Sanctions compliance has evolved from a sub-component of AML/CFT programmes into a separate financial crime discipline with dedicated governance, methodologies, and regulatory expectations. This shift has been driven by geopolitical instability, expanded EU sanctions regimes, increased scrutiny of sanctions evasion, and growing concerns about proliferation financing. At the same time, the EU’s new regulatory framework is integrating sanctions and AML into a more unified compliance system.
A distinction that's often overlooked. Sanctions obligations do not primarily arise from the PMLFTR or the FIAU Implementing Procedures Part I. Those instruments govern ML /FT risk, CDD, ongoing monitoring, and reporting. Sanctions obligations stem from a separate source, which is the EU restrictive measures, UN regimes, and national enforcement frameworks. Yet regulators increasingly expect the two to operate as one, because evasion, laundering, and proliferation financing routinely overlap in practice.
The EU is hard wiring this convergence. The AMLR introduces a single EU rulebook, with Article 10 requiring institutions to assess risk holistically across customers, products, delivery channels, and geography, explicitly incorporating sanctions exposure. AMLD6 strengthens enforcement and reinforces the link between sanctions breaches and money laundering risk. Supervision is tightening with Malta's FIAU, and in time the EU's new Anti-Money Laundering Authority (AMLA), expect firms to move beyond formal compliance toward demonstrable effectiveness, particularly where AML and sanctions intersect.
Where the two genuinely overlap. Customer due diligence is the shared foundation - but expectations have moved beyond formal ownership thresholds toward assessing real control and influence. Screening systems share infrastructure yet diverge at the outcome, whereby AML alerts trigger enhanced due diligence and potential STRs, while a confirmed sanctions hit demands immediate action, which is asset freeze and regulatory notification. Trade is another fault line, with trade-based money laundering and sanctions evasion leaning on the same typologies, that is third-country transshipment, invoice manipulation, and trade-document discrepancies which exploit complexity and opacity.
Integration is genuinely hard. Sanctions operate under strict liability that any involvement with a designated party is a breach. AML relies on risk-based, contextual judgement. Designing unified controls across those two logics is difficult. Beneficial ownership is a persistent gap with sanctioned actors deliberately structure around the traditional 25% threshold using minority stakes and layered arrangements.
Technology compounds the problem where sanctions need real-time screening and instant intervention, while AML systems are often retrospective and monitoring-driven; a mismatch that bites hardest in legacy environments. And crypto, DeFi, and unhosted wallets open new channels for evasion that many existing tools simply can't see.
The impact on risk assessment. Modern BRAs weigh direct and indirect exposure, evasion risk, sectoral sanctions, sanctioned ownership structures, and proliferation financing. At customer level, the binary "no hit, proceed / hit, freeze" has given way to assessing layered ownership, links to designated persons, opaque intermediaries, unusual fund routing, and high-risk corridors. A customer can present elevated sanctions risk while being neither formally sanctioned nor high ML/TF risk.
For Maltese subject persons, the direction is clear. Regulators expect sanctions risk embedded in the Business-Wide Risk Assessment, AML and sanctions policies aligned, and consistent governance and escalation. Parallel frameworks won't suffice. Sanctions risk is no longer about matching names against a list, it's about understanding how your business could be drawn into circumvention, indirect ownership, and proliferation financing within an increasingly interconnected regulatory environment.
How BDO can help:
BDO can help subject persons operationalise sanctions requirements as a core element of their AML framework, fostering a cohesive and risk‑sensitive compliance approach that reflects both the letter and the underlying intent of the AMLR, while ensuring sanctions are fully embedded within broader compliance processes. We design sanctions-focused Business and Customer Risk Assessments tailored to your business model and clear escalation aligned to current standards. We also support the governance, board oversight, targeted training, and independent assurance testing that regulators now look for, whether you need a complete sanctions framework or focused gap remediation.