
New sanctions compliance obligations – effective from 30 December 2025

4 March 2026

Implementation of the European Banking Authority (“EBA”) Guidelines on restrictive measures (EBA/GL/2024/14 and EBA/GL/2024/15) and the consequences of Directive (EU) 2024/1226 and the draft Polish sanctions act – liability of collective entities, the requirement to demonstrate due diligence and the role of the CSCE certificate.

1. Why this concerns your institution – regulatory and criminal context

A. EBA guidelines on sanctions

From 30 December 2025, the EBA Guidelines (EBA/GL/2024/14 and EBA/GL/2024/15) on internal policies, procedures and control mechanisms for the implementation of EU and national restrictive measures (sanctions) shall apply.

The Guidelines cover, among other things:

  • banks and credit institutions (CRD);
  • payment and electronic money institutions (PSD2, EMD);
  • payment service providers (PSP); and
  • crypto-asset service providers (CASP).

In this regard, the Polish Financial Supervision Authority, which has notified the EBA of its intention to apply the Guidelines, is responsible for supervising the implementation of the EBA Guidelines by the above institutions.

Key shift in emphasis by the EBA:

It is not enough to “have procedures in place”. An institution must demonstrate that the sanctions system is:

  • effective;
  • proportionate to the risk;
  • regularly reviewed; and
  • documented in a manner that allows evidence to be presented to supervisory authorities.

B. Directive (EU) 2024/1226 – infringement and circumvention of sanctions as criminal offences

Directive (EU) 2024/1226 on criminal offences and sanctions for infringements of restrictive measures:

  • harmonises criminal liability for sanctions violations in the EU;
  • explicitly provides for the possibility of liability of legal persons (collective entities);
  • covers the liability of management; and
  • emphasises the need for effective compliance systems as part of the assessment of guilt and sanctions.

In practice: in the event of a breach of sanctions, not only will it be examined whether “a breach has occurred”, but also whether the institution did everything that could reasonably be expected to prevent it.

C. Draft of the Polish “major” sanctions law

The draft law implementing Directive (EU) 2024/1226 provides, among other things, for:

  • liability of collective entities without a prerequisite ruling (without the need for a final conviction of a natural person);
  • financial penalties of up to 5% of annual turnover or up to PLN 200 million;
  • administrative and criminal sanctions against management; and
  • the possibility of mitigating or excluding liability if the institution demonstrates that:
    • it has implemented an effective and adequate compliance system; and
    • it has exercised due diligence.

Systemic conclusion:

The EBA Guidelines specify what the sanctions system should look like, while the EU criminal directive and the Polish draft law specify the consequences if an institution is unable to demonstrate its effectiveness.

2. What the EBA explicitly requires – obligations subject to assessment

A. Governance and responsibility of the Management Board

The governing body of an institution is responsible for:

  • approval of the sanctions compliance strategy;
  • supervision of its implementation;
  • regular (at least annual) assessment of the effectiveness of policies, procedures and control mechanisms; and
  • ensuring that corrective measures are taken in the event of non-compliance.

This is a factor that is directly relevant to the assessment of the criminal liability of management in the context of future tightening of criminal law provisions on sanctions.

B. Appointment of a senior sanctions manager

The institution must appoint a senior manager responsible for sanctions compliance who has:

  • real competences;
  • appropriate organisational authority; and
  • access to the management board.

The senior manager should be responsible for reporting any breaches of restrictive measures to the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego).

C. Risk exposure assessment

Risk assessment:

  • must identify the applicable sanctions regimes;
  • must be up to date and reviewed at least once a year;
  • must be updated for new products, markets and customers; and
  • must be based on diverse and reliable sources.

A lack of reliable risk assessment significantly hinders the demonstration of due diligence in the context of collective liability and individual criminal liability.

D. Screening, alerts, and decision documentation

The EBA requires, among other things:

  • an annual review of the effectiveness of screening systems;
  • calibration (including fuzzy matching) based on risk assessment;
  • documentation of calibration justifications and readiness to present them to authorities; and
  • documentation of decisions made in relation to alerts.

This is one of the most “enforceable” areas in supervisory practice.

E. Training and the obligation to “be able to demonstrate”

The institution must:

  • conduct regular training sessions;
  • document its training plan; and
  • be able to demonstrate that the training is adequate and effective.

This excerpt from the EBA Guidelines explicitly introduces a standard of proof which, by analogy, applies to the entire sanctions compliance system.

Training plans should also be documented and made available to the Polish Financial Supervision Authority upon request.

3. Criminal liability of collective entities – practical consequences

In the event of a breach of sanctions, the authorities will investigate, among other things, whether:

  • the institution had a functioning system in place;
  • the management board exercised supervision;
  • reviews and corrective actions were in place;
  • decisions were documented; and
  • risks were correctly identified.

4. CSCE as a tool for demonstrating due diligence

A. What is CSCE – Certified Sanctions Compliance Entity

The CSCE is an independent benchmark and verification process that:

  • tests the effectiveness of the sanctions system;
  • identifies gaps;
  • generates a report and remediation plan; and
  • issues a certificate of compliance.

B. Why CSCE responds to EBA requirements and regulations tightening criminal liability for violation and circumvention of sanctions

The CSCE supports an institution precisely where the EBA and criminal law “meet”:

  • effectiveness (EBA) → actual functioning of the system, not just documents;
  • regular review (EBA) → cyclical, external verification;
  • documentation and demonstration (EBA + criminal directive) → report, methodology, evidence; and
  • due diligence (criminal directive/sanctions act) → ability to demonstrate that the institution acted proactively and in accordance with market standards.

C. The importance of CSCE in proceedings

In practice, the CSCE may:

  • serve as evidence of due diligence;
  • support arguments regarding the adequacy of the compliance system; and
  • influence the mitigation or exclusion of liability of the collective entity and management.

The EBA guidelines will apply from 30 December 2025, and Directive (EU) 2024/1226 and the draft Polish sanctions act significantly increase the risk of liability of collective entities and management personnel.

Therefore, we recommend implementing an EBA-ready sanctions compliance programme and considering CSCE certification as a tool for verification and demonstration of due diligence.

More about the certificate: www.sanctionscertificate.eu
