Background
Restrictive measures are set at EU level and are developed to safeguard EU values, maintain international peace and security, and consolidate and support democracy, the rule of law and human rights. Union restrictive measures are binding on any person or entity under the jurisdiction of EU Member States and are of particular interest for financial institutions.
The European Commission and the EBA identified significant differences in the way competent authorities expect financial institutions to comply with restrictive measures. These differences undermine the implementation of the EU’s restrictive measures regimes and lead to legal and reputational risks for financial institutions.
Two sets of guidelines
To address the issues identified, the EBA decided to issue two sets of guidelines to set common EU standards for the implementation of restrictive measures:
First set of guidelines: relevant for all financial institutions (EBA/GL/2024/14)
The first set of guidelines is addressed to all institutions within the EBA’s supervisory remit (such as credit institutions and investment firms) and contains provisions in respect of the financial institutions’ governance and risk management systems to ensure these are sound and sufficient to address the risk that financial institutions face when breaching or evading restrictive measures. Based on the applicable guidelines, financial institutions should:
- Put in place, implement, and maintain up-to-date policies, procedures and controls for compliance with restrictive measures;
- Have a sound governance structure where responsibility for compliance with restrictive measures is clearly allocated; and
- Carry out a restrictive measures’ exposure assessment, which should inform institutions’ decision on the types of controls and measures they need to apply to comply effectively with restrictive measures. The EBA guidelines prescribe that this assessment should be based on a sufficiently diverse range of information sources and the guidelines include a list of these sources.
To ensure the ongoing effectiveness of restrictive measures policies, procedures and controls, financial institutions should provide training to their staff members on a regular basis. This training should be tailored to staff members and their specific roles. Upon request of the competent authority, financial institutions should demonstrate that their training is adequate and effective.
Second set of guidelines: relevant for PSPs and CASPs (EBA/GL/2024/14)
With the second set of guidelines, the EBA fulfils its mandate under Article 23 of Regulation (EU 2023/112). These guidelines are specifically addressed to payment service providers (PSPs) and crypto-asset service providers (CASPs). The guidelines specify what PSPs and CASPs should do to comply with restrictive measures when performing transfers of funds or crypto-assets. Based on the further detailed guidelines, PSPs and CASPs should:
- Choose a screening system that is adequate and reliable to comply effectively with their restrictive measures obligations. PSPs and CASPs should regularly review the performance of the screening system to ensure that it remains effective and continues to reliably identify targets of restrictive measures;
- Define the dataset to be screened against restrictive measures adopted by the EU and, where relevant, national restrictive measures. PSPs and CASPs should assess whether the data they hold is sufficiently accurate, up to date and detailed to enable them to determine if a party to the transfer, their beneficial owner or any person purporting or being authorized to act on their behalf is subject to restrictive measures;
- Screen information to:
  - Verify whether a person, entity or body is designated;
  - Manage the risks of violation of restrictive measures; and
  - Manage the risks of circumvention of restrictive measures.
Both guidelines apply from 30 December 2025 and should be applied by the relevant institutions in a manner that is effective and proportionate to each institution’s nature and size, the scope and complexity of its activities and its exposure to restrictive measures. The competent supervisor will take the guidelines into account when assessing the adequacy of the internal policies, procedures, and controls in respect of the implementation of restrictive measures at the level of the financial institution.
Outlook: Upcoming changes regarding AML/CFT
Over the last couple of years, there have been multiple important changes at EU and national level to the anti-money laundering and countering the financing of terrorism (AML/CFT) framework. On 10 July 2027, the new AML Regulation (Regulation (EU) 2024/1627) will enter into force. For a further detailed overview of the new EU AML package, we refer to our previous article.
Relatedly, in the Netherlands there is currently a proposal to amend the Sanctions Act 1977 (being the Modernisation of the Dutch sanctions system, Modernisering van het Nederlandse sanctiestelsel). Currently, this proposal is only in the pre-consultation phase. Based on the pre-consultation text made available, the intention is to extend the current administrative supervision under the Sanctions Act 1977 to additional parties, with the starting point being that the administrative supervision under the Sanctions Act 1977 will apply to all institutions currently covered by the Dutch Money Laundering and Terrorist Financing Prevention Act (Wet ter voorkoming van witwassen en financieren van terrorisme). This requires the relevant institutions to have an administrative organization and internal control policy to ensure compliance with the Sanctions Act 1977, and imposes a reporting obligation vis-à-vis the relevant supervisor in case of a hit on a sanctions list. In the future, the Dutch supervisor may also include the aforementioned EBA guidelines, by way of best practices, in its supervision of other financial institutions subject to administrative supervision under the Sanctions Act 1977. We will continue to monitor and report on the developments in the Netherlands in respect of the modernisation of the Dutch sanctions system.
Contact
The EBA guidelines further specify and substantiate the available guidance from the Dutch regulators. We recommend that financial institutions evaluate whether their policies, procedures, and controls comply with the new sets of guidelines from the EBA. If you have questions in this respect or require assistance, please contact our Financial Regulatory Team.