Freshfields Risk & Compliance

The EBA’s New Guidelines: Integrating Sanctions Compliance into Governance and Risk Management Frameworks of EU Financial Institutions

Key Takeaways for Financial Institutions

  1. Harmonised Standards for Sanctions Compliance:
    The European Banking Authority (EBA)’s new guidelines on internal policies, procedures and controls to ensure the implementation of EU and national restrictive measures set consistent EU-wide industry standards for financial institutions on how to integrate European sanctions compliance into their governance and risk management frameworks.
  2. Broad Scope:
    The guidelines cover restrictive measures including (i) EU financial as well as trade sanctions and (ii) national sanctions imposed by EU Member States. Compliance programs must address both.
  3. Special To-Dos for Payment Service Providers (PSPs) and Crypto-Asset Service Providers (CASPs):
    In addition to the general standards applicable to all financial institutions, PSPs and CASPs face additional standards for transfers of funds and crypto-assets.
  4. Deadline for Implementation:
    Financial institutions should plan for full compliance with the guidelines by 30 December 2025.


EBA Guidelines Within the EU Sanctions Framework

On 14 November 2024, the EBA issued two landmark guidelines to ensure EU-wide consistency in how financial institutions comply with sanctions (restrictive measures). Until now, there have been significant differences in the way authorities in various jurisdictions expect financial institutions to tackle sanctions compliance. The new guidelines provide common practical standards for the policies, procedures and controls that financial institutions must implement to address the risks associated with EU and EU Member State sanctions.

What Are They?

The first set of guidelines (adopted by the EBA on its own initiative) establishes minimum standards for financial institutions, which must especially:

  • carry out (and keep up to date) a sanctions exposure assessment, which should identify how their business is exposed to sanctions and to the risks of circumvention and breaches, as well as the impact of those risks;
  • incorporate sanctions compliance into governance and risk management frameworks by putting in place, maintaining and implementing policies, procedures and controls which are proportionate to the size, nature and complexity of the financial institution and its sanctions exposure;
  • clearly define responsibilities for sanctions compliance, with the management body being responsible for approving the strategy for sanctions compliance and for overseeing its implementation, and with a specifically appointed senior staff member performing a number of sanctions compliance related tasks;
  • allocate appropriate human and technical resources to sanctions compliance and provide for regular sanctions compliance training;
  • ensure compliance of any outsourcing arrangements; and
  • to the extent that they are parent undertakings of a group, observe compliance with these standards also within the group.

The second set of guidelines (adopted pursuant to a specific EBA mandate under the Funds Transfer Regulation) provides that PSPs and CASPs should:

  • take measures to ensure that they do not make any funds or crypto-assets available to any person, entity or body subject to sanctions and that they do not perform transactions prohibited by sanctions;
  • choose a screening system that is adequate and reliable enough to allow them to meet their sanctions obligations; define the dataset to be screened, the EU and national sanctions lists to be screened against (list management) and the frequency of and trigger events for such screening; and run such screening across customers, their representatives and beneficial owners as well as transactions;
  • have in place policies, procedures and controls for analysing, dealing with and documenting alerts;
  • take action to manage the related sanctions risk, in particular the risk of breaches or circumvention of sanctions; and
  • ensure compliance of any outsourcing arrangements.

Who Do They Apply To?

  • National competent authorities (NCAs): The guidelines apply to NCAs in EU Member States, which should integrate the EBA’s supervisory expectations into their regulatory frameworks and supervisory practices and assess compliance by financial institutions.
  • Financial institutions: All entities subject to regulation and supervision pursuant to the Capital Requirements Directive, Payment Services Directive 2 or E-Money Directive, including especially credit institutions, PSPs and e-money institutions, as well as CASPs in the sense of the Markets in Crypto-Assets Regulation are subject to the first set of guidelines on general policies, procedures and controls for sanctions compliance.
  • PSPs and CASPs: PSPs and CASPs additionally fall under the second set of guidelines on specific sanctions compliance measures in the context of transfers of funds and crypto-assets.


Are They Binding?

While legally non-binding, the guidelines operate under a “comply or explain” mechanism: NCAs must either follow the guidelines or justify their non-compliance within two months of the publication of the official translations, which makes the guidelines a supervisory benchmark. As such, the guidelines are expected to be observed by the industry, which should make every effort to comply therewith.


Impact for Financial Institutions

  1. Practical Implementation in Governance, Risk Management and Compliance Frameworks:
    Financial institutions should:
    • conduct a gap analysis of their current governance, risk management and compliance frameworks, including any outsourcing arrangements, against the new guidelines;
    • revise their existing policies, procedures and controls and, where necessary, contracts to cover all EU and national sanctions and to reflect the guidelines. This may also involve upgrading (IT and other) systems for screening, monitoring and reporting as well as for transaction stops and asset freezes;
    • revisit their HR set-up with a view to responsibilities, resource allocation and training; and
    • ensure senior management oversight to mitigate the risks of breaches or circumvention.

  2. Specific To-Dos for PSPs and CASPs:
    PSPs and CASPs should additionally comply with sanctions when performing transfers of funds or crypto-assets and implement specific measures in this respect, in line with the guidelines.

  3. Risks of Non-Compliance:
    We already see intense investigations and enforcement regarding sanctions compliance by supervisors, including at the intersection of sanctions and anti-money laundering (AML) compliance. As a result of the new guidelines, we would expect enhanced regulatory scrutiny in this space. Depending on supervisors’ powers under national law to address sanctions-related governance, risk management and compliance issues, failure to comply with the guidelines might have various consequences, potentially including corrective actions, fines or public “naming and shaming”, with the associated reputational damage (amongst others).


Concluding Remarks: A Space to Watch

Overall, the guidelines are in line with the general trend of increased harmonisation and intensification of EU regulation and the closer link between sanctions compliance and financial regulatory (including AML) compliance.

The latter can also be seen from the EU AML package, under which the implementation of a sanctions compliance management system will become a hard-coded legal obligation as of 10 July 2027. Check out our EU AML package navigator for further information.

Our sanctions and financial regulatory teams continue to monitor developments in this area and are happy to support. Please reach out if you would like to discuss any of the topics raised herein.

For full details, please refer to the EBA guidelines here.