Request Demo
Back to News
Industry News

Why a sanctions freeze is a data problem before it is a legal one

·11 min read

A data provider's perspective on Swiss Federal Supreme Court judgment 4A_537/2025 of 28 April 2026 In brief — four things to know • The trigger is suspicion, not proof. A Swiss financial institution must freeze and report assets as soon as it has reasonable suspicion they are directly or indirectly controlled by a sanctioned person — and the freeze applies automatically, by law, without waiting for an official order. • The risk hides in the relationships, not the name. The client company and its beneficial owner were on no list; the exposure ran through extended family — the owner was the spouse of the sanctioned person's nephew. Plain name-against-list screening catches none of this. • “Family” is defined differently everywhere. EU and UK PEP rules use a narrow, closed list (spouse, children, parents); Switzerland's PEP rule is open-ended (“persons close for family, personal or business reasons”); and sanctions regimes turn on control, not kinship — with US measures reaching furthest through the “acting on behalf of” and 50% rules. • For data providers, it is a balancing act. The job is to map relationships richly enough to support any of these tests, while respecting data-protection limits and keeping false positives manageable — and to leave the final call on “how close is too close” to the client. Sanctions screening is often imagined as a clean, binary exercise: a name either matches an entry on a list, or it does not. The reality our clients deal with every day is far messier — and a recent judgment from the Swiss Federal Supreme Court is a useful reminder of just how subtle the line can be. Very often the hard question is not whether someone is listed, but how far a chain of family and ownership links has to run before the assets at the other end of it are caught by a freeze. This case sits squarely on that line.

Why a sanctions freeze is a data problem before it is a legal one

A party that was never on any list

The dispute concerned a Swiss company that asked its crypto-custody provider to transfer out its assets. The company itself appeared on no sanctions list. Nor did the individual who beneficially owned it. The relevant connection ran through several degrees of separation: the beneficial owner was the spouse of the company's former chief operating officer, and that COO was the nephew of an individual designated by OFAC years earlier and subsequently listed by the EU, the UK and Switzerland. The sanctioned individual's son was listed as well.

So the structure the custodian had to reason about was not “our client is sanctioned.” It was “our client is a company, owned by the spouse of the nephew of a sanctioned person.” For anyone who screens names against lists for a living, that is precisely the configuration that slips through a literal, party-by-party check.

What the Court actually decided

The custodian froze the assets and refused the transfer instruction, invoking its obligations under the Ordinance on Measures in Connection with the Situation in Ukraine. The client sued. The Supreme Court, upholding the Zurich Commercial Court, sided with the custodian and clarified three points that matter enormously for how compliance data gets used:

• Reasonable suspicion is the trigger, not certainty. Direct evidence that a sanctioned person controls the assets is notrequired. It is enough that the institution has a reasonable suspicion (begründeter Verdacht) that the assets are directly or indirectly controlled by a sanctioned person. The Court framed this not as a question of standard of proof, but as the substantive threshold for the obligation itself.

• The freeze applies by operation of law. Once the conditions are met, assets are frozen ex lege. The institution does not wait for a formal administrative order before declining to move them.

• Suspicion justifies refusing the client. Because executing the transfer would have breached the Ordinance and the Embargo Act, the custodian was entitled to refuse performance and committed no breach of its mandate.

In the case at hand, the “concrete indications” the Court relied on were exactly the kind of signals a good data set is built to surface: the close family and economic links between the client's beneficial owner and the sanctioned individuals, reinforced by an order from the Office of the Attorney General concerning the same assets.

The data problem beneath the legal test

The legal threshold — reasonable suspicion of indirect control — is only as good as the information available to form it. And that is where extended-family links become a genuinely hard data challenge rather than a box-ticking one. Three implications stand out:

1. List screening alone would have caught nothing.Matching the account holder's name against the consolidated lists returns a clean result. The exposure lives entirely in the relationships around the named party — ownership, marriage, and kinship — none of which appears on the list entry itself.

2. “Relatives and close associates” has to be both broad and disciplined. A nephew is already a step beyond the parent–child and spousal links that most RCA data covers well. A nephew's spouse, and a company that spouse owns, is another two steps out. Cast the net too narrowly and you miss the structure entirely; cast it indiscriminately and every distant in-law becomes a false positive. The value is in mapping the network accurately and attaching enough context — economic ties, control indicators, adverse media, enforcement signals — to tell a genuine indirect-control structure apart from a coincidental family name.

3. The bar is suspicion, so the data needs to raise the flag, not prove the case. The Court was explicit that institutions act on reasonable suspicion, before any authority has confirmed anything. That reframes what compliance data is for. It does not need to deliver a courtroom-ready finding of control; it needs to put the institution on notice that a plausible link exists, early enough to freeze and report. Beneficial-ownership unwinding, kinship graphs, and corporate-network data are what convert a clean name-match into a defensible “we had reasonable grounds to suspect.”

“Family” does not mean the same thing in every regime

Part of what makes this so hard to screen for is that “family” is not a single, portable concept. Different frameworks draw the line in very different places, and a programme calibrated to one will misfire against another.

The general PEP starting point. Across the FATF-aligned world, a politically exposed person is someone entrusted with a prominent public function, and the same enhanced scrutiny is extended to that person's family members and close associates(often shortened to “RCAs” — relatives and close associates). That much is common ground. Where regimes diverge sharply is in who counts as a family member.

The narrow, strictly defined end — EU and UK. Under the EU's money-laundering directives, a PEP's “family members” are an enumerated, closed list: the spouse (or equivalent partner), the children and their spouses or partners, and the parents. Siblings, uncles, aunts, nephews and cousins are simply not in it; the UK Money Laundering Regulations follow the same lineage. Some frameworks reach a little further — Qatar's QFC, for instance, defines a family member by blood or marriage up to the second degree — but even that typically captures grandparents, grandchildren and siblings rather than an uncle. In these regimes, reading “family” too expansively is the error in the other direction: treating a distant relative as automatically exposed invites wrongful blocking, unjustified de-risking and legal challenge.

Switzerland's PEP rule — principles-based and deliberately open. Swiss anti-money-laundering law takes a different drafting approach. The Anti-Money Laundering Act (AMLA / GwG, Art. 2a) defines PEPs and then extends the regime to persons close to them — in the statutory language, natural persons who are recognisably close to a PEP “for family, personal or business reasons.” There is no enumerated list and no fixed degree of kinship. The boundary is left to the financial intermediary's risk-based judgement. That makes the Swiss PEP concept potentially broader than the EU's closed list, but also less predictable: a nephew or an in-law is not excluded by definition the way they are under EU AML rules, yet nor are they automatically captured. The institution has to reason about closeness.

SECO and the sanctions regime — control, not kinship.Crucially, the case we are discussing is a sanctions matter, not a PEP/AML one — and in the sanctions world “family” is not the operative concept at all. Switzerland's sanctions ordinances (administered by SECO) freeze assets owned or controlled, directly or indirectly, by listed persons. SECO's interpretative guidance on the sanctions measures sets out criteria for ownership and control, and Switzerland expressly aligns its practice as closely as possible with the EU's. A family relationship is therefore relevant only as an indicator that a listed person may exercise indirect control — it is evidence, not the test. This is exactly the reasoning the Supreme Court applied: the freeze did not rest on the client being “family,” but on concrete indications that a listed person indirectly controlled the assets.

The US — enumerated relatives plus control-and-conduct tests. US sanctions sit at the broad end, but not because they publish a longer family tree. CAATSA's secondary-sanctions provisions do enumerate relatives: Section 228 reaches foreign persons who knowingly facilitate significant transactions for a sanctioned person or their child, spouse, parent or sibling — already a step beyond the EU PEP list by capturing siblings. The genuinely wide reach, though, comes from tests that have nothing to do with kinship labels. OFAC can designate anyone “acting for or on behalf of” a blocked person, and its 50 Percent Rule treats as blocked any entity owned 50% or more, directly or indirectly, by blocked persons. That is the route by which an uncle's exposure attaches to a nephew — and to a company two steps removed from him. In the case discussed above, the nephew was not caught because “nephew” appears on a list; he was separately designated as a financial facilitator, and the assets were frozen because of indirect control, not because of the family relationship in the abstract.

The practical lesson is that you cannot carry a single rule of thumb about “how close is too close” from one regime to the next. The EU PEP question is essentially “is this person on the closed family list?” The Swiss PEP question is “is this person recognisably close to a PEP?” The sanctions question — Swiss, EU or US — is “is this person owned by, controlled by, or acting for a listed person, whatever the family label?” Good data has to answer all three, and be clear about which question it is answering.

The provider's balancing act

For a data provider, sitting between these regimes is a genuinely delicate position, and the tensions do not resolve neatly.

The first is data protection. Mapping relatives, in-laws and beneficial owners means processing personal data about people who are not customers, have not consented, and may have no wrongdoing attached to them at all — a nephew's spouse, say, who simply founded a company. Under the GDPR and the Swiss Federal Act on Data Protection, that processing has to be lawful, proportionate and accurate, and some of it (information hinting at political exposure, or implying criminality) edges toward special-category or highly sensitive data. The obligation to map a network and the obligation to minimise and safeguard personal data pull in opposite directions, and both are legally binding.

The second is respecting narrow and broad definitions at the same time. The same individual can be out of scope under EU PEP rules, in scope under a risk-based Swiss closeness assessment, and squarely caught by a sanctions control test. A provider cannot collapse these into one “family flag”; it has to model the relationship once and let each client apply the standard that its own regime demands. Over-broad data turns into noise for the EU-PEP user; over-narrow data leaves the sanctions user exposed.

The third is client expectations versus operational reality. Compliance teams want comprehensive coverage and low false-positive rates and manageable alert volumes — three goals that trade off against one another. Every additional degree of kinship surfaced is more potential exposure caught and more potential noise generated. Screening cadence, batch re-screening against list changes, and analyst capacity all impose hard limits on how wide the net can practically be.

The job, then, is not to pick a single definition of “family” and apply it everywhere. It is to capture relationships accurately and richly enough to support any of the tests a client might face, attach the context and provenance that let a human judge closeness and control, and present it in a way that respects data-protection limits — so the client, not the data set, makes the final call on where the line falls.

The takeaway

There is no bright line that says “two degrees of family separation is too far, three is fine.” This judgment confirms that there isn't meant to be one: the test is whether the available indications support a reasonable suspicion of direct or indirect control, however many relationships sit in between. For financial institutions, that makes the breadth, accuracy and contextual depth of their underlying data the practical front line of sanctions compliance. The list tells you who is named. Everything that determines whether you should freeze sits in the connections the list does not show you.

 

Sources and further reading

The case

• Swiss Federal Supreme Court, judgment 4A_537/2025 of 28 April 2026 (bger.ch)

• Commercial Court of the Canton of Zurich, judgment HG230210-O of 17 September 2025 (PDF)

• Baker McKenzie, original case note on the judgment

Swiss legislation

• Ordinance on Measures Connected with the Situation in Ukraine (SR 946.231.176.72) — Art. 15 (asset freeze) and Art. 16 (reporting)

• Embargo Act / EmbA (SR 946.231)

• Swiss Code of Obligations (SR 220) — Art. 20 (right to refuse unlawful performance) and Art. 397 (mandate instructions)

• Anti-Money Laundering Act (AMLA / GwG, SR 955.0), Art. 2a — PEP and “close persons” definition

Regulators and guidance

• SECO, Sanctions / Embargoes overview

• SECO, Interpretative aid for sanction measures (criteria for ownership and control)

EU and US frameworks

• EU, Directive (EU) 2015/849 (4th AML Directive) — PEP family-member definition

• OFAC, FAQ 401 on the 50 Percent Rule and FAQ 574 on CAATSA Section 228

 

This post discusses a published court judgment for general information and is not legal advice. The judgment is anonymised; the parties are referred to by role.

Related Articles

Polixis Assistant

Hi 👋, thanks for visiting Polixis!

How can we help?