In a global financial ecosystem, compliance with sanctions frameworks has become a cornerstone of regulatory expectations. Two recent guidelines, one from the United States and the other from the European Union, highlight the increasing accountability placed on financial institutions (FIs) to uphold sanctions compliance. These guidelines outline measures for institutions to safeguard against breaches and ensure compliance with restrictive measures.
From the U.S. perspective, the focus lies on facilitation and due diligence in export-related financial transactions, for example when items are at risk of being sent to sanctioned countries. In the EU, the emphasis is on asset freezes and the critical role of banks as gatekeepers of financial systems. Banks are tasked with preventing sanctioned parties from accessing funds or assets, further reinforcing their pivotal role in sanctions enforcement.
This article was written by Lorena Velo and Kristi Rutgers. Both Lorena and Kristi are consultants with RSM Netherlands Business Consulting with a focus on International Trade & Strategy.
European Banking Authority Guidance
The European Union has intensified its regulatory framework to harmonize sanctions compliance. In July 2021, the European Commission proposed reforms to the EU’s anti-money laundering and counterterrorism financing framework, including Regulation (EU) 2023/1113, which comes into effect on December 30, 2024. Article 23 mandates the EBA to issue Guidelines on integrating restrictive measures into FIs' governance and risk management. On November 14, 2024, the EBA issued two comprehensive Guidelines: EBA/GL/2024/14, addressed to all institutions within the EBA’s supervisory authority, including financial institutions, and EBA/GL/2024/15, specifically targeting payment service providers (PSPs) and crypto-asset service providers (CASPs). The new guidelines aim to harmonize sanctions compliance across the EU and specifically guide financial institutions on their sanctions obligations. For financial institutions, the guidelines establish a framework to ensure that internal policies, procedures, controls and governance structures address risks of breaches or circumvention of restrictive measures.
1. Governance Framework and the role of the management body:
- Financial institutions must develop sound governance systems to ensure adequate implementation of restrictive measures. The management body is, among others, responsible for the strategy for compliance with restrictive measures and for overseeing its implementation through the necessary policies, procedures and controls. The management body should be aware of the institution's exposure to restrictive measures and its vulnerability to circumvention of restrictive measures.
- A senior staff member must be appointed to, among others, put in place and maintain policies, procedures, and controls that are adequate to ensure compliance with restrictive measures and reporting to the management body. This person may also take on additional roles (e.g., AML officer) if no conflicts of interest arise.
2. Conducting a restrictive measures exposure assessment:
Financial institutions must conduct a restrictive measures exposure assessment which should enable them to identify and assess which restrictive measures apply to the financial institution, the probability of non-implementation and circumvention of those measures and the impact of any restrictive measures violations. Additionally, financial institutions must assess their vulnerability and exposure to restrictive measures based on risk factors, such as geography, customers, products, services and delivery channels. The restrictive measures exposure assessment should remain up to date and relevant. Therefore, assessments must be reviewed annually and should be revised upon significant operational or regulatory changes (e.g. significant changes to the institution’s activity profile, customer base, organizational structure or business model). Financial institutions should evaluate whether conducting retroactive screening of their customer databases and historical transaction records would be beneficial and proportionate. This is particularly relevant if the institution has identified or reasonably suspects that its prior screening system was insufficient or ineffective.
3. Ensuring the ongoing effectiveness of restrictive measures policies, procedures and controls
Financial institutions must establish proper processes to ensure they effectively implement restrictive measures and maintain current exposure assessments. Policies should be regularly reviewed and updated so that information on restrictive measures stays current and the exposure assessment remains relevant. Institutions should investigate potential matches without delay and handle true matches appropriately with follow-up actions such as rejection, suspension, freezing, and reporting to relevant authorities within specified timelines. They should also clearly document organizational tasks and responsibilities, including outsourcing arrangements, to ensure accountability and compliance.
4. Training
Regular training must be provided to staff to ensure awareness of restrictive measures, the results of exposure assessments, and policies, procedures, and controls. Training should be tailored to staff members and their specific roles. Financial institutions should document their training plan.
The Bureau of Industry and Security Guideline
The Bureau of Industry and Security (BIS) has released the following Guidelines for financial institutions to ensure compliance with Export Control Regulations, particularly General Prohibition 10 (GP 10). This guidance emphasizes the necessity of integrating EAR-related due diligence into FIs' compliance processes.
1. Screening Procedures
BIS advocates for integrating EAR-related due diligence into risk management and compliance processes both before and after onboarding customers. Screening tools include restricted party lists maintained by BIS (e.g. Denied Persons List, Entity List) as well as the Consolidated Screening List (CSL), which combines restricted lists from BIS, the Department of the Treasury’s Office of Foreign Assets Control (OFAC), and the Department of State’s Directorate of Defense Trade Controls (DDTC).
2. Mitigating Measures
BIS recommends that FIs screen not only their customers but also their customers’ customers, particularly for entities that have shipped items from the Common High Priority List (CHPL) to Russia since 2023. When engaging with customers on restricted lists or tied to high-risk activities, FIs should assess whether the customer exports, reexports, or transfers items subject to the EAR and, if so, should request documentation of the customer's internal controls, such as screening measures.
3. Transaction Monitoring
FIs should conduct regular post-transaction reviews to identify red flags, including:
- Refusal by customers to provide details about end-users, intended end-use, or company ownership.
- The name of a party involved in the transaction matches or is similar to that of a party on a restricted-party list.
- Parties involved in the transaction are physically co-located with a party on the Entity List or the SDN list, or the transaction involves an address that BIS has identified as carrying a high diversion risk.
- Transactions involve last-minute changes in payment routing that were previously scheduled from a country of concern.
- Unresolved issues warrant halting future transactions with customers.
4. Real-Time Screening
Although BIS does not require real-time screening for every transaction, in high-risk scenarios (e.g., cross-border payments linked to export-sensitive items), real-time screening is recommended. Critical lists for real-time screening include:
- The BIS Denied Persons List.
- Military-intelligence end-users (e.g., entities in Russia, China, Iran, and other embargoed nations).
- Certain parties designated on the Entity List that are subject to:
  - The Foreign Direct Product Rule (FDP);
  - The Russia/Belarus-military end user and procurement rule;
  - Other persons included on the Entity List and subject to license review policy.
5. Reporting Obligations
Suspicious Activity Reports (SARs) related to potential EAR violations should be submitted to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). These reports are used to notify FinCEN of potential export control violations, including instances of money laundering or fraud associated with sensitive transactions.
Forward Thinking
Looking ahead, financial institutions should align with international frameworks to ensure consistent application of restrictive measures across jurisdictions. Non-compliance with the guidance issued by BIS and the EBA exposes financial institutions to significant risks, fines, reputational damage and operational disruptions. A notable example is the fine imposed on Deutsche Bank in 2023. Deutsche Bank was fined $186 million by the Federal Reserve for inadequate money laundering and sanctions compliance controls, exemplifying the consequences of lapses in regulatory adherence. To mitigate such risks, financial institutions must prioritize compliance as a core component of their operations. This responsibility extends beyond internal practices, requiring institutions to ensure that their customers also meet compliance obligations. Aligning with international frameworks is vital to ensure the consistent application of restrictive measures globally.
RSM is a thought leader in the field of Strategy and International Trade consulting. We offer frequent insights through training and sharing of thought leadership based on a detailed knowledge of industry developments and practical applications in working with our customers. If you want to know more, please contact one of our consultants.