
EBA Guidelines on the Implementation of EU and National Sanctions Measures

#rethinkcompliance Blog | Post from 21.07.2025

EBA Guidelines on Sanctions: New Obligations for Financial Institutions from 30 December 2025

On 14 November 2024, the European Banking Authority (EBA) published new guidelines setting out clear requirements for financial institutions to implement restrictive measures (sanctions) imposed by the EU and its Member States. Guidelines EBA/GL/2024/14 and EBA/GL/2024/15 will enter into force on 30 December 2025 and aim to ensure a consistent, risk-based approach to sanctions compliance – a task that is becoming increasingly important in light of geopolitical tensions and growing regulatory requirements.

Responsibility of the Management Body: Governance Starts at the Top

At the heart of the guidelines is the accountability of the management body. It must not only approve a sanctions implementation strategy but also monitor its effective implementation and execution. This responsibility goes beyond formal endorsement – the management body is expected to actively steer the implementation and ensure it is regularly reviewed for effectiveness.

Another core element is the appointment of a responsible senior manager who ensures operational execution and compliance with sanctions regimes and requirements. In practice, this role is often assigned to the money laundering reporting officer (MLRO) or the compliance officer, depending on the institution’s setup and risk profile. It is expected that comparable requirements will be included in the upcoming EU Money Laundering Directive from July 2027.

New Risk Analysis: A Supplement to the Traditional AML Risk Assessment and Analysis

Particular focus is placed on the introduction of an institution-specific risk analysis with regard to sanctions risks. This analysis must be prepared in addition to the existing money laundering risk analysis, updated at least annually and reviewed in the event of significant changes (e.g. geopolitical developments, new business areas or customer portfolios).

Specifically, the following risk dimensions must be assessed:

  • Geographical risks (e.g. business relationships with high-risk countries)
  • Customer risks (e.g. beneficial owners with links to sanctioned countries)
  • Product and distribution channel risks (e.g. payment systems with cross-border links)

Requirements for Screening Systems: More Than Just Technology

The EBA also emphasises the importance of screening systems that are fit for purpose and tailored to the institution’s risk profile. In addition to appropriate calibration, the ability to identify reliable hits is required.

Financial institutions are required to:

  • screen all customers and transactions,
  • analyse hit reports promptly,
  • take immediate action on confirmed hits,
  • report suspicious cases to the competent authorities.

In addition, institutions must regularly review and document the performance of their systems, especially regarding the timely integration of sanctions list updates, which must be implemented immediately upon entry into force. Credit institutions are already required to regularly review the adequacy, suitability and functionality of the data processing systems and software systems they use in accordance with BaFin's interpretation and application guidelines BT section 6 (AML/CFT).

Operational Implementation: Governance, Processes and Documentation

The practical implementation of the guidelines requires a structured, systematic approach across several dimensions:

  • Governance structure: Establish a clear accountability framework, including reporting lines and escalation procedures.
  • Risk analysis: Integrate the sanctions risk analysis into existing risk management systems and coordinate it closely with the AML framework.
  • Control systems: Design risk-based controls tailored to business lines, customer segments, and products.
  • Documentation: Ensure full traceability of all measures – from risk assessment and screening to suspicious activity reporting (SAR).

Conclusion: Sanctions Compliance Becomes a Top Priority

The new EBA guidelines may not be revolutionary, but they significantly raise the bar in terms of structural and procedural requirements. In particular, the institutionalised risk analysis, the clear allocation of responsibilities, and the technically and organisationally sound design of the screening framework reflect a new level of regulatory expectations and requirements.

Financial institutions are well advised to engage early, evaluate existing structures, and make necessary adjustments. Because one thing is clear: failure to comply with or inadequate implementation of sanctions requirements can have significant consequences, not only in terms of regulatory compliance.

View the official EBA Guidelines (PDF)

Author

Iris Jacob

Lead Business Consultant

Extensive Expertise in Anti-Financial Crime and Regulatory Compliance | 39 Years of Experience Across Banks, Savings Banks, and Specialized Financial Institutions | Leadership in AML Functions, Development and Implementation of Compliance Programs, and Establishment of Effective Control Systems for National and International Institutions