2025-08-18
Added · Updated
The CSSF has adopted the European Banking Authority's guidelines to standardize internal policies, procedures, and controls for implementing Union and national restrictive measures. These requirements mandate that credit institutions, financial institutions, payment service providers, and crypto-asset service providers establish robust governance, conduct regular exposure assessments, and implement effective screening systems to prevent sanctions circumvention. The guidelines become applicable on 30 December 2025, requiring institutions to freeze assets and report matches immediately while ensuring proportionate compliance frameworks.
Circular CSSF 25/896 Adoption of the EBA guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures (sanctions)
CIRCULAR CSSF 25/896 Adoption of the EBA guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures 2/6 Circular CSSF 25/896 Adoption of the EBA guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures (sanctions) To all credit and financial institutions, payment service providers (“PSPs”) and crypto-assets service providers (“CASPs”) as further defined in Section 2 Luxembourg, 18 August 2025 Ladies and Gentlemen, The purpose of this circular is to inform you that the CSSF, in its capacity as competent authority, applies the European Banking Authority’s guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures (“Guidelines”), further detailed below. The CSSF has integrated the Guidelines into its administrative practice and regulatory approach with a view to promoting supervisory convergence in this field at European level.
CIRCULAR CSSF 25/896 Adoption of the EBA guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures 3/6 1.1. Pursuant to EBA/GL/2024/14 on general Internal Policies, Procedures and Controls, key requirements include points on: • Governance Structure: Establish a clear governance and control framework, including regarding responsibilities for approval, oversight and monitoring of policies, procedures and controls for the implementation of restrictive measures to ensure that they are adequate and implemented effectively and the risk of circumvention mitigated. In addition to the roles to be taken by the management body, a senior staff member in charge of compliance with restrictive measures shall be appointed. The Guidelines envisage proportionality and flexibility for the appointment of this role. • Restrictive measures exposure assessment: Conduct assessments to identify and assess areas where restrictive measures are applicable to the financial institution and importantly, where they are exposed to non-implementation or circumvention of restrictive measures, and implement proportionate controls. The institutions should carry out/review such a restrictive measures exposure assessment at least once a year and when certain situations occur, as defined by the Guidelines. • Policies and Procedures: Pursuant to the institution’s strategy for compliance with restrictive measures, it should develop, implement and maintain up-to-date policies, procedures and controls to ensure ongoing effective compliance with restrictive measures. Identification, investigation and application of restrictive measures must be without delay. • Training: Provide and document regular and timely training to staff on applicable restrictive measures, the financial institution’s exposure to them and relevant internal compliance policies, procedures and controls. 1.2. Pursuant to EBA/GL/2024/15 regarding specific guidelines for PSPs and CASPs to ensure the effective implementation of Union and national restrictive measures when performing transfers of funds and crypto-assets, key requirements include points on: • Policies and Procedures: PSPs and CASPS should put in place policies, procedures and controls to comply with restrictive measures and manage risks of circumvention of restrictive measures (aligned with EBA/GL/2024/14). • Screening Systems: PSPs and CASPs should implement adequate and reliable screening systems to identify designated individuals or entities. The decision which screening system will be used should be based on the restrictive measures exposure assessment to be conducted in accordance with EBA/GL/2024/14. Regular review of the performance of the screening system to ensure that it remains effective and reliable, is required. • List Management & Data Screening: PSPs and CASPs should maintain updated lists of restrictive measures and integrate changes immediately. They should also define datasets to be screened against restrictive measures, based on accurate and complete data. Whitelisting is possible under certain conditions. • Screening the Customer Base: PSPs and CASPs should define in their policies and procedures, the minimum frequency/trigger events and type of customer information they will screen, in line with their restrictive measures exposure assessment (EBA/GL/2024/14). • Screening of Transfers of funds and of crypto-assets: Except in cases covered in Article 5d of Regulation (EU) 260/2012 regarding instant credit transfers, PSPs should screen all parties to transfers of funds before making the funds available to the payee, and CASPs should screen all parties to transfer of crypto-assets before making the crypto-assets available to the beneficiary, whether they are carried out as part of a business relationship
CIRCULAR CSSF 25/896 Adoption of the EBA guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures 4/6 or as part of a one-off transaction. The Guidelines also define minimum transfer-related data to be screened. • Calibration of Screening Systems: Screening systems must be properly calibrated to: o minimise false positives while detecting true matches; o use fuzzy matching techniques to identify close matches. PSPs and CASPs should document and regularly test the screening settings. • Third-Party Reliance & Outsourcing: outsourcing does not remove liability from PSPs and CASPs. Institutions must: o ensure service providers comply with restrictive measures; o monitor outsourced services to prevent regulatory breaches; o apply the same controls to intra-group outsourcing. • Management and Analysis of Alerts, including Assessing Ownership & Control of Sanctioned Entities: Potential positive matches should be investigated without delay and where it is not possible for the PSPs and CASPs to reach an informed decision, they should refrain from providing financial services to a party to a transfer. PSPs and CASPs should set out in their policies and procedures how they will assess whether a legal person or entity is owned or controlled by a designated person or entity. Policies and procedures should also define the necessary internal review process, in line with the restrictive measures exposure assessment, and foresee at least a review by two people in relation to higher exposure situations. • Compliance with Sectoral Restrictive Measures: These requirements stress the need to screen all underlying information relating to the transfer of funds or crypto-assets, in line with the exposure assessment performed. Specific controls and tools may be warranted for this screening. • Prevention of Circumvention Attempts: PSPs and CASPs should stay informed of relevant trends and typologies, and take into account/detect red flags, such as: altered/deleted transaction details, structuring transactions to hide a designated party’s involvement, misrepresentation of beneficial ownership. An aggregate transaction flow analysis can be relevant for PSPs and CASPs that are particularly exposed to the risk of being used for circumvention purposes. • Freezing & Reporting Measures: If a true match is found: o freeze funds/crypto assets immediately; o suspend the execution of transfers related to sanctioned individuals/entities; o report to relevant national authorities (i.e. the Luxembourg Ministry of Finance and the CSSF in copy) • Testing & Ongoing Monitoring: Regular system testing must ensure: o proper calibration of screening settings; o accuracy of list management; o effectiveness of transaction screening; o immediate suspension of execution, freezing and reporting without delay; and o reporting of suspicious transactions to the FIU (Cellule de Renseignement Financier), where applicable. Institutions must report any deficiencies to senior management and take corrective actions. The two sets of guidelines are annexed to this circular and are also available on the EBA’s website at: Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures
CIRCULAR CSSF 25/896 Adoption of the EBA guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures 5/6 Furthermore, institutions in the scope of these Guidelines, shall take into account, among other EBA guidelines, the “ML/TF Risk factor Guidelines” that the CSSF has adopted by way of Circular CSSF 25/878 which complements Circular CSSF 23/842 and Circular CSSF 21/782 and the “Travel Rule Guidelines” that the CSSF has adopted by way of Circular CSSF 25/879. 2. Scope of application 2.1. EBA/GL/2024/14: Internal Policies, Procedures and Controls Scope and Applicability: Credit institutions and investment firms and their internal governance framework as foreseen by the Law of 5 April 1993 on the financial sector; payment institutions and electronic money institutions and their internal governance framework as foreseen by the Law of 10 November 2009 on payment services. 2.2. EBA/GL/2024/15: Specific guidelines for PSPs and CASPs Scope and Applicability: Payment service providers (PSPs) as defined in Article 3(5) of Regulation (EU) 2023/1113 and crypto-asset service providers (CASPs) as defined in Article 3(15) of Regulation (EU) 2023/1113. As regards Virtual asset service providers (“VASPs”): Pursuant to the new Article 24-1 of the Law of 12 November 2004 regarding the fight against money laundering and terrorist financing (“AML/CFT Law”), introduced by the Law of 6 February 20251 , VASPs are still subject to the professional obligations defined in the AML/CFT Law and Regulation (EU) 2023/1113 and should be treated as crypto-assets service providers for the purpose of these guidelines : “Virtual asset service providers that are registered as at 30 December 2024 in accordance with Article 7-1 as applicable on 30 December 2024, shall remain registered within the register of virtual asset service providers established by the CSSF until 1 July 2026 or until they are granted or refused an authorisation pursuant to Article 63 of Regulation (EU) 2023/1114, whichever is sooner.(…). For the purpose of applying Articles 3-2(3a), and 7-1a of this law and Regulation (EU) 2023/1113 and its implementing measures, the virtual asset service providers referred to in the first subparagraph shall be treated as crypto-asset service providers.” Thus, these guidelines are still applicable to them. 3. Date of application The two sets of Guidelines are applicable as of 30 December 2025. This circular shall apply as of 30 December 2025. However, it must be stressed that based on Regulation (EU) 2024/1624 of the European Parliament and of the Council of 31 May 2024 on the prevention of the use of the financial system for the 1 Law of 6 February 2025, adding notably Chapters 4e and 4f into the Law of 16 July 2019 on the operationalisation of European regulations in the area of financial services and implementing Regulation (EU) 2023/1114 on markets in crypto-assets (“MiCAR”) and Regulation (EU) 2023/1113 on information accompanying transfer of funds and certain crypto assets
CIRCULAR CSSF 25/896 Adoption of the EBA guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures 6/6 purposes of money laundering or terrorist financing, any provisions regarding internal policies, procedures and controls to ensure the implementation of targeted financial sanctions will be regulated under that regulation as of 10 July 2027 and the guidelines will need to be adapted to that new framework. Claude WAMPACH Director Marco ZWICK Director Jean-Pierre FABER Director FranÁoise KAUTHEN Director Claude MARX Director General Annex EBA/GL/2024/14 and EBA/GL/2024/15 - European Banking Authority on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures
EBA/GL/2024/14 14 November 2024 Final Report Two sets of Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 2 Contents
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 3
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 4 2. Background and rationale 2.1 Background
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 5 EU regulations on restrictive measures do not prescribe how financial institutions should comply with restrictive measures regimes, but the European Commission, in a 2021 Opinion4 , highlights the need ‘to put in place the required due diligence procedures and conduct the appropriate checks in order to avoid breaches of the Regulation’. According to the Commission, these procedures include screening, risk assessment, ‘multi-level based due diligence’ and ongoing monitoring. The EBA found that supervisory expectations and approaches to supervising the implementation of internal policies, procedures and controls for compliance with restrictive measures are not consistent across Member States and they are not always set out in guidance. c. The quality of institutions’ internal policies, procedures and controls to comply with restrictive measures. Information provided by supervisory authorities suggests that weaknesses exist in relation to institutions’ internal governance, screening systems and risk management systems. Consequently, not all institutions understand or address their exposure to risks associated with restrictive measures. 6. Divergent approaches by competent authorities make the adoption by financial institutions of an effective approach to compliance with restrictive measures regimes difficult. Weaknesses in internal policies, procedures and controls expose financial institutions to legal risks, reputational risks and the risk of significant fines for non-compliance. Together, they undermine the effectiveness of the EU’s restrictive measures regimes and affect the stability and integrity of the EU’s financial system. Ineffective approaches to compliance with restrictive measures can also lead to consumer detriment, as legitimate customers may be denied access to their funds or fall victim to unwarranted de-risking. 2.2 Rationale 7. The mandate in the FTR is not sufficiently broad to address wider internal systems and controls issues and ensure the effective management of legal risks relating to the violation of Union restrictive measures. 8. To nevertheless comprehensively address the issues it identified, the EBA decided to issue two sets of guidelines that set common EU standards on the development and implementation of policies, procedures and controls for the implementation of restrictive measures. 9. One set of guidelines5 are own-initiative guidelines under Directive 2013/36/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC. They address all financial institutions within the EBA’s supervisory remit and specify the governance arrangements and internal policies, procedures and controls these financial institutions should have in place to be able to comply with restrictive measures. 4 https://finance.ec.europa.eu/document/download/1cd09e4a-0187-45bc-b234-1de949933f34_en?filename=210608- ukraine-opinion_en.pdf 5 EBA/GL/2024/14
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 6 10.A second set of guidelines6 , which fulfil the mandate in the FTR, is specific to payment service providers (PSPs) and crypto-asset service providers (CASPs) and specifies what PSPs and CASPs should do to be able to comply with restrictive measures when performing transfers of funds or crypto-assets. 2. Guidelines EBA/GL/2024/14 provide that financial institutions should: a. put in place, implement and maintain up-to-date policies, procedures and controls for compliance with restrictive measures; b. have a sound governance structure where responsibility for compliance with restrictive measures is clearly allocated; c. carry out a restrictive measures exposure assessment, which should inform institutions’ decision on the types of controls and measures they need to apply to comply effectively with restrictive measures. A restrictive measures exposure assessment does not remove or undermine the rule-based obligation for all natural or legal persons in the Union to freeze and not make funds or other assets available, directly or indirectly, to designated persons or entities. It does, however, enable them to ensure that their restrictive measures policies, procedures and controls are commensurate with their restrictive measures exposure and specifically, to determine that all areas have the resources necessary to ensure effective compliance with restrictive measures. 11.Guidelines EBA/GL/2024/15 provide that PSPs and CASPs that carry out transfers of funds or crypto-assets should: d. choose a screening system that is adequate and reliable to comply effectively with their restrictive measures obligations; e. define the dataset to be screened against restrictive measures adopted by the EU on the basis of Article 29 TEU or Article 215 TFEU and, where relevant, national restrictive measures; f. screen information to: i. verify whether a person, entity or body is designated; ii. manage the risks of violation of restrictive measures; and iii. manage the risks of circumvention of restrictive measures. 3. Institutions should apply provisions in both Guidelines in a manner that is effective and proportionate to each institution’s nature and size, the nature, scope and complexity of its activities, and its exposure to restrictive measures. 6 EBA/GL/2024/15
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 7 4. Competent supervisory authorities should refer to both guidelines when assessing the adequacy of institutions’ internal policies, procedures and controls for the implementation of restrictive measures. Interaction with other guidelines 12.The guidelines complement the following EBA guidelines: • Guidelines EBA/2021/02 on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions (‘The ML/TF Risk Factors Guidelines’) under Directive (EU) 2015/849; • Guidelines EBA/GL/2024/11 on information requirements in relation to transfers of funds and certain crypto-assets transfers under Regulation (EU) 2023/1113 (‘The Travel Rule Guidelines’); • Guidelines EBA/GL/2024/14 on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures; • Guidelines EBA/GL/2024/15 on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures under Regulation (EU) 2023/1113; • Guidelines EBA/GL/2022/05 on policies and procedures in relation to compliance management and the role and responsibilities of the AML/CFT Compliance Officer under Article 8 and Chapter VI of Directive (EU) 2015/849; • Guidelines EBA/GL/2021/05 on internal governance under Directive 2013/36/EU; • Guidelines EBA/GL/2019/02 on outsourcing arrangements, to be replaced by Guidelines EBA/GL/XXXX/XX on sound management of third party risks; • Guidelines EBA/GL/2019/04 on ICT and security risk management. Next steps 13.These Guidelines apply from 30 December 2025. 14.As of 10 July 2027, internal policies, procedures and controls to ensure the implementation of targeted financial sanctions will be regulated under Regulation (EU) 2024/1624 of the European Parliament and of the Council of 31 May 2024 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 8 3. Guidelines
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 9 EBA/GL/2024/14 14 November 2024 Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 10
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 11 2. Subject matter, scope and definitions Subject matter and scope of application 5. These guidelines specify the internal policies, procedures and controls financial institutions that are subject to regulation and supervision pursuant to Directive 2013/36/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC should put in place in accordance with Article 74(1) of Directive 2013/36/EU, Article 11(4) of Directive (EU) 2015/2366 and Article 3(1) of Directive 2009/110/EC to ensure the effective implementation of Union and national restrictive measures. Addressees 6. These guidelines are addressed to: (i) competent authorities as defined in legislative acts referred to in Article 4, point (2)(i) of Regulation (EU) No 1093/2010; (ii) competent authorities as defined in Article 4, point (2)(vi) of Regulation (EU) No 1093/2010 with regard to Directive (EU) 2015/2366 and Directive 2009/110/EC; (iii) financial institutions that are subject to regulation and supervision pursuant to Directive 2013/36/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC. 7. Competent authorities that are responsible for assessing internal policies, procedures and controls adopted by financial institutions to ensure the implementation of Union and national restrictive measures, according to the domestic legal framework, may refer to these guidelines when assessing such internal policies, procedures and controls. Definition Unless otherwise specified, terms used and defined in Directive 2013/36/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC have the same meaning in the guidelines. In addition, for the purposes of these guidelines, the following definition apply:
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 12 Restrictive measures means Union restrictive measures as defined in Article 2, point (1) of Directive (EU) 2024/1226 and national restrictive measures adopted by Member States in compliance with their national legal order (to the extent that they apply to financial institutions). 3. Implementation Date of application 8. These Guidelines apply from 30 December 2025.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 13 4. Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures General provisions
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 14 should ensure that each management body, business line and internal unit, including each internal control function of subsidiaries of the group has the relevant information to be able to comply with restrictive measures. The ultimate responsibility for compliance with restrictive measures lies with each entity of the group. 7. Where a financial institution is the parent undertaking of a group, the management body of the parent undertaking should ensure that the subsidiaries of the group perform their own restrictive measures exposure assessment, as set out Section in 4.2, in a coordinated way and based on a common methodology, reflecting the group’s specificities. 4.1.1 The role of the management body in its supervisory function 8. The management body in its supervisory function should be responsible for overseeing and monitoring the internal controls and governance framework the financial institution has put in place to comply with restrictive measures to ensure that it is effective, pursuant to Section 4.3. 9. In addition to the provisions set out in the Guidelines EBA/GL/2021/059 , the management body of a financial institution in its supervisory function should: a. be informed of the results of the latest restrictive measures exposure assessment, pursuant to Section 4.2; b. oversee and monitor, through the internal controls function, the extent to which the restrictive measures policies and procedures are adequate and effective, pursuant to Section 4.3, in light of the restrictive measures exposure and risks of circumvention of restrictive measures to which the financial institution is exposed and take appropriate steps to ensure remedial measures are taken where necessary; c. at least once a year, assess the effective functioning of the restrictive measures compliance function, including internal policies, procedures and controls, including the appropriateness of the human and technical resources allocated to compliance with restrictive measures. 10.Where a financial institution is the parent undertaking of a group, the management body of that parent undertaking should also perform all the tasks referred to in paragraph 9 at group level. The ultimate responsibility for compliance with restrictive measures lies with each entity of the group. 4.1.2 The role of the management body in its management function 11.In addition to the provisions set out in the Guidelines EBA/GL/2021/05, the financial institution’s management body in its management function should: a. ensure that it is informed of the results of the latest restrictive measures exposure assessment, pursuant to Section 4.2; 9 Guidelines EBA/GL/2021/05 on internal governance under Directive 2013/36/EU.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 15 b. adopt an appropriate risk management framework and internal control system that is sufficiently independent from the business it controls; c. approve policies, procedures and controls that are proportionate to the financial institution’s restrictive measures exposure and adequate to ensure the financial institution’s compliance with restrictive measures; d. ensure the effective implementation of the financial institution’s processes to comply with restrictive measures; e. implement the organisational and operational structure necessary to comply effectively with the restrictive measures strategy adopted by the management body; f. ensure that the human and technical resources allocated to the compliance with restrictive measures are appropriate and commensurate with the institutions’ exposure to restrictive measures; g. where operational functions of the compliance with restrictive measures are outsourced, ensure that these arrangements comply with Guidelines EBA/GL/2019/0210 , and receive regular reports on the effectiveness of the system from the service provider to inform the management body. 12.Where the financial institution is the parent undertaking of a group, the management body of that parent undertaking should ensure that all the tasks referred to in paragraph 11 are also performed at the level of subsidiaries and that policies and procedures put in place are aligned with the group’s procedures and policies, to the extent permitted under applicable national law. 4.1.3 The role of the senior staff member in charge of compliance with restrictive measures 4.1.3.1 Appointing the senior staff member 13.Financial institutions should appoint a senior staff member in charge of performing the functions and tasks set out in paragraphs 19 to 21. The management body should ensure that the senior staff member has the knowledge and understanding of restrictive measures necessary to fulfil their functions effectively. 14.The management body may assign this role to a senior staff member who already has other duties or functions within the financial institution (such as the AML/CFT compliance officer or the chief compliance officer) provided that: a. this is justified by the size and complexity of the financial institution and the outcome of the restrictive measures exposure assessment; b. this does not affect the ability of this senior staff member to carry out their duties or functions effectively; and 10 Guidelines EBA/GL/2019/02 on outsourcing arrangements, to be replaced by Guidelines EBA/GL/XXXX/XX on sound management of third party risks.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 16 c. this combination of tasks does not raise any conflicts of interest, such as conflicts between operational and control tasks assigned to this staff member. 15.The management body should allow the senior staff member to assign and delegate the tasks stipulated in paragraphs 19 to 21 to other staff acting under the direction and supervision of the senior staff member, provided that the ultimate responsibility for the effective fulfilment of those tasks remains with the senior staff member. 16.Irrespective of the institutional arrangements, financial institutions should ensure that: a. the senior staff member can coordinate and cooperate effectively with internal control functions; and b. the senior staff member is able to report and has direct access to the management body in the management and supervisory function. 17.Where the financial institution is part of a group, the management body of the parent financial institution should appoint a group-level senior staff member. 4.1.3.2 The role of the senior staff member 18.The senior staff member should develop, put in place and maintain policies, procedures and controls that are adequate to ensure the financial institution’s compliance with restrictive measures and proportionate to the financial institution’s restrictive measures exposure. 19.The senior staff member should: a. take the measures necessary to ensure compliance with Section 4.2 on the restrictive measures exposure assessment; b. take the measures necessary to ensure compliance with Section 4.3 on effective restrictive measures policies and procedures; c. provide regular and adequate information to the management body to enable it to carry out its functions as defined in Section 4.1.1 and Section 4.1.2 Management information should at least include: i) changes to the financial institution’s restrictive measures exposure and the outcome of the financial institution’s restrictive measures exposure assessment; ii) changes to restrictive measures regimes and their impact on the financial institution; iii) statistics and information relating to: ▪ the number of alerts generated; ▪ the number of alerts awaiting analysis; ▪ the number of reports submitted to the relevant national authority competent for the implementation of restrictive measures11 and/or to the competent supervisory authority as required by the applicable laws; 11 https://finance.ec.europa.eu/eu-and-world/sanctions-restrictive-measures/overview-sanctions-and-related-resources_en#contact.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 17 ▪ the average time between the true positive match and the report submitted to the relevant national authority competent for the implementation of restrictive measures and/or to the competent supervisory authority as required by the applicable laws; ▪ the value of frozen funds, frozen economic resources12 and the nature of those assets, held at the financial institution; iv) information on human and technical resources and the adequacy of those resources in light of the financial institution’s restrictive measures exposure; v) deficiencies or shortcomings identified in relation to the financial institution’s restrictive measures policies, procedures and controls, including observations provided by competent authorities for the supervision of policies, procedures and controls for the implementation of restrictive measures; vi) cases of violation and of circumvention of restrictive measures and the reasons for those violation and circumvention; vii) proposals on how to address any changes in regulatory requirements or in restrictive measures exposure, or any deficiencies or shortcomings in the financial institution’s restrictive measures policies, procedures or controls that have been identified and cases of violation and circumvention of restrictive measures that have been identified. d. report all violations of restrictive measures to the relevant national authorities competent for the implementation of restrictive measures and/or to the competent supervisory authority as required by the applicable laws; e. cooperate effectively and constructively with relevant national authorities competent for the implementation of restrictive measures and competent supervisory authority as required by the applicable laws. 20.Where the financial institution is part of a group, the group-level senior staff member should assess the effectiveness of policies, procedures and controls for compliance with relevant restrictive measures across branches, subsidiaries, intermediaries, distributors and agents where applicable. The ultimate responsibility for compliance with restrictive measures lies with each entity of the group. 21.The senior staff member should oversee the preparation and implementation of the training programme as specified in Section 4.4. 4.2 Conducting a restrictive measures exposure assessment 22. Internal procedures of financial institutions should cover the assessment of restrictive measures exposure to understand the extent to which each area of their business is exposed to restrictive measures and vulnerable to circumvention of restrictive measures. 12 See Article 2, point (5) and (6) of Directive (EU) 2024/1226.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 18 23.The restrictive measures exposure assessment should enable the financial institutions to identify and assess: a. which restrictive measures regimes apply to them; b. the likelihood of non-implementation of restrictive measures; c. the likelihood of circumvention of restrictive measures; d. the impact of any breaches of restrictive measures; and e. the following risk factors: a) geographic risk, including: i. where the financial institution conducts its business, i.e. the jurisdictions and territories in which the financial institution is established or operates; ii. the extent to which those jurisdictions and territories are exposed to restrictive measures or are known to be used to circumvent restrictive measures; iii. origin and destination of transactions. b) customer risk, including: i. links of customers and, if applicable, their beneficial owners and controlling shareholders, to countries for which restrictive measures are in place due to a situation affecting this country, or known to be used to circumvent restrictive measures; ii. the number of customers, type of customers and the complexity of those customers, such as the issues with identification of the beneficial owner; iii. activity of its customer base, and complexity of the activity, including any links to industries or sectors that may be subject to economic or any other restrictive measures, as well as frequency and types of transactions. c) products and services risk, including: i. the nature of the financial institution’s products and services; ii. the extent to which providing these products and services exposes the financial institution to the risk of breaches of restrictive measures and circumvention of restrictive measures. d) delivery channels risk, including whether the use of intermediaries, agents, third parties, correspondent banking relationships or other delivery channels creates vulnerabilities, including by: i. limiting the visibility the financial institution has on the parties involved; ii. making the financial institution dependent on the screening processes of third parties; iii. increasing the financial institution’s exposure to geographic risks because they are operating, or based in, countries for which restrictive measures are in place
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 19 due to a situation affecting this country or countries known to be used to circumvent restrictive measures. 24.The assessment referred to in paragraph 22 should be based on a sufficiently diverse range of information sources, including at least the following: a. information obtained as part of the application of the financial institution’s customer due diligence measures, in compliance with the provisions of Article 13 of Directive (EU) 2015/849; b. information from international bodies, government, national competent authorities including AML/CFT supervisors, financial intelligence units (FIUs) and law enforcement authorities (LEAs), such as up-to-date typologies on the circumvention of restrictive measures; c. information from credible and reliable open sources, such as reports in reputable newspapers and other reputable media outlets; d. information from credible and reliable commercial organisations, such as risk reports; e. where this is available, an analysis of previous restrictive measures alerts concerning true positive and false positive matches in order to identify situations where true positive matches are most likely to occur. 25.When performing a restrictive measures exposure assessment, financial institutions should consider whether retroactive screening of their customer database and past transaction records could be useful and proportionate. This may be the case where the financial institution has identified or has reasonable grounds to suspect that its previous screening system was inadequate or ineffective. 26.Financial institutions should ensure that their restrictive measures exposure assessment remains up to date and relevant. To achieve this, financial institutions should review it at least once a year and where necessary, update it. In addition, as necessary, financial institutions should review their restrictive measures exposure assessment in the following situations: a. adoption of new restrictive measures and significant changes to existing restrictive measures; b. before providing new products, offering new product delivery channels, servicing new client groups, entering new geographical areas; c. significant changes to the institution’s activity profile, customer base, organisational structure or business model; d. identification of non-implementation of restrictive measures and circumvention of restrictive measures, which reveals the inappropriateness of the restrictive measures exposure assessment; e. deficiencies in existing restrictive measures exposure assessment as identified by the financial institution or the competent authority responsible for the supervision of internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 20 27.Financial institutions should document their methodology for conducting and reviewing their restrictive measures exposure assessment and the outcome of that assessment and make them available to their competent authority upon request. 28.Where the financial institution is the parent undertaking of a group, the group management body should ensure that the subsidiaries of the group perform its own restrictive measures exposure assessment in a coordinated way and based on a common methodology while reflecting its own specificities. 4.3 Ensuring the ongoing effectiveness of restrictive measures policies, procedures and controls 29.To be effective, a financial institution’s policies, procedures and controls for the implementation of restrictive measures should enable it to fully and properly implement all applicable restrictive measures without delay. 30.Policies, procedures and controls should at least cover: a. processes to ensure that the financial institutions have all up-to-date information concerning the applicable restrictive measures; b. processes to ensure the update of lists and requirements of applicable restrictive measures as soon as they enter into force; c. processes to ensure that the restrictive measures exposure assessment remains relevant and up to date; d. processes to ensure that policies, procedures and controls are commensurate with the restrictive measures exposure assessment; e. processes to ensure that restrictive measures policies and procedures are: i. regularly reviewed; ii. regularly amended and updated when and where necessary; iii. implemented effectively; and iv. designed in a manner that they trigger needed action once shortcomings are identified. f. procedures for starting to investigate without delay all potential matches; g. if there are true positive matches, procedures that trigger follow-up actions in order to ensure compliance with the applicable restricted measures, including immediate rejection suspension, or freezing, and reporting to relevant national authorities competent for the implementation of restrictive measures or to the competent supervisory authority as required by the applicable laws within the timelines specified by those authorities or the applicable restrictive measures Regulation; h. a documented internal organisation that clearly sets out the tasks and responsibilities in relation to restrictive measures, including when outsourcing;
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 21 i. other aspects as specified in Guidelines EBA/GL/2024/15 on internal policies, procedures and controls to ensure the implementation of restrictive measures under Regulation (EU) 2023/1113. 4.4 Training 31.Financial institutions should provide training to their staff members on a regular basis to ensure that they are, and remain, aware of: a. applicable restrictive measures; b. the outcome of the restrictive measures exposure assessment; and c. policies, procedures and controls to comply with applicable restrictive measures. 32.Training should be tailored to staff members and their specific role. It should be timely and adequate to enable the financial institution to comply with restrictive measures. Within a group this activity can be performed – fully or partially – by the parent company. 33.Financial institutions should document their training plan and stand ready to demonstrate upon request to their competent authority that their training is adequate and effective.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 22 5. Accompanying documents 5.1 Cost-benefit analysis / impact assessment As per Article 16(2) of Regulation (EU) No 1093/2010 (EBA Regulation), any guidelines and recommendations developed by the EBA shall be accompanied by an impact assessment (IA), which analyses ‘the potential related costs and benefits’. This analysis presents the IA of the main policy options included in the Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures (‘the Guidelines’). The IA is high level and qualitative in nature. A. Problem identification and background Restrictive measures are defined in Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures and amending Directive (EU) 2018/1673. These measures have been developed, and are still being developed, by Member States, the EU or other international competent jurisdictions to, notably, safeguard EU values, maintain international peace and security, and consolidate and support democracy, the rule of law and human rights. However, this goal is hampered by the fact that these measures are not applied uniformly within the EU and this lack of uniformity can create situations where prohibitions are circumvented. It is also the EBA’s view that financial institutions’ compliance with the implementation of restrictive measures differs across Member States. In this context, the EBA was given one mandate13. The EBA decided to complement these guidelines with own-initiative guidelines on wider restrictive measures systems and controls, as the mandate in Regulation (EU) 2023/1113 may not be sufficiently broad to address these points. B. Policy objectives Being addressed to both financial institutions subject to regulation and supervision pursuant to Directive 2013/36/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC and their prudential supervisors, these Guidelines will support the development of common practices related to restrictive measures and thus more effective compliance with restrictive measures. These Guidelines aim to create a common understanding, among financial institutions, of adequate policies, procedures and controls for the implementation of restrictive measures. 13 Article 23 of Regulation (EU) 2023/1113 mandates the EBA to issue guidelines on the internal policies, procedures and controls PSPs and CASPs need to have in place to ensure compliance with Union and national restrictive measures in the context of transfers of funds and transfers of crypto-assets.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 23 C. Options considered, assessment of the options and preferred options Section C. presents the main policy options discussed and the decisions made by the EBA during the development of the Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures. Advantages and disadvantages, as well as potential costs and benefits from the qualitative perspective of the policy options and the preferred options resulting from this analysis, are provided. Conducting a restrictive measures exposure assessment The implementation of the restrictive measures is a legally binding requirement and is thus an obligation of results and not of means. Nevertheless, conducting restrictive measures exposure assessments in the context of restrictive measures might be suitable to enable the institution to put in place proportionate and effective policies and procedures and two options have been considered by the EBA in this regard: Option 1a: Adding guidance on restrictive measures exposure assessment Option 1b: Not adding guidance on restrictive measures exposure assessment A restrictive measures exposure assessment serves to foster the institution’s understanding of risks of non-compliance with restrictive measures and risks of circumvention of sanctions, according to the activities and customers of a financial institution. Even though theoretically all the restrictive measures legally apply to all financial institutions, financial institutions can be more exposed to some restrictive measures than to others (given for instance the area of operations of institutions, or the type of products). This evaluation is thus a key and necessary prerequisite for the effective compliance with restrictive measures. This assessment is different from the AML/CFT risk assessment described in the EBA’s Risk Factors Guidelines as the same elements can carry different risks from an AML/CFT and restrictive measures perspective, although some synergies exist. For example, a jurisdiction may be associated with high levels of corruption and thus increased ML risk, but it may present very few risks from a restrictive measures perspective. A need for clarification on this matter is, as such, necessary. Adding guidance on restrictive measures exposure assessment will be beneficial for supporting the financial institutions when complying with the binding restrictive measures in place that ultimately help to notably safeguard EU values, maintain international peace and security, and consolidate and support democracy, the rule of law and human rights. It is thus the EBA’s view that the potential costs (for instance IT or compliance human resources expenses) incurred by financial institutions by adding guidance on restrictive measures exposure assessment would be exceeded by the benefits. For competent authorities, having access to clear criteria to assess the adequacy of institutions’ restrictive measures exposure assessment and the associated increase in levels of compliance will outweigh any costs associated with the supervision of such assessments.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 24 On these grounds, Option 1a has been chosen as the preferred option and the Guidelines will include guidance on restrictive measures exposure assessment. Senior staff member in charge of compliance with restrictive measures Within the EU, institutions are entitled to nominate, in the compliance area, a chief compliance officer (‘CCO’) but also – where appropriate given the size and nature of the business – an AML/CFT compliance officer. As mentioned previously, AML/CFT and restrictive measures areas are not completely aligned and the question on the need for institutions to appoint a staff member specifically responsible for compliance with restrictive measures was raised. In this regard, two options have been considered by the EBA: Option 2a: Requesting institutions to appoint a senior staff member responsible for compliance with restrictive measures Option 2b: Not requesting institutions to appoint a senior staff member responsible for compliance with restrictive measures Appointing a dedicated senior staff member who will be responsible for compliance with restrictive measures will be beneficial for enhancing the importance and visibility of this subject within institutions and will create one dedicated point of contact for all related questions, issues or projects. Furthermore, instead of just assigning to a senior staff member the tasks related to compliance with restrictive measures, assigning this staff member a specific responsibility in relation to this compliance will naturally increase their implication and enhance the quality of their role of reporting to the management body and developing a framework for policies and procedures. The duty assigned to this senior staff member will incur costs to institutions, but they are mainly implicitly triggered by the institutions’ obligation of compliance with the restrictive measures; for instance, the role of the senior staff member responsible for compliance with restrictive measures to ‘develop, put in place and maintain policies, procedures and controls that are adequate to ensure the financial institution’s compliance with restrictive measures and proportionate to the financial institution’s restrictive measures exposure’ would in any case need to be done by the institutions to respect their obligation of compliance with the restrictive measures. In addition, the Guidelines envisage some proportionality (the appointed senior staff member responsible for compliance with restrictive measures could be a senior staff member who already has other duties or functions within the financial institution – such as the AML/CFT compliance officer or the chief compliance officer) and flexibility (the appointed senior staff member responsible for compliance with restrictive measures could assign and delegate their tasks to other staff acting under their direction and supervision) possibilities allowing institutions to minimise the costs specifically linked with the appointment (and not with the tasks to be performed) of the senior staff member responsible for compliance with restrictive measures. As such, the costs associated with the appointment of the senior staff member responsible for compliance with restrictive measures are exceeded by its benefits.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 25 On these grounds, Option 2a has been chosen as the preferred option and the Guidelines will request institutions to appoint a senior staff member who will be responsible for compliance with restrictive measures. D. Conclusion The development of the Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures is deemed necessary to support competent authorities as defined in legislative acts referred to in Article 4, point (2)(i) of Regulation (EU) No 1093/2010, competent authorities as defined in Article 4, point (2)(vi) of Regulation No (EU) 1093/2010 for Directive (EU) 2015/2366 and Directive 2009/110/EC, and, financial institutions that are subject to regulation and supervision pursuant to Directive 2013/36/EU, Directive (EU) 2015/2366, and Directive 2009/110/EC in the context of control, implementation and compliance with restrictive measures. For financial institutions, the costs associated with the implementation of the Guidelines will be mitigated by the fact that the Guidelines will support them in their compliance with the restrictive measures, which should reduce the risk of breaching the Regulation and the related fine probability. The enhancement of compliance with the restrictive measures will help to notably safeguard EU values, maintain international peace and security, and consolidate and support democracy, the rule of law and human rights. Hence, these new Guidelines should achieve their objectives with acceptable costs. 5.2 Feedback on the public consultation See Section 5.2 Feedback on the public consultation of Guidelines EBA/GL/2024/15 on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures under Regulation (EU) 2023/1113.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 26 4. Guidelines
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 27 EBA/GL/2024/15 14 November 2024 Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures under Regulation (EU) 2023/1113
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 28
1 Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC, (OJ L 331, 15.12.2010, p. 12).
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 29 2. Subject matter, scope and definitions Subject matter and scope of application 5. These guidelines specify the internal policies, procedures and controls payment service providers (PSPs) and crypto-asset service providers (CASPs) should put in place to ensure the effective implementation of Union and national restrictive measures when performing transfers of funds and crypto-assets as defined in Regulation (EU) 2023/1113 of the European Parliament and of the Council2 . Addressees 6. These guidelines are addressed to: a. competent authorities responsible for supervising PSPs and CASPs for compliance with their obligations under Regulation (EU) 2023/1113; b. financial institutions as defined in Article 4, point (1) of Regulation (EU) No 1093/2010, which are PSPs as defined in Article 3, point (5) of Regulation (EU) 2023/1113 and CASPs as defined in Article 3, point (15) of Regulation (EU) 2023/1113. Definitions 7. Terms used and defined in Regulation (EU) 2023/1113 have the same meaning in these Guidelines. In addition, for the purposes of these Guidelines, the following definitions apply: Restrictive measures means Union restrictive measures as defined in Article 2, point (1) of Directive (EU) 2024/1226 and national restrictive measures adopted by Member States in compliance with their national legal order (to the extent that they apply to financial institutions). Targeted financial sanctions means both asset freezing and prohibitions to make funds or other assets available, directly or 2 Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849 (recast) (OJ L 150, 9.6.2023, p. 1.).
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 30 indirectly, for the benefit of designated persons and entities pursuant to Council Decisions adopted on the basis of Article 29 TEU and Council Regulations adopted on the basis of Article 215 TFEU. Sectoral restrictive measures means restrictive measures such as arms and related equipment embargoes or economic and financial measures (e.g. import and export restrictions, and restrictions on the provision of certain services, such as banking services). 3. Implementation Date of application 8. These Guidelines apply from 30 December 2025.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 31 4. Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures under Regulation (EU) 2023/1113 General provisions
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 32 5. When taking a decision on their screening system, PSPs and CASPs should consider whether they have access to the resources necessary to use their chosen system effectively. 6. PSPs and CASPs should regularly review the performance of the screening system to ensure that it remains effective and continues to reliably identify targets of restrictive measures. PSPs and CASPs should carry out a review of the used screening system at least once per year and immediately should they have grounds for concern that the system may not be fit for purpose. 7. Pursuant to Article 8 of Regulation (EU) 2022/2554, PSPs and CASPs should understand and document the screening system’s capabilities and limitations. PSPs and CASPs should be able to demonstrate to their competent authority that their screening system is adequate. 4.1.2 List management 8. PSPs and CASPs should specify in their policies and procedures restrictive measures they have to apply. 9. PSPs and CASPs should have policies and procedures to: a. identify when a new set of restrictive measures is adopted, or an existing restrictive measure is updated or lifted; b. update their internal dataset to be screened in compliance with Section 4.1.3 immediately after a new restrictive measure enters into force, or an existing restrictive measure is updated or lifted. 4.1.3 Defining the set of data to be screened 10.PSPs and CASPs should define in their policies and procedures the types of data they will screen for each type of restrictive measure, taking into account the outcome of their restrictive measures exposure assessment and the restrictive measures they have to apply. 11.When deciding on the set of data to be screened according to the type of applicable restrictive measure, PSPs and CASPs should consider all data they hold about their customers, including information obtained: a. when applying customer due diligence measures pursuant to Union law and national law transposing Union law; and b. when complying with Regulation (EU) 2023/1113. 12.In compliance with requirements of Regulation (EU) 2023/1113, PSPs and CASPs should assess whether the data they hold is sufficiently accurate, up to date and detailed to enable them to determine if a party to the transfer, their beneficial owner or any person purporting or being authorised to act on their behalf is subject to restrictive measures. 13.To avoid repeated false alerts concerning a natural or legal person, entity or body that is not subject to restrictive measures but has been falsely identified as such by the existing screening
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 33 system, PSPs and CASPs may decide to include such persons on a specific internal list (whitelisting). The reasons for such a decision needs to be documented. PSPs and CASPs should review such a list immediately after a new or amended restrictive measure enters into force, or if the customer information has changed. 4.1.4 Screening the customer base 14.PSPs and CASPs should set out in their policies and procedures how they will screen their customer base. 15.PSPs and CASPs should screen their entire customer database regularly and determine the frequency of that customer screening based on their restrictive measures exposure assessment. 16.PSPs and CASPs should stipulate in an internal decision trigger events when screening of their customers should always take place and keep such decisions up to date. Trigger events should include at least: a. a change in any of the existing designations or restrictive measures, a new designation or the entry into force of a new restrictive measure; b. at customer onboarding or before a business relationship has been established; c. if significant changes in the customer due diligence data of an existing customer occur, such as change of name, residence, nationality or change of business operations; d. if reasonable grounds exist to suspect that the customer, or any person purporting or being authorised to act on behalf of the customer, is attempting to circumvent restrictive measures. 17.PSPs and CASPs should screen at least the following customer information, in line with the applicable restrictive measures: a. in the case of a natural person: a. the first name and surname, in the original and/or transliteration of such data; and b. date of birth. b. in the case of a legal person: the name of the legal person, in the original and/or transliteration of such data; c. in the case of a natural person, legal person, body or entity: any other names, aliases, trade names, wallet addresses, where available in the restrictive measures related lists. PSPs and CASPs should duly justify through the restrictive measures exposure assessment the choice of not screening such information when available. 18.When screening customers that are legal persons, natural persons, bodies or entities, PSPs and CASPs should, to the extent that this information is available, also screen: a. beneficial owners through ownership interest; b. beneficial owners through control;
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 34 c. any person purporting or being authorised to act on behalf of the customer. 4.1.5 Screening of transfers of funds and crypto-assets 19.Except in cases covered in Article 5d of Regulation (EU) No.260/2012, PSPs should screen transfers of funds before making the funds available to the payee, and CASPs should screen all transfers of crypto-assets before making the crypto-assets available to the beneficiary, whether they are carried out as part of a business relationship or as part of a one-off transaction. 20.PSPs and CASPs should screen all parties to transfers of funds or crypto-assets against applicable restrictive measures. PSPs and CASPs should pay special attention in their restrictive measures exposure assessment to the soundness and reliability of the restrictive measures policies and procedures put in place by PSPs and CASPs with which they are doing business to ensure compliance with restrictive measures. 21.All data that may be relevant for assessing whether a transaction could be affected by applicable restrictive measures should be screened against applicable restrictive measures. Data to be screened should include at least: a. information on the payer and payee pursuant to Article 4 of Regulation (EU) 2023/1113; b. information on the originator and beneficiary pursuant to Article 14 of Regulation (EU) 2023/1113; c. the purpose of the transfer of funds or crypto-assets and if information available and subject to restrictive measures exposure assessment, other free-text fields that provide further information on the actual sender/recipient of funds or crypto-assets; d. details of PSPs and CASPs involved in the transfer of funds or crypto-assets, including intermediate institutions, correspondents, with screening of identification codes such as BIC, SWIFT and other; e. other details of the transfer of funds or crypto-assets, depending on the nature, type of the operation, the supporting documentation received, if information available and subject to restrictive measures exposure assessment; f. wallet addresses of the originator and of the beneficiary of a transfer of crypto-assets, to the extent that this information is available in official lists of wallet addresses linked to restrictive measures. 22.In line with the provisions in Section 4.6 of the Guidelines EBA/GL/2024/11 on information requirements in relation to transfers of funds and certain crypto-assets transfers under Regulation (EU) 2023/1113 (‘The Travel Rule Guidelines’) any new information obtained subsequently, before or after executing the transfer, should also be screened.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 35 23.Where appropriate based on the volume and number of transfers of crypto-assets, CASPs should consider incorporating blockchain analysis for transaction monitoring purposes into the existing framework. 4.1.6 Calibration 24.PSPs and CASPs should determine how to calibrate the settings of an automated screening system to maximise alert quality and leading to unambiguous identification while ensuring compliance with restrictive measures. Based on their restrictive measures exposure assessment and regular testing, PSPs and CASPs should at least: a. define, for each applicable restrictive measure, the appropriate parameters of matching that is likely to generate a reasonable alert that allows the PSPs and CASPs to comply with their restrictive measures obligation, by checking the thresholds of true positive results associated with different percentages of matching. Calibration should be neither too sensitive, causing a high number of false positive matches, nor insufficiently sensitive, leading to designated persons, entities and bodies not being detected or freeformat information not used for other restrictive measures; b. use a screening system that allows for algorithm-based technique that can match one name or string of words, where the content of the information being screened is not identical, but its spelling, pattern or sound is a close match to the contents contained in a dataset used for screening (‘fuzzy matching’ techniques) and calibrate the degree of ‘fuzzy matching’ in their screening system. 25.PSPs and CASPs should decide on the calibration both before developing a new screening system and periodically, in line with their restrictive measures exposure assessment. They should document their rationale and make it available to competent authorities upon request. 4.1.7 Reliance on third parties and outsourcing 26.PSPs and CASPs should set out in their policies and procedures what action will be taken by the PSPs, CASPs, or by outsourced service providers to ensure compliance with applicable restrictive measures. For outsourcing of services, PSPs and CASPs, considering Guidelines EBA/GL/2019/02 where applicable3 , should apply the following key principles: a. the ultimate responsibility for compliance with restrictive measures, whether or not specific functions are outsourced, lies with the PSPs or CASPs; b. the rights and obligations of the PSPs or CASPs and of the service provider should be clearly allocated and set out in writing; c. the PSPs or CASPs relying on an outsourcing agreement should remain accountable for monitoring and overseeing the quality of the service provided by the service provider; 3 Guidelines EBA/GL/2019/02 on outsourcing arrangements.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 36 d. Intra-group outsourcing should be subject to the same regulatory framework as outsourcing to service providers outside the group. 27.PSPs and CASPs should put in place and apply the controls necessary to ensure that the use of outsourced service providers does not expose them to the risk of breaches of restrictive measures, and document those controls in the outsourcing agreement. 28.Where service providers should update data to be used by PSPs and CASPs concerning natural persons, legal persons, entities and bodies that are subject to applicable restrictive measures, PSPs and CASPs should ensure that a service agreement minimises the risk of breaches of restrictive measures by the PSPs or CASPs. 29.When outsourcing agreements are in place, PSPs and CASPs should carry out a regular control of compliance by the service provider with the duties arising from the agreement, assess the effectiveness of the services covered by an agreement and take any needed mitigating measures, including renegotiating the agreement. 30.Provisions of this section are without affecting duties and tasks of PSPs and CASPs on digital operational resilience as set out in Regulation (EU) 2022/25544 . 4.2 Due diligence and verification measures for alert analysis 4.2.1 Policies and procedures for the management and analysis of alerts 31.PSPs and CASPs should have in place policies and procedures to investigate alerts in relation to restrictive measures. These policies and procedures should enable PSPs and CASPs to confirm whether an alert is a true positive match and, if so, determine the action needed in order to comply with the applicable restrictive measure. 32.Such policies and procedures should include: a. steps for starting to investigate without delay all potential matches, for each transfer of funds or transfer of crypto-assets; b. rules following the general record-keeping policy of the PSPs and CASPs, for the documentation of any decision taken in respect of alerts; c. measures to comply with Section 4.2.2 of these guidelines; 4 Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance), OJ L 333, 27.12.2022, p. 1.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 37 d. different levels of review to be carried out in line with the restrictive measures exposure assessment, by implementing at least a review by two people in relation to higher exposure situations. 4.2.2 Due diligence measures for alert analysis 33.The alert generated by the screening system should indicate the element of the respective restrictive measure. Alerts should be analysed by staff members with the needed expertise and who are sufficiently trained5 . 34.When in doubt about the trueness of a match, PSPs and CASPs should use additional information they may hold and/or obtain to support the analysis of alerts to the extent that this information is available, such as: a. identification data of a natural person, legal person, entity or body that was not used at the screening stage; b. information on residence of natural person and information on seat or registered address of legal person, entity or body not used at the screening stage; c. information on nationalities, citizenships of natural persons not used at the screening stage; d. representative, management and organisational structure of legal persons not used at the screening stage; e. contact details not used at the screening stage. 35.PSPs and CASPs should set out in their policies and procedures how to deal with cases where it is not possible to conclude an unambiguous identification after additional due diligence, that a match is a true positive match, a false positive match or a situation of homonyms. PSPs and CASPs should refrain from providing financial services to a party to a transfer before coming to an informed decision. 4.2.3 Assessing whether an entity is owned or controlled by a designated person 36.PSPs and CASPs should set out in their policies and procedures how they will assess whether a legal person or entity is owned or controlled by a designated person or entity. 37.PSPs and CASPs should: 5 See Section 4.4 of Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 38 a. apply the criteria set out in EU Council Sanctions Guidelines6 and in Section VIII EU Council Best Practices7 to determine whether a legal entity is owned or controlled by another person or entity; b. apply the criteria used for the identification of a beneficial owner under the applicable legislation8 ; c. use available public sources of information, such as registers of owned and controlled entities and beneficial ownership registers. 38.If an assessment remains inconclusive, PSPs and CASPs should consider engaging with the national authority competent for the implementation of restrictive measures. The ultimate responsibility for complying with the restrictive measures lies with the PSPs and CASPs. 4.2.4 Controls and due diligence measures to comply with sectoral restrictive measures 39.PSPs and CASPs should take into account the restrictive measures exposure assessment when defining the types of controls they will apply to comply with restrictive measures. As part of this, PSPs and CASPs should determine what available information connected to a transaction will be screened. 40.PSPs and CASPs should pay particular attention to sectoral restrictive measures that are related to a specific jurisdiction or territory. Under such restrictive measures, PSPs and CASPs should screen all underlying information relating to the transfer of funds or crypto-assets to or from that specific jurisdiction or territory or to transfers of funds or crypto-assets initiated by customers who are known to conduct business in that specific jurisdiction or territory. To the extent that this is available, PSPs and CASPs should screen: a. information on the country (ies) of nationality, place of birth; b. information on the usual place of residence or principal place of business through other addresses, in line with the restrictive measures exposure assessment; c. information on the country to or from which the transfer of funds is carried out, where the transfer of funds is executed; d. purpose of the transfer of funds or crypto-assets and other free-text fields that provide further information on the goods, vessels, country of destination or country of origin of the goods for which the payment is made, in line with the restrictive measures exposure assessment. 41.If warranted by the restrictive measures exposure assessment, PSPs and CASPs should consider incorporating in their screening system geolocation tools and tools to detect the use of proxy services to identify and prevent IP addresses that originate from a country for which restrictive 6 https://data.consilium.europa.eu/doc/document/ST-11618-2024-INIT/en/pdf, Brussels, 2 July 2024, 11618/24 (update). 7 Update of the EU Best Practices for the effective implementation of restrictive measures (doc. 11623/24). 8 Article 3, point (6) of the Directive (EU) 2015/849.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 39 measures are taken because of a situation affecting this country from accessing the PSP’s and CASP’s website and services for an activity that is prohibited under restrictive measures regimes. 42.According to their restrictive measures exposure assessment, PSPs and CASPs may consider applying specific controls, such as: a. upon establishing business relations, acquiring the relevant information about the customer’s type of business and countries where the customer is conducting business; b. requesting additional information from the customer, such as a description of dual-use goods or any goods subject to sectoral restrictive measures, information about the appropriate licence for dealing with the dual-use goods, country of origin of the goods, information about the end user of the goods; c. requesting more detailed information from the customer about the purpose of a transfer of funds or crypto-assets; d. using the following data: shipping registers, real estate records and other publicly available datasets (where available). 43.Where PSPs and CASPs use features to automatically read information from documents associated with the transfer of funds or crypto-assets, such as optical character recognition algorithms or machine-readable zone verifications, they should take the steps necessary to ensure that these tools capture information in an accurate and consistent manner. 4.2.5 Due diligence measures to detect attempts to circumvent restrictive measures 44.PSPs and CASPs should stay informed of typologies and trends in the circumvention of restrictive measures. Relevant sources of information to which PSPs and CASPs should always refer include at least reports shared by: a. relevant national authorities competent for the implementation of restrictive measures9 and/or national supervisory authorities; b. FIUs and law enforcement authorities; c. relevant public-private partnerships on a national or EU level; d. EU authorities10 . 45.Due diligence policies and procedures should allow PSPs and CASPs to detect possible attempts to circumvent restrictive measures, such as attempts to: a. omit, delete or alter information in payment messages; 9 https://finance.ec.europa.eu/eu-and-world/sanctions-restrictive-measures/overview-sanctions-and-related-resources_en#contact. 10 See for example https://finance.ec.europa.eu/news/sanctions-commission-publishes-guidance-help-european-operators-assess-sanctions-circumvention-risks-2023-09-07_en.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 40 b. channel transfers through persons connected with a customer who is subject to restrictive measures; c. structure transfers of funds or crypto-assets to conceal the involvement of a designated party; d. conceal the beneficial ownership or control of assets; e. use counterfeited or fraudulent background documentation for the transfer of funds or crypto-assets. 46.PSPs and CASPs that are particularly exposed to the risk of being used for circumvention purposes should also consider carrying out an aggregated analysis of payment flows to or from countries subject to restrictive measures and countries known to be used to circumvent restrictive measures. 4.3 Freezing and reporting measures 4.3.1 Suspending the execution of transfers of funds and freezing funds 47.PSPs should have in place policies and procedures to suspend, without delay, operation triggering an alert of a possible match with a designated person or entity, or owned, held or controlled by a designated person or entity, or whose beneficial owner is a designated person. 48.If PSPs’ internal analysis of such alert confirms that the possible match is the designated person or entity, or owned, held or controlled by a designated person or entity, or whose beneficial owner is a designated person, PSPs should immediately: a. freeze the corresponding funds; b. stop the execution of transfer of funds that would be in violation of restrictive measures. 4.3.2 Freezing of transfers of crypto-assets 49.CASPs should have in place policies and procedures when an internal analysis of an alert confirms that the possible match is the designated person or entity, or owned, held or controlled by a designated person or entity, or whose beneficial owner is a designated person to immediately freeze and block the funds in a suspense account until the relevant national authority competent for the implementation of restrictive measures instructed the CASP on what action to take for those funds. The ultimate responsibility for complying with the restrictive measures lies with the CASP.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 41 4.3.3 Reporting measures 50.Under applicable Union and national requirements, PSPs and CASPs should have clear processes for reporting without delay, or within specified deadline, to the relevant national authority competent for the implementation of restrictive measures and/or to the competent supervisory authority: a. any action taken for a specific transfer related to a restrictive measure; b. the discovery of a violation of restrictive measures; and c. the execution of any transfers of funds or crypto-assets that violates an applicable restrictive measure by providing information on the circumstances, such as an incident in the functioning of the screening system in relation to such transfer. 51.When suspecting a possible circumvention of restrictive measures, or detecting an attempted transfer of funds or crypto-assets by or to a natural person, legal person, entity or body, PSPs and CASPs should: a. report it to the relevant national authority competent for the implementation of restrictive measures if specifically required in an EU Regulation on restrictive measures; b. file the suspicious transaction report if required under the applicable legislation. 4.3.4 Procedures for exemptions or when restrictive measures are lifted 52.PSPs and CASPs should have policies and procedures to determine whether exemptions, licence regimes or derogations apply, and if they apply, how to proceed, in order to comply with applicable Union law or national law. PSPs and CASPs should set out in their policies and procedures which information they will provide to customers who would like to request a derogation to use their frozen funds, if such derogation is allowed under the applicable legal framework. This information should include information about the customer’s rights in such a situation. 53.PSPs and CASPs should have policies and procedures in place that will stipulate action concerning funds and crypto-assets subject to specific restrictive measures once such a measure has been lifted. 4.4 Ensuring the ongoing effectiveness of restrictive measures screening policies, procedures and systems 54.To be effective, a PSP’s and CASP’s restrictive measures screening policies, procedures and systems should enable to: a. reliably detect positive matches; b. upon confirmation of positive matches, immediately suspend the execution of any fund transfers, block any incoming transfers and deposit them in a suspense account, freezing the funds or crypto-assets without delay and reporting such actions to the relevant
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 42 national authority competent for the implementation of restrictive measures for further instructions; c. report frozen assets to the relevant national authorities competent for the implementation of restrictive measures and/or to the competent supervisory authority as required by the applicable laws without delay or within deadlines stipulated by applicable Union law or national law; d. report suspicion of circumvention or attempt of circumvention of restrictive measures to the relevant national authority competent for the implementation of restrictive measures or the national FIU if required under the applicable legislation. 55.PSPs and CASPs should regularly test their screening system settings to determine whether the screening system remains appropriate in light of the PSP’s and CASP’s restrictive measures exposure assessment, and that it remains effective. PSPs and CASPs should determine the frequency of checks based on the restrictive measures exposure assessment and record them in their policies and procedures. 56.When testing their screening system, PSPs and CASPs should: a. test the calibration of the screening system as set out in Section 4.1.6; b. assess the accuracy of the list management with the use of applicable and up-to-date restrictive measures; c. assess whether all customers and transfers of funds and crypto-assets are being screened when required; d. assess the adequacy and relevance of the information fields used in the screening system, such as the scope of the transfers of funds or crypto-assets feeding into the screening system; e. assess the timeliness of the automatic suspension of operations; f. assess whether the processes and resources available for the analysis of alerts makes prompt reporting of true positive matches possible. 57.PSPs and CASPs should report significant weaknesses or deficiencies of the screening system to the management body and take corrective measures without delay.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 43 5. Accompanying documents 5.1 Cost-benefit analysis / impact assessment As per Article 16(2) of Regulation (EU) No 1093/2010 (EBA Regulation), any guidelines and recommendations developed by the EBA shall be accompanied by an impact assessment (IA), which analyses ‘the potential related costs and benefits’. This analysis presents the IA of the main policy options included in this Consultation Paper on the Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures under Regulation (EU) 2023/1113 (‘the Guidelines’). The IA is high level and qualitative in nature. A. Problem identification and background Restrictive measures are defined in the Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures and amending Directive (EU) 2018/1673. These measures are being developed by Member States, the EU or other international competent jurisdictions to, notably, safeguard EU values, maintain international peace and security, and consolidate and support democracy, the rule of law and human rights. However, this goal is hampered by the fact that these measures are not applied uniformly within the EU and this lack of uniformity can create situations where prohibitions are circumvented. In this context, the EBA was given one mandate11 by the European Commission. This new mandate is defined by Article 23 of Regulation (EU) 2023/1113 and requires the EBA to issue guidelines on internal policies, procedures and controls that PSP and CASP shall have in place to ensure the implementation of Union and national restrictive measures. B. Policy objectives Being addressed to both PSPs and CASPs, these Guidelines will create a common understanding, among PSPs, CASPs and their supervisors, of effective systems and controls to comply with restrictive measures and support the convergence of PSPs’ and CASPs’ practices. These Guidelines aim to create a common understanding, among financial institutions, of adequate policies, procedures and controls for the implementation of restrictive measures. C. Options considered, assessment of the options and preferred options 11 In July 2021, the European Commission published an AML/CFT package consisting of four legislative proposals. One of these proposals was the recast of the 2015 Transfer of Funds Regulation (TFR). The co-legislators reached a provisional agreement on the TFR on 29 June 2022. The EBA was given 10 legislative mandates. One of the new mandates is the mandate mentioned here.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 44 Section C. presents the main policy options discussed and the decisions made by the EBA during the development of the Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures. Advantages and disadvantages, as well as potential costs and benefits from the qualitative perspective of the policy options and the preferred options resulting from this analysis, are provided. Guidance on the choice of a screening system It is worth mentioning that financial institutions’ compliance with the restrictive measures is an obligation of results and not of means. Nevertheless, using a restrictive measures exposure assessment in the context of the choice of a screening system to ensure proportionality and effectiveness might be suitable and two options have been considered by the EBA in this regard: Option 1a: Adding guidance on basing the choice of a screening system on a restrictive measures exposure assessment Option 1b: Not adding guidance on basing the choice of a screening system on a restrictive measures exposure assessment A restrictive measures exposure assessment helps PSPs and CASPs to identify and assess where they are exposed to risks of non-compliance with restrictive measures and risks of circumvention of restrictive measures, based on their activities and customer base. This evaluation is thus a key and necessary element for effective compliance with the restrictive measures. Adding guidance on the consideration of the results of the restrictive measures exposure assessment when choosing a screening system would be beneficial for enhancing the institution’s ability to comply with restrictive measures. It will also ensure that the screening system is fit for purpose and proportionate to the institution’s business, and the complexity of its operations. This guidance would not only support PSPs’ and CASPs’ compliance efforts, but ultimately help to safeguard EU values, maintain international peace and security, and consolidate and support democracy, the rule of law and human rights. It is thus the EBA’s view that the potential costs incurred by financial institutions by adding guidance on the choice of a screening system based on the restrictive measures exposure assessment would be exceeded by the benefits. On these grounds, Option 1a has been chosen as the preferred option and the Guidelines will include guidance on basing the choice of a screening system on a restrictive measures exposure assessment. KYC information guidance for the financial list-based restrictive measures screening The screening of customers and transactions is the main control that PSPs and CASPs should have in place to be able to comply with restrictive measures. According to the views expressed by com-
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 45 petent authorities in the context of the 2023 EBA Opinion on ML/TF risks affecting the EU’s financial sector12, while most PSPs had screening systems in place, the quality of these systems was a major concern. Competent authorities reported that deficiencies in screening systems are common, with outdated or incorrect lists used and an overreliance on vendors’ screening systems and with a poor understanding of those systems by PSPs and CASPs. Many screening systems are not adequately calibrated, with an inadequate frequency of screening and only limited fuzzy matching. Competent authorities also reported weaknesses in the scope of screening, with not all customers being screened (such as occasional customers) or some transactions or products not covered (like cash deposits or crypto-assets deposits in customers’ accounts or ATMs), and some jurisdictions not included in the scope. In addition to that, during discussions held by the EBA with members of the Technical Expert Group on restrictive measures regimes (TEG-RMRs)13, most of these deficiencies were reported as being the main challenges for the PSPs and CASPs. As a result of the above, technical guidance on the screening system itself (choice of the screening system, screening of customers and transactions, calibration settings of the screening system) has been included in the Guidelines. Nevertheless, competent authorities also highlighted that the technical approach of the screening alone is not sufficient to ensure compliance with restrictive measures, and should be complemented by, notably, a strong related customers / beneficial owners process, and the EBA considered two options in this context for the Guidelines: Option 2a: Complementing the restrictive measures list-based approach guidance with due diligence measures (for customers and beneficial owners) related guidance Option 2b: Not complementing the restrictive measures list-based approach guidance with due diligence measures (for customers and beneficial owners) related guidance Customers / beneficial owners’ data are fed into the screening system where it is checked against the restrictive measures lists. Even if the screening system was technically sound, incomplete or mistaken customers / beneficial owners’ data would lead to inefficient and inaccurate outcomes. A basic example of this issue would be when the name of a customer is wrongly reported in the customer database or reported in an alphabet that is not the alphabet of the restrictive measures list. In this case, the screening system would not mark this customer name as a true positive match and the institution would not take the necessary actions to comply with the restrictive measures. Another example would be, in the case of missing an update of a customer’s shareholder structure, a new beneficial owner not being identified and thus not being screened. During the discussions held by the EBA with them, AML/CFT supervisors and members of the TEG-RMRs identified the quality of data as a challenge and agreed that guidance in this area would be appreciated. The related costs of obtaining the right data in the first place would be mitigated by the fact that the EBA foresees that PSPs and CASPs would face lower risks of breaching restrictive measures, hence a lower risk of being criminally charged for non-compliance. On the other side, the benefit would be the enhancement of the restrictive measures screening. Ultimately this will help to notably safeguard EU values, 12 EBA/REP/2023/18. 13 Technical Expert Groups created by the EBA AML.pdf (europa.eu).
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 46 maintain international peace and security, and consolidate and support democracy, the rule of law and human rights. Based on the above, Option 2a has been chosen as the preferred option and the Guidelines section on the restrictive measures list-based approach will be complemented with KYC (for customers and beneficial owners) related guidance. D. Conclusion The EBA has been given a mandate to develop Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures under Regulation (EU) 2023/1113. For PSPs and CASPs, the costs associated with the implementation of the Guidelines will be mitigated by the fact that the Guidelines will support them in their compliance with the restrictive measures, which should reduce the risk of breaching the Regulation and the related fine probability. Enhancing compliance with the restrictive measures will also help to safeguard EU values, maintain international peace and security, and consolidate and support democracy, the rule of law and human rights. These new Guidelines should achieve their objectives with acceptable costs.
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 47 5.2 Feedback on the public consultation The EBA publicly consulted on two sets of draft Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures. The consultation period lasted for 3 months and ended on 24 March 2024. In all, 21 responses were received, of which 17 were published on the EBA website. This section presents a summary of the key points arising from the consultation responses. The feedback table provides further details on the comments received, the analysis performed by the EBA triggered by these comments and the actions taken to address them, where action was deemed necessary. Where several respondents made similar comments or the same respondent repeated comments in the response to different questions, the comments and the EBA analysis are included where the EBA considers it most appropriate. The EBA made changes to the draft Guidelines as a result of the responses received during the public consultation. Summary of key issues and the EBA’s response Respondents welcomed the proposed Guidelines and commended the EBA for creating a common minimum standard for the internal procedural and control mechanisms of financial institutions concerning restrictive measures. They said that this will save costs related to potential fines for criminal offences for violation of restrictive measures. Respondents also identified points where the Guidelines could benefit from alignment with other standards, especially the following Level 1 texts that were adopted after the draft Guidelines were published:
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 48
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 49 However, the goal of AML/CFT and of restrictive measures policies, procedures and controls are different. As such, policies, procedures and controls to ensure the implementation of restrictive measures should be drafted according to the restrictive measures exposure assessment and cannot be only a subset of AML/CFT policies and procedures. Identifying the beneficial owner Seven respondents asked for clarification of the definition of beneficial owner. They wanted to know whether the definition from the AML framework with 25% threshold was used or the 50% threshold expected as in the restrictive measures context. The threshold of more than 50% is the relevant threshold, as explained in the 2024 update of EU Council Best Practices for the effective implementation of restrictive measures and the EU Council Sanctions Guidelines being updated in 2024. However, financial institutions should also identify persons who may be controlling the legal entity by other means than ownership interest, as detailed in the 2024 update of EU Council Best Practices for the effective implementation of restrictive measures. Interaction between a risk-based approach and a rules-based approach Eight respondents asked the EBA to clarify how the risk-based approach applied in the restrictive measures context. All natural and legal persons in the Union must ensure that they do not make funds or other assets available to designated persons or entities. The extent of the measures obliged entities take to comply with this requirement can be adjusted on a risk-sensitive basis, through a thorough assessment of exposure to applicable restrictive measures. Accordingly, these guidelines provide that restrictive measures policies, procedures and controls should be commensurate with the financial institution’s restrictive measures exposure, as determined through the restrictive measures exposure assessment. Interaction with Regulation (EU) 2024/886 Eleven respondents asked how these guidelines applied in relation to instant credit transfer payments. Regulation (EU) 2024/886, which was adopted after the consultation version of these guidelines was published, impose specific rules on the processing of instant payments. Prohibition of screening The Guidelines align with the requirements set out for the specific cases covered in Article 5d of Regulation (EU) No.260/2012. The first subparagraph of Article 5d point (2) of Regulation (EU) 2024/886 prohibits the screening of SEPA instant payment transactions against the EU targeted financial sanctions list. However, according to the second subparagraph of Article 5d point (2) of Regulation (EU) 2024/886, the prohibition of screening SEPA instant payment transactions is ‘without prejudice to actions taken by PSPs in order to comply with’ national restrictive measures,
GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 50 and EU restrictive measures that are not targeted financial sanctions. In addition, in its answer to question 166 in the Clarification of requirements of the Instant Payments Regulation14, the European Commission explains that if a financial institution needs to assess the possible ownership, management or control of instant credit transfer funds to a person or entity subject to targeted financial sanctions of the European Union, and if such a person or entity is indicated in the payment details and if it is not possible to verify the payment details concerned via the (at least) daily screening of information related to own clients, required by Article 5d(1), that checking of payment details for such purpose is not prevented by Article 5d(2), first subparagraph. Updating restrictive measures lists The two sets of Guidelines provide that institutions should update their lists of restrictive measures ‘as soon as they are published’. Five respondents asked that the guidelines clarify that an immediate update was unrealistic and suggested to use the term ‘as soon as is reasonably practicable’ instead. Article 5d point (1) of Regulation (EU) 2024/886 states that verifications take place ‘immediately after the entry into force’ of restrictive measures. The Regulation does not provide for a period of adjustment. The EBA Guidelines are therefore in line with Regulation (EU) 2024/886. 14 https://finance.ec.europa.eu/publications/clarification-requirements-instant-payments-regulation_en.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 51 Summary of responses to the consultation and the EBA’s analysis Summary of responses to the consultation and the EBA’s analysis Comments Summary of responses received EBA analysis Amendments to the proposals General comment Six respondents asked for a transition period, with some suggesting up to 24 months, to ensure the full implementation of those Guidelines by financial institutions. The application date of Regulation (EU) 2023/1113 is set to 30 December 2024, however a 12-month transition period will be put in place. Date of application amended. General comment Eight respondents asked for clarification of the relationship between a risk-based approach and a rules-based approach in the restrictive measures context. One respondent mentioned that there is no legal requirement to implement a risk-based approach. The risk-sensitive nature of a restrictive measures exposure assessment does not remove the rule-based obligation incumbent upon all natural or legal persons in the Union to freeze and not make funds or other assets available, directly or indirectly, to designated persons or entities. Para. 11 of Rationale and Impact assessments amended. General comment One respondent enquired why the Guidelines were not addressed to the whole financial sector. As the scope of application of the EBA own-initiative Guidelines is Directive 2013/36/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC, the Guidelines cannot be addressed to the whole financial sector, but only to financial institutions subject to those directives. No change. Responses to questions in Consultation Paper EBA/CP/2023/42 Guidelines EBA/GL/2024/14 2. Subject matter, scope and definitions General comment One respondent asked for clarification on whether Guidelines EBA/GL/2024/14 apply to all situations when a financial institution provides a service, and not just a transfer of funds. The scope of application of this set of Guidelines is not restricted to the provision of transfers of funds and crypto-assets, and applies in all situations when a financial institution provides a service under Directive 2013/36/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC. No change.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 52 Comments Summary of responses received EBA analysis Amendments to the proposals General comment Three respondents requested clarification on the definition of restrictive measures in the two sets of Guidelines. Four respondents requested changes to the definition of Sectoral restrictive measures in Guidelines EBA/GL/2024/15, as they are not only individual measures. Article 2 point (1) of Directive 2014/1226 confirms the definition already used by the EBA: ‘Union restrictive measures’ means restrictive measures adopted by the Union on the basis of Article 29 TEU or Article 215 TFEU. For better clarity, the definition of targeted financial sanctions, and the definition of sectoral restrictive measures were amended in Guidelines EBA/GL/2024/15. Definitions amended, in Guidelines EBA/GL/2024/15. 4.1 Governance framework and the role of the management body General comment One respondent asked to reflect the definition of management body, and in its supervisory function and its management function as in other EBA Guidelines on internal governance under Directive 2013/36/EU. The Guidelines are to be read in conjunction with other EBA Guidelines mentioned in Section 3. Background and Rationale. This list includes the Guidelines EBA/GL/2021/05 on internal governance under Directive 2013/36/EU, which provides a definition of the management body in its supervisory function and its management function. No change. Para. 4 and 11 point e Five respondents requested clarification on whether the restrictive measures strategy should emerge exclusively from the restrictive measures exposure assessment. Para. 2 provides that policies, procedures and controls should be proportionate to the size, nature and complexity of the financial institution and to its restrictive measures exposure. Para. 4 explains that the management body is responsible for approving the strategy for compliance with restrictive measures and should be aware of the exposure to restrictive measures. The strategy, stemming from the restrictive measures exposure assessment, feeds the design of policies, procedures and controls, which are proportionate to the size, nature and complexity of the financial institution. The EBA clarified that the strategy for compliance with restrictive measures informs the relevant policies, procedures and controls. Para. 4 amended. Para. 6 and 7 Three respondents asked for a definition of ‘parent undertaking’. Three respondents requested clarifications on the meaning of ‘group management body’. The Guidelines refer to Article 2 point (11) of Directive 2013/34/EU, which provides a definition of the parent undertaking of a group. Regarding the second comment, the EBA clarified that ‘group management body’ refers to the ‘management body of the parent company’. Para. 6 and 7 amended.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 53 Comments Summary of responses received EBA analysis Amendments to the proposals Para. 8 and 9 Two respondents asked how the management body should assess the effective functioning of the restrictive measures compliance function. The EBA underscores that, according to Article 88 of Directive 2013/36/EU, the role of the management body in its supervisory function is to assess the effectiveness of such a compliance framework, but not the effective functioning of the restrictive measures compliance function. Details are provided in Section 5.3 on effective restrictive measures policies and procedures. Para. 8 and 9 amended. Para. 9 Three respondents asked to clarify who and how to avoid conflict of interest. The Guidelines EBA/GL/2021/05 on internal governance under Directive 2013/36/EU provide principles on how to avoid conflicts of interest. No change. Para. 11 point g Four respondents asked for clarification on the culture of compliance with restrictive measures. As compliance with restrictive measures is a legal requirement, this provision was removed from the text. Para. 11 former point g deleted. Para. 11 point h One respondent asked for clarification on whether point h, where the outsourcing of operational functions of the compliance with restrictive measures complies with the EBA Guidelines on outsourcing arrangements, only refers to outsourcing outside the group. According to point 27 of the Background sections of the Guidelines EBA/GL/2019/02 on outsourcing arrangements, intragroup outsourcing should be subject to the same regulatory framework as outsourcing to service providers outside the group. No change (now point g). Para. 12 Five respondents asked for clarification on whether tasks apply to all entities of the group and for clarification on the meaning of ‘individual level’. ‘Individual levels’ has the same meaning as in the Guidelines EBA/GL/2021/05 on internal governance under Directive 2013/36/EU (Section 7 para. 83): the individual level refers to subsidiary level (parent undertakings and subsidiaries within the scope of prudential consolidation). Para. 12 amended. 4.1.3 The role of the senior staff member in charge of compliance with restrictive measures General comment Six respondents requested more details on the role of the senior staff member, and enquired whether this person can also be the AML compliance officer, or a risk compliance officer. Two respondents expressed that the appointment of a dedicated senior staff member for compliance with restrictive measures should not be mandatory to allow for a risk-based approach. The EBA clarifies that, to the extent that this is justified by the nature of the business of the obliged entity, including its risks and complexity assessed through the restrictive measures exposure assessment, and its size justify it, the functions of the senior staff member responsible for compliance with restrictive measures may be combined with other functions. Para. 14 amended. Para. 13 One respondent enquired about who assesses the suitability and knowledge of the senior staff member responsible for compliance with restrictive measures. In line with the Guidelines EBA/GL/2021/05 on internal governance under Directive 2013/36/EU, and as mentioned in para. 13, the management body ensures that the senior staff member responsible for compliance with restrictive measures has the required knowledge and understanding. No change.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 54 Comments Summary of responses received EBA analysis Amendments to the proposals Para. 15 One respondent asked to use the same wording as in the EBA Guidelines on policies and procedures for compliance management and the role and responsibilities of the AML/CFT Compliance Officer, by using ‘should’ rather than ‘may’. The EBA agrees with mirroring the wording of the Guidelines EBA/GL/2022/05 on policies and procedures for compliance management and the role and responsibilities of the AML/CFT Compliance Officer. Para. 15 amended. Para. 17 One respondent asked the EBA to clarify that the senior staff member responsible for compliance with restrictive measures can be considered unique at group level and appointed only at parent company level, according to para. 17. It is suggested to clarify that even for outsourcing of the function within the group, the figure of the Group Manager can be considered unique at group level and coinciding with the figure appointed to the entity to which the function has been outsourced. According to the Guidelines EBA/GL/2021/05 on internal governance under Directive 2013/36/EU, the management body of the parent financial institution is responsible. No change. Para. 18 One respondent asked further guidance on whether the policies, procedures and controls are approved by the senior staff member responsible for compliance with restrictive measures or should be approved by the management body as per para. 11 point c. As mentioned in Para. 11 point c, the policies, procedures and controls are approved by the management body.’ No change. Para. 19 c Six respondents reacted to para. 19 which provides a noncomprehensive list of information about which the senior staff member responsible for compliance with restrictive measures should inform the management body. Respondents indicated that some statistics are difficult to calculate or would duplicate other information. Specific statistical requirements may differ either between financial institutions, or between national authorities’ expectations. They requested simplifying it. In addition, it was requested to clarify that the activity report is an annual report. This specific part of the guidelines has been significantly revised and shortened. Para. 19. c amended. Para. 20 Two respondents asked whether the reference to intermediaries, distributors and agents implies that the review of relevant policies, procedures and control results would include an assessment of the effectiveness of the parties mentioned. Respondents recommended reducing the scope of this requirement to direct branches and subsidiaries, which are legally linked to the group. Financial institutions have to be aware of the legal risks in relation to compliance with restrictive measures to which they are exposed as a result of the distribution channels they use. No change.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 55 Comments Summary of responses received EBA analysis Amendments to the proposals 4.2 Conducting a restrictive measures exposure assessment Para. 23 Four respondents asked for more guidance on the calculation of ‘Likelihood’ to understand if the expectation is to define a level of coverage of the restrictive measures. The same respondents also requested clarification on the ‘impact’, whether there is a reference to economic impact. To determine geographic risk, one respondent asked whether there are published lists of countries often used for circumvention of restrictive measures. The violation of restrictive measures is a criminal offence, as per Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures. The likelihood of non-implementation and circumvention of restrictive measures is about ascertaining how likely it is, given the current operations and controls environment, in which this issue of a criminal offence occurs. Regarding the second comment, the prudential implications of restrictive measures on the risk management function encompass the need to assess the economic impact of restrictive measures on the risk profile of the financial institution. Regarding the third comment, there is no publication of country lists for sanctions, but the EU list of high-risk non-member countries can provide some elements in relation to circumvention of sanctions. Sources of information are listed in para. 24. No changes were applied on that point. No change. Para. 23 Regarding the determination of customer risk, five respondents requested clarification on the definition of beneficial owner in the restrictive measures context. One respondent noted that the requirement to assess geographic links of beneficial owners and shareholders, to countries linked to restrictive measures or circumvention of restrictive measures goes beyond KYC requirements. Four respondents explained that there is no legal requirement as part of the KYC to collect data on the sector the legal customers belong to, and suggested to delete this requirement. Regarding the first comment, the threshold of more than 50% is to be used to assess the ownership through ownership interest in the context of restrictive measures. When assessing beneficial ownership through other means, Section VIII of EU Best Practices for the effective implementation of restrictive measures updated in July 2024 provides detailed examples of such ownership through control. Regarding the second comment, as part of the assessment of geographical risk factors in KYC requirements, financial institutions must obtain information on nationalities and usual place of residence about natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted. No changes were applied on that point. Para. 23 amended.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 56 Comments Summary of responses received EBA analysis Amendments to the proposals One respondent suggested that the customer due diligence measures to implement restrictive measures are based on the KYC data gathered within the AML framework (No. 40 of EU Best Practices for the effective implementation of restrictive measures), so should not go beyond them. Two respondents recommended that the EBA add item iv to Section 4.2, para. 23(b) detailing identification of customer’s customer within the context of each particular transaction, where there exists a clear risk of sanction breaches or circumvention. Regarding the third comment, financial institutions must understand the nature of the customers’ business. No changes were applied on that point. Regarding the fourth comment, para. 40 of EU Best Practices for the effective implementation of restrictive measures clearly states that ‘In some instances, the Regulations imposing financial restrictive measures may create additional obligations on economic operators to “know their customers”.’ No changes were applied on that point. Regarding the fifth comment, there is no obligation to screen the customer’s customers in the context of customer due diligence. Para. 24 Three respondents suggested that financial institutions may incorporate the restrictive measures exposure assessment into their existing AML/CFT risk assessment. Four respondents enquired about the sources of information that should be used to make such an assessment, highlighting that points b. to d. are formulated too broadly, so that their scope and the actual sources to be used remain unclear. The assessment of risks of non-implementation and evasion of targeted financial sanctions can be part of the ML/TF businesswide risk assessment. However the scope of the Guidelines refers to restrictive measures, which are broader than just targeted financial sanctions. This means that a ML/TF risk assessment that complies with Regulation 2024/1642 may not be sufficient in the restrictive measures context. Regarding the second comment, sources quoted in c and d allow financial institutions to have flexibility in respect of their sources of information, with some examples quoted. No change. Para. 25 Three respondents asked whether the basis for retroactive screening is the entry into force of the restrictive measure, as financial institutions cannot reasonably suspect that their previous screening system was inadequate or ineffective whereas the sanctioned person was not sanctioned yet. Some respondents underscored that a decision should be made when a system-deficiency is found out and not when performing this annual risk assessment. The EBA confirms that a retroactive screening looks at past transactions after a new restrictive measures regime applies. More guidance on testing a screening system is available in para. 55 of the EBA Guidelines under Regulation (EU) 2023/1113. No change.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 57 Comments Summary of responses received EBA analysis Amendments to the proposals Para. 26 Seven respondents suggested providing a defined frequency to update the restrictive measures exposure assessment and have trigger events considered only if they significantly impact the risks. Two respondents expressed that the review of the restrictive measures exposure assessment before the launch of a new product delivery channel or new geographic area is being considered, is a very far-reaching requirement. The business-wide risk assessment shall be kept updated and regularly reviewed, including where internal or external events significantly affect the risks associated. Para. 26 does not require an institution to undertake a comprehensive restrictive measures exposure assessment at each trigger event, but mentions that the restrictive measures exposure assessment should be reviewed, and only if necessary, updated. Examples of significant changes are provided in point a of para. 26 and an annual update was implemented. Regarding the second comment, financial institutions should, before the launch of new products, services or business practices, identify and assess, in particular, the related money laundering and terrorist financing risks, so the EBA will make no change. Para. 26 amended. Para. 27 and 29 Four respondents stated that requirement in para. 29 appears to conflict with para. 27, and asked for clarification on whether each entity in a group should perform its own restrictive measures exposure assessment based on a common methodology or whether a group-wide restrictive measures exposure assessment should be carried out. Given the variety of client, sector and restrictive measure exposure profiles across the EU, respondents underscored that the common methodology should allow for divergence at a local level within each assessment pillar, e.g. customer risk, product and services risk. The EBA agrees that a common methodology should allow for proportionality. The EBA deleted para. 27 and clarified in para. 29 that the group management body receives and aggregates this exposure assessment from all entities of the group. Para. 27 deleted and para. 29 (now 28) amended. 4.3 Ensuring the ongoing effectiveness of restrictive measures policies, procedures and controls General comment One respondent noted that further guidance in relation to expectations arising as a result of sectoral or other non-listbased restrictive measures would be helpful. The EBA acknowledges that requirements of all restrictive measures regimes would be taken into account, and not only lists of targeted financial sanctions. Para. 31. b was amended accordingly. In addition, Section 4.2.4 of the set of Guidelines under Regulation (EU) 2023/1113 provides details on Controls and due diligence measures to comply with sectoral restrictive measures. Para. 31 b (now 30 b) amended.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 58 Comments Summary of responses received EBA analysis Amendments to the proposals Para. 30 and 31 point b Eight respondents underscored that an immediate update of lists of restrictive measures ‘as soon as they are published’ was unrealistic, given the technical and personnel restrictions, including labour law, for list updates that are published late at night or on/over week-ends and bank holidays. Respondents suggested to use the term ‘as soon as is reasonably practicable’ instead. The Instant Payments Regulation. Article 5d point (1) of Regulation (EU) 2024/886 states that verifications take place ‘immediately after the entry into force’ of restrictive measures. No change. Para. 31 One respondent stated that the list of processes and procedures might be excessive for financial institutions with very low or limited exposure. Para. 2 provides that policies, procedures and controls should be proportionate to the size, nature and complexity of the financial institution and to its restrictive measures exposure. No change. Para. 31 point f and Para. 32.a of Guidelines EBA/GL/2024/15 Six respondents suggested to add ‘starting’ between swiftly and investigating to address cases which require more time for the investigations to be closed pending the acquisition of necessary information and documentation as necessary. The EBA agrees with the suggestion and amended the two sentences in the two sets of Guidelines. Para. 31 point f (now 30 f) and Para. 32 a (now 31 a) of Guidelines EBA/GL/2024/15 amended. Para. 31 point g Two respondents asked to add the rejection of a transactions and define rejection and suspension, with some suggestions made. Regarding the requirement to report to authorities, six respondents suggested to replace ’without delay’ with ‘within the timelines specified by national competent authorities or the applicable restrictive measures regulation’. Three respondents asked to clarify whether the expectation is for a report to be made to a relevant authority as soon as a possible match is identified or only after such match is identified as a positive match. Point g of para. 31 refers only to true positive matches, so the EBA agrees to add a reference to the rejection of transfers. The EBA removed the reference to suspension of transaction, which is relevant for further investigation of potential matches and referenced in point f of para. 31. However no definitions were added as freezing is already defined in Article 2 point (5) of Directive 2024/1226 and rejection and suspension follows Regulation (EU) 2023/1113. Para. 31 is in line with para. 47 and para. 53 of the set of Guidelines under Regulation (EU) 2023/1113. Regarding the second comment, the EBA agrees with the suggestion and amended the Guidelines accordingly, similar to the amendments made in para. 49 and para. 53 c of Guidelines EBA/GL/2024/15. Regarding the third comment, the EBA confirms that only confirmed positive matches are to be reported. Para. 31 (now 30) amended. Guidelines EBA/GL/2024/15 under Regulation (EU) 2023/1113 2. Subject matter, scope and definitions
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 59 Comments Summary of responses received EBA analysis Amendments to the proposals General comment Two respondents asked whether other services provided by PSPs such as technical services supporting the provision of payment services without entering into possession of the funds to be transferred, or card payments schemes’ infrastructure are out of scope of the Guidelines. According to Art 2 point (3) subparagraph (b) of Regulation (EU) 2023/1113, the Regulation does not apply to transfers of funds carried out using a payment card, provided that the number of that card, instrument or device accompanies all transfers flowing from the transaction. No change. General comment Six respondents noted that the definition of sectoral restrictive measures is not clear as to the scope of the sanctions intended to be covered and suggested deleting ‘against individually designated persons and entities’. The EBA amended the definition accordingly. Definition amended. General provisions Para. 1 One respondent suggested possibly integrating the ‘restrictive measures exposure policies and procedures’ in the same policies and procedures dedicated to AML/CFT. The assessment of risks of non-implementation and evasion of targeted financial sanctions can be part of the ML/TF businesswide risk assessment. However the mandate of the Guidelines refers to restrictive measures, which are broader than just targeted financial sanctions, so business-wide ML/TF risk assessment may not be sufficient to capture all risks relating to restrictive measures. In addition, the goal of AML/CFT and of restrictive measures policies, procedures and controls are different. As such, policies, procedures and controls to ensure the implementation of restrictive measures should be drafted according to the restrictive measures exposure assessment and cannot be only a subset of AML/CFT policies and procedures. No change. 4.1.1 Choice of screening system General comment and Para. 4 Three respondents requested clarification that there is no need to change the whole screening system after each exposure assessment. Respondents suggested that the restrictive measures exposure assessment could help identify any weaknesses in the current screening systems. The EBA does not imply that each review of the restrictive measures exposure assessment should imply the change of the whole screening system. Paras. 54 and 55 provide guidance for PSPs and CASPs to review the performance of the screening system, in line with the updated restrictive measures exposure assessment. Para. 4 amended. Para. 7 One respondent noted that the system’s capabilities and limitations are already to be documented under Regulation (EU) 2022/2554 (DORA). According to Article 3 point (7) of Regulation (EU) 2022/2554 a screening system is considered an ‘ICT asset’, which means a software or hardware asset in the network and information systems used by the financial entity. According to Article 8 point (4), Para. 7 amended.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 60 Comments Summary of responses received EBA analysis Amendments to the proposals financial entities shall identify all information assets and ICT assets and shall map the configuration of the information assets and ICT assets. According to Article 8 point (5), financial entities shall identify and document all processes that are dependent on ICT third-party service providers. The EBA agrees to add a reference to Regulation (EU) 2022/2554. Para. 8 One respondent asked for more granularity and suggested that policies and procedures should also outline specific lists to be implemented, document the procedures of working with the lists and their application, taking into account the products or services involved and locations where the products or services are offered to the customers. Para. 9 provides guidance on the goal of policies and procedures to manage lists. No change. Para. 8 Two respondents asked for greater clarity around the use of the term ‘international restrictive measures’, suggesting that the guidelines should specify the principles under which institutions may apply lists of international sanctions (e.g. USA, UK) that are not directly applicable in EU territory. The EBA agrees to clarify the paragraph with a reference to restrictive measures applicable to a financial institution, bearing in mind that applicable national restrictive measures could also include non-EU countries. Para. 8 amended. 4.1.2 List management Para. 9 point b. One respondent asked how the delay of update of lists should be understood, whether with respect to the date of publication in the EU Official Journal or with respect to the availability of the xml. file. Article 5d point (1) of Regulation (EU) 2024/886 states that verifications take place ‘immediately after the entry into force’ of restrictive measures, which means the date mentioned in the EU Official Journal. This is confirmed in answer to question 161 in the Clarification of requirements of the Instant Payments Regulation28. The EBA proposes to use the same wording as that in the Instant Payments Regulation. Para. 9 amended. 4.1.3 Defining the set of data to be screened General comment One respondent asked to clarify that according to Section 4.1.3, PSPs are required to define in their policies and procedures the types of data they will screen for each type of restrictive measure. However, Section 4.1.4, paras. 17-18, then sets out the information that must be screened. Para. 17 and 18 list the type of basic data to be screened when screening customers, relevant either for natural persons or for legal persons, specifying that those data should be screened according to the type of applicable restrictive measures, which is in line with Section 4.1.3. The objective of Section 4.1.3 is to No change. 28 https://finance.ec.europa.eu/publications/clarification-requirements-instant-payments-regulation_en.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 61 Comments Summary of responses received EBA analysis Amendments to the proposals require the financial institution to determine and document which data categories should be screened against to ensure that the screening results provide the most accurate results. Para. 11 One respondent noted that the term ‘all data’ is too general. Respondent enquired whether it meant only the data saved in the database or also additional data, e.g. organisational charts provided by the client that are not machine readable or filed systematically. The paragraph refers to all data held by the PSP or CASPs on their customers, including the data collected under the applicable AML/CFT legal framework. No change. Para. 11 point b One respondent stressed a technical limitation for CASPs to screen transactions effectively if the data received is not accurate. If there is a big delay in transaction information, CASPs perform the transfer and then perform the screening retrospectively, as real-time screening is also dependent on the timing of when a CASP gets the data from a third party. The paragraph refers to the data to be screened and does not provide any information on the timing of the screening. This timing is addressed in Guidelines 4.1.4 and 4.1.3. No change. Para. 12 One respondent explained that data collection obligations concerning counterparty customers going beyond Regulation (EU) 2023/1113 should be avoided. However, the beneficiary information required under Article 14/2, i.e. name, distributed ledger address and crypto-asset account number, often proves insufficient for reliably assessing whether the beneficiary is subject to restrictive measures. Respondent suggested that CASPs should have the discretion to gather additional information from their own customers, without the obligation to send or receive this additional information to/from the counterparty CASP. Two respondents suggested to insert ‘reasonably’, given that the volume of targets within the population is such that financial institutions should be expected to have the data to enable them to reasonably determine that the person is subject to restrictive measures. The EBA clarifies that when the counterparty customer information collected in compliance with Regulation (EU) 2023/1113 is insufficient for effective compliance with restrictive measures, PSPs and CASPs should follow the guidance under para. 22. Regarding the second comment, guidance is provided in Section 4.2 on Due diligence and verification measures for alert analysis. No change. Para. 12, para. 16 point b. iii. and para. 18 point b Three respondents asked for a definition of proxy, three respondents asked for the meaning of person known to be connected with the customer and five respondents asked for clarification on the meaning of ‘persons authorised to act on behalf of the customer’. The EBA will use the terminology in line with the Update of the EU Best Practices for the effective implementation of restrictive measures from July 2024. Para. 12, 16 and 18 amended.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 62 Comments Summary of responses received EBA analysis Amendments to the proposals Para. 13 Three respondents explained that white lists are automatically reviewed so no manual review would be needed. Three respondents asked to replace ‘immediately’ by without undue delay or as soon as is practicable. The current drafting of the paragraph does not require only a manual review and does not preclude an automatic review. Regarding the second comment, as explained for para. 9, Article 5d point (1) of Regulation (EU) 2024/886 states that verifications take place ‘immediately after the entry into force’ of restrictive measures. This is confirmed in the answer to question 158 of the Clarification of requirements of the Instant Payments Regulation29. Any time elapsed between the entry into force of a new or amended targeted financial restrictive measure and verification of own clients should be as short as possible to ensure compliance of PSPs with their obligations under the EU Council Regulations adopted in accordance with Article 215 TFEU, which impose the ‘obligation of result’ and are in most cases applicable on the day of their publication in the Official Journal. PSPs are expected to change and, to the extent possible, automate their internal processes as necessary to make this time gap the shortest period possible. The policy expectation for the acceptable duration of this time gap is represented by the use of the notion ‘immediately’ as opposed to ‘as soon as possible’ or ‘without undue delay’. Para. 13 amended. 4.1.4 Screening the customer base Para. 16 Three respondents noted that both a) and b) appear to be applicable to ‘all’ customers – rather than only the first and asked for clarification on why a distinction was made between the scenarios. Two respondents underscored that there is no system for customer screening before making a transfer, as the screening of customer is done before onboarding and on an ongoing basis as per point ii) and a.) Both points a and b of para. 16 refer indeed to trigger events that are relevant to all customers, so the EBA clarified accordingly. Regarding the second comment, the EBA acknowledges that screening of customers before a transfer is carried out as part of the screening of transaction, so this point b. i was amended. Para. 16 amended. 29 Clarification of requirements of the Instant Payments Regulation - European Commission (europa.eu).
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 63 Comments Summary of responses received EBA analysis Amendments to the proposals Para. 17 One respondent asked for the EBA to confirm its expectations for screening any third parties involved in the transaction, such as any independent beneficiaries. The respondent noted that access to information concerning unrelated third parties might be difficult to obtain. Eleven respondents explained that international targeted financial lists do not contain the names in the original format (for instance in Chinese letters) but rather in Latin letters. Financial institutions are not able to identify all varieties/transcriptions of customer names and can only rely on the varieties indicated in official sources (e.g. identity document, extract from the register). Six respondents expressed divergent views regarding the screening of date of birth. Half of the respondents explained that screening the date of birth on its own would generate a massive number of false positives in the screening tools. However, those respondents confirmed they use the date of birth in order to validate or discard a screening match. Other respondents explained that the date of birth is used with the name at the beginning of the screening stage. Respondents suggested it should be left to the PSPs/CASPs to decide whether to take the date of birth into account during the screening process or to manually check it during alert handling. Four respondents explained that a requirement to screen aliases, without clarifying what weak or low-quality aliases are, would lead to a significant increase in false positives with no benefit for the objective pursued. Respondents suggested a risk-based approach for screening of aliases, i.e. whether to screen weak or low-quality aliases or not. Similarly, respondents suggested to provide an exception where This paragraph refers only to the screening of customers, and not to the screening of transactions and the relevant parties involved in a transaction. However, para. 18 provides guidance on the persons to be screened as part of the customer screening. No change was applied on that point. Regarding the second comment, the EBA agrees that recording the screening of transliteration is not a mandatory requirement and should be carried out only if available. The text was amended accordingly. Regarding the third comment, the EBA clarifies that the word ‘and’ at the end of subparagraph a of point a means that the screening of the date of birth is not carried out in isolation, but with the screening of the first name and surname. No change was applied on this point. Regarding the fourth comment, the EBA clarifies that PSPs and CASPs can choose not to screen information in point c of para.17 if duly justified through the restrictive measures exposure assessment. This means that the reasons for the decision are clearly stated and are justified (including with testing) and relevant risks that arise from such a decision are outlined. This point was amended accordingly. No change.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 64 Comments Summary of responses received EBA analysis Amendments to the proposals common short names or three-letter acronyms generate high volumes of false matches. Para. 18 Four respondents asked to clarify whether ‘available’ in this context is intended to mean available via the annexes of restrictive measures regulations or via another source. Respondents suggested to amend by ‘available as a consequence of the application of the financial institution’s customer due diligence measures, in compliance with the provisions of Article 13 of Directive (EU) 2015/849’. Seven respondents asked for clarification of the definition of beneficial owner, to know whether the definition from the AML framework with 25% threshold was used or the 50% threshold is expected as in the restrictive measures context. Six respondents suggested to replace ‘persons connected to the customer’ with ‘persons controlling the customer’, with a confirmation of the criteria for assessing control. The use of ‘within the management or ownership structure’ would introduce a new, more onerous, standard. This paragraph refers to the information available as part of the financial institution’s customer due diligence measures. Regarding the second comment, the threshold of more than 50% is to be referred to as explained in the 2024 update of EU Council Best Practices for the effective implementation of restrictive measures and the EU Council Sanctions Guidelines being updated in 2024. Regarding the third comment, former point c of para.18 refers to persons who may be controlling the legal entity by means other than ownership interest, as detailed in the 2024 update of EU Council Best Practices for the effective implementation of restrictive measures. Para. 18 amended. Para. 19 Three respondents asked why only the address of the beneficiary should be screened. One respondent mentioned its appreciation of the reference ‘to the extent that this information is available’ in para. 19, as not every address is available. The EBA agrees that both the address of the customer and the beneficiary should be screened, to the extent that the information on wallet addresses is available in the restrictive measures. The requirement to screen the customer’s wallet address was included in para. 17 on screening customers and added in para. 22 on screening transfers of crypto-assets. Para. 17 and 22 (now 21) amended. Para. 19 deleted. 4.1.5 Screening of transfers of funds and crypto-assets Para. 20 Eleven respondents asked for clarification of the scope of applicability of these guidelines in relation to instant credit transfer payments, as the first subparagraph of Article 5d point (2) of Regulation (EU) 2024/886 specifically prohibits the screening of SEPA IP transactions against the EU sanctions list. The Guidelines align with the requirements set out for the specific cases covered in Article 5d of Regulation (EU) No 260/2012. According to the second subparagraph of Article 5d point (2) of Regulation (EU) 2024/886, the prohibition of screening SEPA instant payment transactions is ‘without prejudice to actions taken by PSPs in order to comply with’ national restrictive Para. 20 (now 19) amended.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 65 Comments Summary of responses received EBA analysis Amendments to the proposals measures and EU restrictive measures that are not targeted financial sanctions. In addition, answer to question 166 in the Clarification of requirements of the Instant Payments Regulation30 explains that if a financial institution needs to assess the possible ownership, management or control of instant credit transfer funds to a person or entity subject to targeted financial sanctions of the European Union, and if such a person or entity is indicated in the payment details and if it is not possible to verify the payment details concerned via the (at least) daily screening of information related to own clients, required by Article 5d(1), that checking of payment details for such purpose is not prevented by Article 5d(2), first subparagraph. Para. 20, para. 21 and 22 point a Six respondents argued against the screening of all transfers, saying that some exemptions were envisaged in several national legislation not to screen domestic transfers. Respondents suggested amending the obligation so the need for intra-EU screening is based on technical feasibility and the results of the exposure assessment. Respondents noted that while screening ‘all parties to transfers of funds’ is universally accepted as being necessary for cross-border payments (e.g. via the SWIFT system), this requirement is not appropriate for domestic or intra-EU payments. The EBA clarifies that very few EU Member States provide, in line with a risk assessment carried out at national level, clear requirements not to screen some specific national transactions. There is no risk assessment of all kinds of intra-EU transfers of funds that would prohibit the screening of all intra-EU transfers of funds. However, Regulation (EU) 2024/886 prohibits the screening of some specific intra-EU transactions (Article 5d(1)).
No change. Para. 20 Two respondents explained that CASPs cannot screen transfers before completion when a CASP is on the receiving end. Due to the immutability of the blockchain network, it is technically impossible to screen incoming crypto-asset transfers before their execution. While there are technical capabilities to screen the mempool (the queue of transactions yet to be executed on the bitcoin blockchain), this entails numerous complexities and often does not provide certainty. The best effort in the sector will therefore likely result in segregation of assets until information is received to screen all parties. The EBA agrees that there are technical limitations and amends the Guidelines by replacing ‘completion’ with ‘making the funds available’, in line with Regulation (EU) 2023/1113. Para. 20 (now 19) amended. 30 https://finance.ec.europa.eu/publications/clarification-requirements-instant-payments-regulation_en.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 66 Comments Summary of responses received EBA analysis Amendments to the proposals Para. 21 and 22 point c One respondent asked for clarification regarding the responsibilities of individual types of PSP participating in the implementation of the transaction. Regardless of the role a PSP plays in a given transaction, each PSP should recognise and evaluate the risks and controls used by the PSP with which it has a direct relationship. One other respondent on 22.c explained that, considering that all intermediaries are supervised entities required to comply with the same sector regulations, it would be too onerous and ineffective to include the intermediary institutions, correspondents, with screening of identification codes such as BIC, SWIFT and others. According to Regulation (EU) 2023/1113, compliance is the responsibility of the payer’s PSP, the IPSP and the payee’s PSP. Each PSP should recognise and evaluate the risks and controls used by the PSP with which it has a direct relationship. Each PSP should also screen details of the PSP with which it has a direct relationship. No change. Para. 22 Six respondents explained that the mandatory screening of purpose of fund transfer would be too burdensome, claiming that the informative value is often low. Respondents also explained that screening free-text fields which are broadly used across the industry like, standardised codes would lead to a significant increase in false positives. Some respondents suggested that as this free-text information is not always mentioned in payment messages, it should be screened only when provided. Respondents suggested a risk-based approach to screening free-text fields. Three respondents asked for more specific guidance relevant to different types of transactions, such as elements to screen in a trade transaction or an FX settlement. Three respondents explained datasets listed in points b) and d) are not required under Regulation (EU) 2023/1113. They suggested that the supplementary information could then be used to support the analysis of alerts in instances where doubt arises regarding the accuracy of a match, in line with para. 34 of the Guidelines. The EBA acknowledges that information on screening purpose (c) and other details (e) of the transfers, para. 22 are not mandatory information required under Regulation (EU) 2023/1113. However all fields that may be relevant for assessing whether the transaction is affected by restrictive measures should, at least, be compared against the entries in the restrictive measures list or package. The EBA amended those two points to clarify that it is subject to the availability of the information available and subject to the restrictive measures exposure assessment. This is now also in line with para. 39. Regarding the second comment, financial institutions should through their risk exposure assessment understand which elements are relevant to assess, whether a certain type of transaction is affected by restrictive measures. Some guidance is available in Section 4.2.4 on Controls and due diligence measures to comply with sectoral restrictive measures. Regarding the third comment, the EBA agrees with the suggestion. Para. 22. (now 21) amended.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 67 Comments Summary of responses received EBA analysis Amendments to the proposals Para. 23 Four respondents questioned introducing a data validity requirement into sanction screening and how this requirement can be reconciled with the requirement of Article 4 of Regulation (EU) 2023/1113 which limits the information that is strictly required to be present in intra-EEA transactions. Respondents also noted the need to determine the institution's responsibility in terms of pre-transaction and postfactum screening to ensure reliable fulfilment of such an obligation. Other comments suggested that the Guidelines should require a follow-up and reporting on any info obtained subsequently, and how to provide notifications about such situations (e.g. processing a transaction for which a violation of sanctions was established as a result of post-trade monitoring). Two respondents noted that if the PSP doesn't send information about the transfer, CASPs won't receive it, relying solely on beneficiary details they already have. Despite this, CASPs can't technologically reject the transfer: any refusal would still lead to a refund or a new outgoing payment from the CASPs’ crypto address, even if they choose to for reasons like blockchain analysis or internal risk assessment. The paragraph does not introduce a data validity requirement, in line with requirements under Regulation (EU) 2023/1113, but instructs institutions to screen all information obtained, whether before or after the transfer is executed. This point was clarified accordingly in the text. Regarding the second and third comments, the paragraph does not provide guidance on the liability as the provisions of Regulation (EU) 2023/1113 apply. Para. 23 (now 22) amended. Para. 24 One respondent suggested expanding to consider know your transaction (KYT) and blockchain analysis more fully. KYT analysis software is not limited only to transaction monitoring, but may also undertake wider social and environmental screening. This paragraph refers to a technical specificity for CASPs. The Guidelines are technology neutral regarding the monitoring of transfers of funds and advise PSPs to carry out a full analysis for ongoing monitoring requirements, whether through KYT analysis software or other options. No change. 4.1.6 Calibration Para. 25 Six respondents noted that the Guidelines seem to primarily focus on name screening and would like to highlight the possibility of including more data fields. Some respondents however underscored that fuzzy matching is not appropriate for all fields such as Bank Identifier Codes. In addition, The EBA clarifies that fuzzy matching can be applied to all freeformat information, whether for targeted financial sanctions or sectoral restrictive measures. The EBA confirms that only exact Para. 25 (now 24) amended.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 68 Comments Summary of responses received EBA analysis Amendments to the proposals respondents explained that not all screening systems use a screening tolerance that is expressed in percentages. Two respondents asked to define true positive and alert quality. matching can apply for structured identifiers (such as ISO country codes, BICs, LEIs). The EBA clarified in the text that the screening tolerance is not always expressed in percentages. Regarding the second comment, the EBA clarifies that a screening system should not only alert on exact match (when an alert is generated if the system is presented with data that exactly matches a data in the screening list), but also when certain manipulations are made. A true positive match refers to an unambiguous identification. 4.1.7 Reliance on third parties and outsourcing Para. 27 Three respondents explained that intra-group outsourcings do not always present the same risks as third party outsourcings given the specifics of an intra-group relationship. Respondents suggested that institutions may adapt the level of requirements that are applied to intra-group outsourcings to take account of the group nature of the relationship. One respondent suggested that current text in para. 27 point b refers instead to existing Guidelines and legislation, such as DORA. According to para. 27 of the Guidelines EBA/GL/2019/02 on outsourcing arrangements, intra-group outsourcing is subject to the same regulatory framework as outsourcing to service providers outside the group. Regarding the second comment, the EBA added in a new para. 30 a reference to Regulation (EU) 2022/2554, but kept the key principles listed in the Guidelines. Para. 27 (now 26) amended and new para. 30 4.2.1 Policies and procedures for the management and analysis of alerts Para. 32 point a One respondent suggested to replace steps for processing an alert ‘without delay’ by ‘without undue delay’. The EBA aligned the wording with the redrafting of para. 31 point f of the Guidelines EBA/GL/2024/14. Para. 32 amended. Para. 32 point d and Para. 33 Nine respondents explained that the four-eye principle is relevant to higher-risk cases, but believe it is disproportionate for dismissing obvious false or for small financial institutions. Respondents suggested adding ‘or other quality assurance measures’ after ‘two people’, or providing for the intervention of a person after an initial exclusively automatic check to make clear it is just being given as an example and is not an expectation. In para. 33 one respondent The EBA agrees to offer more proportionality with the restrictive measures exposure assessment, and clarified that the review by two people should be carried out in higher exposure situations. Regarding the comment in para. 33 about the ‘trained staff’, this sentence refers to the adequate expertise and skills of staff working on the analysis of alerts. The paragraph was clarified. Para. 32 and 33 amended.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 69 Comments Summary of responses received EBA analysis Amendments to the proposals suggested that only serious alerts would need to be reviewed by trained staff, or CASPs could alternatively use a risk-based approach to decide when reviews by trained staff are needed. 4.2.2 Due diligence measures for alert analysis Para. 34 Two respondents suggested replacing ‘may hold’ with ‘may hold and/or obtain’ in order to reduce the number of rejections due to insufficient information. One respondent asked for clarification on the ‘not used at screening stage’, explaining that most of the time, false positives are identified by staff using data screened during the screening stage, but not properly used because of fuzzy matching. The EBA agrees to clarify that additional information can be obtained, as it is in line with Regulation (EU) 2023/1113 and the Guidelines EBA/GL/2024/11 ‘Travel Rule Guidelines’. The paragraph refers to information not used at the screening stage, but the intention is to use all information available so PSPs and CASPs can use information they have several times. Para. 34 amended. Para. 35 One respondent asked to clarify to whom (‘to person’) one should refrain from providing financial services: in customer screening it means the person who is the target of the alert, but in transaction alerts, there are more than one person involved. Eight respondents explained that such interim freezing of assets and rejection of processing payment instructions if there is insufficient information should be set forth in legal EU requirements in order to prevent (civil) liability for financial institutions. It would considerably slow down processing of funds given the high number of false positives generated by the screening tools. Some respondents suggested that the guidelines recognise that firms need to weigh the risks of continuing to proceed with providing services while investigating whether a match is a true positive. Two respondent asked to replace ‘to conclude with certainty’ as CASPs are not enforcement institutions. It is merely possible for them to conclude ‘with utmost care’ instead of ‘with certainty’. The EBA acknowledges that in the case of screening of transaction, the person can be either parties of a transfer. The text was amended accordingly. Regarding the second comment on the suspension of transactions, this requirement is a tool to protect the PSP or CASPs from providing funds to a designated person or entity and avoid the risk of non-implementing restrictive measures. Regarding the third comment, the paragraph refers to a situation when it is not possible to decide whether it is an unambiguous identification or not. Para. 35 amended.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 70 Comments Summary of responses received EBA analysis Amendments to the proposals 4.2.3 Assessing whether an entity is owned or controlled by a designated person Para. 37 Regarding para. 37, two respondents asked that in order to assess whether an entity is owned or controlled by a designated person, PSPs should apply the criteria referred to in (a), and not the criteria under the AML/CFT framework to identify beneficial owners as referred to in (b). Respondents asked to clarify whether criteria listed in para. 37 apply in the alternative or cumulatively. One respondent explained that the requirement to consult relevant beneficial owners registers brings no added value as beneficial owners are already determined and regularly updated as part of the KYC required under the AML framework. Another respondent underscored that access to beneficial owner registers differs from one MS to another. The paragraph refers to the different possibilities of owning and/or controlling a legal entity without an ownership interest. Both the 2024 update of EU Council Best Practices for the effective implementation of restrictive measures and the EU Council Sanctions Guidelines being updated in 2024 provide a list of detailed criteria to take into consideration. Regarding the second comment on the use of beneficial ownership register, Article 10(9) of Directive (EU) 2024/1640 provides that central beneficial ownership registers must check whether information held concerns designated persons and entities and indicate this information in the register. Para. 37 amended. 4.2.4 Controls and due diligence measures to comply with sectoral restrictive measures Para. 40 One respondent suggested providing concrete examples regarding the free-text fields of transactions, such as ‘Examples of screening of other fields requiring particular attention based on reports of suspicious transactions available to national regulators’ and ‘best practices of screening free-text fields, since general screening of these fields does not tend to produce high quality alerts’. Examples of such cases can be found in national guidance. No change. Para. 40 Two respondents requested more details on rules for applying sectoral sanctions (e.g. embargoes, restrictions on the provision of services to particular categories of persons and entities) in the case of payment processing. Respondents also enquired about the responsibility that rests with the financial institution, from two perspectives: 1) obligations related to transaction processing; 2) obligations of the PSP as a risk manager of its client base (for which due diligence procedures are performed). Many of the prohibitions within the definition of ‘sectoral restrictive measures’ do not apply The EBA’s mandate is to draft guidelines on internal policies, procedures and controls to ensure implementation of restrictive measures, not to clarify the implementation of restrictive measures. No change.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 71 Comments Summary of responses received EBA analysis Amendments to the proposals to fund transfers, e.g. the definition of ‘financing or financial assistance’ specifically excludes payments. Respondents considered that requirement to introduce controls at a funds transfer level therefore does not align with the prohibition. Para. 40 Four respondents asked for clarification as to whether ‘all underlying information’ is to be understood as including the information within the transfer itself. Respondents acknowledged that screening for the involvement of parties subject to non-asset-freeze restrictions but listed in the annexes to EU regulations aligns with standard processes. Respondents suggested also mentioning other types of controls. All underlying information relating to a transfer means all information in the messaging of the transfer and any instructions accompanying the transfer. Para. 42 of the Guidelines already provides types of controls other than screening. No change. Para. 40 Five respondents suggested that the financial institution should decide how to manage the risk associated with sectoral restrictive measures and which information to screen as a consequence. Respondents noted that transfers of funds are screened only on the basis of contained information related to specific jurisdictions and not on the basis of customer activity / exposure on such jurisdictions. Some of the respondents asked for supportive indicators to help for assessments of geographical risks. Two respondents explained that financial institutions do not have information on the ‘habitual residence or place of activity’ in practice and suggested aligning the terminology with AML KYC requirements. In the same section, also, screening against the place of birth as such does not yield meaningful results since the place of birth may give an indication of the nationality, but nationality regimes differ. Some respondents emphasised that it is not possible to ascertain with certainty the country from which a crypto-asset transfer is initiated or executed. The EBA acknowledges that the targeted screening of relevant fields should be in line with the restrictive measures exposure assessment. Regarding the second comments, geographical data needs to be collected for KYC purposes. For individual persons, the place of birth in addition to the nationality and the usual place of residence need to be collected. For legal persons, the principal place of businesses should be recorded. The wording of the Guidelines was amended accordingly. Regarding the third comment, the EBA acknowledges that it is not possible to ascertain with certainty the country from which a crypto-asset transfer is initiated or executed. Para. 40 amended.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 72 Comments Summary of responses received EBA analysis Amendments to the proposals Para. 41 Seven respondents explained that there are no integrated geolocation tools in screening systems of Fis. Yet one respondent confirmed that CASPs have IP log-in algorithms. Respondents suggested accounting for each CASP’s / PSP’s chosen risk-based approach. The EBA confirms that ‘if warranted by the restrictive measures exposure assessment’ means that the use of geolocation tool is not mandatory. No change. Para. 42 Three respondents asked for clarification that examples of controls should be deemed appropriate rather than be a mandatory requirement for all PSPs and CASPs. One other respondent suggested not to focus on dual-use goods only, but also include goods subject to sectoral restrictive measures. The paragraph was amended to reflect the drafting suggestion on the link with the restrictive measures exposure assessment. The paragraph now also makes reference to ‘subject to sectoral restrictive measures’. Para. 42 amended. 4.2.5 Due diligence measures to detect attempts to circumvent restrictive measures Para. 44 and 45 One respondent noted that CASPs already perform such an analysis, as in certain Member States these are obligatory annually; also, most CASPs pool data quarterly to see the corridors and flows of payments, as they monitor their clients as in para. 46. The respondent emphasised the need to collaborate between CASPs and the PSPs that report this information to FIUs and the FIUs that investigate these instances of circumvention of restrictive measures. The EBA agrees that asking for and receiving more feedback from FIUs is critical. This situation is however covered by 44.b and c No change. Para. 45 Points a to c Two respondents asked for clarification as to whether checks should be carried out on an ex post sample basis driven by concerns identified through business-as-usual transaction processing. Another respondent explained that the notions of omitting, deleting or altering information are self-explanatory and need not to provide examples. This paragraph refers to detection of possible circumvention of sanctions. As the circumvention of sanction is a predicate offence to money laundering, and that attempted transactions should be detected under the AML/CFT framework, PSPs and CASPs should be able to detect not only concluded transactions, but also attempted ones. No change was made on this point. Regarding the second comments, the EBA agrees to remove from 45.a ‘such as empty fields or meaningless information’. Para. 45 amended. Para. 46 One respondent considered the current wording as too vague, noting there is no objective information about such countries known to be used to circumvent restrictive measures. There is no publication of country lists for sanctions, but para. 44 provides that PSPs and CASPs should stay informed of such risks and refers to multiple sources of information. In addition the EBA analysis provided in response to comments received on para. 24 of the Guidelines EBA/GL/2024/14 mention that the EU No change.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 73 Comments Summary of responses received EBA analysis Amendments to the proposals list of high-risk non-member countries can provide some elements in relation to circumvention of sanctions. 4.3.1 Suspending the execution of transfers of funds and freezing of funds Para. 47 and para. 53 point b (also para. 31 point g of Guidelines EBA/GL/2024/14) Six respondents asked to clarify that suspension is triggered only by there being a confirmed/true match, and that there is no obligation to suspend at the point of a possible match. Respondents enquired whether suspension means also the suspension of all financial services to the benefit of all customers for which a customer screening alert is pending. Respondents considered this scope disproportionate to the objective as false alerts represent the vast majority of the alerts. In addition, blocking funds of non-sanctioned parties may result in civil claims and damages for non-execution of a payment order. Four respondents suggested replacing ‘without delay’ by as soon as possible without introducing risk’ as this better reflects the best practical reality achievable. In line with point g of para. 30.g of Guidelines EBA/GL/2024/14, para. 47 refers to suspension of transaction, which is relevant for further investigation of potential matches. In order to avoid confusion between suspension of transactions that are potential matches and the non-execution of transactions that would be in violation of sectoral restrictive measures, the EBA replaced the word ‘suspend’ with ‘stop the execution’ in para. 48. Regarding the second comment, in line with para. 30 point g of Guidelines EBA/GL/2024/14, the EBA reminds that once a positive true match is confirmed, the freezing of assets or the nonexecution of a transaction should take place immediately as no doubt subsists and should delay the implementation of restrictive measures. The EBA replaced ‘without delay’ by ‘immediately’. Para. 47, 48 and 53 (now 52) amended, new para. 49. Para. 47 points a. and b. Four respondents asked for clarification on the definition of freeze and suspend for CASPs, and links to instructions by FIUs. Respondents explained that CASPs can either 1. refuse the payments and give back the funds to the address provided or 2. freeze the funds only once local authorities (FIUs) have told the CASP what to do with those funds, as CASPs need a legal basis to hold these funds, otherwise the funds in question would be confiscated and held by CASPs illegally. So the BVC WG suggests that a way forward is for the CASPs to freeze the payment until the local authorities decide what CASPs should do with that payment. Respondents requested guidance in situations where CASPs decide to suspend the payment and especially The EBA acknowledges the technical possibility for CASPs, which can only pool the transaction in a suspense account until a decision is taken by the relevant national authority competent for the implementation of restrictive measures. Regarding the second comment, FIUs are not addressees of the EBA Guidelines. New para. 49 in new Section 4.3.2.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 74 Comments Summary of responses received EBA analysis Amendments to the proposals about what CASPs should do while waiting for FIUs to decide what CASPs should do with frozen funds. One respondent added that if the address that the CASPs received has expired, the use of one-time addresses could create problems. Para. 48 Six respondents asked for clarification on the information of customers. Fulfilment of such a requirement could suggest the provision of legal counsel by the financial institution, contrary to restrictions on legal counselling competencies, or give the impression of helping the customer to circumvent sanctions. Para. 48 refers to the possibility for designated persons and entities to request an authorisation to use their frozen funds or economic resources. This was clarified in the text. Moved under para. 53 in Section 4.3.4. 4.3.3 Reporting measures Para. 49 One respondent suggested that it would be disproportionately burdensome for organisations to report in all circumstances suggested, particularly where internal investigations into alerts were still being conducted. The respondent suggested that the guidelines limit reporting obligations to circumstances where there has been a breach of EU assetfreeze measures or there is a mandatory reporting requirement in the underlying sanctions legislation. Two other respondents suggested removing requirements from para. 49 points b. and c. to report the discovery of the breach of restrictive measures due to the absence of such a legal requirement. In contradiction to other respondents, one confirmed that CASPs are doing all steps included in paras. 49 to 50. The EBA acknowledges that, as the suspension of operations is a temporary measure, it should not be reported to competent authorities, so the text was amended accordingly. Regarding the second comment, the EBA clarifies that the report of discovery of the violation of restrictive measures is not mandatory but covered under applicable Union and national requirements.
Para. 49 (now 50) amended. Para. 49 and 53 Six respondents suggested replacing ’without delay’ by ‘within the timelines specified by national competent authorities or the applicable restrictive measures Regulation’. The EBA acknowledges that specified timelines might be required in applicable EU and national requirements. This was added to the requirement by default to report without delay, which aims to seek harmonisation of reporting practices. Para. 49 (now 50) and 53 (now 54) amended. Para. 50 Four respondents noted that reporting each suspicion of a possible circumvention would flood competent authorities The EBA acknowledges that there is no general legal requirement for a reporting obligation of circumvention of restrictive Para. 50 (now 51) amended.
FINAL REPORT ON GUIDELINES ON INTERNAL POLICIES, PROCEDURES AND CONTROLS TO ENSURE THE IMPLEMENTATION OF UNION AND NATIONAL RESTRICTIVE MEASURES 75 Comments Summary of responses received EBA analysis Amendments to the proposals with volumes of potentially incomplete or irrelevant information. EU sanctions regulations do not provide for a reporting obligation of this general nature. Two respondents noted that a simple sanctions violation (which is not necessarily circumvention) can also be subject to prosecution and therefore a predicate offence to money laundering (all-crimes approach). One of the respondents explained that a suspicious activity report rather than a suspicious transaction report should be filed to encompass cases of attempted circumvention of restrictive measures. measures to relevant national authorities competent for the implementation of restrictive measures. However such reporting can be provided in an EU Regulation for a restrictive measures regime, such as in Article 6.1(b) of Regulation EU 833/2014, which refers to ‘information in respect of violation and enforcement problems and judgments handed down by national court’. Point a was amended. Regarding the second comment, the EBA clarified that point b applies under applicable legislation. 4.3.4 Procedures for exemptions and when restrictive measures are lifted Para. 52 One respondent suggested that a case-by-case determination is used as a methodology for customers who can file complaints with the institution who were sanctioned and whose sanctions were subsequently lifted, instead of having in place a procedure that is only rarely used. Policies and procedures to identify and release funds can be drafted in a way that allows a case-by-case determination, as long as they are duly justified and documented. No change. 4.4 Ensuring the effectiveness of restrictive measures policies, procedures and systems Para. 56 One respondent questioned the proportionality of the reporting of any weaknesses or deficiencies to the management body. The EBA agrees to add proportionality in the reporting of weaknesses to the management body, with only significant weaknesses in such policies, procedures and controls being reported. Para. 56 (now 57) amended. Section Impact assessment KYC information guidance for the financial listbased restrictive measures screening One respondent explained that it is challenging to understand why these transactions are highlighted, as they are already subject to screening and this provision may create impractical expectations for national competent authorities. Types of transactions mentioned in the Impact assessment reflects the analysis of weaknesses identified by competent authorities for the supervision of policies, procedures and controls to ensure the implementation of restrictive measures. Those weaknesses were shared through the drafting of the 2023 EBA Opinion on ML/TF risks affecting the EU’s financial sector. No change.
76