AFM Fines bunq €170k for Late Fraud Complaint Responses
On 2 June 2026, the Dutch Authority for the Financial Markets (AFM) issued a €170,000 administrative fine against bunq B.V. for failing to respond to seven customer fraud complaints within the statutory 15-working-day window. The decision is a pointed reminder that consumer-protection obligations apply to payment service providers with the same force as prudential rules, and that operational gaps in complaint-handling workflows carry real regulatory cost.
What the AFM Found
The timeline of non-compliance
The AFM investigated bunq's handling of complaints submitted by customers who had fallen victim to online fraud, some of whom had lost tens of thousands of euros. The regulator identified two distinct periods in which bunq failed to meet the legal response deadline: 10 November 2023 to 12 December 2023, and 23 April 2024 to at least 1 August 2024. Across both periods, seven complaints went unanswered within the required timeframe, leaving affected customers in prolonged uncertainty while they waited for a substantive reply that Dutch law requires within 15 working days of receipt.
What the rules require
Payment service providers operating in the Netherlands are legally required to provide a full, substantive response to every point raised in a customer complaint within 15 working days of receiving it. The obligation is not merely procedural: it is part of a broader consumer-protection framework designed to ensure that customers of essential financial services, including payment accounts, receive timely recourse when something goes wrong. The AFM's investigation confirmed that bunq's responses in the affected cases arrived weeks after that deadline had already passed.
How the Fine Was Calculated
From base amount to final penalty
The base penalty for the type of violation the AFM identified is €500,000. The regulator reduced this to €200,000, citing bunq's conduct after the complaints were filed: despite clarifying that the customers involved were not legally entitled to compensation under Dutch law, bunq chose to compensate them fully or largely in any case. The AFM treated that voluntary remediation as a mitigating factor. A further 15% reduction was then applied because the case was resolved through a simplified procedure, bringing the final fine to €170,000. The simplified settlement closes the matter, meaning no further regulatory proceedings will follow from this specific enforcement action.
Jos Heuvelman, an AFM board member, stated in the published decision that timely complaint handling is essential to maintaining trust in the financial sector, and that customers who have suffered fraud must be able to rely on their concerns being taken seriously. The regulator made clear it will continue monitoring whether institutions embed proper complaint-handling processes into their operations.
Compliance Implications for Firms
Complaint-handling as a supervisory priority
This enforcement action sits alongside the AFM's broader supervisory focus on consumer conduct. For compliance teams, auditors, and CFOs advising payment service providers or digital asset businesses, the bunq case illustrates a pattern regulators across the EU are pursuing: even where a firm ultimately does the right thing for customers, the process failure that preceded remediation remains sanctionable. Voluntary compensation does not erase the original breach; it merely reduces the penalty.
Firms that handle customer funds, particularly those operating at the intersection of payments and digital assets where fraud exposure is acute, need to ensure their complaint workflows are mapped against regulatory timelines and tested regularly. The AFM found a gap that spanned multiple months across two separate periods, which suggests a systemic process weakness rather than an isolated oversight. Auditors reviewing payment service providers should be asking for evidence that complaint receipt is logged automatically, that escalation triggers are built into case-management systems, and that response-deadline monitoring is someone's named responsibility.
Relevance for digital asset and crypto-adjacent businesses
While bunq is a regulated payment institution rather than a crypto-asset service provider under MiCA, the enforcement principle transfers directly. As the MiCA transitional period closes and CASP authorization becomes mandatory across the EU, newly licensed crypto businesses will find themselves subject to the same consumer-protection supervisory expectations that the AFM applied here. Complaint-handling procedures will be part of authorization assessments and ongoing supervision. Firms using crypto accounting software or digital asset accounting software to manage client records should ensure their compliance infrastructure extends to operational conduct metrics, not just financial reporting outputs. The AFM's Distance Marketing Financial Services Directive requirements for crypto service providers in the Netherlands signal the same supervisory direction.
More broadly, the case reinforces a principle visible across European enforcement: regulators are not waiting for large-scale misconduct to act. Seven complaints, across two discrete periods, were sufficient for the AFM to open a formal investigation and impose a six-figure fine.
Key Takeaways for Compliance Professionals
Practical steps to reduce exposure
The bunq decision points to three concrete areas where firms should audit their current position. First, complaint receipt and acknowledgment should be automated so that the 15-working-day clock is logged from the moment a complaint arrives, not when it is manually assigned. Second, substantive response means substantive: the AFM's standard requires each point in the complaint to be addressed, not a generic holding reply. Third, voluntary remediation is a mitigating factor in Dutch enforcement practice, but it is not a substitute for having the process right in the first place. Regulators will give credit for it at the penalty-calculation stage, but the fine still lands.
For firms building or reviewing compliance programmes under MiCA, the AFM's approach here is also useful calibration for what the broader crypto compliance reporting environment looks like in a leading EU supervisory jurisdiction. The Netherlands has one of the more active national regulators in this space, and its enforcement decisions tend to set a tone that other member-state authorities observe.
Frequently Asked Questions
Why did the AFM fine bunq if bunq compensated its customers?
Compensation was a mitigating factor that reduced the fine from the €500,000 base to €200,000, and the simplified procedure brought it down further to €170,000. But the violation, failing to respond to complaints within the 15-working-day statutory deadline, had already occurred. Dutch enforcement practice distinguishes between the breach itself and subsequent remediation. The two are assessed separately.
What is the 15-working-day rule and where does it come from?
Payment service providers in the Netherlands are required by law to give a substantive, point-by-point response to customer complaints within 15 working days of receipt. The obligation stems from Dutch financial services consumer-protection legislation that implements broader EU payment services rules. It is not discretionary: the clock runs from receipt regardless of the complexity of the complaint.
Does this enforcement action affect crypto-asset service providers?
Bunq is a payment institution, not a CASP. But the AFM supervises both categories, and the consumer-conduct principles it applied here extend to any regulated firm handling customer funds or complaints. As MiCA-authorized CASPs come under Dutch AFM oversight, complaint-handling standards will form part of the supervisory framework they operate within.
What does the simplified procedure mean for the finality of this case?
The AFM confirmed that the simplified settlement closes the matter. Bunq accepted the reduced fine without pursuing a full administrative-law procedure, and no further regulatory action will follow from this specific enforcement decision. The trade-off is the additional 15% reduction applied to the penalty.
How should compliance teams use this decision in their own risk assessments?
Use it as a benchmark. If your complaint-management system cannot produce a timestamped log of every complaint received, track the 15-working-day deadline automatically, and flag cases approaching that limit, you have a gap that this decision shows regulators will identify and fine. The AFM found a multi-month failure across two separate periods, which points to the kind of systemic weakness that appears in supervisory reviews and audits.
