EU Sanctions Enforcement

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight


The use of trade and financial sanctions by the European Union (EU) has become an increasingly important element of the bloc’s foreign policy. There are currently in operation 44 sanctions programmes – known as restrictive measures in the EU – in respect of 34 jurisdictions,[2] representing a significant increase during the past decade. When considering the applicability of EU sanctions regimes to businesses operating within the bloc, as well as sanctions implemented by the United States (US) and specific regulations enacted by individual states, the scope for inadvertent breach is considerable and the consequences severe.

It is imperative, therefore, that businesses based in or operating within the EU have an understanding of the various regimes with which they may need to comply, including those implemented by the United Nations (UN), the EU and the United Kingdom (UK), as well as the US, which has expanded the scope of its sanctions to apply to companies and individuals throughout the world.

While there has historically been limited appetite for enforcement within EU Member States, certain jurisdictions are now beginning to identify, investigate and subsequently prosecute individuals and companies for breaching the various EU sanctions regulations and there remains considerable appetite across the EU to enforce anti-money laundering breaches.[3] Compliance, therefore, has never been more important.

The EU enforcement framework

The European Commission (the Commission) stated in 2018 that:

any rule, no matter how carefully drafted and prepared, is only as effective as its implementation. In driving forward its policy priorities, the Commission, therefore, pays attention not only to proposing new legislation but also to ensuring that it is properly applied and enforced.[4]

Foreign policy within the EU has traditionally been viewed as a national competence. However, over the years, the EU has developed a common foreign and security policy (CFSP) that enables the 27 Member States to present a united front on key issues, including sanctions.

The adoption of the 1992 Maastricht Treaty introduced a legal basis for the EU’s competence for sanctions, by creating the CFSP, which is governed by Chapter 2 of Title V of the Treaty on European Union.[5][6] EU sanctions are enacted as part of the CFSP either to implement UN Security Council (UNSC) Resolutions (also known as derived sanctions within the EU) or with a view to pursuing autonomous EU foreign policy objectives independently of any UNSC Resolution.[7] Autonomous sanctions are normally introduced when the EU opts to pursue stricter measures than those required by the UNSC or if the UNSC is unable to agree[8] to measures against a particular country.[9] All EU restrictive measures are then published in the Official Journal of the European Union,[10] whereupon they automatically become enshrined in EU law and are binding and directly applicable[11] throughout the EU.[12]

At a time when the EU sanctions framework was in its relative infancy, the Commission published a paper that highlighted a key strand of the EU’s sanctions policy:

While it is important that restrictive measures are adequately designed to address the specific situation of the targeted country or persons, they can only be effective if they are properly implemented, enforced and monitored.[13]

This was reiterated in 2018:

The effectiveness of EU restrictive measures – and also the EU’s credibility – hinges to a large degree on restrictive measures being implemented and enforced promptly and without exceptions in all Member States.[14]

Role of Member States

The day-to-day administration and enforcement of sanctions is delegated to the competent authorities of each Member State within the EU.[15] Put succinctly, the competent authorities of Member States are responsible for:

  • determination of penalties for violations of the restrictive measures;
  • the granting of exemptions;
  • receiving information from, and cooperating with, economic operators (including financial and credit institutions);
  • reporting upon their implementation to the Commission;
  • for UN sanctions, liaison with Security Council sanctions committees, if required, in respect of specific exemption and delisting requests.[16]

Each Member State must determine, therefore, the penalties that it considers to be sufficiently robust to deter transgressions, and draft and issue guidance designed to provide clarity for natural and legal persons as to their sanctions compliance obligations. Thus, depending on (1) the jurisdiction or jurisdictions in which the potential transgression has occurred, (2) the nature of the breach, and (3) the authority or authorities within the jurisdiction, or jurisdictions, that consider themselves seized, the potential offence may be criminal or civil in nature, and the penalties range from fines to custodial sentences. This lack of uniformity across the bloc is not without its critics (this is dealt with further below – see section titled ‘Criticism of the EU enforcement framework’).

The delegated authority for sanctions administration and enforcement is supported by an EU-wide system of checks and balances. The European Council has stated:

The uniform and consistent interpretation and effective implementation of the restrictive measures is an essential element ensuring their effectiveness in order to achieve the desired political objectives. Member States shall inform each other of the measures taken under the relevant legal acts and shall supply each other with any other relevant information at their disposal in connection with these acts, in particular information in respect of violation and enforcement problems and judgments of national courts.[17]

This information-sharing requirement is enshrined in each Regulation and is designed to ensure that there is some form of consistency of approach as regards enforcement of sanctions across the bloc.[18] For example, Council Regulation (EU) No. 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine, mandates the following at Articles 8 and 9:

Article 8
1. Member States shall lay down the rules on penalties applicable to infringements of the provisions of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties provided for must be effective, proportionate and dissuasive.
2. Member States shall notify the rules referred to in paragraph 1 to the Commission without delay after the entry into force of this Regulation and shall notify it of any subsequent amendment.
Article 9
1. Member States shall designate the competent authorities referred to in this Regulation and identify them on the websites listed in Annex I. Member States shall notify the Commission of any changes in the addresses of their websites listed in Annex I.
2. Member States shall notify the Commission of their competent authorities, including the contact details of those competent authorities, without delay after the entry into force of this Regulation, and shall notify it of any subsequent amendment.
3. Where this Regulation sets out a requirement to notify, inform or otherwise communicate with the Commission, the address and other contact details to be used for such communication shall be those indicated in Annex I.[19]

The expectation of information sharing is expanded in a Note of the Council of the European Union, which states:

Member States should also exchange information with, inter alia, other Member States, the Commission, the EEAS, Europol, Eurojust, FATF, Sanctions Committees established by the UN Security Council (including the Committee established pursuant to Resolution 1267 (1999) concerning Al-Qaida) and the UNSC Counter-Terrorism Committee, as appropriate.[20]

Role of the European Commission

The Commission ensures that Member States implement domestic rules on enforcement and penalties in a proper and timely manner, and take appropriate action to apply and enforce these regulations. If a Member State fails to adopt the necessary implementing rules, an infringement procedure can be started by the Commission against that Member State.[21]

Role of the Council of the EU

Sitting within the Council of the EU, the Working Party of Foreign Relations Counsellors (RELEX) deals with ‘legal, financial and institutional issues of the [CFSP]’,[22] with sanctions[23] being a priority. RELEX’s mandate includes: ‘[e]xchanging information and experiences on the implementation of specific restrictive measures regimes imposed by the EU’; ‘[c]ontributing to developing best practices among Member States in implementation of restrictive measures’; and ‘[e]xamining all relevant technical issues relating to the implementation of EU restrictive measures’.[24]

Role of the EU courts

As enforcement of EU financial and economic sanctions takes place predominantly at the Member State level, there is a limited role for the EU supranational courts in the enforcement of restrictive measures. However, both Regulations and Council Decisions are subject to judicial review by the European Court of Justice and the General Court in Luxembourg.[25]

Criticism of the EU enforcement framework

It has been noted that: ‘Effectiveness should be the central objective of any country’s sanctions framework, and can be measured according to a range of factors, including their economic impact, whether sanctions achieve a change of behaviour in the sanctioned target, or how widely they are implemented.’[26] It is this final aspect that, as regards the EU, courts the most controversy.

Lack of consistency

Historically, enforcement throughout the EU has not been consistent.[27] What is agreed to be implemented at an EU level is not necessarily implemented as required at the Member State level. There are a number of reasons for this inconsistency of approach:

  • Some Member States have specific departments dedicated to monitoring and gathering information, investigating breaches of the EU sanctions regimes and subsequently enforcing in appropriate cases,[28] while in others the subject of enforcement is a more convoluted matter.
  • In some countries, there may be a lack of political impetus to pursue stringent enforcement, while in others the issue may simply be one of resourcing.
  • There may be domestic legal constraints or an inclination to protect the economic interests of domestic operators regarding the enforcement of sanctions.

The result is an uncoordinated and, arguably, weak EU sanctions regime, with ample opportunity for sanctions evasion. Even when there are clear examples of breaches of the EU sanctions regime, enforcement has not always occurred. One example of this failure is a complaint by the European Centre for Constitutional and Human Rights that a secret meeting took place between a senior military adviser to Syria’s president, Bashar al-Assad, and top Italian officials[29] and for which no action has been taken to date.

To compound the issue, the publicised penalties for sanctions violations as between Member States are also extremely inconsistent, as are the disjointed licensing regimes throughout the bloc. The fact that there are very few Member States that release information regarding sanctions investigations or enforcement activity creates further uncertainty, particularly for corporates looking for guidance on the creation of an effective systems and controls environment designed to minimise the potential for sanctions breaches.

Scope for evasion

EU sanctions are narrow in application, broadly requiring compliance only by those with a clear EU nexus, jurisdiction, nationality or incorporation.[30] Given the importance of the EU’s economy to international trade, this limited application of sanctions presents innumerable opportunities for those seeking to use EU products or financial services with a view to evading the broader application of US sanctions.[31] At present, the only tool for coordination between the Member States consists of exchanging experience and developing best practices, which, given the scope for sanctions violations without a co-ordinated EU effort, is problematic. This lack of uniformity in terms of implementation across the bloc needs to be addressed (see further, below, in the section entitled ‘The future of EU sanctions enforcement’).

Following the departure of the UK from the EU, there is scope for this type of criticism to increase. Historically, the UK was a vocal proponent of EU sanctions,[32] and played a key part in their design, implementation and direction. Its departure is likely to have a detrimental effect on both UK and EU sanctions policy, implementation and enforcement going forward.[33]

Investigating suspected breaches

In-house counsel, senior compliance officers, c-suite executives and directors are expected to understand their business to the best of their ability, including any potential exposure to sanctions. For those working in multinational organisations, this can be a particular challenge. It is imperative, therefore, for senior directors and officers to understand the business areas that are more explicitly exposed to the risk of sanctions breaches. This can only be fully recognised following the implementation of a robust risk assessment framework, including mediation of identified issues.

However, even the strongest systems and controls framework will invariably have weaknesses. Potential breaches of sanctions can arise in a myriad of ways. Transaction monitoring systems within financial institutions may identify potential matches with specially designated nationals, sectoral sanctions identifications, and entities and individuals designated by the EU, that require investigation by monitoring teams. These investigations may be straightforward or complicated, depending on the nature of the ‘hit’. More complicated will be investigations when it is not the system that has identified the potential issue, but rather identification is by way of a whistle-blower or as part of ‘business as usual’ continuing monitoring, thereby indicating potentially active deception and obfuscation by clients and, in some cases, employees.

What is required in terms of an investigation will vary depending on the initial issues identified and the manner in which the investigation unfolds. However, key considerations at the outset of an investigation may include the following:

  • investigation committee: well-run investigations will normally be directed by a central investigation committee, separate from the board, that can control the focus and progress of investigatory work. Depending on the nature of the investigation, the committee may require input from various departments, including legal, financial crime, compliance, information technology, risk, human resources (HR) and operations, as well as a representative of the board;
  • scoping: the scope of the investigation should be ascertained from the outset. The size and scale of any investigation will depend on a number of factors, including the potential severity of any suspected breaches of sanctions and the efficacy of the systems and controls framework within which those potential breaches occurred. Investigations that are flexible in terms of scale tend to be the most effective;
  • regulatory exposure: it is important to identify which regulators in which jurisdictions would expect to be notified of the potential or actual issue. By considering this from the outset, the terms of reference for the investigation will take cognisance of regulatory expectations, which may be gleaned from guidance, judgments or enforcement actions publicised by the relevant competent authority. When considering the regulator to which a report may need to be made, corporates should consider, inter alia, their place of registration, jurisdictions with a corporate presence, the place or places where the misconduct occurred, and the nationality and location of members of staff and clients linked to the conduct;
  • potential penalties: the nature of the potential exposure to the company and any implicated individuals is obviously key. This exposure may include civil and criminal penalties, the imposition of monitors on the business, reputational impact, potential for additional scrutiny from other regulators, and costly systems and controls remediation;
  • internal and external communications: communications, both internal and external, should be drafted and implemented from a central point and all external communications should be reviewed by legal counsel;
  • independent legal advisers (ILAs): for larger-scale investigations, consideration will need to be given to the provision of ILAs for those in the spotlight or those whose interests will not necessarily align with those of the company;
  • document preservation: document preservation protocols should be implemented and, where applicable, automatic deletion of documentation protocols suspended to ensure key evidence is not destroyed. Staff being investigated should be notified of document preservation requirements;
  • HR issues: consideration of employee suspension and, potentially, termination may be required; and
  • regulatory reporting: at the appropriate time, it will be important to consider whether there is an obligation to report to regulators, or whether it would be in the company’s interests to voluntarily self-report. In the former case, there may be agreements, statutes, regulations or other legal requirements that mandate some form of disclosure by the company. In the latter, providing a voluntary self-disclosure may result in a reduced penalty. In either event, it is important to note that many regulators now have open lines of communication with their foreign counterparts. It should be assumed, therefore, that disclosure to one regulator will result in information being passed to other regulators throughout the world. Reporting is considered further in the next section.

Reporting, professional secrecy and legal professional privilege

Regulatory reporting

There are two distinct reporting requirements in respect of EU sanctions. The first is a general obligation that applies to everyone and requires that natural and legal persons supply their competent authority as soon as practicable with information that would facilitate compliance with the regulations. The second is a more targeted obligation that applies to specified businesses and professions. Those businesses will vary in each jurisdiction, as will the penalties for failing to comply with the reporting expectations. The manner of reporting varies from jurisdiction to jurisdiction.

Examples of information that might be reported from the perspective of a financial institution include:

  • the reason for the report;
  • full details regarding the customer, including name, account name, account numbers and sort codes, bank details, residential or company address, date of birth and nationality, where known;
  • full details of the remitter or beneficiary (or both), which may be available from, for example, the SWIFT[34] message. These details may include account names, account numbers and sort codes, bank details, nationalities of payers, and dates of birth, where known;
  • any other information that may be available from the transfer message, which may include references, dates, goods involved, amounts and currencies;
  • intermediary information, which may include the intermediary’s role in the transfer, names, date of birth, company registration information, country of operation or nationality, address or location, account name, account number and sort code, and bank details, where known;
  • ultimate beneficiary information, which may include name, account name, account number and sort code, bank details, residential or company address, date of birth and nationality, where known;
  • the amount of funds in question;
  • the quantity of any funds or economic resources held on behalf of the customer;
  • a breakdown of the prior transactions on the account;
  • the nature of the investigation undertaken and any relevant findings and remedial action;
  • if reporting a breach, details of the breach; and
  • the sanctions regimes to which the report relates.

Certain EU regulations, including for example, Council Regulation (EU) 2017/1509,[35] which addresses the destabilising conduct of the Democratic People’s Republic of Korea (DPRK), require that credit and financial institutions ‘promptly report any suspicious transaction, including attempted transactions’ and notify their local financial intelligence unit ‘where there are reasonable grounds to suspect that funds could contribute to the DPRK’s nuclear-related, ballistic-missile-related or other weapons of mass destruction-related programmes or activities (“proliferation financing”)’.[36] EU corporates must have a thorough understanding of their reporting requirements, therefore, both under the relevant regulations and pursuant to domestic requirements.

Professional secrecy and legal professional privilege

Notwithstanding the existence of reporting requirements, organisations are not required to provide any information to which professional secrecy or legal professional privilege attaches.

In common law systems, legal professional privilege and confidentiality are a fundamental feature of the rule of law. Documents are normally considered to be privileged if they contain confidential information supplied by a client to his or her lawyer, or advice supplied by the lawyer to the client. When litigation is reasonably in contemplation, the scope of privilege may be extended to third-party communications.

In civil law systems, professional secrecy requirements can vary. For example, in France, a relatively new rule, Article 226-13, in the Criminal Code concerning professional secrecy no longer mentions a specific profession: ‘The disclosure of secret information by a person entrusted with such a secret, either because of his position or profession, or because of a temporary function or mission, is punished by one year’s imprisonment and a fine of €15,000.’[37] In Germany, however, the obligations of professional secrecy stem from both the German Criminal Code and the law regulating the legal profession. Section 43a of the Federal Lawyers’ Act provides:

A Rechtsanwalt has a duty to observe professional secrecy. This duty relates to everything that has become known to the Rechtsanwalt in professional practice. This does not apply to facts that are obvious or which do not need to be kept secret from the point of view of their significance.[38]

It should be noted that certain jurisdictions do not consider that in-house counsel are able to assert professional secrecy over documents. This is something that should be considered by in-house counsel (or externally instructed lawyers) during any sanctions investigation.

Whenever sanctions issues are identified, and it is considered either necessary or appropriate to report to regulators, issues of professional secrecy and legal professional privilege will need to be considered, both in respect of historical documentation and documentation created as part of any investigation that is undertaken. Key considerations may include:

  • in respect of historical documentation, for what purpose the document was created. Were legal counsel involved in the creation of the documentation? Was litigation reasonably in contemplation at the time the documentation was created?
  • in respect of investigation-related documentation, whether lawyers are involved in providing advice or receiving information designed to inform any advice they give. Are lawyers providing legal advice or are they, in fact, providing commercial advice – a single document can include both. If third parties are involved (e.g., forensic accountants), is litigation reasonably in contemplation? If so, communications with, and documents created by, the third parties may also be covered by professional secrecy or privilege. When interviewing employees, does your jurisdiction consider the work-product to be covered by professional secrecy rules or privilege?

The decision as to whether to claim privilege or rely on professional secrecy when dealing with regulators is of the utmost importance. In general, regulators will expect companies to be entirely frank with them regarding the conduct in question,[39] and the steps undertaken to investigate the issue. Asserting professional secrecy or legal privilege when communicating with regulators may raise doubt as to the scope of the investigation undertaken and the conclusions reached. In certain cases, this could affect any potential discount that may be applied to penalties issued by the regulator.[40]

Recent enforcement decisions

Although the number of enforcement actions within the EU during the past few years remains minimal when compared to the US, there is a positive trend in the number of actions and the value of the penalties extracted by certain competent authorities. It is clear that EU competent authorities are interested in pursuing actions against individuals and corporates, which has been the modus operandi of US regulators for many years. Indeed, ensuring that both classes of potential defendants are prosecuted should serve to promote top-level commitment to effective sanctions compliance, as well as a risk-averse attitude to problematic activity at all levels within an organisation.

Set out below are a few of the key sanctions decisions from the past two years.


In April 2018, it was announced that three Belgian companies, AAE Chemie Trading (AAE), Anex Customs (Anex) and Danmar Logistics (Danmar), were being prosecuted for exporting chemicals to Syria without a licence. Council Regulation (EU) No. 36/2012[41] (as amended)[42] prohibits the ‘transfer or export, directly or indirectly’ of equipment, goods or technology ‘which might be used for the manufacture and maintenance of products which might be used for internal repression’.[43] In breach of this regulation, AAE, Anex and Danmar were alleged to have exported to Syria 168 tonnes of isopropanol, 219 tonnes of acetone, 77 tonnes of methanol and 21 tonnes of dichloromethane in 24 deliveries from 2014 to 2016.

All three companies, as well as certain managers and managing directors, were subsequently found guilty by Antwerp Criminal Court on 7 February 2019. The Court imposed conditional fines of up to €500,000 and suspended prison sentences for one managing director and one manager.

Interestingly, in this case, the companies and individuals were found to be guilty, notwithstanding the fact that:

  • there was no reason to believe the chemicals in question had been used in the production of chemical weapons;
  • the companies’ Syrian trading partners did not appear on any designated persons lists; and
  • following an internal audit, it was apparent that Belgian customs had not performed physical checks of the cargo, as they were under time pressure and it was deemed difficult to consult EU legislation in the internal customs system.[44]

This case demonstrates the severity with which those in breach of sanctions can be treated, notwithstanding that there was no evidence that the dual-use goods were intended to be used for nefarious purposes and that domestic screening failures had resulted in the breaching shipments.


On 29 March 2019, the Sanctions Commission of the French Banking Regulator (the ACPR) conducted disciplinary proceedings against the bank Raguram International (Raguram) and rendered its decision on 8 April 2019.[45]

The Sanctions Commission found that, between 2015 and 2017, Raguram recorded thousands of foreign exchange transactions that breached EU and French regulations for failing to identify and verify its customer base and for failing to integrate lists of persons targeted by EU regulations into its systems and controls framework, resulting in an inability to comply with EU and national asset freeze measures. Raguram had further failed to correctly report to the ACPR that it had inadequate systems and controls to ensure compliance with anti-money laundering and asset freeze obligations because, at the time of the report, it had not recognised that its controls environment was defective.

Notwithstanding that Raguram did not contest the findings of the Sanctions Commission, no penalty was issued, as the bank had purchased a compliance solution prior to the grievance being identified during an on-site inspection, and had implemented enhanced controls for customer identification and verification.

This decision demonstrates that competent authorities expect companies to continue to review and enhance their internal systems and controls framework. Companies that have demonstrated proactivity in terms of remediation have often received reduced penalties in recognition of their proactive approach to compliance.


In early 2020, a backpacker hostel adjacent to the site of the DPRK’s embassy in Berlin was required to be closed down.[46] The Cityhostel Berlin had been operating since 2007 and had agreed to pay the embassy of the DPRK, which owned the site, €38,000 a month in rent. The German government was concerned that the payment of this rent constituted a revenue stream for the DPRK government.

Pursuant to Council Regulation (EU) 2017/1509,[47] it is prohibited to ‘lease real property, directly or indirectly, from persons, entities or bodies of the Government of the DPRK’ or:

(c) to engage in any activity linked to the use of real property that persons, entities or bodies of the Government of the DPRK own, lease or are otherwise entitled to use, except for the provision of goods and services which:
(i) are essential for the functioning of diplomatic missions or consular posts, pursuant to the 1961 and 1963 Vienna Conventions; and
(ii) cannot be used to generate income or profit, directly or indirectly, for the Government of the DPRK.[48]

This Regulation was implemented following a UN resolution prohibiting the DPRK from using diplomatic properties as sources of revenue.[49]

EGI, the Turkish company that operated the hostel, contended that the mere use of the DPRK property was not a breach of the Regulation and that it had not made any rental payments to the embassy since before the imposition of the new Regulation. The Berlin Administrative Court held that the issue of rental payments and the existence of the lease were to some degree irrelevant, as EGI was in any event in breach of the restriction on engaging in any activity linked to the use of real property owned by the government of the DPRK. The Court further stated that there was no option other than to close the hostel as the DPRK ‘represents a threat to world peace due to its nuclear weapons program’.[50]

The future of EU sanctions enforcement

Sanctions are a key tool for supporting the EU’s foreign policy objectives, which include ‘safeguarding EU’s values, fundamental interests, and security’.[51] However, for that tool to achieve its full potential, proper implementation and enforcement of sanctions by EU Member States is fundamental. Indeed, in September 2019, Ursula von der Leyen called for ‘proposals to ensure Europe is more resilient to extraterritorial sanctions by third countries and to ensure that the sanctions imposed by the EU are properly enforced throughout its financial system’.[52]

It is clear that President von der Leyen intends the EU sanctions framework to be subject to enhanced scrutiny, particularly with respect to implementation and enforcement at the Member State level. Importantly, responsibility for sanctions now rests with Valdis Dombrovskis’s[53] portfolio – Financial Stability, Financial Services and Capital Markets Union (FISMA).[54] Having moved responsibility for sanctions to FISMA, it appears that President von der Leyen is actively implementing a more strategic approach to the review of sanctions implementation. Arguably, this may minimise circumvention and give more operational certainty to organisations with a presence in multiple Member States who have, to date, been provided with inconsistent messaging.

To achieve a more uniform approach to sanctions enforcement, one possibility may be the establishment of an EU-wide sanctions enforcement body, possibly building on the work already undertaken by RELEX.[55] Such an entity could monitor compliance with sanctions by Member States across the EU. The bloc has historically been reticent, however, in establishing a centralised monitoring body, as it would require significant funding and a legislative mandate for which there currently appears to be little appetite. It does not appear likely, as matters currently stand, that such a body will be established in the near term.

To that end, the implementation and enforcement status quo looks set to remain. While this inconsistent approach has garnered much criticism, the gradually increasing rate of enforcement activity would tend to indicate that certain EU Member States are prepared to take sanctions-busting activity seriously. In so doing, those States are contributing to the EU’s foreign policy objectives and demonstrating that compliance is a subject that both legal and natural persons in the EU must take seriously. It is to be hoped that more Member States take up this particular gauntlet soon.


1 David Savage is a partner at Stewarts.

2 For details about EU sanctions regimes, see the EU Sanctions Map, created during the Estonian Presidency of the EU Council, that took place between July and December 2017. Several countries, including Iran and Syria are the targets of multiple EU sanctions programmes. Certain entries on the list are not considered to be ‘typical’ sanctions programmes, for example those concerning Haiti, Serbia and Montenegro (bans on satisfying claims arising from former sanctions against these three countries), as well as the United States (measures restricting extra-territorial effects of US law, more commonly known as the EU Blocking Regulation), at

3 Sanctions and anti-money laundering [AML] requirements within the EU share many objectives and characteristics. Considering AML enforcement actions, particular in the context of commentary on a company’s systems and controls framework, can be useful in informing the direction of a sanctions compliance programme.

4 European Commission, press release, ‘Member States’ compliance with EU law: the situation improves but still work to be done’, 12 July 2018, at

5 See ‘Consolidated versions of the Treaty on European Union and the Treaty on the Functioning of the European Union [TFEU] – Consolidated version of the Treaty on European Union – Protocols – Declarations annexed to the Final Act of the Intergovernmental Conference which adopted the Treaty of Lisbon, signed on 13 December 2007 – Tables of equivalences’, at

6 See also Article 2(4) TFEU, which provides: ‘The Union shall have competence, in accordance with the provisions of the Treaty on European Union, to define and implement a common foreign and security policy, including the progressive framing of a common defence policy.’ ‘Consolidated versions of the Treaty on European Union and the Treaty on the Functioning of the European Union – Consolidated version of the Treaty on European Union – Protocols – Declarations annexed to the Final Act of the Intergovernmental Conference which adopted the Treaty of Lisbon, signed on 13 December 2007 – Tables of equivalences, at

7 Council of the European Union, ‘Basic Principles on the Use of Restrictive Measures (Sanctions)’, Doc. 10198/1/04 REV 1 of 7 June 2004, para. 3, at

8 See Article 27 of the UN Charter for details on UNSC votes and majority required ( Note also: ‘The creators of the United Nations Charter conceived that five countries – China, France, the Union of Soviet Socialist Republics (USSR) [which was succeeded in 1990 by the Russian Federation], the United Kingdom and the United States – because of their key roles in the establishment of the United Nations, would continue to play important roles in the maintenance of international peace and security. They were granted the special status of Permanent Member States at the Security Council, along with a special voting power known as the “right to veto”. It was agreed by the drafters that if any one of the five permanent members cast a negative vote in the 15-member Security Council, the resolution or decision would not be approved.’ (see

9 See, e.g., ‘Security Council Fails to Adopt Draft Resolution on Syria That Would Have Threatened Sanctions, Due to Negative Votes of China, Russian Federation’, 19 July 2012, at

10 See

11 See ‘The direct effect of European law’ for discourse on the principle of direct effect within the EU, at

12 See

13 European Commission, ‘Sanctions or restrictive measures’, Spring 2008, at

14 Council of the European Union, ‘Sanctions Guidelines – update’, Doc. 5664/18 of 4 May 2018, at

15 id., at paragraph 53: ‘Member States should take appropriate measures to ensure that restrictive measures are complied with.’

16 European Commission, ‘Sanctions or restrictive measures’, Spring 2008, at

17 Council of the European Union, ‘Sanctions Guidelines – update’, Doc. 5664/18 of 4 May 2018, at

18 id.

19 Council Regulation (EU) No. 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine, OJ L 229, 31.7.2014, pp. 1 to 11, at

20 Council of the European Union, ‘Restrictive measures (Sanctions) – Update of the EU Best Practices for the effective implementation of restrictive measures’, Doc 8519/18 of 4 May 2018, at This Note also requires that: ‘Member States should ensure efficient national co-ordination and communication mechanisms between all relevant government agencies, bodies and services with competence in the field of restrictive measures, such as ministries, financial intelligence units, financial supervisors, intelligence and security services, judicial authorities, the office of the public prosecutor and other law enforcement bodies, as appropriate.’

21 Articles 227 and 228 of the Treaty establishing the European Community; see also Consolidated versions of the Treaty on European Union and the Treaty on the Functioning of the European Union – Consolidated version of the Treaty on European Union – Protocols – Declarations annexed to the Final Act of the Intergovernmental Conference which adopted the Treaty of Lisbon, signed on 13 December 2007 – Tables of equivalences, at


23 For further information regarding the ‘Sanctions Formation’ of RELEX, see Council of the European Union, ‘Monitoring and evaluation of restrictive measures (sanctions) in the framework of CFSP – Establishment of a “Sanctions” formation of the Foreign Relations Counsellors Working party (RELEX/Sanctions)’, Doc. 5603/04, 22 January 2004, at

24 Council of the European Union, ‘Sanctions Guidelines – update’, Doc 5664/18 of 4 May 2018, at

25 For further information, see Elena Chachko, ‘Foreign Affairs in Court: Lessons from CJEU Targeted Sanctions Jurisprudence’, The Yale Journal of International Law, Volume 44: 1, at

26 See Emil Dall, Isabella Chase and Tom Keatinge, ‘Coordinating Sanctions After Brexit: Considerations for the Future of UK Sanctions Policy’, Royal United Services Institute, 13 May 2020, p. 3, at

27 See European Parliament recommendation to the Council of 2 February 2012 on a consistent policy towards regimes against which the EU applies restrictive measures, when their leaders exercise their personal and commercial interests within EU borders (2011/2187(INI)), at

28 For example, prior to Brexit, the UK’s Office for Financial Sanctions Implementation was one such dedicated department ( Another example is Spain’s Commission for the Prevention of Money Laundering and Financial Infringements, within the Ministry of Economy (

29 European Center for Constitutional And Human Rights, ‘Joint Letter: 14 Syrian and International Human Rights Organisations Support ECCHR’s Complaint Against Italy’, 28 June 2018, at

30 See, e.g., Article 11 of Council Regulation (EC) No. 1183/2005 of 18 July 2005 imposing certain specific restrictive measures directed against persons acting in violation of the arms embargo with regard to the Democratic Republic of the Congo, which states to whom that Regulation will apply, at

31 US sanctions can have extra-territorial application, including through the use of US dollars in transactions. Furthermore certain other US sanctions regimes are ‘secondary sanctions’, which can apply absent any nexus with the US.

32 This was particularly so with respect to sanctions against Russia in 2014, following the illegal annexation of Crimea (and Sevastopol).

33 For further information on the potential impact of Brexit on EU sanctions policy, see Erica Moret and Fabrice Pothier, ‘Sanctions After Brexit’, Survival, Global Politics and Strategy, 60:2, pp. 179 to 200, at; see also Emil Dall, Isabella Chase and T Keatinge, op. cit., footnote 26, above.

34 SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a network of more than 8,300 banks, securities and corporations located in more than 200 countries that allows for the exchange of standardised financial messages between financial institutions throughout the world.

35 Council Regulation (EU) 2017/1509 of 30 August 2017 concerning restrictive measures against the Democratic People’s Republic of Korea and repealing Regulation (EC) No. 329/2007, at

36 Article 23(1)(e) of Council Regulation (EU) 2017/1509 of 30 August 2017.

37 See

38 See

39 See, e.g., the UK’s Serious Fraud Office’s ‘Corporate Co-operation Guidance’ which states: ‘Organisations seeking credit for co-operation by providing witness accounts should additionally provide any recording, notes and/or transcripts of the interview and identify a witness competent to speak to the contents of each interview.’ (

40 Interestingly, the UK’s Office of Financial Sanctions Implementation states in its guidance on ‘Monetary Penalties For Breaches of Financial Sanctions’: ‘We also recognise that some documents may be protected by legal professional privilege. Protections for legally privileged material are explicitly written into the majority of the current regulations, which exempt legally privileged information from having to be disclosed under the above obligations and requirements. Even where there is no such explicit provision, we consider that relying on legal professional privilege could amount to a reasonable excuse not to disclose a document.’ (

41 Council Regulation (EU) No. 36/2012 of 18 January 2012 concerning restrictive measures in view of the situation in Syria and repealing Regulation (EU) No. 442/2011, at

42 Council Regulation (EU) No. 697/2013 of 22 July 2013 amending Regulation (EU) No. 36/2012 concerning restrictive measures in view of the situation in Syria, at

43 id., at Article 2a.

44 Syrian Archive, ‘Antwerp court convicts three Flemish firms for shipping 168 tonnes of isopropanol to Syria’, 7 February 2019, at

45 Raguram International, Procedure No. 2018-05, Removal from the list mentioned in Article L.612-21 of the Monetary and Financial Code, Audience of 29 March 2019, Decision rendered on 8 April 2019, at (in French).

46 Administrative Court, Re: North Korea Hostel (No. 4/2020), press release of 28 January 2020, at (in German).

47 Council Regulation (EU) 2017/1509 of 30 August 2017 concerning restrictive measures against the Democratic People’s Republic of Korea and repealing Regulation (EC) No. 329/2007, at

48 id., at Article 20.

49 United Nations Security Council, Resolution 2321 (2016) dated 30 November 2016, at

50 ‘Berlin court rules hostel at North Korean Embassy must close’, .DW, 28 January 2020, at

51 See

52 Mission letter from President von der Leyen to Valdis Dombrovskis, Executive Vice President responsible for the Directorate-General for Financial Stability, Financial Services and Capital Markets Union, 10 September 2019, at

53 Mr Dombrovskis is the Director General for Financial Stability, Financial Services and Capital Markets Union.

54 See

55 For more information, see

Unlock unlimited access to all Global Investigations Review content