
Sanctions Update: Landmark EU Guidelines Adopted

The latter half of 2024 saw material changes to EU sanctions guidance on topics of acute significance for EU operators. Some key changes relate to the oversight of non-EU subsidiaries, due diligence controls and the use of non-liability clauses. Our Financial Regulation team examines the implications of these recent developments for EU operators and, where relevant, their non-EU subsidiary companies.

They also consider the outlook for the year ahead, with the recent adoption of the 15th sanctions package against Russia, and the introduction of landmark EBA guidelines on sanctions compliance, which will become effective in December 2025.


Sanctions developments in 2024

The EU continued to renew and expand its measures against Russia in 2024 by way of the adoption of further packages of sanctions.

The fourteenth package of sanctions against Russia, adopted on 24 June 2024 (the 14th package), amended the provisions prohibiting circumvention. As part of the 14th package, a “best efforts” obligation was created to ensure that non-EU subsidiaries of EU companies do not “participate in activities” that undermine EU sanctions measures. The European Council stated that while EU sanctions do not have extra-territorial application:

“it is important that the foreign subsidiaries of EU companies do not engage in activities that go against the purpose of our sanctions … it falls on the parent companies to work in this direction, through the leverage they have over their foreign subsidiaries”.

EU operators must perform due diligence to prevent ‘controlled high priority’ goods from reaching Russia. They must also ensure that their foreign subsidiaries trading in those goods do the same. EU operators will be expected to have due diligence mechanisms capable of identifying and assessing the risks of re-exportation to Russia. Those measures must also be capable of mitigating re-exportation risks, and EU operators will need to ensure that their foreign subsidiaries also implement those requirements.

Non-liability clauses and appropriate due diligence

The 14th package further stipulated that EU operators cannot rely on ‘non-liability clauses’. These are clauses stating that operators are not liable for actions that infringe sanctions regulations if they neither knew nor had reasonable cause to suspect the infringement. This protection does not apply if the operator has failed to carry out appropriate due diligence, such as conducting basic checks or inspections.

What is appropriate due diligence? The European Commission updated its FAQs on Circumvention and Due Diligence in December 2024 to state that due diligence should be proportionate and should include at a minimum:

  • Screening of all parties to the transaction, including indirect parties such as suppliers
  • Control of the goods and services, including whether the goods are subject to other control regulations, and
  • Risk analysis of the transaction, including on the contractual documentation, financial flows, etc

More recently, the 15th sanctions package against Russia was adopted on 16 December 2024. The focus of this package is to further target Russia’s shadow fleet and to continue to combat sanctions circumvention. It includes substantial individual and entity listings related to the Russian military-industrial complex and increases the local protection of EU Central Securities Depositories.

EBA Guidelines

In a welcome development for EU operators who may have trouble fully understanding what is expected of them in terms of compliance, the European Banking Authority (EBA) published two landmark sets of guidelines (the Guidelines) in November 2024. The Guidelines establish common standards for financial institutions to comply with EU and national sanctions measures. Their aim is to address the significant differences in the way competent authorities expect financial institutions to comply with EU sanctions measures. The Guidelines will apply from 30 December 2025, affording financial entities sufficient time to review their sanctions controls frameworks.

The first set of Guidelines applies to all financial institutions within the EBA’s supervisory remit. They specify the governance arrangements and internal policies, procedures and controls that relevant in-scope financial institutions should have in place to be able to comply with restrictive measures, including:

  • Putting in place, implementing and maintaining up-to-date policies, procedures and controls to comply with EU sanctions measures
  • Having a sound governance structure where responsibilities for sanctions compliance are clearly allocated
  • Carrying out a sanctions exposure assessment to inform the financial institution on the types of controls and measures it needs to apply to comply effectively with sanctions measures, and
  • Implementing regular training programmes to ensure that staff are up to date on EU sanctions

The second set of Guidelines is specific to payment service providers (PSPs) and crypto asset service providers (CASPs). They specify what PSPs and CASPs should do to comply with restrictive measures to prevent transfers of funds and crypto-assets to sanctioned persons, including:

  • Choosing a screening system that is adequate and reliable to comply with EU sanctions obligations
  • Defining the dataset to be screened against EU sanctions measures and where relevant, national sanctions measures, and
  • Screening information to verify whether a person is designated and manage the risks of violation and/or circumvention of EU sanctions measures

The EBA will expect national competent authorities to refer to the Guidelines when assessing compliance.

The Guidelines also provide that from July 2027, national anti-money laundering and counter-terrorist financing supervisors will have a monitoring role to ensure compliance by obliged entities with targeted financial sanctions under the new AML Regulation.

What next?

It appears that competent authorities are focusing more on the mechanics of sanctions screening. The Central Bank of Ireland (CBI) has previously noted that Irish law does not impose any obligations on the CBI, as a supervising entity, to ensure that supervised entities are complying with sanctions. However, the CBI indicated its specific priorities for 2024 and 2025 in its Regulatory Supervisory Outlook Report (February 2024). The CBI’s priorities include maintaining its focus on:

  • Implementing EU financial sanctions
  • Engaging with entities on their financial sanctions control frameworks, and
  • Conducting substantive testing of screening tools.

Elsewhere, the Financial Conduct Authority recently updated its Financial Crime Guide to provide more specific guidelines regarding its expectations concerning sanctions screening. The updated guidance includes, for example, that it is good practice for screening tools to be tailored to the firm’s risk and appropriate for screening UK sanctions. It also highlights that screening processes may differ depending on the nature of the firm’s business and its assessment of the risks.

Conclusion

The area of sanctions promises to remain very active in 2025 and a continuing compliance challenge for EU operators in terms of surveillance, interpretation, and timely implementation. In this environment, the new EBA Guidelines are a welcome development.

Please reach out to a member of our Financial Regulation team should you require advice and support in this area.

The content of this article is provided for information purposes only and does not constitute legal or other advice.


