EBA Sanctions Guidelines

EBA Sanctions Guidelines: Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures

The European Banking Authority (EBA) has issued two landmark sets of Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures.

The Guidelines fundamentally reshape how financial institutions, payment service providers (PSPs) and crypto-asset service providers (CASPs) must implement sanctions compliance across the European Union.

This is no longer merely about sanctions list screening.

The new framework establishes a comprehensive supervisory architecture covering:

  • governance,
  • management accountability,
  • restrictive measures risk assessments,
  • KYC and beneficial ownership,
  • transaction screening,
  • sanctions circumvention detection,
  • crypto-asset monitoring,
  • freeze and escalation procedures,
  • and operational effectiveness testing.

At the same time, the Guidelines have exposed a growing regulatory conflict between:

  • the EBA’s push for EU-wide harmonisation,
  • and national competent authorities defending proportionality and national supervisory autonomy.

This conflict has become particularly visible through BaFin’s formal partial non-compliance declaration regarding EBA/GL/2024/15.


The Two EBA Guideline Packages

The EBA adopted two separate but interconnected Guideline frameworks.

EBA/GL/2024/14: Governance and Internal Controls

The first Guideline addresses financial institutions and prudential supervisors.

It establishes common EU expectations regarding:

  • governance,
  • sanctions risk management,
  • internal controls,
  • management body responsibilities,
  • compliance functions,
  • training,
  • monitoring,
  • escalation procedures,
  • and restrictive measures exposure assessments.

The EBA explicitly elevates sanctions compliance to a board-level governance issue.


EBA/GL/2024/15: PSPs and CASPs under Regulation (EU) 2023/1113

The second Guideline specifically targets:

  • payment service providers (PSPs),
  • electronic money institutions,
  • crypto-asset service providers (CASPs).

This framework focuses heavily on operational sanctions controls, including:

  • transaction screening,
  • transfer screening,
  • wallet address screening,
  • blockchain analytics,
  • sanctions circumvention detection,
  • freeze obligations,
  • and crypto-asset transfer controls.

The Guidelines apply from:

30 December 2025

and will significantly influence the future supervisory environment under the AML Regulation (AMLR) and AMLA.


Why the EBA Issued These Guidelines

The EBA identified major weaknesses across the European sanctions control landscape.

According to the EBA, institutions and supervisors across Europe showed:

  • inconsistent sanctions frameworks,
  • fragmented supervisory expectations,
  • weak governance,
  • inadequate screening controls,
  • poor data quality,
  • insufficient beneficial ownership analysis,
  • and growing exposure to sanctions circumvention risks.

The EBA therefore aims to create:

A harmonised EU sanctions compliance framework.

This is particularly relevant following:

  • the expansion of EU sanctions regimes,
  • increased geopolitical tensions,
  • Russia-related sanctions,
  • crypto-asset risks,
  • and concerns regarding sanctions evasion.

Restrictive Measures Exposure Assessment: The Core Innovation

One of the most important innovations is the mandatory:

Restrictive Measures Exposure Assessment

This functions as a sanctions-specific business-wide risk assessment.

Institutions must assess:

  • customer risks,
  • geographic risks,
  • product risks,
  • delivery channel risks,
  • beneficial ownership complexity,
  • sanctions circumvention vulnerabilities,
  • transaction exposure,
  • and operational weaknesses.

Importantly, the EBA explicitly distinguishes sanctions risks from traditional AML/CFT risks.

A jurisdiction may present:

  • high sanctions risk but low ML/TF risk,
  • or high ML/TF risk but low sanctions exposure.

This means institutions cannot simply reuse their AML risk assessment unchanged.

The assessment must be:

  • documented,
  • periodically reviewed,
  • updated after trigger events,
  • and available for supervisory inspection.

Governance Requirements Become Much Stronger

The Guidelines significantly increase management accountability.

The management body must:

  • approve the sanctions strategy,
  • oversee implementation,
  • understand sanctions risks,
  • ensure sufficient resources,
  • monitor effectiveness,
  • and review control deficiencies.

This elevates restrictive measures compliance into the core governance framework of financial institutions.


Mandatory Senior Staff Member for Restrictive Measures

The EBA also requires institutions to appoint a:

Senior Staff Member Responsible for Compliance with Restrictive Measures

This individual must oversee:

  • sanctions controls,
  • screening systems,
  • escalation procedures,
  • internal reporting,
  • training,
  • and supervisory interaction.

The role may be combined with the AML Compliance Officer function, provided independence and proportionality are maintained.

This requirement already foreshadows the future AMLR governance structure under AMLA supervision.


Screening Requirements Become Much More Intensive

The EBA Guidelines establish highly detailed expectations for screening systems.

Institutions must ensure:

  • immediate sanctions list updates,
  • fuzzy matching,
  • calibration governance,
  • regular testing,
  • effective alert handling,
  • free-text screening,
  • and ongoing effectiveness monitoring.

The EBA specifically criticises:

  • outdated sanctions lists,
  • weak calibration,
  • poor fuzzy matching,
  • overreliance on vendors,
  • and insufficient understanding of screening systems.

This creates substantial operational implementation pressure for PSPs and CASPs.


KYC and Beneficial Ownership Become Central to Sanctions Compliance

The Guidelines strongly connect sanctions compliance with KYC quality.

Institutions must screen:

  • customers,
  • beneficial owners,
  • authorised representatives,
  • counterparties,
  • intermediaries,
  • wallet addresses,
  • and payment messages.

The EBA also confirms that sanctions ownership assessment generally follows:

The “more than 50%” ownership threshold

rather than the traditional 25% AML beneficial ownership threshold.

However, institutions must also assess:

  • indirect control,
  • management influence,
  • ownership chains,
  • and control through other means.

This significantly increases operational complexity for cross-border groups and complex legal structures.


Sanctions Circumvention Detection Is a Major Focus

The Guidelines move far beyond traditional sanctions list screening.

Institutions are expected to detect possible circumvention attempts such as:

  • altered payment messages,
  • hidden beneficial ownership,
  • routing through intermediaries,
  • proxy structures,
  • layered transactions,
  • structuring,
  • fraudulent documentation,
  • and suspicious crypto-asset transfers.

The EBA also encourages:

  • blockchain analytics,
  • geolocation tools,
  • IP analysis,
  • aggregated payment-flow analysis,
  • and sectoral sanctions controls.

This is especially important for CASPs and cross-border PSPs.


Immediate Freeze and Reporting Obligations

Once a true positive match is confirmed, institutions must:

  • freeze assets immediately,
  • stop prohibited transactions,
  • report without delay,
  • notify competent authorities,
  • and escalate circumvention attempts.

The EBA repeatedly emphasises that sanctions compliance is:

An obligation of result, not merely an obligation of means.

This significantly increases operational and governance expectations.


The Emerging Conflict Between the EBA and National Supervisory Authorities

While the Guidelines aim for EU-wide harmonisation, several national competent authorities have formally challenged parts of the framework.

This conflict became particularly visible in the compliance declarations regarding EBA/GL/2024/15.


BaFin’s Partial Non-Compliance

On 10 April 2025, BaFin formally declared that it “does not comply and does not intend to comply with parts of the guidelines”.

“BaFin intends not to comply with EBA/GL/2024/15 in terms of the screening of domestic transfers because it will not bring any added value while causing an unproportionate administrative burden for the obliged entities. The goal of ensuring the implementation of restrictive measures will be fully achieved because the domestic originators and the beneficiaries are constantly screened every night, which is an obligation for institutions in the context of their customer stock safeguarding systems. A duplication by real time-screening of domestic national is therefore not necessary. FATF acknowledged this procedure to be adequate in the 4th round of country assessments.
Additionally, BaFin intends not to adopt the assignment of competences in the German supervisory framework as provided by EBA/GL/2024/15. EBA does not have the mandate to govern competences within a national authority landscape. In Germany the supervision of Union and national restrictive measures has grown and been carried out over decades under the competence of the German Central Bank (Deutsche Bundesbank). Deutsche Bundesbank and BaFin work strongly together in supervising the financial sector. It is inefficient to restructure and to destroy such well-established and functioning system.
These points have been communicated in the consultation phase, in the AMLSC discussions and in the BoS to be treated equally effective, however differently, from the precise wording of EBA/GL/2024/15.”

BaFin rejected two core elements.

Real-Time Screening of Domestic Transfers

BaFin argued that mandatory real-time screening of purely domestic transfers:

  • creates disproportionate administrative burden,
  • adds no meaningful sanctions value,
  • duplicates existing controls.

According to BaFin, German institutions already perform:

  • nightly customer stock screening,
  • continuous customer safeguarding,
  • ongoing sanctions list checks.

BaFin therefore concluded that additional real-time domestic transfer screening is unnecessary.

Importantly, BaFin also referenced:

FATF 4th Round Assessments

stating that FATF had already considered the German approach adequate.

This creates a direct tension between:

  • FATF adequacy,
  • and EBA harmonisation ambitions.

EBA Influence on National Supervisory Competences

BaFin also rejected the EBA’s proposed allocation of supervisory competences.

BaFin explicitly argued that:

The EBA does not have the mandate to govern national supervisory competences.

Germany’s sanctions supervision historically operates under a shared framework involving:

  • Deutsche Bundesbank,
  • and BaFin.

BaFin argued that this decades-old system is:

  • effective,
  • well-established,
  • and should not be restructured through EBA Guidelines.

This is an important institutional boundary-setting statement against EU supervisory centralisation.


Other National Authorities Also Show Diverging Positions

The supervisory landscape across Europe is fragmented.

Several authorities:

  • comply,
  • intend to comply,
  • or partially do not comply

with EBA/GL/2024/15.

Authorities showing compliance or intended compliance include:

  • ACPR (France),
  • CSSF (Luxembourg),
  • Central Bank of Ireland,
  • Lietuvos Bankas,
  • Austrian FMA,
  • Finansinspektionen Sweden,
  • and many others.

At the same time, some authorities show:

  • partial non-compliance,
  • or proportionality reservations.

This creates a complex operational environment for cross-border financial groups.


Why Passporting Changes Everything

This supervisory conflict becomes particularly important for:

  • PSPs,
  • EMIs,
  • CASPs,
  • cross-border banks,
  • and pan-European financial groups.

A financial institution may simultaneously operate through:

  • passporting,
  • branches,
  • subsidiaries,
  • agents,
  • distributors,
  • or centralized processing hubs

across multiple EU jurisdictions.

This means that:

BaFin’s position does not create an EU-wide safe harbour.

If another relevant competent authority fully complies with EBA/GL/2024/15, the institution may still need to implement the stricter framework.


The Real Operational Reality for Cross-Border Groups

In practice, most cross-border institutions do not build sanctions frameworks around the most relaxed supervisory interpretation. Instead, they usually implement controls based on:

The strictest relevant supervisory expectation within their operating perimeter.

This is operationally necessary because fragmented sanctions controls create:

  • inconsistent screening,
  • governance fragmentation,
  • audit complexity,
  • transaction handling conflicts,
  • operational risk,
  • and supervisory exposure.

This is especially true for:

  • instant payments,
  • crypto transfers,
  • centralized sanctions engines,
  • and pan-European processing environments.

As a result:

One stricter supervisor can effectively raise the baseline for the entire group.

The Broader Regulatory Conflict: Harmonisation vs Proportionality

The EBA Guidelines expose a fundamental EU supervisory tension.

The EBA Position

The EBA pushes for:

  • harmonised EU sanctions controls,
  • supervisory convergence,
  • standardized screening expectations,
  • and stronger operational consistency.

The National Authority Position

Several national authorities defend:

  • proportionality,
  • operational practicality,
  • existing national effectiveness,
  • and national supervisory autonomy.

This conflict will likely intensify further under AMLA.


Interaction with AMLA and the Future AMLR Framework

The Guidelines also prepare the market for the future EU AML framework under:

Regulation (EU) 2024/1624 (AMLR)

From July 2027 onward:

  • targeted financial sanctions become integrated into AML supervision,
  • AMLA will drive supervisory convergence,
  • sanctions governance will increasingly merge into AML governance,
  • and cross-border institutions will face growing pressure for harmonised controls.

Even where national authorities currently diverge, the long-term EU direction remains clear:

  • more harmonisation,
  • stronger centralisation,
  • more technology-driven controls,
  • and increased operational sanctions scrutiny.

Key Takeaways

The EBA restrictive measures Guidelines fundamentally transform sanctions compliance in Europe.

The future sanctions framework is:

  • governance-driven,
  • operationally intensive,
  • data-dependent,
  • technology-focused,
  • and deeply integrated into AML supervision.

At the same time, the Guidelines reveal growing tensions between:

  • EU supervisory harmonisation,
  • and national proportionality and competence concerns.

For cross-border institutions, the key lesson is clear:

National deviations do not eliminate EU implementation pressure.

Because of passporting, branches, subsidiaries and pan-European operating models, many institutions will ultimately need to align with the strictest relevant supervisory expectation across their EU footprint.

This makes the EBA Guidelines not only a sanctions compliance framework, but also a major test case for the future balance between:

  • AMLA centralisation,
  • EBA harmonisation,
  • and national supervisory sovereignty.


Sources:

https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/anti-money-laundering-and-countering-financing-terrorism/guidelines-internal-policies-procedures-and-controls-ensure-implementation-union-and-national

https://www.bafin.de/DE/unternehmen-maerkte/recht-regelungen/leitlinien-qa-esa/nicht_uebernommene_leitlinien/nicht_uebernommene_leitlinien_node.html
