New EBA guidelines

With two new guidelines - EBA/GL/2024/14 and EBA/GL/2024/15 - the European Banking Authority (EBA) is setting new standards in the area of money laundering prevention and sanctions compliance. These guidelines were adopted in 2024 and come into force on 30 December 2025. They are aimed at all institutions under EBA supervision on the one hand and specifically at payment service providers (PSPs) and providers of crypto asset services (CASPs) on the other.

General guidelines on restrictive measures

The EBA/GL/2024/14 sets out general requirements for internal strategies, procedures and controls to ensure the implementation of European and national sanctions regulations. Institutions must assess which areas of their business activities are particularly susceptible to sanctions evasion. They are obliged to implement appropriate measures in proportion to the size, type and complexity of the business model.

The management body - usually the Executive Board or management - is responsible for implementation. It must ensure that sufficient resources are provided and strategies are approved. The management body in its supervisory function (e.g. the supervisory board) must monitor the effective functioning of the compliance function on an annual basis.

A central role is also played by the so-called "senior employee" (often the money laundering officer or compliance officer), who is responsible for operational implementation and ongoing reporting. The core elements here are a systematic risk assessment and regular employee training.

Special requirements for payment and crypto service providers

The EBA/GL/2024/15 contains specific requirements for PSPs and CASPs. These institutions must establish a data processing system or adapt an existing system to ensure compliance with sanction requirements. In particular, regular checks of all customers and their beneficial owners are required on the basis of up-to-date sanctions lists.

Particular attention is paid to the processing and updating of relevant customer data. Institutions must also define how they deal with alerts - especially in the case of high risks, applying the dual control principle. Transactions with confirmed hits must be suspended immediately, funds must be frozen and the relevant authorities must be informed without delay.

Conflicts in national implementation

It is noteworthy that BaFin informed the EBA in April 2025 that it would only follow the guidelines to a limited extent. It confirmed this when it published its annual report for 2024. The reason for this is national responsibility: in Germany, the Deutsche Bundesbank is primarily responsible for monitoring the sanction guidelines, not BaFin. Further developments remain to be seen. This is particularly true in light of the EU AML Regulation, which will provide for new requirements regarding sanction evasion from July 2027.

Conclusion

The new EBA guidelines mark a clear trend towards a stronger link between money laundering prevention and sanctions compliance. For institutions, this means expanding their internal control systems and closely dovetailing the responsibilities of money laundering and sanctions officers. This development will be continued by the EU AML Regulation. Early implementation of the requirements is advisable - not only with regard to regulatory requirements, but also to minimise liability risks in the management or supervisory body.

Note: For a detailed analysis, see the article by our experts Markus Haufellner, Dr Lars Haffke and Emilie Heinrichs in the BKR (Haufellner/Haffke/Heinreichs, "Aktuelle Entwicklungen im Geldwäscherecht", Zeitschrift für Bank und Kapitalmarktrecht (BKR), 2025, 392)