The EBA issues final guidance on internal policies, procedures and controls to ensure the implementation of Union and national sanctions

The European Banking Authority (EBA) today published two sets of final Guidelines that, for the first time, set common EU standards on the governance arrangements and the policies, procedures and controls financial institutions should have in place to be able to comply with Union and national restrictive measures.

Weaknesses in internal policies, procedures and controls expose financial institutions to legal, reputational risks, and undermine the effectiveness of the EU's restrictive measures regimes, leading to potential circumvention and affect the stability and integrity of the EU's financial system.

The first set of Guidelines is addressed to all institutions within the EBA's supervisory remit. They include provisions that are necessary to ensure that financial institutions' governance and risk management systems are sound and sufficient to address the risk that they might breach or evade restrictive measures.

The second set of Guidelines is specific to payment service providers (PSPs) and crypto-asset service providers (CASPs) and specify what PSPs and CASPs should do to be able to comply with restrictive measures when performing transfers of funds or crypto-assets.

Legal basis and Background

In July 2021, the European Commission issued a legislative package with four proposals to reform the EU's legal and institutional anti-money laundering and countering the financing of terrorism (AML/CFT) framework. The legislative package included a proposal for a new Regulation (EU) on information accompanying transfers of funds and certain crypto-assets. This Regulation (EU) 2023/1113 was adopted on 9 June 2023 and applies from 30 December 2024.

Article 23 of this Regulation requires the EBA to issue guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures when performing transfers of funds and crypto-assets under this Regulation.

The EBA complements the Guidelines under Regulation (EU) 2023/1113 with own-initiative Guidelines to address wider internal controls and risk management issues, based on Articles 74 of Directive 2013/36/EU, 11(4) of Directive (EU) 2015/2366 and 3(1) of Directive (EC) 2009/110/EC. These Guidelines clarify how restrictive measures policies and procedures interact with financial institutions' wider governance and risk management frameworks, to avoid operational and legal risks for financial institutions and ensure an effective implementation of restrictive measures.

The deadline for competent authorities to report whether they comply with the Guidelines will be two months after the publication of the translations into the official EU languages. The amending Guidelines will apply from 30 December 2025.

Guidelines Final and awaiting translation into the EU official languages

Topic