BSN Masking: Dutch Customer Identity Verification [Privacy & KYC Rules]

Find out about BSN masking and why it’s unique to the Netherlands. Learn how to onboard Dutch citizens while optimizing the identity verification experience without cutting corners on KYC compliance or data privacy rules.

Gabija Stankevičiūtė
· 11 min read

June 18, 2026

BlogRegulations by Country

Table of Contents

What is the BSN, and What is its Purpose in Dutch IDV?
Which Dutch Law Doesn’t Allow Processing BSN Data?
How Does Customer Identity Verification with BSN Masking Work in the Netherlands?
What is KopieID?
Common Dutch Customer ID Verification Limitations that Result in Drop-Offs
Tips For a Compliant and User-Friendly ID Verification Flow in the Dutch Market
Is there a Non-Document Onboarding Option that Doesn’t Require BSN Masking?
How iDenfy Can Help With Dutch Customer Identity Verification

Know Your Customer (KYC) in the Netherlands follows the same unified framework, defined by Anti-Money Laundering (AML) compliance rules. It requires verifying new business relationships, both with individual customers and corporate clients, as a way to assess risks before onboarding and on an ongoing basis. Yet, while this might all sound familiar, identity verification and document verification using the standard government-issued ID capture are different in the Netherlands, compared to other EU countries, for instance. 

Stricter privacy and data protection rules require businesses not to collect and store the customer’s BSN, or the Burgerservicenummer (also referred to simply as the Citizen Service Number) without a specific legal basis to do so. Older ID documents in the Netherlands had the BSN appear in plain text on every Dutch national passport, business passport, and national identity card. This meant that older documents had personal details written within the Machine Readable Zone (MRZ). 

And for some of the private companies that offer identity verification services, that legal basis doesn’t exist. This means that they apply the same rules for all documents, including for Dutch customers, and don’t mask or store personal KYC data despite the country-specific framework. This is a known issue, especially on platforms where KYC rules are generally less strict, but still require ID verification after the onboarding, like before a higher-risk payout due to the requirements that the payment provider has. Then, if the Dutch user doesn’t feel comfortable and doesn’t feel safe sharing their data, they’re more likely to drop off. 

From the business perspective, it’s hard to make the onboarding process completely custom and transparent, especially if you pick a global IDV vendor and want to stick to a single KYC solution in all of the markets that you operate. So, how to solve this issue and to offer a compliant Dutch customer identity verification with BSN masking? I look into this below. 

What is the BSN, and What is its Purpose in Dutch IDV?

The Burgerservicenummer, or the BSN, is a nine-digit unique citizen identifier in the Netherlands. It’s assigned to every resident registered in the Dutch Personal Records Database (Basisregistratie Personen, BRP). The BSN has different functions: a tax number, a social security number, and a national identity number in the process of document verification, often used for KYC onboarding. 

-> The BSN appears on Dutch passports, business passports, and national identity cards.

-> Diplomatic passports, service passports, refugee travel documents, and aliens’ travel documents don’t include a BSN. 

-> Dutch driving licences are issued under a separate framework and don’t have a BSN in a machine-readable form. 

Identity Verification

Automate your KYC process

iDenfy verifies customers from 200+ countries in seconds. AI-powered, compliant, and trusted by 1,000+ companies.

Explore KYC Solution

What You Should Know About the BSN and the 2021 Redesign

In August 2021, the Dutch government introduced a redesigned national passport, with the BSN printed on the reverse side of the document.  The most relevant change for businesses running KYC on Dutch customers: the BSN was moved out of the MRZ or the chip and into a QR code

It’s encoded on the back of the biographical data page, with the nine-digit number also printed in plain text alongside it. You can review more examples here

Source: Rijksdienst voor Identiteitsgegevens

Per RvIG’s official features specification, this change fulfilled a commitment to the House of Representatives and was accompanied by design updates across all Dutch travel document formats to improve consistency and reduce fraud risk.

Which Dutch Law Doesn’t Allow Processing BSN Data?

Dutch law treats the BSN as sensitive data with its own set of rules. Under the Algemene Verordening Gegevensbescherming (UAVG), the Netherlands’ implementation of GDPR, private companies can only process a BSN when a specific legal obligation requires it. Article 87 of the GDPR permits member states to specify the conditions under which national identification numbers may be processed. The BSN is classified as a special category of personal data

How Does Customer Identity Verification with BSN Masking Work in the Netherlands?

A typical customer identity workflow in the Netherlands, if compliant, uses BSN masking. That means it redacts the number either automatically at the infrastructure level or by accepting a document that the customer has already masked themselves. This way, the KYC session’s result is a completed IDV process with no BSN in the record. In other words, the BSN isn’t kept or processed at all. 

The KYC flow for the Dutch market can consist of these standard steps:

  1. Document submission. The customer uses their Dutch passport or national ID card, and the system automatically captures the personal details. 
  2. BSN detection. The KYC system identifies if the provided document matches the requirements and if it has the BSN field, like the QR code on the back of the biographical data page and the printed numerical BSN alongside it. 
  3. BSN masking. Sensitive information and the BSN are hidden by the verification software for Dutch ID documents before they are processed. The customer doesn’t need to add anything or add text input manually. 
  4. Final KYC results. The client’s identity is confirmed using the remaining document data (name, date of birth, document number, nationality, and expiry info). This can be done using another database, taken from official government registries, for example, to cross-match it and see if there are any inconsistencies. Selfie verification is also another popular method for a full KYC workflow, not just ID doc verification. 

The business that has processed data has no legal right to hold BSN details. This isn’t standard practice, since there are markets that use global identity verification providers, and the same workflow for KYC onboarding for different countries. Then, the goal of their document extraction pipelines is to capture as much data as possible from a submitted identity document.

For example, if the user’s IP dictates that they are in Spain, they don’t need to select their document’s issuing country; they only press on the document type and move further. The same would go for another EU country, but not for the Netherlands. However, if the KYC vendor is customizable, like iDenfy, you can use different workflows for different countries and enable BSN masking for the Netherlands. The same goes for other aspects in the onboarding flow, like the U/X language (non-Latin scripts, for example). 

Related: How to Improve KYC Verification? Tips For a Frictionless User Experience

What is KopieID?

As a way to solve the sensitive information sharing issue in the Netherlands, particularly the situation regarding BSN and its masking, the Dutch government presented the KopieID app. It allows users to capture their ID doc and apply a digital overlay, masking the BSN before sharing the copy online. In other words, the app allowed for Dutch citizens to have the legal right to hand over a document with the BSN obscured and have an official, easily accessible tool to do so. 

Yet, for KYC conversions, an extra step like redirecting the user to another page/app or an extra step that isn’t frictionless and takes extra time, even a minute, prolongs the KYC session:

  • The user must know the requirement exists, obtain or know how to use the app, apply the mask correctly, and then re-upload. 
  • If the masking is applied incorrectly or the document edges are clipped, the verification fails, the user drops off, and the business loses the conversion.

And then, businesses have a lower conversion rate, especially if there are other, more native options in the Netherlands, even among global IDV vendors and their offerings. So, when choosing a new ID verification software or when switching providers or scaling to the Dutch market, always assess if there aren’t any hidden costs and if the software is capable of complying with local requirements. Elevated rejection rates, user abandonment at the ID upload step, or compliance exposure are real risks that some businesses do not catch until they go live.

Common Dutch Customer ID Verification Limitations that Result in Drop-Offs

There isn’t a universal rule for every business out there, but there are patterns that KYC in the Netherlands is known for. And apart from compliance obligations, user experience is extremely important, especially in industries where the audience is tech-savvy, know how a good customer identity verification process should work. Users unknowingly compare KYC solutions, and if the journey isn’t as expected, they leave for a competitor and possibly never return, especially if this is their first impression of the brand.

That’s because:

  • Some globally operating businesses straight up don’t know how to onboard Dutch customers and do this incorrectly, leading to outright abandonment or long manual review queues that could be avoided with the right, tailored KYC software for that jurisdiction. 
  • Private-sector businesses can’t process the BSN, so customers do that on their own (even though there are no instructions on the app) and mask it themselves before submission, then the system, which isn’t aligned with this standard, rejects the document and marks it as failed KYC verification

-> The practical implication: your KYC system must either not extract the BSN, or must delete it from the verification record before storage.

In contrast, ignoring compliance requirements and accepting unmasked Dutch ID documents with BSN data can lead to unwanted outcomes after an audit that will surface this approach immediately. With a proper solution that supports BSN masking, you can remove this issue and simply create an onboarding experience that’s efficient and equivalent to a standard document ID document capture, which is typical in other markets. 

Tips For a Compliant and User-Friendly ID Verification Flow in the Dutch Market

Apart from the obvious, or the integration of a government-issued ID document flow that has BSN masking capabilities, you need to adjust your onboarding workflows. This includes adding extra measures that complete the whole picture, including AML requirements. For regulated, high-risk businesses, like real estate, gambling, crypto, fintech, banking, etc., this is mandatory. Age-restricted service/item providers implement KYC verification as well, via document capture and DOB extraction or as a separate age verification workflow. For the Dutch market, even in such a case, the BSN masking feature is required. 

Other tips you should consider and then apply to assess a potential vendor:

  • Design the onboarding flow around your customer. For example, if it’s an eSIM app, and you need to onboard a Dutch user before they can activate their eSIM, the U/X should be optimized for a seamless mobile experience because they are already waiting and expecting a swift onboarding. On a fintech platform, for instance, an average client knows that the onboarding consists of more steps, possibly a Proof of Address check (in crypto, for example) or Proof of Funds verification, so there are other factors to consider, like supporting different document types and giving real-time feedback during a liveness check. 
  • Apply the risk-based approach. Tailor the KYC onboarding process not just to the country or its regulatory rules, but also to the overall risk profile. If it’s a new user accessing your service for the first time, you can use behavioral biometrics or data like their IP to detect blacklisted users or those that are doing multi-accounting and have already committed fraud and are just trying to bypass ID verification under a different identity. Low-risk users move through faster. High-risk users require Enhanced Due Diligence (EDD). 
  • Use the same vendor for AML checks (if applicable). For high-risk industries, managing the same dashboard for AML screening and KYC onboarding is simpler for analysts. It’s also easier to implement and often cheaper. For example, if your onboarding requires checks against sanctions or you need adverse media to run it in the background, factors like false positives or access to government agencies matter. The same RegTeck vendor is ideal for all compliance-related tasks because it helps close the regulatory gaps and keep a compliant audit log. For corporate compliance, Know Your Business (KYB) is also required, so a vendor like iDenfy that has KYC/KYB and AML tools under the same platform is worth considering. 

Finally, pair every element with a proper ongoing monitoring system, rather than treating verification as a one-time event. For reverification in the Dutch market, consider not asking to upload the ID, but rather submit a selfie and then compare it with the records that you already have (BSN isn’t required as well in this case). This smooths out the experience and is still a compliant workflow in most cases. 

For e-commerce merchants, consider no-code IDV apps and integrations that also help you automate KYC compliance, including in the Netherlands. This helps save hours on implementation, which is also directly linked to your KYC budget (less costs, more saved time, for example, a few hours in total vs two weeks). 

Is there a Non-Document Onboarding Option that Doesn’t Require BSN Masking?

Yes. An alternative workflow to the standard KYC document check is one that doesn’t require the user to have a physical ID on them. These are popular methods, also known as digital IDs or eIDs, especially in the EU. It’s required for eIDAS compliance and other use cases. For example, for an age-restricted alcoholic beverage online shop in a local market in Sweden, Bank ID is the non-doc option, which verifies user age before they can check out.  In the Netherlands, the equivalent is iDIN. 

No document means there’s nothing to mask because the data is already logged in the system. This improves conversions, sometimes even up to 20%, based on our in-house research at iDenfy. 

How iDenfy Can Help With Dutch Customer Identity Verification

iDenfy offers an end-to-end customer identity verification solution, with all the tools that you pick and then use for your custom onboarding process:

-> Government-issued ID verification

-> Biometric verification (active/passive liveness & face-matching)

-> Database verification and automated access to registries 

-> Custom KYC reports easily downloaded in PDF format

-> Risk-scoring and pre-made onboarding templates (based on industries)

-> AML screening (PEPs & sanctions, watchlists, adverse media)

-> KYB verification with built-in AI agent and dynamic workflows 

-> Face authentication for re-verification at any stage

-> Other fraud prevention tools & ongoing monitoring

White-labeling and custom branding, language options, and country-specific compliance requirements, like the BSN masking feature, are also available through iDenfy’s suite without extra coding or manual effort that takes up your team’s time. 

You can test out both document-based and digital ID workflows for free, or book a demo to see how the dashboard works with our Sales team to get a more personalized offer. 

Gabija Stankevičiūtė

Gabija’s a consistent writer for the blog and the first ever in-house copywriter at iDenfy, who joined the company in 2021. With a background in journalism, she covers all things related to the RegTech ecosystem and its innovations.

Verify Users in the Netherlands in Less Than 50 Seconds On Average

Add age verification, government-issued ID verification, or any local digital ID verification to your platform.

Try for free

Read more articles

Blog Identity Verification

June 16, 2026

Identity and Age Verification for eSIM Providers [Guide]

Get the expert insights on the hype of eSIMs, their advantages and user-related behavioral patterns that reflect the high level of expectations when it comes to the user onboarding process. See what practical steps are required for a compliant, efficient ID and age verification workflow for eSIM providers.

Written by Gabija Stankevičiūtė
Blog KYB/AML

June 16, 2026

KYB for Import/Export: How to Verify Business Partners 

In international trade, trust often moves faster than certainty – and that gap is where costly mistakes happen. Shipping on credit to an unverified business partner can mean chasing unpaid invoices across jurisdictions with little practical recourse.

Written by Andrius Juodis
Blog

June 12, 2026

Sanctions Screening for Luxury Goods Retailers

Luxury retailers are now a primary sanctions enforcement target – and the regulatory record makes that unmistakably clear. This piece breaks down why the sector is uniquely exposed, what OFAC and EU rules actually require, and what a defensible compliance program looks like before regulators come knocking.

Written by Andrius Juodis

Save costs by onboarding more verified users

Join hundreds of businesses that successfully integrated iDenfy in their processes and saved money on failed verifications.

Talk to us
Image of salesmens
LLOYDS

All iDenfy’s products are protected with the number one cyber insurance package and the Technology Errors & Omissions insurance.

GDPR ready badge CCPA compliant badge SOC certificate ISO 27001 standard iBeta ISO 30107 standard