerabilities and formulate lessons for effective implementation.

The report is structured around two core observations. First, the crypto-asset sector has experienced rapid technological and economic growth, which increases its vulnerability to misuse for money laundering and terrorist financing. Second, prior to the application of MiCA, national supervisory approaches across Member States diverged significantly. This fragmentation enabled firms to exploit regulatory gaps, thereby undermining the integrity of the EU financial system.

MiCA seeks to address these issues by replacing fragmented national entry regimes with a single EU authorisation framework, supported by passporting and coordinated supervision. Together with the AML legislative package, MiCA promotes more consistent AML/CFT requirements across the Union. However, the report stresses that consistent enforcement remains essential.

Regulatory context

The regulatory framework examined in the report consists of MiCA, the Anti-Money Laundering Regulation (AMLR), the Sixth Anti-Money Laundering Directive (AMLD6), and the Anti-Money Laundering Authority Regulation (AMLAR). Under this framework, supervisory responsibilities are divided between ESMA (authorisation and supervision of CASPs), the EBA (issuers of asset-referenced tokens and e-money tokens, and AML/CFT coordination until end-2025), and AMLA, which will assume central AML/CFT supervisory powers from the end of 2025.

MiCA governs who may enter the crypto-asset market and under which conditions. CASPs must meet requirements relating to governance, operational resilience, transparency and consumer protection, and demonstrate adequate systems, qualified management and clear organisational structures.

AMLR introduces directly applicable AML/CFT rules, including customer due diligence, transaction monitoring, sanctions screening and risk management. AMLD6 strengthens supervisory cooperation, clarifies powers of national authorities and improves access to beneficial ownership information. AMLAR establishes AMLA and enables direct supervision of selected high-risk entities and coordination of national supervisors.

Evasion of supervision

The EBA identifies six evasion strategies observed before and immediately after the entry into application of the new regulatory framework in December 2024.

1. Operating without authorisation

Entities provided crypto-asset services in Member States without the required registration, licence or authorisation, including from other EU jurisdictions without host permission or from third countries with weaker supervisory frameworks.

Risk: The absence of supervision facilitates illicit financial flows and leaves customers unprotected. It also distorts competition, as authorised firms incur significant compliance costs that unauthorised firms avoid.

Response: Article 143 MiCA provides transitional arrangements until July 2026. After this period, unauthorised entities must exit the EU market. Competent authorities are expected to monitor residual unauthorised activity and enforce cessation.

2. Forum shopping

Prior to MiCA, firms strategically selected jurisdictions perceived as having lighter supervision. When challenged, they withdrew applications and reapplied elsewhere. Some obtained national licences shortly before MiCA entered into application to benefit from longer transitional periods.

Risk: Forum shopping enables regulatory arbitrage, allowing ML/TF risks to spread across the Single Market through cross-border activity. It also increases the likelihood that high-risk entities with weak AML/CFT controls obtain market access and distorts competition by enabling artificially inflated profit margins.

Response: MiCA introduces a single authorisation regime with passporting. Enhanced supervisory cooperation and information-sharing reduce the ability of firms to reapply elsewhere after refusal. The report also highlights a risk that, depending on national law, some firms may continue operating while appealing rejected authorisation decisions.

3. Exploitation of the reverse solicitation exemption

Third-country providers falsely claimed that EU clients initiated contact, while actively marketing services through targeted online strategies.

Risk: This enables unsupervised market entry by high-risk offshore entities and creates blind spots in AML/CFT enforcement.

Response: Supervisors are expected to strictly enforce the narrow interpretation of reverse solicitation in line with ESMA guidelines. Any form of active or indirect marketing voids the exemption and subjects the provider to full authorisation requirements.

4. Weak AML/CFT compliance and risk management

Licensed entities displayed serious deficiencies, including inadequate customer due diligence, outsourcing of AML functions abroad without effective oversight, and unstable or underqualified compliance officers.

Risk: These weaknesses directly facilitate money laundering and undermine supervisory effectiveness.

Response: Robust AML/CFT systems are a precondition for authorisation. Supervisors may withdraw licences for AML/CFT breaches. Clear requirements on outsourcing, governance and staff competence are mandated by EBA and ESMA regulatory technical standards.

5. Opaque beneficial ownership and governance

Complex offshore structures were used to obscure ultimate beneficial owners, with inconsistencies between public records and supervisory filings.

Risk: Opaque structures conceal control, enable shell companies and obscure illicit sources of capital.

Response: AMLD6 mandates centralised beneficial ownership registers. MiCA and AMLR require disclosure of ownership and governance structures at authorisation stage, supported by suitability (fitness and propriety) requirements.

6. Multi-entity arrangements with high-risk partners

Firms used affiliated entities, including payment institutions, e-money institutions or banks, to maintain market access while avoiding scrutiny.

Risk: These arrangements enable banned or unfit entities to re-enter the market, spread poor compliance cultures across groups, and complicate attribution of AML/CFT responsibility.

Response: Supervisors are expected to assess linked entities and group structures during authorisation, apply fit-and-proper checks to cross-border ownership and outsourcing arrangements, and engage in joint supervision where appropriate.

Safeguards and implementation

MiCA introduces key safeguards: a single authorisation and passporting regime; strict limits on reverse solicitation; enhanced enforcement powers; strengthened governance and transparency requirements; and improved cross-border cooperation, including public registers of authorised CASPs.

The report highlights several supervisory priorities to ensure effective implementation, including managing the grandfathering period, planning orderly exits for unauthorised entities to protect client assets, monitoring the regulatory perimeter, resolving AML/CFT issues before authorisation, maintaining dynamic risk awareness, ensuring governance transparency, reassessing fitness and propriety, supervising linked entities, strengthening cross-border cooperation, and requiring central contact points for cross-border firms.

Conclusion

The EBA concludes that while the new regulatory framework significantly strengthens EU defences against ML/TF risks in the crypto-asset sector, effective implementation and supervisory cooperation remain critical. Although the EBA will transfer its standalone AML/CFT powers to AMLA by the end of 2025, it will continue to contribute under its MiCA mandate to promote supervisory convergence and early risk detection.

 


The Landscape of Compliance Investigations: Integrity Investigations

Integrity investigations form a substantial part of compliance-related inquiries. They do not focus solely on financial fraud but cover a broad range of issues: conflicts of interest, abuse of position, ancillary activities (side business or job), and violations of codes of conduct. While a fraud investigation often revolves around hard numbers and financial trails, integrity issues are usually more subtle. They concern human relationships, motives, and grey areas where rules and ethics intersect. 

Integrity is the foundation of trust within organizations. Yet integrity risks often go unnoticed, with far-reaching consequences for reputation, compliance, and business continuity. In this third article in our series, the focus is not on investigative techniques, but on what integrity investigations mean in practice: which themes recur, and which patterns emerge from recent cases. We discuss not only well-known integrity risks, but also the less obvious threats. 

We begin with a brief overview of the trends that shaped integrity investigations in 2025. We also briefly highlight the differences between integrity investigations and fraud investigations, discussed in the previous article. We then turn to practice: which cases recur, and how can signals be recognized? By doing so, we also shed light on several underexposed indicators. 

Trends in Integrity Investigations 

Integrity issues are shifting from a narrow focus on corruption and fraud toward broader domains such as conflicts of interest, reputational risk, and moral dilemmas. Recent developments show that: 

  • Conflicts of interest and their appearance are increasingly being reported, often in relation to ancillary activities, procurement processes, or decision-making where personal relationships play a role. 
  • Codes of conduct for board members, supervisory board members, and political officeholders are being tightened, with a strong emphasis on transparency regarding secondary interests and cooling-off periods. 
  • Supervisory authorities such as the AFM and DNB require reliability assessments for board members and supervisory board members, with explicit attention to integrity-related antecedents. 

These trends make integrity investigations more relevant than ever. They are not only reactive but also play a preventive role in promoting sound governance and an ethical organizational culture. Later in this article, we will see one of these trends reflected in a case example. 

What Makes Integrity Investigations Different from Fraud Investigations 

Compared to the forensic fraud investigation discussed in our second article, integrity investigations differ in several important ways: 

  • Greater normative discussion: While fraud investigations often focus on the question “Is there financial damage, and who is responsible?”, integrity investigations more frequently revolve around norm-setting: what could reasonably be expected of someone, which behavioral standards apply, and how heavily the appearance of impropriety and reputational risk should be weighed? 
  • Fewer hard figures, more context: Relationships, organizational culture, and power dynamics play a much larger role in integrity cases. A single email or expense claim rarely tells the whole story; only when combined with statements, behavioral patterns, and internal policies does a coherent picture emerge. 
  • Greater sensitivity regarding privacy and reputation: Investigations often involve individuals in visible or senior positions. This makes careful handling of personal data, communication, and the principle of hearing both sides particularly important. 

It is precisely this mix that makes integrity investigations both challenging and valuable for boards, HR, and compliance: they force organizations to articulate their values in concrete terms. 

Integrity Investigations: When Behavior Is Under the Microscope 

Where fraud investigations often focus on falsified documents, financial loss, and potential criminal elements, integrity investigations mostly operate in grey areas. They address questions such as: which interests are at play, which norms apply, and what can reasonably be expected of a professional or manager? 

In practice, reports of potential conflicts of interest, ancillary activities, inappropriate conduct, and breaches of codes of conduct have been increasing for years, in both public and private organizations. To make this more tangible, we present a case example below. 

“You Don’t Want to Create an Uncomfortable Work Atmosphere, Do You?” 

A large family-owned logistics company is known for its reliability and customer focus. This sense of stability is disrupted when an anonymous report is submitted to the compliance officer. An employee in the procurement department is suspected of regularly accepting expensive gifts from a supplier, ranging from lavish dinners to tickets for exclusive events. In isolation, this might seem harmless, except for the fact that this employee is responsible for awarding transport contracts. 

Further investigation reveals that the employee also holds a secondary position at a start-up operating in the same market. This start-up appears to be using competitively sensitive data, possibly obtained through informal conversations with the employee. 

But that is not all. Deeper investigation shows that the employee not only accepted gifts, but also subtly pressured colleagues to be “realistic” when reporting performance figures. Minor adjustments to reports, just enough to meet bonus targets. Colleagues had noticed signals but remained silent: “it wasn’t their department” and “you don’t want to create an uncomfortable work atmosphere.” 

What began as a simple report about gifts quickly unfolds into a web of conflicts of interest, a culture of looking the other way, and subtle data manipulation to justify performance bonuses. 

This case is not an exception. It illustrates precisely the trends mentioned earlier and shows how integrity risks often do not present themselves as such but grow gradually within the daily routines of organizations. It also demonstrates how different risks, such as conflicts of interest, ancillary activities, group pressure, and data manipulation, can become intertwined. 

In investigations of such situations, decision-making processes around procurement, documentation of bids and award decisions, email or calendar records, and publicly available information on ancillary activities are examined. These sources are analyzed collectively to answer three core questions: 

  1. Were there personal or business interests that could have influenced decisions? 
  2. Were these interests disclosed or made transparent, for example through a gift register, activity register, or integrity declaration? 
  3. Were decisions demonstrably different from what could reasonably have been expected, given price, quality, and internal policy? 

Outcomes are rarely black and white. Sometimes investigations show that no formal rules were violated, yet an appearance of a conflict of interest emerged, calling for clearer agreements on roles. In other cases, policies were deliberately circumvented or information withheld, making the violation of norms more explicit. 

Practical Indicators from Integrity Investigations 

Beyond the above case, other recurring types of integrity issues frequently arise in investigations. Some of the usual suspects include: 

  • A Culture of “Don’t Ask, Don’t Tell”: Perhaps the most damaging risk is a culture in which employees prefer to look away rather than ask questions. Many employees still hesitate to speak up for fear of repercussions or because they do not want to be seen as “complaining”. A typical example: an employee notices signals of misconduct but remains silent because “it’s not my department”. 
  • Data Manipulation: The Silent Saboteur: In the pursuit of targets and bonuses, there can be a strong temptation to present figures slightly more favorably than they are. At a financial institution in Rotterdam, a team leader was found to have adjusted customer satisfaction scores for months. “Everyone does it,” was his defense. The consequences, however, were significant: customer and supervisory trust eroded, and the organization was forced into a costly remediation process. With the rise of AI tools performing data analyses, this risk is only increasing. Who controls the controller? 
  • Conduct and Power Dynamics: Reports of inappropriate behavior, offensive remarks, or pressure from managers also fall under the scope of integrity, even if there is no financial component. These cases concern social safety, use of power, and whether behavior aligns with codes of conduct and professional standards. Investigations focus primarily on patterns: is the behavior incidental, or has it been known for years? 
  • Handling Confidential Information: A former employee is accused of taking confidential documents to a new employer. Key questions include whether confidentiality agreements were breached, whether files were copied without authorization, and whether sensitive information has surfaced where it should not be. Legal, technical, and behavioral issues intersect in such cases. 

These examples show that integrity investigations are not merely about “rules”. They are about trust, role modelling, and the credibility of commitments to integrity. In addition to these more generally known integrity issues, we would like to address some underestimated ones. 

Underestimated Risks: What You Don’t See, but May Still Encounter 

Some less obvious, yet in our view highly relevant, risks deserve attention: 

  • Loyalty Conflicts: A growing phenomenon involves employees who run side businesses, perform consultancy work, or even hold secondary jobs with competitors. This is not inherently wrong, but it becomes risky when confidential information or conflicting interests are involved. Consider the IT employee who develops an app in their spare time using data from their primary job, or the procurement officer who also “coincidentally” works for a competitor. Organizations often fail to adequately monitor this, despite potentially severe consequences ranging from data breaches to legal claims. 
  • Group Pressure and Groupthink: Decisions are (often) made collectively, but what happens when critical voices are ignored? At a tech start-up in Amsterdam, pressure to scale rapidly led to ethical objections against a new data sales strategy being dismissed. The result was a breach of the GDPR and a fine imposed by the Dutch Data Protection Authority. Group pressure can lead to tunnel vision, where alternatives and risks are no longer considered. A simple but effective solution? Explicitly appoint a “devil’s advocate” during meetings to challenge assumptions. 
  • Greenwashing: The Pitfall of Social Claims: Sustainability and corporate responsibility are high on the agenda. But what if reality falls short of promises? A clothing brand claiming to be “100% circular,” while in reality using only 10% recycled materials, risks not only reputational damage but also legal action. External verification of sustainability reporting is no longer a luxury, but a necessity. 

These examples show that integrity risks are not always visible, yet they have real impact. They often arise in grey areas where rules and ethics intersect. The danger is that organizations focus on well-known risks, while the true threats play out in everyday practice, informal agreements, unspoken expectations, and well-intentioned but poorly considered decisions.  

The good news? By consciously addressing these underestimated risks, and by fostering a culture in which employees feel safe to ask questions, many problems can be prevented. Open dialogue, regular risk assessments, and clear agreements regarding ancillary activities, decision-making, and communication are essential. Integrity is not a matter of luck, but of awareness and action. The earlier risks are recognized, the better they can be managed before they escalate. 

Growing Attention to Integrity 

Recent reports and governance codes encountered in our work show that integrity is increasingly linked to concrete standards, assessments, and practical guidance. Examples include: 

  • Tightened codes of conduct for board members and supervisory board members, with emphasis on transparent disclosure of secondary positions and interests; 
  • Local and sector-specific codes of conduct (for example in municipalities, education, and housing corporations) that explicitly define how to deal with gifts, ancillary activities, and decision-making in situations of doubt; 
  • Clear guidelines for safe reporting procedures (whistleblowing) and independent handling, ensuring that reporters feel protected and that investigations are conducted independently of operational management. 

Integrity investigations directly support these frameworks: they are the instruments used to assess whether these standards are genuinely upheld in practice. 

Invitation to Consultation 

We can imagine that, after reading this article, you may have questions or wish to exchange views on certain topics. Or perhaps you are dealing with a concrete case and would like to discuss it. We invite you to contact us without obligation for an introductory conversation about you and/or your case. Our contact details can be found at the end of this article or on our website.  

Looking Ahead to the Fourth Article 

The risks discussed, ranging from loyalty conflicts to group pressure, often remain hidden until someone has the courage to report them. In the fourth article of our series, we therefore take a deeper dive into whistleblowing investigations: how should organizations handle internal (or external) reports? How can employees be encouraged to speak up? And how can a report and the investigation results be translated into genuine, lasting change? 

Get in touch

Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com

Boy Custers | +31649935735 | boy.custers@compliancechamps.com

 


Combatting Fragmentation and Stimulating Harmonisation Through EU Supervision of Crypto-Asset Services

Crypto-asset activities have expanded rapidly across the European Union (EU). This growth has increased the risk of money laundering and terrorist financing (ML/TF), especially in situations where regulatory oversight was fragmented or incomplete. The European Banking Authority (EBA) published a report in the fall of this year which explains how certain crypto-asset businesses created vulnerabilities and how the Markets in Crypto-Assets Regulation (MiCA) and AML frameworks (AMLR and AMLD6) aim to improve supervision. This article provides a brief insight into the key takeaways from this report.

Supervisors observed that some crypto businesses operated without approval, moved between EU countries to avoid oversight, or misused legal exemptions. Many had weak systems for checking customers, detecting suspicious transactions, or complying with sanctions. Some firms used complicated ownership structures or partner companies to stay active despite earlier supervisory issues. These behaviours limited authorities’ ability to manage risks and created openings for money laundering and terrorist financing.

MiCA and the new EU anti-money-laundering regulations introduce stronger safeguards to address these problems. All crypto-asset service providers (CASPs) must now apply for one EU authorisation based on harmonised rules, which removes differences between Member States and prevents firms from seeking out weaker jurisdictions. Providers must show clear ownership, sound internal governance, and reliable customer- and transaction-monitoring systems before they can operate. The AML Regulation and AMLD6 further strengthen cooperation between national supervisors, improve transparency on who controls a company, and require more consistent risk assessments. The future EU Anti-Money Laundering Authority (AMLA) will also oversee high-risk firms directly, creating an additional layer of control.

These changes help create a safer and more predictable environment for crypto activities in the EU. The main lesson from recent cases is that strong, coordinated supervision and consistent rules across all Member States are necessary to limit financial crime risks. Clear standards, early information-sharing, and firm enforcement give supervisors the tools to identify problems quickly and ensure that only responsible businesses can enter or remain in the European market. The EBA formulates nine points of focus that should be established to treat authorisation as a true gatekeeping process, to close loopholes and build strong cooperation mechanisms across the EU.

Although the role of the EBA will partially transfer to AMLA by the end of 2025, the EBA will continue contributing under its MiCA mandate to maintain supervisory convergence and early risk detection.

 

Conclusion

At Compliance Champs, we follow these developments with a critical lens. We support organizations in aligning their processes and controls with MiCAR, the Wwft, and international standards. Through knowledge sharing, training, and tailored advice, we help professionals identify risks in time, implement mitigating measures, and embed sustainable compliance. Only through joint efforts by operators, supervisors, financial institutions, and technology partners can the balance between innovation and integrity truly be restored.

 

Do you seek support and assistance in enhancing your Crypto Compliance Framework?

Please reach out to us on: info@compliancechamps.com
