REGISTERED IN THE IVR OR EVR: THE LEGAL BOUNDARIES OF INCIDENT REGISTRATION BY BANKS

27 January 2026

Most payment traffic in the Netherlands now takes place electronically. Virtually every resident has a bank account and uses a debit card, mobile banking app, or internet banking on a daily basis. Dependence on banking services is therefore great. Without access to payment traffic, full participation in social and economic life is practically impossible.

Against this background, the legislature has required financial institutions to take active measures against conduct that may undermine the integrity and security of the financial sector. Safeguarding that integrity and combating sector-related crime are among the core responsibilities of banks, insurers, and other financial undertakings. In this article, the term financial institution means: a bank, insurer, mortgage institution, or financing company.

An important instrument within this integrity policy is the Incident Warning System for Financial Institutions (IFI).[1] This system consists of the Internal Referral Register (IVR) and the External Referral Register (EVR). The IFI aims to prevent and combat crime within the financial sector and to limit risks of fraud and other integrity breaches. The processing and exchange of personal data within the IFI are regulated by the Protocol Incident Warning System for Financial Institutions (PIFI), for which the Dutch Data Protection Authority has granted permission.[2] A registration in the IVR or EVR can have far-reaching consequences for those concerned, such as the refusal or termination of a payment account. This article discusses the legal framework for IVR and EVR registrations, their consequences for those concerned, and the available possibilities for legal protection.

Legal framework IVR and EVR registration

Internal Referral Register (IVR)

If a (legal) person is involved or has been involved in an incident at a financial institution, the financial institution may include the relevant data of that (legal) person in its own IVR. Central here is the concept of incident, which is defined in the PIFI as:

“an event that has as a result, could have, or has had the effect that the interests, integrity or security of the clients or employees of a Financial Institution, the Financial Institution itself or the financial sector as a whole are or may be at risk, such as falsifying invoices, identity fraud, skimming, embezzlement in employment, phishing and intentional deception”[3]

The IVR is an internal register that is accessible only to authorised employees of the relevant financial institution. No substantive information about the incident is included in the register.[4] The IVR contains only identifying data: for natural persons this is the name and date of birth, and for legal persons the Chamber of Commerce number, possibly supplemented by the trade name and postcode.

Case law shows that strict requirements apply to an IVR registration.[5] The processing of personal data must comply with the General Data Protection Regulation (GDPR) and the PIFI. The lawfulness of the processing is in principle based on Article 6(1)(f) GDPR: the processing must be necessary for the legitimate interests of the financial institution. This requires a concrete and careful balancing of interests.

External Referral Register (EVR)

If there is a serious incident, the financial institution is obliged to include the personal data of the relevant (legal) person in the EVR. According to the PIFI, this is the case if the following conditions are cumulatively met:

  • the conduct forms, has formed, or may form a threat to (i) the (financial) interests of clients and/or employees of a financial institution, or the organisation of the financial institution itself, or (ii) the continuity and/or integrity of the financial sector;
  • it is sufficiently established that the relevant (legal) person was involved in that conduct (in principle, a report or complaint is then made to an investigating officer); and
  • the principle of proportionality is observed.[6]

According to settled case law, for an EVR registration it is required that there are such concrete facts and circumstances that they could support a conviction in the sense of Article 350 of the Dutch Code of Criminal Procedure. The suspicion must be stronger than a reasonable suspicion of guilt. A criminal conviction is, however, not required. It is up to the financial institution to substantiate and concretise the registration decision properly.[7]

Access, duration, and consequences of registration

Personal data included in the EVR are accessible to all financial institutions affiliated with the IFI.[8] Consultation takes place through the External Referral Application (EVA), which works with a so-called hit/no-hit system. In the event of a hit, it becomes visible that a person is listed in a register, without direct access to substantive information about the incident.[9]

Registrations in both the IVR and the EVR have a maximum duration of eight years, counted from the date of registration. Financial institutions must, with due regard to the principle of proportionality, explain why a particular registration period was chosen. The registration must also be terminated as soon as the conditions justifying it are no longer met.[10]

The practical consequences of a registration are considerable. Financial institutions may decide not to provide new services, such as opening a payment account, granting credit, or concluding insurance, or may terminate existing customer relationships. This directly affects the ability of the person concerned to participate fully in social life.

Legal protection of the registered person

Right of access, rectification, and deletion

A registered person has the right to access the personal data processed about them.[11] The financial institution may only grant access after the person concerned has identified themselves.[12] Within one month after receipt of the request, the institution must indicate whether personal data are being processed and, if so, which data. This period may be extended by up to two months in the case of complex or extensive requests, provided that the person concerned is informed in time.[13]

If the data provided prove to be inaccurate or incomplete, the person concerned has the right to rectification. In addition, a request for deletion of personal data may be made under Article 17 GDPR. Access may be refused in exceptional cases, for example if this is necessary to prevent, investigate, or prosecute criminal offences or to protect the rights and freedoms of third parties.[14]

Right of objection

In addition to access and rectification, the person concerned may at any time object to the processing of their personal data in the IVR or EVR on the basis of special personal circumstances.[15] This may arise, for example, in cases of identity fraud or where the factual basis for the registration is absent or insufficient. The financial institution must in principle respond to the objection within one month.[16] This period may, if the complexity of the case justifies it, be extended by up to two months, provided that the person concerned is informed within the original period.[17]

If the person concerned cannot agree with the outcome, they may submit the matter to the board or management of the financial institution.[18] If no solution is reached, the matter may be submitted to the Financial Services Complaints Institute, the Foundation for Complaints and Disputes in Health Care, the Dutch Data Protection Authority, or the civil court.

Opening an account with Dutch and foreign banks

EVR registration and banks within the EU

The IFI is a national registration system that applies only to financial institutions affiliated in the Netherlands.[19] Banks established outside the Netherlands, including within the European Union, are in principle not affiliated. This means that a (legal) person registered in the EVR in the Netherlands can, in theory, still open a payment account with a bank in another EU Member State.

Right to a basic payment account

The right to a basic payment account is regulated in the Financial Supervision Act (Wft). Under Article 4:71f Wft, every bank that offers payment accounts to consumers in the Netherlands is obliged to offer a basic payment account to anyone lawfully residing in the European Union. A bank must refuse an application if, when opening the account, it cannot comply with the obligations under the Anti-Money Laundering and Anti-Terrorist Financing Act (Wwft).[20] A bank may refuse a basic payment account if the applicant:

  • cannot demonstrate a genuine interest in opening a basic payment account in the Netherlands;
  • has an application pending for a basic payment account with a bank established in the Netherlands or already maintains a payment account with another bank established in the Netherlands (unless that account will be closed);
  • was convicted less than eight years ago by a final judgment for an offence such as forgery, knowingly providing false information, embezzlement, bankruptcy fraud, or money laundering;
  • had a basic payment account terminated less than two years ago because the applicant knowingly used it to commit criminal offences; or
  • refuses, if asked, to sign the declaration referred to in paragraph 3.[21]

The bank may check in advance with other banks whether the applicant already has a payment account and may ask the applicant to sign a declaration that they do not have, or have not applied for, an account elsewhere.[22] A registration in the EVR does not constitute an independent statutory ground for refusal, but in practice it will weigh heavily in the assessment of whether the Wwft obligations can be met.

Basic Bank Account Convention

For persons who no longer have access to a regular payment account, such as EVR-registered persons, the Basic Bank Account Convention provides an additional safety net. With the implementation of Directive 2014/92/EU, the basic payment account was indeed legally anchored at EU level, but the Convention remains socially relevant because it offers a second chance to persons who would otherwise fall through the cracks.[23]

The Convention provides for a private payment account package that in any case includes:

  • holding and using a payment account;
  • access via internet banking and/or a mobile banking app;
  • the ability to receive incoming transfers;
  • having a debit card;
  • consulting and storing statements digitally; and
  • the ability to give direct debit authorisations.

Conditions are attached to opening and maintaining a basic bank account. The applicant must, among other things, not have another payment account in the Netherlands, must fully inform the bank, and must grant permission to obtain information from other banks.[24] In addition, obligations apply such as preventing unauthorised overdrafts, complying with the applicable bank conditions, and timely reporting of changes of address and contact details; where accompanied by a social support institution, the applicant must also be accompanied by an employee of that institution for certain banking matters.

The bank may refuse an application for a basic bank account if the applicant is or has been involved in fraud, abuse of trust, fraudulent bankruptcy, forgery, money laundering, and/or fraud.[25] These are often persons who are listed in the IVR or EVR.

An exception to this rule applies when the request is made through a recognised social support institution.[26] In that case, the payment account must be managed by the social support institution.[27]

The bank may also terminate the basic bank account for compelling reasons, such as misuse. In principle, a notice period of 30 days applies so that the account holder can find an alternative bank, unless there are such serious facts or such gross negligence or intent that immediate termination is justified.[28] Misuse of an account opened under the Convention leads to termination, after which the person concerned can no longer claim a new account under the same Convention.[29]

Banks' duty of care

Although banks in principle enjoy contractual freedom, their special social position entails a far-reaching duty of care. Without a bank account, participation in economic and social life is hardly possible. The European legislature expressly recognised this interest when implementing Directive 2014/92/EU.[30]

For consumers, access to a basic payment account is legally guaranteed. For legal persons, this obligation does not apply directly. This does not mean, however, that the contractual freedom of banks in relation to legal persons is unlimited. Case law has accepted that, in special circumstances, banks may be obliged to enter into a contractual relationship, partly in view of their social function and duty of care.[31]

Conclusion

IVR and EVR registrations are an essential, but intrusive, instrument within the integrity policy of the financial sector. Strict requirements apply to registration: it requires a concrete factual basis and compliance with the principles of necessity and proportionality under the GDPR, the PIFI, and the applicable case law.

By contrast, the consequences for those concerned are far-reaching, such as long-term registration, refusal of banking services, and the risk of social exclusion. This makes carefully reasoned decision-making and periodic reassessment indispensable. The available legal remedies, as well as the statutory basic payment account and the Basic Bank Account Convention, serve as necessary safeguards for minimum access to payment services. In this tension, the special duty of care of banks becomes clear: with every registration decision, the interest in protecting integrity must be carefully balanced against the fundamental interest in financial inclusion.

[1] Art. 3.1.1 & art. 3.1.3 PIFI.

[2] Art. 1.3 PIFI.

[3] Art. 2 PIFI.

[4] Hof Leeuwarden 7 november 2023, ECLI:NL:GHARL:2023:9394, r.o. 3.19.

[5] Gerechtshof Amsterdam 13 juni 2017, ECLI:NL:GHAMS:2017:2284.

[6] Art. 5.2.1 PIFI.

[7] Rechtbank Rotterdam 25 januari 2021, ECLI:NL:RBROT:2021:1518, r.o. 4.6.

[8] Art. 4.3.3 & 5.3.2 PIFI.

[9] Art. 4.3.3 & 5.3.2 PIFI.

[10] Art. 4.3.1 & 5.3.1 PIFI.

[11] Art. 9.3.1 PIFI.

[12] Art. 9.3.2 PIFI.

[13] Art. 9.3.3 PIFI.

[14] Art. 9.3.4 PIFI.

[15] Art. 9.5.1 PIFI.

[16] Rechtbank Rotterdam 25 januari 2021, ECLI:NL:RBROT:2021:1518, r.o. 4.10 & 4.11.

[17] Art. 9.5.2 PIFI.

[18] Art. 10.1 PIFI.

[19] Art. 1.2 PIFI.

[20] Art. 4:71f lid 1 Wft.

[21] Art. 4:71g lid 2 Wft.

[22] Art. 4:71g lid 3 Wft.

[23] The Convention refers to the Convenant inzake primaire betaaldiensten (Covenant on primary payment services). Betaalvereniging Nederland is the administrator of this Convention.

[24] Art. 3 Convenant.

[25] Art. 4.1 Convenant.

[26] Art. 4.1 Convenant.

[27] Art. 4.1 Convenant.

[28] Art. 12 Uitvoeringsinstructie convenant.

[29] Art. 12 Uitvoeringsinstructie convenant.

[30] Kamerstukken II, 34480, nr. 3, p. 2.

[31] Hoge Raad 5 november 2021, r.o. 3.2.

mr. Amir Adl Rudbordeh

17.04.2026
