Project XBY

Europe · GDP rank #16

Netherlands

NL · EUR @ 1.1595/USD

Cards — specifically Maestro and its debit successors — dominate at the point of sale, while e-commerce runs almost entirely through iDEAL, the domestic bank-transfer scheme owned by a consortium of Dutch banks and being migrated into the pan-European Wero wallet. Cash usage is among the lowest in the euro zone. Regulatory posture is EU-compliant with a DNB emphasis on AML vigilance after the 2020s ING-ABN scandals.

Tab 06

Fraud & security

Headline fraud totals and typology splits, the rollout of EMV chip, tokenisation, 3DS and biometrics, and the controlling data-protection and payments statutes.

Annual fraud losses

€32M −11% vs 2023

EUR · 2024

Loss rate

1.9bp

basis points on transaction value · 2024

Among the lowest in Europe; attributed to PSD2 SCA maturity plus aggressive industry-shared scam-detection.

CNP share of fraud

68%

% · 2024

Fraud typology

Where losses come from

Card-not-present dominates every developed-market fraud profile — counterfeit and lost/stolen have both been mechanically suppressed by EMV and tokenisation over the last decade.

Share of card fraud

  • Card-not-present (e-commerce)68%
  • Social engineering / phishing (iDEAL + bank app)22%
  • Lost/stolen / counterfeit10%

Authentication

What's deployed on cards today

EMV is the floor; tokenisation removes PAN from merchant systems; 3DS covers the CNP flow; biometric auth drives device-level wallet transactions. Adoption gaps between markets are the clearest signal of fraud-regime maturity.

EMV chip penetration

100%

% · 2024

Tokenised transactions

44%

% · 2024

3DS coverage · CNP

91%

% · 2024

Biometric mobile wallet txns

98%

% · 2024

Consumer protection

Framework
Wft (Wet op het financieel toezicht) + PSD2 transposition
Max consumer liability
€50 pre-notification; €0 post-notification
Liability rules
Consumer liability capped at €50 for unauthorised transactions before notification, zero after. Banks must refund immediately and may chargeback only with proof of fraud or gross negligence.

Source · DNB

Security standards

  • PSD2 SCA (in force 14 September 2019)
  • PCI DSS 4.0 (mandatory March 2025)
  • DORA operational-resilience (Jan 2025)
  • AP (Autoriteit Persoonsgegevens) data-protection rules atop GDPR
  • DNB Good Practice on Information Security