The evolving sanctions landscape

The most significant development occurred in the wake of Russia's invasion of Ukraine in February 2022. Since the invasion, the EU has, at the time of writing, adopted 20 sanctions packages against Russia, which have progressively expanded both the lists of persons and entities and the sectoral restrictions. The successive packages have not only increased the number of persons and legal entities covered but have also gradually expanded the scope and complexity of the sanctions regime itself ​(2)​.

The sanctions packages generally contain a combination of individual financial sanctions and broader economic and sectoral restrictions. At the individual level, the EU has continually added persons and undertakings to the sanctions lists, which entails, among other things, the freezing of funds and a prohibition on making funds or economic resources available, directly or indirectly. At the sectoral level, the packages have included restrictions concerning energy, financial services, export controls, dual-use products, technology, transport, shipping, insurance, infrastructure, and access to capital markets. In addition, there is an ever-stronger focus on third-country actors, complex corporate structures and other mechanisms that may be used to circumvent the applicable restrictions.

In particular, the most recent packages illustrate how the EU's sanctions regime has shifted from a primary focus on direct ties to Russia to one that increasingly also addresses circumvention, financial infrastructure, and supporting networks. For example, the more recent packages have to a greater extent targeted the so-called ‘shadow fleet’ – older tankers with opaque ownership and frequent flag changes used to transport Russian oil evading sanctions. At the same time, actors that enable circumventions are being targeted: third-country undertakings and financial actors, Russian and non-Russian banks, export and supply chains, as well as financial and technological structures that contribute to maintaining or concealing economic activity in breach of the sanction rules. The packages also reflect a more pronounced focus on the connection between financial sanctions, payment infrastructure, crypto-assets, and alternative distribution and payment channels.

This development is significant for financial institutions. While sanctions compliance could previously largely be seen as a question of identifying name matches against a list, it is today increasingly about understanding the broader regulatory purpose of the sanctions and the risks the rules seek to address. The purpose is not only to prevent funds from being made available directly to designated persons or entities, but also to prevent financial institutions, knowingly or unknowingly, from being used as a channel for circumvention, concealed financing, or indirect access to the financial system.

It is precisely this development that makes the sanctions area particularly relevant today. On the one hand, we see an ever more comprehensive and detailed set of rules being rapidly expanded and adjusted in response to geopolitical events. On the other hand, the legal and practical interpretation of many of the rules remains under development. For financial institutions, this means that compliance with the sanctions rules increasingly requires a risk-based, forward-looking approach anchored in governance, rather than merely a technical screening function.

3. Sanctions enforcement: lessons from recent cases

Danish case law on sanctions remains limited, but recent enforcement activity gives a clearer picture of how breaches arise in practice and who is held responsible. The cases that have emerged, whether through Danish court rulings, ongoing criminal investigations, or decisions by foreign authorities, share a common feature: the breaches in question rarely look like a name on a list. They look like fuel ending up in conflict zones, goods rerouted through neighbouring countries, and payments structured through foreign subsidiaries and correspondent banks. Some patterns are worth highlighting.

One significant risk involves the liability of exporters for the ultimate destination of their goods. Authorities are increasingly looking past the immediate buyer to the actual end-user, particularly when products are sold through foreign branch offices or agents. The legal standard often rests on whether a company ‘should have known’ its products were destined for a prohibited zone. This means that the use of a middleman or an agent does not provide a legal shield; if the logistical chain points towards a sanctioned region, the primary exporter and its leadership face severe penalties, including the confiscation of profits and criminal charges.

Another critical vulnerability lies in how payments are routed through global banking systems. Enforcement actions have shown that when subsidiaries in neutral trade hubs instruct clients to use ‘payment detours’ or third-party intermediaries to settle invoices, it is viewed as a deliberate attempt to bypass banking filters. This is especially damaging when a company proceeds with such workarounds despite having received internal compliance warnings or seeing similar transactions rejected by banks. Such structured payment paths are seen as evidence of conscious circumvention, providing international regulators with the grounds to impose massive fines on entire corporate groups.

Finally, there is a growing focus on the blind spots in distribution networks. The rerouting of industrial goods through neighbouring ‘transit’ countries has emerged as a major focus of criminal investigations. In these scenarios, goods are officially documented for delivery to legitimate markets but are instead diverted to sanctioned jurisdictions shortly after leaving the exporter's control. Authorities increasingly use customs data and logistical patterns to expose these discrepancies, particularly when shipping documents list false destinations or when high volumes of transport occur through known smuggling routes. While companies may claim ignorance regarding a distributor's actions, evidence of systemic diversion can lead to police raids and criminal charges against both the entity and its leadership. These developments underscore that a passive approach to supply chain oversight is no longer a viable defence in the face of modern regulatory scrutiny.

4. The current obligations of financial institutions

4.1 Customer and transactions screening

Financial institutions are obligated to screen all customers and transaction counterparties to ensure compliance with EU sanctions regulations. The current Danish Anti-Money Laundering Act does not prescribe a specific screening method, instead leaving it to the individual institution to organise the process based on a risk-based approach. The EU sanctions regulations do mandate that companies verify that funds and economic resources are not made available to persons, groups, or entities on sanctions lists.

Screening involves checking both customers and beneficial owners, where relevant, as well as counterparties in transactions. This must always be conducted against updated lists, such as the EU’s consolidated sanctions list or reliable third-party screening services. If the screening produces a potential match, the institution must determine whether it is a false positive or a confirmed match with a person or entity subject to sanctions. A confirmed match means that the customer or transaction counterparty is subject to an asset freeze, meaning no funds may be made available, accounts may not be opened, and transactions may not be completed. Furthermore, the match must be reported without delay to the relevant authorities.

4.2 Asset freezing and provision of funds

EU sanctions rules impose a strict obligation on financial institutions to freeze funds and economic resources belonging to persons or entities on sanctions lists. This prohibition applies to both direct and indirect availability. Indirect availability can occur if a sanctioned person owns, controls, or otherwise exercises a decisive influence over a legal entity, or if the funds ultimately benefit sanctioned parties through third-party structures.

Institutions must therefore carefully assess ownership and control structures to ensure that funds do not unintentionally reach sanctioned parties. Any activity that makes funds available – including through complex corporate or transactional structures – is prohibited. Violations can lead to significant sanctions, both financial and legal, as well as reputational damage.

4.3 Prevention of circumvention

Financial institutions must actively prevent attempts to circumvent sanctions. This requires a risk-based approach where complex corporate structures and transaction flows through third countries are assessed for the risk that funds may end up with sanctioned persons or entities.

Preventing circumvention requires the institution to:

• Identify ownership and control interests in complex corporate structures
• Assess the ultimate beneficiaries of transactions, even when they are channelled through third parties or third countries
• Implement effective internal procedures and controls, including the monitoring of transaction patterns and the reporting of suspicious activities

By combining screening, asset freezing, and active prevention of circumvention, financial institutions can fulfil their obligations under EU sanctions regulations and minimise the risk of funds inadvertently reaching sanctioned actors.

5. Upcoming requirements in the sanctions domain: the AML Package and EBA guidelines 

The new EU AML Package explicitly integrates sanctions and restrictive measures into the general requirements for financial institutions. When banks and other financial actors assess the risk of money laundering or terrorist financing, they must simultaneously consider whether customers, beneficial owners, or transaction counterparties are subject to EU sanctions. This means that sanctions controls will become a natural part of customer due diligence (CDD), transaction monitoring, and internal compliance systems as established by the AML Package ​(3)​.

To support the implementation of these requirements, the EBA has issued guidelines providing financial institutions with specific instructions on how to build internal policies and control procedures that effectively handle both AML risks and the risk of breaching restrictive measures ​(4)​. In Denmark, the Financial Supervisory Authority has indicated that it will take the EBA guidelines into account once the AML Package is fully implemented. This creates a harmonised framework where AML requirements and sanctions obligations can be operationalised together. 

Consequently, sanctions compliance ceases to be a separate task and is instead being embedded within the existing AML controls and risk management procedures that financial institutions must already have in place. 

6. Upcoming governance requirements for sanctions – EBA guidelines

6.1 Requirements for the Board of Directors, Executive Management, and the Sanctions Officer

The EBA guidelines on restrictive measures emphasise that sanctions compliance cannot be left to individuals alone; it must be an integrated part of the institution’s management and control structure. The Board of Directors holds the overall responsibility for ensuring that the bank or financial institution has a clear strategy, sufficient resources, and effective internal policies to ensure compliance with EU and national restrictive measures. This also implies that exposure assessments are a natural part of the overall risk management process and that the Board receives regular reporting on whether controls are functioning as intended.

Executive Management is responsible for the daily implementation of these policies and controls. This means ensuring that procedures for customer due diligence, transaction monitoring, and the screening of beneficial owners are followed in practice, and that the compliance function is independent, effective, and reports directly to management. At the same time, Executive Management must ensure that information regarding potential risks and identified sanctions-related issues is continuously brought to the Board's attention.

A central requirement is the appointment of a senior employee responsible for sanctions compliance. This individual is responsible for developing and maintaining internal policies and controls, conducting ongoing exposure assessments, and ensuring that management is kept informed of changes in risk, screening alerts, and any instances involving fund freezes. An exposure assessment must identify where the institution is most vulnerable to the violation or circumvention of sanctions and serve as the basis for determining which procedures and technical controls should be applied ​(4)​.

6.2 Exposure assessment

The EBA guidelines on restrictive measures emphasise that financial institutions must conduct an exposure assessment to map out where the institution is particularly vulnerable to the breach or circumvention of sanctions. According to the EBA, this assessment must be based on the institution’s business model and cover all relevant risk factors, including customers, products, services, transactions, delivery channels, and geographic areas. Similar to risk assessments for money laundering and terrorist financing, the exposure assessment must provide a clear picture of where the institution is most exposed and where controls need to be strengthened.

The assessment should cover the following areas:

• Customers and ownership: Who are the customers, and who are the beneficial owners? Are there complex structures or connections to industries or countries that are particularly exposed to sanctions?
• Products and services: Which products and services does the institution offer, and could the delivery of these increase the risk of violations or circumvention?
• Delivery channels: How are products and services delivered? Are third parties, agents, or correspondent banks used that could create blind spots or increase exposure to geographic risk?
• Geography: Where does the institution conduct business, which countries or regions are used for transactions, and which jurisdictions are subject to restrictive measures or used for circumvention?

The assessment must be based on a wide range of information sources, including customer data from due diligence procedures, information from public authorities and international bodies, reliable media, and commercial risk reports. The assessment must be dynamic and updated regularly, with a minimum of an annual review, and must be revised in the event of new sanctions, the launch of new products, entry into new markets, or if previous controls prove insufficient.

For corporate groups, the EBA emphasises that the parent undertaking must ensure that subsidiaries perform coordinated assessments. These must follow a common methodology while also accounting for local conditions. The entire process should be documented so that management can follow the results and authorities can verify that the assessment has been correctly executed.

In this way, the risk exposure assessment, as described by the EBA, ensures that risks of sanctions are understood, prioritised, and managed in a systematic and effective manner. This makes it possible to target resources, strengthen internal controls, and prevent the violation or circumvention of EU and national restrictive measures ​(4)​.

6.3 Policies, procedures, and controls

Policies, procedures, and controls around sanctions must ensure that the institution can fully implement all applicable restrictive measures without delay. The policy should be based on the exposure assessment and establish the strategic framework for sanctions compliance, ensuring that resources, responsibilities, and priorities align with the areas where the institution is most exposed.

Key requirements include ensuring that the institution always has up-to-date information on applicable sanctions regulations, that internal controls align with the exposure assessment, and that procedures automatically trigger necessary actions when deficiencies are identified. This includes the prompt investigation of potential matches, handling of true positive matches through rejection, suspension, or fund freezes, as well as reporting to the relevant authorities. A clear division of responsibility, including in cases of outsourcing, ensures that sanctions compliance becomes an integrated part of daily operations ​(4)​.

6.4 Education and training

Employees in financial institutions should regularly be offered training and education to ensure they are consistently aware of applicable restrictive measures, the findings of the institution’s exposure assessment, and the internal policies, procedures, and controls that ensure compliance. Training should be tailored to the individual employee’s role, delivered in a timely manner, and ensure that the institution can act appropriately in relation to sanctions. Within corporate groups, the parent undertaking may coordinate or conduct training for the entire group. Training activities must be documented so the institution can demonstrate to the authorities that employees have received relevant and effective training (4).

7. Discussion: Does the new regulation effectively enhance sanctions prevention?

The new AML Package and EBA guidelines significantly strengthen the framework for sanctions compliance by making requirements more concrete and operationally grounded. Historically, sanctions compliance has often been seen as a siloed operational function, limited to the technical screening of customers and transactions and the freezing of funds where applicable. With the new regulation, sanctions compliance is more deeply integrated into overall governance, risk management, and the compliance function. This means that institutions must now be able to identify and manage broader risks, such as the indirect provision of funds, complex ownership and control structures, and attempts at circumvention.

A central component of the regulation is the exposure assessment. It forces institutions to analyse their own business models and systematically identify where they are particularly vulnerable to sanctions breaches. This covers not only customers and transactions but also products, services, delivery channels, and geographic risks. At the same time, the assessment must be based on a wide range of information sources, from customer data and information from public authorities and international bodies to reliable media sources and commercial risk reports, and must be kept continuously updated. In this way, the exposure assessment ensures that institutions can prioritise resources, target controls, and prevent sanctions breaches in a more systematic and evidence-based manner.

Policies, procedures, and controls constitute another key element. When built upon the exposure assessment, they establish the strategic framework for sanctions compliance and ensure that all relevant processes, from list updates and screening to following up on true positive alerts, are executed consistently and without delay. The division of responsibility, both internally and in cases of outsourcing, as well as ongoing employee training, is crucial to ensure rules are followed in practice and not just on paper.

At the same time, it is important to recognise that the effectiveness of rules also depends on how they are implemented. While the new regulation provides institutions with better tools to prevent sanctions breaches, regulation alone cannot eliminate risk. Effective prevention requires active management, a culture where sanctions compliance is prioritised alongside other core areas, and continuous adaptation of processes to reflect changes in both business activities and the geopolitical landscape.

Overall, the AML Package and EBA guidelines create a more robust framework where sanctions compliance becomes an integrated element of daily operations. Through systematic exposure assessments, clear policies and controls, and targeted employee training, financial institutions are better equipped to identify and manage sanctions risks, reduce the likelihood of unintentional breaches, and strengthen their ability to navigate a complex and dynamic regulatory environment.

​​Bibliography

​​1. EU. EU sanctions tracker. https://data.europa.eu/apps/eusanctionstracker/. [Online]

​2. Råd, Det Europæiske. EU's sanktionspakker. https://www.consilium.europa.eu/da/policies/sanctions-against-russia/timeline-packages-sanctions-since-february-2022/. [Online]

​3. EU-Lex. AML forordningen. https://eur-lex.europa.eu/legal-content/DA/TXT/?uri=CELEX%3A32024R1624. [Online]

​4. EBA. Final report on Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures. https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/anti-money-laundering-and-countering-financing-terrorism/guidelines-internal-policies-procedures-and-controls-ensure-implementation-union-and-national. [Online] 2025.

​5. Anklagemyndigheden. Dan-Bunkering, Bunker Holding og direktør dømt for at sælge brændstof til Syrien. https://anklagemyndigheden.dk/da/dan-bunkering-bunker-holding-og-direktoer-doemt-saelge-braendstof-til-syrien. [Online] 2021.

​6. OFAC. Settlement Agreement between the U.S. Department of the Treasury's Office of Foreign Assets Control and Danfoss A/S. https://ofac.treasury.gov/recent-actions/20221230_33. [Online] 2022.

​7. Finans. Politiet efterforsker Flügger for sanktionsbrud. https://finans.dk/erhverv/ECE18314869/politiet-efterforsker-flugger-for-sanktionsbrud/. [Online] 2025. ​​​