
      The EBA Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures set the standard for financial institutions to demonstrate their compliance with sanctions regulation.

      With these Guidelines, the EU aims to harmonise the divergent regulatory expectations across its Member States and, together with the sanctions-specific requirements introduced by the AML Regulation, establish a Single European Rulebook for sanctions compliance.

      The Guidelines will apply as of December 30, 2025. Financial institutions must act now to ensure they comply with the new requirements and prepare themselves for the upcoming changes introduced by the Single European Rulebook.

      Niclas-Andreas Mueller

      Director, KPMG AMLA Office

      KPMG in Ireland


      Establishing a common EU standard

      EU restrictive measures, or sanctions, are a tool under the Common Foreign and Security Policy to uphold international law, fight terrorism and tackle the proliferation of weapons. 

      Sanctions most commonly consist of assets freezes, travel bans, and the prohibition to make funds and economic resources available to listed entities or individuals. All individuals and entities operating in the Union, as well as EU citizens and companies operating outside the Union must comply with EU sanctions.

      The recent adoption of the 19th sanctions package against Russia is the latest in a series of measures taken against the state in response to its actions in Ukraine. With almost 20 packages in less than four years, the EU’s sanctions regime against Russia aptly represents the complex and dynamic environment companies find themselves in when trading their goods and services internationally. This also applies to financial institutions that enable this trade with offerings such as export finance or currency exchange services.

      Although sanctions are set at the Union level, there are significant differences in the way national competent authorities expect financial institutions to comply. These divergent expectations make it difficult for financial institutions to adopt an effective approach, exposing them to legal and reputational risks, and bearing the potential to undermine the implementation of the EU’s restrictive measures regime.

      To address these challenges, the European Banking Authority (EBA) has, on November 14, 2024, issued two sets of Guidelines that set a common EU standard on the governance arrangements and the policies, procedures and controls that financial institutions should have in place to be able to comply with restrictive measures.

      With these Guidelines, sanctions compliance moves from a strict liability regime, under which institutions were penalised only for actual breaches of restrictive measures, to a procedural regime that focuses on mitigating the risk of non-implementation or circumvention through appropriate and effective policies, procedures and controls. 

      As a result, institutions may in the future be penalised for non-compliance with the expectations set out in these Guidelines. Financial institutions should take this opportunity to review their existing capabilities and redesign their operating model to adapt to the changing regulatory environment.


      Guidelines on structural elements of sanctions compliance

      The first set of Guidelines is addressed to all financial institutions. It contains provisions that are necessary to ensure that governance and risk management systems are sound and sufficient to address the risk of breaches or evasion of restrictive measures. The key elements of these Guidelines are:


      • Financial institutions should put in place a governance framework to ensure that policies, procedures and controls for the implementation of restrictive measures are adequate and implemented effectively.

      • The management body should be responsible for approving the financial institution’s strategy for compliance with restrictive measures and for overseeing its (group-wide) implementation.

      • Financial institutions should also appoint a senior staff member (at group level) with responsibility for designing, implementing and maintaining the institution’s policies, procedures and controls, exposure assessment, and management information system, and for reporting all violations of restrictive measures to the national competent authority. This role may be assigned to a senior staff member who already has other duties, such as the head of AML/CFT or the chief compliance officer. 

      • Financial institutions should conduct a (group-wide) assessment to understand the extent to which each area of their business is exposed to restrictive measures and vulnerable to their circumvention. The assessment should enable the institution to identify and assess the restrictive measures regimes applicable to them, the likelihood of non-implementation or circumvention of restrictive measures, and the impact of sanctions breaches.

      • Financial institutions should document their methodology for conducting and reviewing this assessment as well as its outcome.

      • The restrictive measures exposure assessment should be reviewed at least annually. Certain events, such as the adoption of new restrictive measures or the introduction of new products, delivery channels, or geographical areas, may require the institution to perform an ad hoc review of its assessment. 

      • A financial institution should be able to fully and properly implement all applicable restrictive measures without delay.

      • To achieve this objective, its policies, procedures and controls should ensure, among other things, that the institution has up-to-date information on the applicable restrictive measures, updates its screening lists as soon as new restrictive measures enter into force, investigates all potential matches without delay, and responds to confirmed matches with appropriate actions, such as freezing funds and submitting a report to the national competent authority.

      • Financial institutions should provide training to all staff members on a regular basis to ensure that they are aware of the applicable restrictive measures, the outcome of the exposure assessment, and the policies, procedures and controls to comply with applicable restrictive measures.


      Guidelines on specific elements of sanctions compliance for the transfer of funds or crypto assets

      The second set of Guidelines is specific to payment service providers (PSPs) and crypto-asset service providers (CASPs) and specifies what these firms should do to be able to comply with restrictive measures when performing transfers of funds or crypto assets.

      They aim to help firms identify subjects of restrictive measures, to ensure they do not make funds or crypto-assets available to such subjects, or carry out transactions prohibited by sanctions, and to enable firms to manage their risks of circumvention. The key elements of these Guidelines are:


      • PSPs and CASPs should put in place an effective screening system to reliably identify targets of restrictive measures. The Guidelines include provisions for the choice and calibration of the screening system, the approach to list management, the determination of the data set, transactions and customers to be screened, and the rules around outsourcing to third parties.

      • PSPs and CASPs should select the screening system based on the result of their exposure assessment and continuously monitor its performance. Firms should also determine how to (periodically) calibrate the settings of their screening system to maximise alert quality while ensuring compliance with restrictive measures.

      • Customers should be screened regularly with the frequency determined by the exposure assessment. Screening should also take place when specific trigger events occur, such as the onboarding of a new customer or a significant change to an existing customer’s data. While whitelisting customers is permitted to avoid repeated false alerts, such decisions must be documented and reviewed upon the introduction of new sanctions or the change of customer information.

      • Transactions should be screened before their execution with CASPs additionally being encouraged to consider the incorporation of blockchain analysis technology into their existing transaction monitoring framework.

      • PSPs and CASPs should have in place policies and procedures to investigate alerts in relation to restrictive measures, particularly for the treatment of cases where it is not possible to conclude an unambiguous determination of the potential match.

      • PSPs and CASPs should also set out in their policies and procedures how they will assess whether a legal person or entity is owned or controlled by a listed person or entity and consider engaging with the national competent authority in case of inconclusive assessments.

      • Additionally, PSPs and CASPs should implement controls and due diligence measures to comply with sectoral restrictive measures, such as geolocation tools and tools to detect the use of proxy services, as well as due diligence measures to detect attempts to circumvent restrictive measures, e.g. by omitting or altering information in payment messages or by concealing the beneficial ownership or control of assets.

      • The Guidelines outline provisions for suspending the execution of transfers and the freezing of funds or crypto assets, the applicable reporting requirements, the appropriate handling of exemptions or derogations, and the approach to handling funds or crypto assets following the lifting of sanctions.

      • A PSP’s or CASP’s policies, procedures and systems should ensure, among other things, that the firm reliably detects positive matches and responds to confirmed matches with appropriate actions, such as blocking the transfer, freezing the funds, and submitting a report to the national competent authority.

      • PSPs and CASPs should regularly test their screening system settings, including, among other things, the system’s calibration, the accuracy of the list management, the complete and accurate scoping of the data set, transactions and customers to be screened, and the adequacy of the resourcing available for alert analysis and reporting.
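      The following Python sketch is an added illustration, not text from the EBA Guidelines and not a KPMG or vendor product. It shows, in testable form, three of the mechanics the bullets above describe: fuzzy name screening with a single similarity threshold as the calibration setting, a documented whitelist decision that stops applying as soon as the screening list version or the customer's own data changes, and a calibration run over an investigated sample that exposes the trade-off between false alerts and missed matches. The list entry, identifiers, customers and labels are constructed; the use of difflib similarity, the corporate-suffix list and the threshold values are assumptions chosen for the example, and a production screening system would use purpose-built matching rather than difflib.

```python
"""Added illustration of sanctions-screening mechanics (constructed data, assumed matching method)."""
import hashlib
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

# Assumed corporate-form tokens ignored during matching (constructed list, not from the Guidelines).
SUFFIXES = {"ltd", "limited", "llc", "inc", "plc", "sa", "ag", "gmbh", "ooo", "oao"}


def normalise(name: str) -> str:
    """Fold case and accents, drop punctuation and corporate suffixes before comparing names."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c)).lower()
    s = s.replace(".", "")  # keep dotted abbreviations such as O.O.O. as one token
    s = "".join(c if c.isalnum() else " " for c in s)
    return " ".join(t for t in s.split() if t not in SUFFIXES)


@dataclass(frozen=True)
class ListEntry:
    entry_id: str
    name: str
    aliases: tuple = ()


@dataclass(frozen=True)
class Hit:
    entry_id: str
    score: float


def score(candidate: str, entry: ListEntry) -> float:
    """Best similarity of the candidate against the entry's primary name and its aliases."""
    cand = normalise(candidate)
    return max(SequenceMatcher(None, cand, normalise(n)).ratio()
               for n in (entry.name, *entry.aliases))


def screen(name: str, entries: list, threshold: float) -> list:
    """Every list entry scoring at or above the calibration threshold, best score first."""
    hits = [Hit(e.entry_id, s) for e in entries if (s := score(name, e)) >= threshold]
    return sorted(hits, key=lambda h: -h.score)


@dataclass(frozen=True)
class WhitelistDecision:
    """Documented false-positive decision, pinned to the list version and customer data it relied on."""
    customer_id: str
    entry_id: str
    list_version: str
    customer_fingerprint: str
    rationale: str


def customer_fingerprint(customer: dict) -> str:
    canonical = "|".join(f"{k}={customer[k]}" for k in sorted(customer))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def whitelist_applies(decision: WhitelistDecision, customer: dict, current_list_version: str) -> bool:
    """The decision lapses when new restrictive measures (a new list version) or new customer data arrive."""
    return (decision.list_version == current_list_version
            and decision.customer_fingerprint == customer_fingerprint(customer))


def screen_customer(customer: dict, entries: list, threshold: float,
                    decisions: list, list_version: str) -> list:
    """Screening hits for a customer, minus entries covered by a still-valid whitelist decision."""
    live = {d.entry_id for d in decisions
            if d.customer_id == customer["id"] and whitelist_applies(d, customer, list_version)}
    return [h for h in screen(customer["name"], entries, threshold) if h.entry_id not in live]


def calibrate(labelled: list, entries: list, thresholds: tuple) -> dict:
    """(true positives, false positives, missed matches) per threshold over an investigated sample."""
    out = {}
    for th in thresholds:
        tp = fp = fn = 0
        for name, is_target in labelled:
            alerted = bool(screen(name, entries, th))
            tp += int(alerted and is_target)
            fp += int(alerted and not is_target)
            fn += int(not alerted and is_target)
        out[th] = (tp, fp, fn)
    return out


# Constructed screening list: fictitious name, alias and identifier.
LIST_V1 = "2025-11-01"
ENTRIES = [ListEntry("X-0001", "Example Trading OOO", ("Primer Treyding",))]

# Constructed, investigated sample: True = confirmed target, False = confirmed false positive.
LABELLED = [
    ("EXAMPLE TRADING O.O.O.", True),
    ("Primer Treyding Ltd", True),
    ("Exampl Tradng", True),
    ("Exampel Trading", False),
    ("Northwind Bakery", False),
]

if __name__ == "__main__":
    for th, (tp, fp, fn) in calibrate(LABELLED, ENTRIES, (0.95, 0.90)).items():
        print(f"threshold {th}: tp={tp} fp={fp} missed={fn}")
    customer = {"id": "C-1001", "name": "Exampel Trading", "country": "IE"}
    decision = WhitelistDecision("C-1001", "X-0001", LIST_V1, customer_fingerprint(customer),
                                 "Distinct company; registry extract on file")
    print(screen_customer(customer, ENTRIES, 0.90, [decision], LIST_V1))       # []
    print(screen_customer(customer, ENTRIES, 0.90, [decision], "2025-11-15"))  # X-0001 re-raised
```

      Run as a script, the calibration loop shows why a single threshold has to be chosen deliberately and retested: at 0.95 the sample yields no false alert but misses the misspelt target "Exampl Tradng", while at 0.90 it catches every target at the cost of one false alert on the look-alike "Exampel Trading". The whitelist part shows the review trigger in the bullet on customer screening: the same documented decision silences the look-alike under list version 2025-11-01, but the alert comes back as soon as the list version or the customer's recorded data changes, so the decision has to be re-examined rather than silently carried forward.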


      Towards a Single European Rulebook for sanctions compliance

      Under the EBA’s comply-or-explain approach, the Central Bank of Ireland (CBI) confirmed on July 24, 2025 that it complies with the Guidelines, making them applicable to financial institutions in Ireland. The Guidelines will apply from December 30, 2025.

      Firms should assess their readiness to comply with the new requirements ahead of this date and urgently take any remedial actions required to uplift their existing policies, procedures, and controls.

      The Anti-Money Laundering (AML) Regulation, adopted in May 2024, sets out the future requirements on business-wide risk assessments, internal policies, procedures and controls, and customer due diligence measures to ensure the implementation of targeted financial sanctions. It empowers the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) to issue, by July 10, 2026, standards and guidelines to further specify these obligations. 

      The AML Regulation covers only targeted financial sanctions, a subset of Union restrictive measures comprising asset freezes and prohibitions on making funds or other assets available to listed persons and entities.

      By contrast, restrictive measures under the EBA Guidelines include all Union restrictive measures as well as national restrictive measures adopted by Member States in compliance with their national legal order to the extent that they apply to financial institutions. Firms should clearly delineate between these scopes ahead of the Regulation’s date of application on July 10, 2027, and demonstrate compliance with the respective requirements.


      How can KPMG help?


      • Exposure assessment

        KPMG can help you stand up a methodology for your organisation’s restrictive measures exposure assessment, execute the assessment and document its results.

      • Policies, procedures and controls

        KPMG can help you design, test and implement your policies, procedures and controls to ensure full compliance with restrictive measures along the entire customer and transaction lifecycle.

      • Systems and Analytics

        KPMG can help you configure and calibrate your existing screening system and introduce a layer of data analytics to provide full transparency over your system and operational performance.

      • Remediation

        KPMG can help you design and implement remedial actions to close out gaps in your existing sanctions compliance framework and provide temporary resources to cover spikes in alert volumes driven by system changes.

      • Managed service

        KPMG can take on the servicing of your organisation’s sanctions compliance risk operations, including alert investigation and reporting to allow your staff to focus on high-value activities, such as risk intelligence and business advisory.

      • Assurance testing

        KPMG can provide assurance over the compliance of your framework with applicable legal and regulatory requirements, identifying potential gaps and giving actionable recommendations based on our regulatory expertise and knowledge of industry best practices.


      Get in touch

      The new guidelines under the Single European Rulebook will soon take effect, and financial institutions must act now to stay compliant. 

      Don’t wait until the deadline - reach out to our team today to discuss what these changes mean for your organisation and how we can help you prepare. 

      Let’s discuss how to best safeguard compliance and stay ahead of regulatory requirements.

      Ian Nelson

      Head of Regulatory, Head of Financial Services

      KPMG in Ireland

      Patrick Farrell

      Partner, Head of Advisory Markets

      KPMG in Ireland

      Niamh Lambe

      Managing Director, Risk and Regulatory Consulting

      KPMG in Ireland

      Niclas-Andreas Mueller

      Director, KPMG AMLA Office

      KPMG in Ireland

