Ruling [CJEU] ¦ EU Court Limits Member States’ Ability to Tie Corporate AML Penalties to Individual Guilt

A landmark ruling on legal person liability under the AML framework

On 29 January 2026, the Court of Justice of the European Union delivered an important judgment in Case C‑291/24 concerning the enforcement of anti‑money laundering obligations against financial institutions. The ruling clarifies how Member States may attribute AML breaches to legal persons and draws a clear line between corporate liability and the individual liability of managers or employees. The case arose from administrative penalty proceedings brought by the Austrian Financial Market Authority (FMA) for failures in customer due diligence (CDD). The Austrian Federal Administrative Court asked whether national rules that effectively require the prior prosecution and formal conviction of an identified natural person are compatible with Directive (EU) 2015/849.

Background of the dispute

Austrian law transposing the EU AML Directive allows fines to be imposed on legal persons where AML obligations are breached for their benefit by individuals in leading positions or where failures of supervision make such breaches possible. However, Austrian administrative case‑law adds further conditions. Before a company can be fined, a specific natural person must be treated as an accused party, named in the operative part of the decision, and found to have acted unlawfully and culpably. Only then can that conduct be attributed to the legal person.

The referring court questioned whether these additional requirements undermine the effectiveness and deterrent effect of AML enforcement, especially given the complexity of financial crime cases and relatively short limitation periods.

Bastian Schwind-Wagner _Follow

"The Court’s judgment confirms that corporate AML liability under EU law stands independently from the personal liability of managers or employees. By rejecting national rules that make fines conditional on prior individual guilt, the Court reinforces the effectiveness and deterrent force of AML enforcement.

At the same time, the ruling respects Member States’ procedural autonomy by accepting reasonable limitation periods. Together, these findings strengthen supervisory action against financial institutions while preserving legal certainty within national systems."

The Court’s interpretation of Directive 2015/849

The Court recalled that the primary objective of Directive 2015/849 is preventive. It seeks to protect the integrity of the EU financial system through effective and dissuasive measures against money laundering (ML) and terrorist financing (TF). Obligations under the directive apply directly to obliged entities, including credit institutions as legal persons.

According to the Court, nothing in Article 58 or Article 59 of the directive suggests that a legal person’s liability depends on the prior establishment of a natural person’s liability. Articles 60(5) and 60(6) merely define whose acts or omissions may trigger corporate liability. They do not require that those individuals be formally prosecuted or found guilty before a sanction can be imposed on the company.

The Court stressed that making corporate penalties conditional on the prior identification, prosecution, and culpability finding of an individual would risk weakening enforcement. Such a system could make sanctions less effective and less dissuasive, particularly in complex AML cases where responsibility is diffused or difficult to pinpoint.

Comparison with GDPR enforcement

The judgment explicitly aligns anti-money laundering (AML) enforcement with the Court’s earlier reasoning under the General Data Protection Regulation (GDPR). In that case, the Court rejected national rules that made fines for companies dependent on an infringement being attributed to a specific individual beforehand. The same logic applies in the AML context, despite differences between the two regulatory frameworks.

This confirms a broader EU approach to administrative sanctions. Corporate liability is autonomous and does not depend on the procedural fate of individual managers or employees, even though Member States remain free to sanction individuals in parallel.

Limitation periods remain a national matter

On limitation periods, the Court reached a different conclusion. It confirmed that, in the absence of EU rules, Member States retain procedural autonomy, subject to the principles of equivalence and effectiveness.

Limitation periods of three years to initiate proceedings and five years to impose penalties were considered, in principle, compatible with EU law. The Court found no indication that such time limits make enforcement practically impossible or excessively difficult. As a result, Austrian rules on limitation periods were not precluded by the directive.

Practical impact for financial institutions and regulators

The ruling has significant implications for AML enforcement across the EU. Member States may not shield legal persons from liability by requiring the prior prosecution or formal culpability of individuals. Regulators can proceed directly against institutions where AML obligations are breached, provided the conditions in the directive are met.

For financial institutions, the message is clear: Corporate responsibility for AML compliance stands on its own. Internal governance failures, weak supervision, or misconduct by senior staff can lead to substantial penalties, even if no individual manager is ultimately sanctioned.

At the same time, the Court confirmed that reasonable limitation periods remain acceptable, offering some legal certainty. The overall effect of the judgment is to strengthen the effectiveness of EU AML enforcement while preserving national procedural autonomy where it does not undermine EU objectives.

Dive deeper

• InfoCuria ¦ Case C-291/24 ¦ Link
• EUR-Lex ¦ Case C-291/24, Judgment of the Court (Fourth Chamber) of 29 January 2026 ¦ Link
• EUR-Lex ¦ Directive (EU) 2015/849 ¦ Link