New EBA guidelines

With two new guidelines – EBA/GL/2024/14 and EBA/GL/2024/15 – the European Banking Authority (EBA) is setting new standards in the fields of anti-money laundering and sanctions compliance. Adopted in 2024, these guidelines will enter into force on 30 December 2025. They are addressed on the one hand to all institutions under EBA supervision, and on the other hand specifically to payment service providers (PSPs) and crypto-asset service providers (CASPs).

General guidelines on restrictive measures

Guideline EBA/GL/2024/14 sets out general requirements for internal strategies, procedures, and controls to ensure compliance with European and national sanctions regimes. Institutions must assess which areas of their business activities are particularly vulnerable to sanctions circumvention. They are required to implement appropriate measures, proportionate to the size, nature, and complexity of their business model.

Responsibility for implementation lies with the management body – usually the executive board or management team. This body must ensure that sufficient resources are allocated and that appropriate strategies are approved. The supervisory function of the management body (e.g. supervisory board) is tasked with overseeing the effectiveness of the compliance function on an annual basis.

A key role is played by the designated “senior manager” (often the AML officer or compliance officer), who is responsible for operational implementation and ongoing reporting. Core elements include a systematic risk assessment and regular staff training.

Specific requirements for payment and crypto service providers

Guideline EBA/GL/2024/15 contains additional obligations for payment service providers (PSPs) and crypto-asset service providers (CASPs). These entities must establish or adapt a data processing system that ensures compliance with sanctions regulations. Specifically, regular screening of all customers and their beneficial owners against up-to-date sanctions lists is required.

Special emphasis is placed on the processing and updating of relevant customer data. Institutions must also define how they handle alerts — especially in high-risk cases, using the four-eyes principle. Transactions with confirmed matches must be immediately suspended, funds frozen, and the relevant authorities informed without delay.

Conflicts in national implementation

Notably, BaFin informed the EBA in April 2025 that it would only partially comply with the guidelines. This position was reiterated in BaFin’s 2024 annual report. The reason lies in national jurisdiction: in Germany, primary responsibility for sanctions oversight rests with the Deutsche Bundesbank, not BaFin. The further development of this issue remains to be seen — especially in light of the EU AML Regulation, which will introduce new rules on sanctions circumvention starting in July 2027.

Conclusion

The new EBA guidelines signal a clear shift toward a stronger integration of AML and sanctions compliance. For institutions, this means expanding internal control systems and more closely aligning the responsibilities of AML and sanctions officers. This trend will continue with the implementation of the EU AML Regulation. Early implementation is advisable — not only to meet regulatory expectations, but also to minimise liability risks for management and supervisory bodies.

Note: For an in-depth legal analysis, see the article by our experts Markus Haufellner, Dr. Lars Haffke and Emilie Heinrichs in BKR: Haufellner/Haffke/Heinrichs, “Current developments in anti-money laundering law”, Bank- und Kapitalmarktrecht (BKR), 2025, p. 392.