Countdown for EBA Guidelines on Restrictive Measures – Three months to go before deadline
In April 2025, the Swedish FSA announced that it will follow the Guidelines issued by the EBA on sanctions risk management. The deadline for the EBA Guidelines, 31 December 2025, is getting closer. The impact is expected to be big, and financial companies are advised to adjust their sanctions risk management programmes to meet the requirements as soon as possible. In this article, we discuss why that is and what companies need to have in place to comply.
Advisense has advised clients on select parts of guidelines from financial supervisory authorities in other countries in the Nordics and the EU, relying on principles described for compliance with US sanctions, mainly from OFAC. However, for obvious reasons, compliance with EU sanctions is very much in focus due to the conflict in Ukraine.
The trend is already clear. Recent court decisions demonstrate that violations of EU sanctions can result in severe penalties. Enforcement is becoming more aggressive, and the risk of non-compliance is higher than ever: substantial fines, asset confiscation, and prosecution of individuals.
Until recently, the lack of EU-wide minimum standards for prosecuting sanctions violations has contributed to fragmented enforcement. In practical terms, a regulatory framework outlining the process for sanctions risk management has been scarce if not non-existent.
The EU’s commitment to rigorous sanctions enforcement is now reshaping the compliance environment, and as supervisory bodies intensify their activities and harmonisation measures take effect, the financial and reputational cost of non-compliance is expected to rise. To be clear, EBA Guidelines on Restrictive Measures do not compete with or contradict any previous regulations, guidelines or decisions by the Swedish Financial Supervisory Authority (SFSA), as has been the case with other guidelines such as the EBA Guidelines on the AML Compliance Officer.
Meanwhile, the SFSA has not published any detailed guidelines on the matter, and decisions detailing its expectations on this subject are scarce. This is not an easy landscape to navigate.
The impact on your business
With enforcement becoming stricter and the legal framework tightening, companies are advised to prioritise sanctions compliance as a core element of their risk management strategy.
Sanctions-related questions are already included in the periodic reporting to the SFSA as of 2025, and there are already signs that the Swedish FSA will likely act to establish the importance of a structured sanctions risk management programme during 2026.
The requirements in the Guidelines will serve as the obvious benchmark for financial supervisory expectations on sanctions risk management. Financial services companies are advised to adopt the same mindset, and this recommendation is not only based on expected supervisory action.
The Guidelines offer a good description of a sanctions risk management programme and how it should be tailored to the exposure (i.e. risk) in relation to sanctions and sanctions evasion. This serves as important input for organisations to ensure that their sanctions risk management programmes are effectively protecting their operations against sanctions risk exposure while ensuring a tailored approach. As an added benefit, it will give a head start in relation to new sanctions-related requirements in the AML Regulation.
Right priorities, right measures
The starting point for a successful approach depends on what your organisation already has in place. Generally speaking, sanctions risk management is not a very mature practice. It is frequently limited to sanctions screening as the core issue. A broader look at the sanctions risk management programme is key, especially at the so-called exposure assessment, that is, the general risk assessment in relation to sanctions risk. If a specific exposure assessment in relation to sanctions risk is missing or lacking, compliance with the Guidelines is likely not possible, given that controls such as screening (customers and transactions) and sanctions-related due diligence must be based on typologies for sanctions evasion and the exposure to sanctions risk.
In practice this means that there is now an expectation that the choice of screening systems and screening models should be based on and tailored to the exposure and risk. The specific questions and controls in the sanctions due diligence process (CDD and EDD) should be based on an understanding of situations where the risk of sanctions evasion is higher. And this should be documented in a way that shows the logic to stakeholders such as internal audit, compliance functions and the financial supervisory authorities.
With the deadline coming up, it is a fair bet that most management teams would want to be assured that internal policies and training have been properly reviewed and updated to reflect the latest legal requirements, that screening systems are calibrated and that teams are sufficiently equipped with knowledge and tools to be in sync with evolving EU and national sanctions enforcement.
If you have not started, now is the time.
Learn more about Advisense 360 degrees sanctions compliance advisory or contact us to book a meeting or workshop to discuss what your needs are and where your priorities should be.