Key guidelines from the European Banking Authority on sanctions compliance
Locations
On November 14, 2024, the European Banking Authority (EBA) released two sets of final guidelines. These guidelines establish, for the first time, common EU standards for governance arrangements, as well as the policies, procedures, and controls that financial institutions must implement to comply with EU and national restrictive measures. Both The guidelines will apply from 30 December 2025 providing institutions with ample time to adjust their policies and systems.
This initiative by the EBA underscores its dedication to enhancing the EU's regulatory framework for sanctions compliance, while also aiding financial institutions in managing the complexities of compliance.
The first set of guidelines: Governance and risk management
These guidelines (EBA/GL/2024/14) apply to all financial institutions under the EBA's supervisory remit. They establish a framework to ensure that governance structures, internal controls, and risk management systems are robust enough to address risks related to breaches or circumvention of restrictive measures. The guidelines emphasise the importance of regularly assessing exposure to restrictive measures and tailoring compliance processes to the size, nature, and complexity of the institution.
The second set of guidelines: Payment service providers and crypto-Assets
These guidelines (EBA/GL/2024/15) focus on payment service providers (PSPs) and crypto-asset service providers (CASPs). They outline targeted measures to prevent funds or crypto-assets from reaching designated persons or entities, emphasizing the need for reliable screening systems and thorough transaction monitoring.
The guidelines also highlight the importance of managing risks related to the circumvention of restrictive measures through proactive due diligence and continuous updates to compliance systems.
Don't miss a thing, subscribe today!
Stay up to date by subscribing to the latest International Trade insights from the experts at Fieldfisher.
Subscribe nowEU aims for crypto stability with rigorous screening
To comply with the EBA Guidelines, CASPs will need to put in place policies, procedures and controls to ensure compliance with restrictive measures.
These must be proportionate to the nature and size of the CASP, the nature, scope and complexity of their activities, and their exposure to restrictive measures. The Guidelines introduce detailed requirements including:
Reliable and adequate screening systems: CASPs must choose a screening system that is both adequate and reliable to meet their restrictive measures obligations. This includes ensuring they have the necessary resources to effectively utilise the chosen system.
Establish accurate screening datasets: CASPs must establish the dataset to be screened against restrictive measures adopted by the EU under EU Treaties and, where applicable, national restrictive measures. The data must be accurate, up-to-date, and detailed enough to identify if a party to the transfer, their beneficial owner, or any authorized representative is subject to restrictive measures. CASPs' internal systems should ensure this dataset is promptly updated whenever a new restrictive measure comes into force, or an existing measure is updated or lifted.
Frequency and triggers: CASPs should regularly screen their entire customer database and determine the frequency of these screenings, including appropriate trigger events, based on their assessment of exposure to restrictive measures. The EBA Guidelines outline the minimum customer information that should be screened. The screening process should include:
- Verifying whether a person, entity, or body is designated;
- Managing the risks of violating restrictive measures; and
- Managing the risks of circumventing restrictive measures.
CASPs should screen all crypto-asset transfers before making them available to the beneficiary, regardless of whether the transfer is part of a business relationship or a one-off transaction. The EBA Guidelines outline the minimum data that must be screened to determine if a transaction is subject to applicable restrictive measures.
CASPs must establish internal policies and procedures to freeze crypto-asset transfers when an internal analysis confirms that the alert matches a designated person or entity, or is owned, held, or controlled by a designated person.
Responsibilities in Outsourced Screening: When CASPs plan to outsource screening activities, the EBA Guidelines outline the key principles that should govern these outsourcing arrangements. However, the ultimate responsibility for complying with restrictive measures remains with the CASP.
Unified implementation of restrictive measures
The new guidelines reflect the EBA's initiative to address broader governance and risk management issues within financial institutions, promoting a unified and effective implementation of restrictive measures across the EU.
The importance of compliance and mitigating risks
Failure to comply with restrictive measures can lead to serious legal, financial, and reputational repercussions for financial institutions, potentially destabilising the EU's financial system. By introducing common standards, these guidelines aim to mitigate such risks, offering clarity and consistency for both institutions and their supervisory authorities.
Vivien Davies, Fieldfisher's Head of Sanctions emphasises the importance of these new guidelines:
"The new guidelines underline the renewed focus on the efficacy of sanctions, particularly against Russia. They seek to ensure financial institutions and payment service providers do not unwittingly become conduits for evasion or circumvention, encouraging a review of standard compliance and AML practices to ensure they are fit for the specific challenges sanctions bring".
If you require any assistance with UK sanctions compliance, please get in touch with Vivien Davies in our market leading sanctions team or your usual Fieldfisher contact.