Why Screening Technology Must Now Lead
The European Banking Authority (EBA) released two comprehensive sets of guidelines aimed at strengthening how financial institutions implement EU and national restrictive measures. For fintechs, PSPs, and cross-border institutions, these guidelines aren’t just best-practice advice; they signal a regulatory shift toward measurable, operationalized compliance.
This isn’t about ticking boxes. It’s about embedding compliance into systems, people, and technology infrastructure. To that end, the EBA’s guidelines were split into two targeted frameworks:
- The first set applies to all credit and financial institutions. It places clear responsibility on the management body for ensuring compliance, mandates regular risk assessments, calls for tailored employee training, and demands robust internal controls that go beyond documentation to real-time enforcement.
- The second set is specific to Payment Service Providers (PSPs) and reflects the sector’s fast-moving, digital-first nature. It emphasizes accurate, real-time sanctions screening at the transaction level and requires PSPs to embed compliance into the entire customer and transaction lifecycle.
Together, these guidelines mark a decisive move away from static, reactive compliance and toward proactive, operational excellence. Institutions must now demonstrate not just intent, but execution grounded in governance, technology, and continuous oversight.
What Are The Requirements?
The guidelines set clear expectations for how sanctions compliance should be governed and operationalized:
- Governance: Boards and senior leaders must be directly accountable for sanctions compliance, embedding it within their broader risk framework.
- Risk Identification: Firms are required to proactively assess and mitigate risks specific to restrictive measures, not just AML at large.
- Policy & Control Integration: Internal policies must be implemented and consistently applied across the institution, and tailored to each business line’s risk exposure.
- Staff Training: Employees across all levels must receive regular, targeted training relevant to their exposure to restrictive measures.
- Control Monitoring & Testing: It’s not enough to have controls in place—institutions are expected to actively monitor and test the effectiveness of controls, rather than relying on written policy alone.
The EBA also released PSP-specific guidelines to address PSPs’ distinct business models and risk vectors, particularly in high-speed, cross-border payment environments.
The Screening Tech Imperative: Where Operations Meet Regulation
With these new expectations, it’s clear that screening technology must evolve to become not just compliant, but operationally intelligent. Several requirements carry direct implications for screening systems and infrastructure:
First, the ability to process daily sanctions list updates and automatically trigger re-screening when needed is essential. Manual intervention or batch processing is no longer sufficient in a regulatory environment that prizes immediacy and completeness.
Second, institutions need to improve how they detect indirect ownership and control. This means using smarter tools that can connect the dots between related entities, even when the links aren’t obvious, so that potential risks aren’t overlooked.
At the same time, the way names are matched is becoming more important. Basic name matching methods no longer work well for global sanctions checks, especially when names are spelled differently or transliterated from other alphabets. Today’s systems are expected to include flexible matching features, like recognizing aliases and using other identifying attributes to make accurate connections.
Furthermore, the EBA’s push for risk-based calibration means screening systems must support easy rule tuning, scenario testing, and explainable thresholds—ensuring that matches are both effective and proportionate.
Systems must also be audit-ready, with logging, reporting, and versioned configuration that provide full transparency over time, enabling institutions to demonstrate the rationale and traceability of every decision.
And critically, these capabilities must not exist in silos. The new compliance landscape requires screening platforms that can seamlessly integrate with core AML systems, including payment processing, KYC, customer risk scoring, and transaction monitoring. Without interoperability, even the most advanced screening engine can become an operational bottleneck.
The Compliance Questions FIs Should Be Asking
- Can we map and monitor complex customer and transaction behavior in real time?
- Are we equipped to detect non-obvious, cross-border risks?
- Are our employees truly trained on what matters most to regulators?
- Can our systems adapt instantly to new sanctions lists and typologies?
- Can we prove our compliance decisions with full transparency and traceability?
If any answer isn’t a confident “yes”, your compliance program is exposed.
How ThetaRay Can Support
At ThetaRay, we view the guidelines as an essential step toward smarter, more transparent, and more scalable compliance. Our platform has been built specifically to meet the operational demands these guidelines represent.
Some of our key strengths in this context include:
- A highly configurable, rule-based and AI-powered matching engine that goes far beyond static name matching, delivering both effectiveness and efficiency in complex risk environments.
- A model risk management (MRM)-ready screening solution, with full traceability and explainability for every match generated, ensuring confidence during regulatory review or audit.
- Intelligent delta screening, powered by near real-time updates and optimized for speed, so that watchlist and customer changes, as well as risk shifts, are caught immediately.
- Integration with our Transaction Monitoring and Customer Risk Assessment solutions within a unified compliance platform.
In other words, our solution is grounded in:
- Effectiveness, to catch what legacy tools miss, and efficiency, to reduce noise and workload in watchlist screening
- Adaptability and configurability, to support unique and evolving risk models
- Trust and transparency, to withstand internal and regulatory scrutiny
- Performance and robustness, to scale across jurisdictions and business units
Bottom Line
The latest guidance makes one thing clear: reactive, rules-only compliance models are being replaced by data-driven, operationalized systems that regulators can inspect, test, and trust.
ThetaRay is built for this future. Whether you’re a global bank, regional institution, fintech, or payment provider, our platform empowers you to navigate evolving regulatory expectations with clarity, speed, and confidence—supporting effective compliance across all business models and jurisdictions.