Introduction
Anti-money laundering (AML) and sanctions compliance have traditionally operated as distinct regulatory areas, each characterized by divergent requirements concerning risk management, internal controls, audit mechanisms, and reporting obligations. This regulatory bifurcation is also reflected in the ratio legis of both regimes: AML legislation is predicated upon a pronounced Risk-Based Approach, whereas sanctions legislation has historically developed along a predominantly Rule-Based Paradigm.
Recent compliance frameworks, however, increasingly consolidate obligations pertaining to AML and sanctions. Such regulatory convergence engenders a doctrinal amalgamation that risks diluting the conceptual clarity of both regimes, thereby generating interpretative uncertainties and imposing significant structural and organizational recalibrations upon the compliance architectures of affected businesses.
A paradigm shift: Sanctions compliance within the EU AML framework
The European AML landscape has recently been reshaped by the adoption of the EU AML package, most notably the AML Regulation (EU) 2024/1624 (AMLR). According to the EU legislator, institutions and persons subject to the AMLR (Obliged Entities) play a crucial role as “gatekeepers” of the EU’s financial system. Having said that – and considering recent geopolitical developments – the AMLR extends beyond measures aimed at preventing money laundering and terrorist financing. It requires Obliged Entities to implement mechanisms designed to mitigate risks associated with the non-implementation or evasion of targeted financial sanctions, meaning both asset freezing and prohibitions on making funds or other assets available, directly or indirectly, for the benefit of designated persons and entities.
While existing EU sanctions guidelines have long emphasized that operators should adopt adequate measures to address sanctions risks, the AMLR represents the first instance of an AML regime imposing hard-coded, legally-binding obligations for comprehensive sanctions compliance, encompassing, inter alia:
- Risk-based policies, procedures, and controls: Obliged Entities must establish an internal control framework incorporating risk-based policies, procedures, and controls to effectively manage and mitigate risks of non-implementation or evasion of targeted financial sanctions. Importantly, these risk-sensitive requirements do not supplant the rule-based obligations under applicable EU sanctions laws concerning customer screening for sanctions compliance.
- Business-wide risk assessment: Obliged Entities are required to adopt proportionate measures – reflecting their size, complexity, and risk exposure – to identify and assess not only money laundering and terrorist financing risks but also risks of non-implementation or evasion of targeted financial sanctions. The European Anti-Money Laundering Authority (AMLA) will issue guidelines specifying minimum standards for such assessments. These are expected to align with existing guidance from sanctions authorities, including risk indicators related to customers and transactional patterns.
- Customer due diligence (CDD): Obliged Entities must verify whether customers or beneficial owners are subject to targeted financial sanctions. For legal entities, this includes determining whether designated persons exercise control or hold more than 50% ownership or a majority interest, individually or collectively. Although the precise contours of ownership and control remain the subject of considerable debate and are currently under scrutiny in proceedings pending before the CJEU, the sanctions best practices promulgated by the Council – by reference to Recital 37 of the AMLR – ought likewise to be regarded as a significant interpretative benchmark within the prevailing AML framework. However, these obligations apply both at onboarding and throughout the regular monitoring of the business relationship. Notably, simplified due diligence measures should not be applied if there is a suspicion that the customer, or any person acting on behalf of the customer, is attempting to evade targeted financial sanctions.
- Expanded responsibilities for compliance officers: From an organizational perspective, Obliged Entities must designate a compliance officer responsible for implementing policies, procedures, and controls relating to targeted financial sanctions. This evolution of the compliance function demands expertise beyond traditional AML knowledge, particularly in assessing complex asset freeze restrictions, which often require specialized sanctions expertise.
Enhancing AML – sanctions alignment in level 2 and 3 instruments
Beyond the directly applicable level 1 regulations, EU regulators seek to further harmonize the AML framework through level 2 and 3 instruments, including certain standards and guidelines. Notably, the European Banking Authority (EBA) has issued two guidelines (EBA/GL/2024/14 and EBA/GL/2024/15) addressing compliance with and implementation of sanctions within the EU and its Member States, which will apply as of 30 December 2025. These guidelines establish common EU standards for governance arrangements, strategies, procedures, and controls that financial institutions, payment service providers and crypto-asset service providers must implement to ensure compliance with European and national sanctions regimes. However, the German Federal Financial Supervisory Authority (BaFin) has announced that it will not fully incorporate these guidelines into its administrative practice. BaFin has criticized the absence of a clear distinction between AML and sanctions law, warning of potential “over-compliance”.
Nevertheless, the guidelines reflect the broader trend toward harmonization and closer integration of AML and sanctions compliance, even as BaFin’s reservations underscore the delicate balance required when pooling these two regimes into a unified compliance framework.
Managing circumvention risks
The convergence of AML and sanctions compliance is also evident in supervisory practice, particularly in the context of circumvention scenarios. For example, BaFin has recently observed an increase in schemes designed to obscure Iranian involvement in transactions and business relationships. According to several supervisory notices, payment agents have been used as “alternative” payment channels to bypass sanctions against Iranian banks and restrictions within the SWIFT system, thereby concealing links to Iran and evading domestic control mechanisms. Such attempts to circumvent sanctions frequently trigger enhanced due diligence obligations under AML law.
Conversely, the German legislator – implementing Directive (EU) 2024/1226, which introduces EU-wide minimum standards for prosecuting sanctions violations – will classify acts of concealment as a criminal offense under the German Foreign Trade and Payments Act (Außenwirtschaftsgesetz – AWG). This development is noteworthy because “concealment” is already recognized as a form of money laundering under § 261 (2) of the German Criminal Code (Strafgesetzbuch – StGB), thereby incorporating AML logic into sanctions legislation.
Holistic approach to reporting obligations
The scope of reporting obligations under AML and sanctions laws remains, in certain respects, ambiguous. One recurring question concerns how to address reports of potential sanctions violations. These may constitute predicate offenses for money laundering and thus may require both a suspicious activity report (SAR) under § 43 of the German Money Laundering Act (Geldwäschegesetz – GwG) and – according to the typical reporting obligations under the relevant EU sanctions regimes – a corresponding sanctions report to the Federal Office for Economic Affairs and Export Control (BAFA) or the Deutsche Bundesbank. However, BAFA has clarified in its Russia-related guidance that, where sanctions violations are reported to the Financial Intelligence Unit (FIU) pursuant to Directive (EU) 2015/849, there is no obligation to submit “the same information” to other competent authorities. Accordingly, proper reporting to the FIU satisfies the relevant sanctions reporting requirement. Nevertheless, businesses should carefully assess whether reported information is relevant to both regimes, as separate handling of red flags is increasingly insufficient.
Outlook: Navigating the integration imperative
AML and sanctions compliance are increasingly converging – both legally and operationally. Recent regulatory developments, particularly the incorporation of targeted financial sanctions risks within the scope of the AMLR, underscore the legislator’s intent to promote an integrated approach to risk management. Enforcement authorities have likewise acknowledged the interconnection between AML and sanctions law, fostering closer cooperation in supervisory and investigative practices. Notably, investigations by customs authorities into sanctions breaches are now frequently triggered by SARs submitted to the FIU.
For businesses, this evolution necessitates a strategic reassessment of internal processes to address these intertwined requirements and mitigate reputational and liability risks. In particular, businesses must clarify – and, where necessary, adjust – responsibility for relevant compliance areas, ensuring that internal information flows are leveraged appropriately under both AML and sanctions regimes. These regulatory interdependencies will likely result in the AML/compliance officer assuming a more prominent role in sanctions-related matters, including oversight of targeted financial sanctions compliance. Furthermore, in high-risk transactions, reporting obligations must not be considered in isolation. Instead, they should be assessed holistically across regimes and addressed through a coordinated, strategic compliance framework.
