EBA Unveils Final Guidelines To Strengthen EU Sanctions Compliance

November 19, 2024

The European Banking Authority (EBA) has issued landmark guidelines setting EU-wide standards for financial institutions, payment service providers (PSPs), and crypto-asset service providers (CASPs).

The guidelines, which apply from December 30, 2025, aim to enhance governance, risk management and compliance with the trading bloc’s sanctions framework.

The EBA’s announcement encompasses two sets of guidelines, the first of which looks at the financial sector broadly, while the second focuses specifically on PSPs and CASPs. 

Sanctions have rapidly gone up the priority list for regulators and market participants in the context of recent geopolitical crises, predominantly Russia’s invasion of Ukraine, which has significantly increased sanctions requirements for businesses operating in the EU, as well as other allies. 

Senior management responsibility for sanctions

A key requirement under the guidelines is the appointment of a senior staff member responsible for overseeing compliance with restrictive measures. 

According to the banking supervisor, this individual must have the expertise to coordinate with internal control functions and maintain direct access to the management body. Although the role can include additional responsibilities, such as anti-money laundering/counter-terrorism financing (AML/CTF) oversight, potential conflicts of interest must be avoided. 

The senior staff member should be tasked with developing proportional compliance policies and controls, conducting exposure assessments, addressing deficiencies and reporting violations, frozen assets and other compliance issues to management and authorities.

Meanwhile, at group level, the EBA expects a senior staff member to oversee compliance across subsidiaries, although each entity retains ultimate accountability.

Screening systems

The second set of guidelines, which is directed at PSPs and CASPs, states that these companies are required to implement robust screening systems capable of detecting and managing entities subject to sanctions. 

The EBA expects these systems to reliably identify positive matches, immediately suspend and freeze transactions upon confirmation, and report such actions to relevant authorities without delay. 

It also recommends the use of advanced algorithms, such as fuzzy matching, to minimise false positives and negatives, and the EBA has stated that systems must be adaptable to the institution’s operational complexity and exposure to regulatory risks. 

In addition, the guidelines mandate regular testing of screening tools to ensure effectiveness, with a focus on calibrating settings, updating restrictive measures lists and evaluating the speed and accuracy of alert processing. 

Any significant deficiencies in screening systems must be reported to the management body and addressed promptly.

Due diligence and alert management

The guidelines also place significant emphasis on due diligence and alert management, stating that PSPs and CASPs need to investigate potential matches immediately, document their decisions and ensure unresolved cases are escalated appropriately. 

Compliance teams are advised to use supplementary data, including identification details and organisational structures, to clarify ambiguous matches, while institutions are also required to evaluate ownership and control by designated persons, referencing EU Council guidelines and public registers. 

In cases where assessments remain inconclusive, the EBA states that competent authorities should be involved, while maintaining that institutions ultimately have responsibility for compliance.

Circumvention and outsourcing

Preventing circumvention of restrictive measures is another critical focus, and PSPs and CASPs are mandated in the guidelines to identify and mitigate attempts to alter payment details, structure transactions to conceal designated parties, or use proxies and fraudulent documentation. 

The EBA recommends monitoring trends in circumvention tactics, conducting aggregated analyses of payment flows and employing geolocation tools for high-risk jurisdictions.

The supervisor has shut down the possibility of payments and crypto firms using outsourcing as an excuse for failing to comply, clarifying in the guidelines that outsourcing compliance functions does not absolve PSPs and CASPs of their accountability. 

It says that service agreements must define clear roles, establish controls and require regular assessments to ensure compliance. 

Bolstering compliance efforts

Ultimately, the EBA expects the authorities overseeing these institutions to notify it of their adherence to the guidelines and provide public updates on their compliance status.

The measures reflect the supervisor’s commitment to reinforcing sanctions enforcement and promoting the integrity of the financial system.

“These policies, procedures and controls should enable PSPs and CASPs to identify subjects of restrictive measures,” the document says. 

“They should also enable PSPs and CASPs to take the measures necessary to ensure that they do not make any funds or crypto-assets available to those subjects, they do not carry out financial transactions or services prohibited by restrictive measures, and they manage risks of circumvention of restrictive measures.”

It is unsurprising that the EBA has sharpened its focus on sanctions, considering the political context in the EU, where sanctions enforcement has at times been patchy.

For example, in 2023, Romanian member of the European Parliament Eugen Tomac accused Austria of failing to enforce sanctions properly. 

In 2022, Russia’s invasion of Ukraine led to the highest number of regulatory events ever recorded by Vixio, at 243 in March 2022 alone. 

Firms, including those in the EU, were forced to act at short notice to remain compliant with rules.

Since then, the sanctions regime has continued to change and become more restrictive, resulting in heavier workloads for compliance teams.
