
EBA ¦ Guidelines to ensure the Implementation of Union and National Restrictive Measures
EBA Guidelines on Internal Policies, Procedures and Controls to Ensure the Implementation of Union and National Restrictive Measures
Introduction to the Guidelines
On November 14, 2024, the European Banking Authority (EBA) finalized two essential sets of guidelines aimed at standardizing how financial institutions and payment service providers (PSPs) comply with Union and national restrictive measures. These measures are critical in enforcing sanctions and other financial restrictions that support EU values, international peace, security, democracy, and human rights. Due to inconsistencies across Member States regarding supervisory expectations, these guidelines seek to harmonize internal policies and controls to ensure effective compliance throughout the EU financial sector. The guidelines emphasize reducing legal and reputational risks while ensuring legitimate customers are not unfairly impacted.
Background and Rationale for the Guidelines
The necessity for these guidelines stems from the recognition that the enforcement of restrictive measures across the EU lacks uniformity. This uneven implementation exposes financial institutions to various risks, including potential criminal penalties for breaches, reputational harm, and operational disruptions. Moreover, divergent supervisory approaches make it difficult for institutions to adopt consistent and effective compliance frameworks. The European Commission’s legislative reforms, such as Regulation (EU) 2023/1113 and Directive (EU) 2024/1226, mandate stricter controls on transfers of funds and crypto-assets to combat money laundering and terrorism financing while ensuring restrictive measures are respected. However, these regulations do not specify how institutions should organize their internal controls. The EBA’s guidelines fill this gap by providing a comprehensive framework for governance, risk assessment, screening, and reporting that addresses the complexities of restrictive measures implementation.
Overview of the Two Sets of Guidelines
The EBA issued two complementary sets of guidelines to address different sectors within the financial industry.
The first set, EBA/GL/2024/14, targets all financial institutions within EBA’s supervisory remit under various EU directives. It focuses on establishing robust governance frameworks, conducting risk exposure assessments, and maintaining adequate policies and controls proportionate to each institution’s exposure to restrictive measures.
The second set, EBA/GL/2024/15, specifically addresses payment service providers and crypto-asset service providers. This set details operational requirements for screening systems, due diligence on alerts, freezing of funds or crypto-assets, and reporting obligations.
Both sets emphasize proportionality relative to the institution’s size, complexity, and risk profile while demanding thorough compliance with applicable restrictive measures.
Governance Framework and the Role of Management
A core principle of the guidelines is that the management body of each institution assumes ultimate responsibility for ensuring compliance with restrictive measures. They must approve the compliance strategy and oversee its implementation through sound policies and controls. Every member of the management body should be aware of the institution’s exposure to restrictive measures and vulnerabilities to circumvention. In cases where a single person directs business operations, they may delegate supervisory functions to a senior manager. For groups comprising multiple entities, the parent company’s management body must coordinate exposure assessments and compliance efforts across subsidiaries to ensure consistency while respecting legal boundaries. The guidelines also require appointing a senior staff member responsible for restrictive measures compliance who possesses sufficient expertise and authority to implement policies effectively and report directly to the management body.
Conducting Restrictive Measures Exposure Assessments
The guidelines mandate that financial institutions undertake comprehensive exposure assessments to determine which parts of their business are vulnerable to restrictive measures non-compliance or circumvention. This assessment covers geographic risks such as operating jurisdictions known for sanctions evasion, customer-related risks including beneficial ownership links to sanctioned entities, product and service risks based on their nature and complexity, and delivery channel risks involving intermediaries or correspondent relationships that may obscure transaction transparency. These assessments must draw from diverse sources like customer due diligence data, intelligence from supervisory authorities and law enforcement, open-source information, and commercial risk reports. Institutions are required to review and update their assessments at least annually or whenever significant changes occur in regulatory regimes or business activities.
Screening Systems and List Management
For PSPs and CASPs, an effective screening system is vital for identifying individuals or entities subject to restrictive measures before processing transfers of funds or crypto-assets. The choice of screening system should be informed by the institution’s exposure assessment and tailored to its operational complexity. Systems must be regularly reviewed at least once a year or when concerns arise about their effectiveness. List management procedures require immediate updating of internal datasets upon adoption or modification of restrictive measures. Institutions must define which data elements — such as names, dates of birth, beneficial ownership details, wallet addresses — are screened against authoritative restrictive measures lists. To reduce false positives while maintaining accuracy, calibration techniques such as fuzzy matching algorithms should be applied prudently.
Customer and Transaction Screening Procedures
PSPs and CASPs should perform regular screening not only of all customers but also of all relevant parties involved in transfers of funds or crypto-assets. Screening must occur at onboarding and again whenever it is triggered by events such as changes in customer data or updates to restrictive measures lists. For transactions, screening extends beyond sender and recipient names to include transaction details such as originator/beneficiary information, purpose codes, intermediaries involved, and any relevant free-text fields that provide context about goods or services linked to sectoral sanctions. The guidelines acknowledge some technical limitations in real-time screening for crypto-assets but emphasize best efforts, including blockchain analysis where feasible. Institutions are encouraged to implement procedures that minimize delays while ensuring thorough due diligence.
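To make the screening and calibration points above concrete, here is an added illustration (not code from the EBA or from any vendor screening product) of name screening against a restrictive measures list: names are normalized before comparison, a fuzzy similarity score is compared against a configurable threshold, and each alert records the list identifier, score and a date-of-birth check so that an analyst has the secondary data needed for review. The list entries, the threshold value and the `screen` function name are constructed assumptions for the example.

```python
import re
import unicodedata

# Constructed sample list entries for illustration only; not real designations.
SAMPLE_LIST = [
    {"id": "EX-0001", "name": "Ivan Petrov", "dob": "1970-05-12"},
    {"id": "EX-0002", "name": "Maria Garcia-Lopez", "dob": None},
]


def normalize(name):
    """Strip diacritics, punctuation and case, and sort tokens, so that
    'Petróv, Ivan' and 'ivan petrov' compare equal."""
    ascii_only = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", ascii_only.lower())
    return " ".join(sorted(tokens))


def levenshtein(a, b):
    """Classic edit distance, used as the fuzzy-matching primitive."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a, b):
    """Similarity in [0, 1] between two normalized names (1.0 = identical)."""
    na, nb = normalize(a), normalize(b)
    if not na or not nb:
        return 0.0
    return 1 - levenshtein(na, nb) / max(len(na), len(nb))


def screen(subject_name, subject_dob=None, threshold=0.85, entries=SAMPLE_LIST):
    """Return one alert per list entry whose name similarity meets the threshold.
    The threshold is the calibration knob: lower it and more spelling variants
    alert (fewer misses, more false positives); raise it for the reverse."""
    alerts = []
    for entry in entries:
        score = similarity(subject_name, entry["name"])
        if score < threshold:
            continue
        dob_check = "n/a"  # secondary attribute recorded for the analyst, not used to filter
        if subject_dob and entry["dob"]:
            dob_check = "match" if subject_dob == entry["dob"] else "mismatch"
        alerts.append({"list_id": entry["id"], "score": round(score, 3),
                       "dob": dob_check, "disposition": "review"})
    return alerts
```

Running `screen("Ivan Petrow")` with the default threshold raises an alert for the spelling variant, while `threshold=0.95` suppresses it, which is the false-positive trade-off the guidelines ask institutions to calibrate deliberately.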
Alert Handling and Due Diligence Measures
When screening generates alerts indicating potential matches with designated persons or entities under restrictive measures, institutions must promptly investigate these alerts through clearly defined policies. Alert analysis requires skilled personnel who can access additional information beyond initial screening data to verify or dismiss matches accurately. Different levels of review may be established depending on risk exposure; higher-risk situations typically require multiple reviewers. If uncertainty remains after additional checks, institutions should refrain from providing services until resolution is achieved. Detailed documentation of alert decisions is mandatory both for internal control purposes and regulatory oversight.
Freezing Funds or Crypto-assets and Reporting Obligations
Upon confirming a true positive match with a designated person or entity subject to restrictive measures, PSPs must immediately freeze corresponding funds and suspend transfer executions to prevent unauthorized transactions. CASPs are required to block crypto-assets in suspense accounts pending instructions from competent national authorities. Institutions must have clear procedures for reporting these actions without delay or within specified timelines as mandated by applicable laws. Reporting includes notifying authorities about violations, suspicious activities indicating possible circumvention attempts, and any failures or malfunctions in screening systems that could lead to breaches. Cooperation with competent authorities is essential throughout investigations.
Training Programs for Staff
To maintain effective compliance with restrictive measures regimes, institutions must provide ongoing training tailored to employees’ specific roles. Training content should cover applicable restrictive measures regimes, findings from exposure assessments, internal policies for compliance, alert handling procedures, and updates on regulatory changes. Documentation of training plans is required to demonstrate adequacy and effectiveness upon request by supervisory authorities. Within groups, parent companies may coordinate or deliver training programs centrally.
Interaction with Other Regulatory Frameworks
These guidelines complement existing EBA guidelines addressing anti-money laundering/counter-terrorism financing (AML/CFT), internal governance, outsourcing arrangements, ICT risk management, and information requirements related to transfers of funds and crypto-assets (Travel Rule). They align with new regulations such as Regulation (EU) 2024/886 on instant credit transfers in euro (SEPA Regulation) and Regulation (EU) 2024/1624 on AML prevention, which enters into force in July 2027. Amendments will follow after 2027 to reflect evolving regulatory requirements, especially those pertaining to targeted financial sanctions.
Impact Assessment and Public Consultation Feedback
The impact assessment conducted by the EBA concluded that while implementing these guidelines will incur costs related primarily to IT upgrades, staffing, training, and process adjustments, these are outweighed by substantial benefits, including reduced legal risks and enhanced alignment across Member States. Public consultation revealed strong support for harmonized standards but also highlighted concerns over proportionality for smaller institutions and clarity regarding roles such as the senior staff member responsible for compliance. Feedback also emphasized the importance of aligning with evolving regulations on instant payments and AML frameworks, while requesting flexibility in screening frequency and alert handling procedures.
Conclusion
The EBA’s guidelines represent a significant step toward harmonizing how financial institutions across the EU implement Union and national restrictive measures. By requiring sound governance structures, rigorous risk assessments, effective screening methods, diligent alert handling, prompt freezing/reporting actions, and comprehensive staff training, these guidelines aim to strengthen compliance frameworks uniformly across Member States. Effective implementation will protect the EU’s financial system integrity while safeguarding legitimate customer interests. These guidelines take effect from December 30, 2025, with anticipated updates following AML regulatory changes in 2027.
Dive deeper
- EBA ¦ EBA/GL/2024/14 Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures