On 14 November 2024, the European Banking Authority ("EBA") released two sets of guidelines relating to the handling of European and national sanctions by financial institutions and payment service providers. This note provides an overview of key take-aways from these new guidelines. While certain financial institutions are now receiving some regulatory guidance, other companies are facing the challenge of having to establish effective sanctions compliance programs for the very first time. Though not directly applicable, the EBA guidelines might provide some ideas that can be put into practice.
Why the EBA guidelines on sanctions?
Under the amended European Fund Transfer Regulation ("FTR" – Regulation (EU) 2023/1113), EBA was mandated to issue guidelines to assist payment service providers ("PSPs") and crypto-asset service providers ("CASPs") in putting in place internal policies, procedures and controls that will ensure implementation of both European and national restrictive measures when they perform transfers of funds and crypto-assets. EBA fulfilled this mandate by publishing guidelines EBA/GL/2024/15 ("EBA PSP/CASP Sanctions Guidelines").
On top of that mandate under FTR, EBA saw the need to provide guidance for all financial institutions within its supervisory remit regarding compliance with sanctions. EBA therefore, on its own initiative, also issued guidelines applicable to banks and investment firms regulated under CRD, payment service providers in scope of PSD II and e-money institutions (EBA/GL/2024/14 – "EBA General Sanctions Guidelines").
... and why two and not one set of guidelines?
EBA was mandated under FTR to develop guidelines addressed only to PSPs and CASPs concerning the performance of transfers of funds and of crypto-assets. However, in stark contrast to the rather detailed organizational requirements for obliged entities under European AML legislation, regulations on how financial institutions must implement compliance with financial sanctions are lacking in European legislation to date. Admittedly, the new European AML Regulation (EU) 2024/1624 ("AML-R") will remedy this situation to an extent, but it is not set to take effect until 10 July 2027.
EBA recognizes that there are significant differences in what national regulators expect from financial institutions to comply with sanctions. Furthermore, EBA acknowledges that obliged entities' compliance with sanctions differs across member states. The EBA General Sanctions Guidelines are EBA's response to these perceived deficiencies. Their scope of application is broader than that of the EBA PSP/CASP Sanctions Guidelines and covers all financial institutions within EBA's purview.
When do the new guidelines take effect?
Both the EBA PSP/CASP Sanctions Guidelines and the EBA General Sanctions Guidelines will apply starting 30 December 2025.
What is new in the EBA General Sanctions Guidelines?
The EBA General Sanctions Guidelines essentially set out three major requirements:
(1) the implementation of policies, procedures and controls for sanctions compliance,
(2) the establishment of governance structures that clearly allocate responsibility for sanctions compliance and
(3) the performance and periodic update of "restrictive measures exposure assessments".
Each of these requirements understands sanctions compliance to mean measures taken by institutions alongside the provision of their services to ensure that they are monitoring their customers and their transactions properly.
Who is responsible for sanctions compliance?
According to the EBA General Sanctions Guidelines, the management body of every obliged entity should be responsible for approving the institution's strategy for complying with sanctions and for overseeing that strategy's implementation. Additionally, a "senior staff member" should be appointed in charge of the measures taken to ensure compliance with restrictive measures. However, this position can in principle be combined with other, already existing functions, such as the anti-money laundering officer ("AML/CFT compliance officer"). In fact, AML-R provides that AML/CFT compliance officers as a rule are to be responsible for compliance with targeted financial sanctions, such as asset freezes and prohibitions on making funds and other assets available to designated persons.
... and what's in there for German supervisory boards?
The EBA General Sanctions Guidelines lay out certain requirements for the "management bodies" of financial institutions "in their supervisory function". EBA specifies that this body should be responsible for overseeing and monitoring the controls and governance framework that the institution has implemented to comply with sanctions in order to ensure that it is effective. One measure stipulated for fulfilling that responsibility is the performance of an assessment at least once per year that, among other things, examines the appropriateness of the technological and human resources allocated to compliance with restrictive measures.
What exactly is the "restrictive measures exposure assessment"? Can it be combined with the AML/CFT risk assessment?
The EBA General Sanctions Guidelines provide that financial institutions should perform a restrictive measures exposure assessment ("RMEA"). In the RMEA, the financial institution is to assess:
1. which restrictive measures apply to it,
2. the likelihood of non-implementation of sanctions,
3. the likelihood of circumvention of sanctions,
4. the impact of breaches of sanctions and
5. the risk factors set out in the guidelines.
EBA prescribes that financial institutions review their RMEA at least once a year. While the RMEA exhibits some similarities with the AML/CFT risk assessment, they are not identical. EBA leaves it up to financial institutions whether to keep both assessments separate or in a single document.
Do the EBA General Sanctions Guidelines apply on top of the EBA PSP/CASP Sanctions Guidelines?
Yes. The two sets of guidelines are complementary, not mutually exclusive. Thus, both documents are relevant for PSPs and CASPs.
Do the EBA PSP/CASP Sanctions Guidelines also apply to credit institutions engaging in payment services?
Yes. The EBA PSP/CASP Sanctions Guidelines do not apply just to "payment institutions" authorized under PSD II but to all financial institutions providing payment services as defined in Art. 1 (1) PSD II.
What are the key topics addressed in the EBA PSP/CASP Sanctions Guidelines?
The EBA PSP/CASP Sanctions Guidelines mainly cover the following topics:
1. sanctions screening requirements, which cover such areas as the management of sanctions lists, types of data sets to be screened, events triggering screening procedures, the calibration settings of screening systems and reliance on third parties,
2. due diligence requirements and verification measures for alert analysis, for instance relating to the ownership and control of entities by a sanctioned person as well as measures to detect attempts to circumvent sanctions and
3. freezing and reporting measures, ensuring in particular that funds are automatically and immediately frozen and that fund transfers are stopped upon confirmation of a positive match.
... and how does this all fit with AMLA?
From 10 July 2027 onwards, AML-R will regulate internal policies, procedures and controls that ensure the implementation of targeted financial sanctions. The newly established European Anti-Money Laundering Authority ("AMLA") will then also monitor compliance with that regulation by financial-sector entities under its direct supervision. These will be (up to) 40 yet-to-be selected entities operating on a cross-border basis and presenting a high risk of money laundering and terrorism financing. National AML/CFT supervisors will remain competent for all other financial-sector entities. EBA is therefore already acknowledging that the guidelines are to be updated after July 2027 to reflect these future changes.