EBA Guidelines on Sanctions Compliance: Focus on Governance, Technology, and Risk Management
DATE
18 Nov, 2024
Key Aspects
- Designation of compliance officers required to oversee the implementation and monitoring of governance frameworks designed to identify and mitigate risks related to sanctions compliance.
- Advanced Screening Systems: A strong emphasis is placed on adopting technology to improve sanctions screening processes. The Guidelines recommend using advanced systems with “fuzzy matching” capabilities to enhance detection of restricted entities or individuals even when data is inconsistent.
- Financial institutions must ensure the maintenance of complete and accurate records, including customer data and beneficial ownership information.
Analysis
On 14 November 2024, the European Banking Authority (EBA) issued two final Guidelines, EBA/GL/2024/14 and EBA/GL/2024/15, establishing EU-wide standards for internal policies, governance and control mechanisms within financial institutions. These Guidelines focus on leveraging technology and data-driven systems to detect and manage sanctions risks effectively, particularly within payment service providers (PSPs) and crypto-asset service providers (CASPs). The measures aim to strengthen the EU’s financial system by addressing gaps that may lead to sanctions evasion and compliance risks.
These Guidelines support the EU’s broader objectives to prevent the misuse of financial networks and ensure the integrity of Union and national sanctions regimes.
What are the New EBA Guidelines Targeting?
The EBA’s new guidelines target:
- Governance and Risk Management: The Guidelines introduce clear standards for oversight by senior management. It is the responsibility of the institutions to designate compliance officers whose primary function is the enforcement of sanctions policies. These officers must oversee the implementation and monitoring of governance frameworks designed to identify and mitigate risks related to sanctions compliance.
- Advanced Screening Systems: A strong emphasis is placed on adopting technology to improve sanctions screening processes. The Guidelines recommend using advanced systems with “fuzzy matching” capabilities to enhance detection of restricted entities or individuals even when data is inconsistent.
- Data Quality Management: Financial institutions are required to maintain accurate and complete records of customer data and beneficial ownership information. These measures aim to minimize risks arising from outdated or incorrect details, which could compromise the effectiveness of sanctions compliance and increase the likelihood of breaches. Institutions are encouraged to regularly update and validate their data to ensure reliability.
Key Technological Measures
- Data Screening and Fuzzy Matching: The EBA recommends that PSPs and CASPs use screening systems with advanced fuzzy matching technology. This helps reduce false positives and improves the identification of restricted entities, which is especially important for managing high volumes of transactions in funds and crypto-assets.
- Geolocation and Proxy Detection: Institutions are encouraged to use geolocation and proxy detection tools to prevent access from high-risk jurisdictions, a key step in avoiding indirect sanctions breaches by users attempting to bypass restrictions.
- Third-Party Technology Providers: For institutions relying on third-party providers for compliance, the Guidelines require clear documentation of roles and accountability, with institutions retaining ultimate responsibility. Institutions must regularly monitor and adjust these systems to ensure they remain effective and compliant with EBA standards.
Detailed Compliance Requirements
- Governance Frameworks for Financial Institutions: EBA/GL/2024/14 provides guidelines for governance standards in all financial institutions. It requires the appointment of a senior compliance officer to manage and monitor restrictive measures. Institutions must also carry out regular risk assessments and report any breaches to ensure strong oversight.
- Screening Obligations for PSPs and CASPs: EBA/GL/2024/15 outlines specific rules for payment and crypto-asset service providers, including enhanced screening protocols for fund and crypto-asset transfers. To stay effective, screening systems must be regularly updated and adjusted to align with evolving sanctions lists.
Implications for Financial Technology
- Enhanced Compliance Monitoring: Institutions relying on third-party screening tools must make sure these systems are regularly updated to include the latest sanctions and restrictive measures. The EBA stresses the importance of ongoing system calibration to uphold compliance.
- Documentation and Reporting: Clear documentation processes are mandatory, supporting timely reporting to national authorities and preventing gaps in compliance that could expose institutions to legal risks.
Legal Basis and Implementation Timeline
- These Guidelines are part of the EU’s 2021 AML/CFT reform and align with Regulation (EU) 2023/1113, which mandates compliance measures for fund and crypto-asset transfers. Competent authorities must report compliance within two months of translation into EU languages. The rules will take effect on 30 December 2025, with institutions expected to achieve full compliance by July 2027.
The EBA’s Guidelines set a solid foundation for compliance, highlighting advanced screening systems and data quality as essential for managing sanctions. These standards help financial institutions strengthen their defenses against sanctions evasion and support the EU’s goals for effective sanctions enforcement.