By Amalie Wedege, Felix Hildebrand, Bernhard Gehra, Norbert Gittfried, and Benedetta Testino
The war in Ukraine started a new era of unprecedented activity for sanctions compliance teams across Europe, particularly for those in financial institutions (FIs). The European Union (EU), UK, US, and many other G7 members have adopted sweeping sanctions on Russia and continued to expand them. As a result, even small FIs are hiring more and more personnel, purchasing technology, and increasing their legal capabilities to avoid running afoul of sanctions restrictions.
Unfortunately, this is a costly approach that is not protecting FIs from the dreaded dawn raids, critical media reports, or notices of a sanctions investigation. Each enforcement case or investigation, even if the FI is eventually cleared, means more management time and money spent on urgent compliance reviews and legal fees, plus possible damage to the FI’s reputation and share price.
To get to a defensible position, FIs should move out of firefighting mode and strategically rebuild their sanctions compliance function with the new operating reality in mind. A revamped function will be able to more effectively manage immediate risks and prepare for a future in which sanctions compliance becomes yet more challenging as regulations mount and extraterritorial actions (both by the US and EU) increase risks. This strategic rebuilding should also focus ruthlessly on efficiency to drive the standardization and use of technology (including generative AI, or GenAI) that delivers robust results and reduces costs.
The urgency for FIs to act is increasing because the European Central Bank (ECB) is moving toward wide-scale adoption of instant payments. These require FIs to have more advanced, real-time screening solutions that ensure compliance with sanctions but don’t slow payment processing.
Important regulatory developments are also a pressing concern. In November 2024, the European Banking Authority (EBA) published its long-awaited guidelines for compliance with EU sanctions by FIs, payment service providers, crypto asset service providers, and supervisors and regulators. The guidelines, which will come into force December 30, 2025, will prompt many FIs to significantly improve their policies, procedures, and controls. The EBA has set ambitious new expectations for regulated institutions’ overall sanctions compliance and screening measures, including creating a new role of a “senior staff member in charge of compliance with restrictive measures,” anticircumvention controls, and annual verification. In addition to the EBA’s scrutiny, the EU’s Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) will act as direct supervisor for more than 400 institutions and check whether Europe’s riskiest FIs are following the EU’s sanctions-related measures.
To get in shape for the new operating reality, we recommend that FIs strategically embrace five insights.
Russia is now sanctioned by 14 EU packages, a new regulatory regime in the UK, and five US executive orders. The executive orders are complemented by more than 25 regulatory determinations and directives by US authorities, including the Office of Foreign Assets Control (OFAC). These actions have resulted in ever-longer lists of sanctioned entities, and they are creating a landscape that is structurally more complex.
The complexity, circumvention methods, enforcement risk, and fine sizes will continue to grow. The EU is moving closer to imposing US-style extraterritorial (or secondary) sanctions, harmonizing criminal offenses, and increasing the penalties for violating EU sanctions. Patching up current processes will no longer work. An FI that wants to future-proof its sanctions compliance function must recognize this and build for the new era.
Many FIs believe that they have a sanctions compliance program; in fact, they only have a sanctions screening process. Their technology and operations teams operate a tick-the-box workflow that focuses on matching names on lists and ignores the many ways that financial services can be misused to violate sanctions.
FIs need a strategic and programmatic approach to handle sanctions risk that stems from their business—an approach that they can defend to regulators, customers, and financial counterparties. FIs must be able to identify which sanctions they comply with, clarify how they ensure compliance in practical terms, and explain why their efforts reduce risk not only to an acceptable level but also to the desired one.
As far back as 2018, the OFAC set out what the US expects of sanctions compliance programs for financial and nonfinancial organizations. It stipulated that each program should be built on at least five essential elements:
While the EBA’s recently published guidelines do not set such precise requirements, they touch on the same themes and explicitly state that FIs must implement risk-sensitive, expansive controls that are highly adaptable to new threats. Critically, FIs must carry out detailed periodic assessments (enterprise-wide) to determine their exposure to sanctions risk and document each step of the process. These assessments must be updated when incidents and a sanctions compliance failure occur so that steps can be taken to prevent a reoccurrence. Conducting such assessments is likely to challenge the institutions that have not yet adopted a programmatic approach to sanctions compliance and need to build a solid process for understanding where their controls are not robust enough and how to remediate them.
To help FIs address these challenges, BCG developed a comprehensive sanctions compliance target operating model that incorporates the critical components and controls expected by regulators. (See Exhibit 2.)
Only FIs that take a broad and holistic view can protect against or mitigate the impact of sanctions violations. The consistent application of the target operating model can help FIs’ effectiveness and efficiency; it leans heavily on automation and AI-powered solutions to keep costs proportionate and drive centralization and standardization as pillars for effective compliance management—for sanctions and other issues.
To assess the need for corrective action, FIs can ask themselves the following questions:
To comply with new and complex sanctions requirements, efficiency truly is key. Being efficient can do more than reduce costs. It can spark a relentless focus on streamlining, standardization, predictability, data governance, and—critically—the effective use of technology.
Most FIs still rely heavily on manual processes for sanctions risk assessment, regulatory monitoring, alert handling, investigations, asset freezing, training, guideline updates, and quality assurance. Focusing on efficiency will naturally lead FIs to explore automation, machine learning, and, increasingly, GenAI in novel ways. These technologies are essential to improve both the effectiveness and efficiency of sanctions compliance controls and systems in response to ever-changing demands. The target operating model for sanctions compliance identifies use cases where investments in technologies such as automation, AI, and GenAI have proved particularly successful.
To see the power of GenAI, consider one of the simplest examples already used by innovative FIs. They use off-the-shelf large language models (LLMs) to reduce the workload of sanctions compliance teams when internal policies need to be quickly updated after the issuance of new regulatory guidance or rules. (See Exhibit 3.)
Using an LLM, policy updates, which might have taken weeks depending on the complexity of the changes, can now be done in a couple of days. This use of an LLM is also affecting the role of the compliance officer, who can switch from analyzing and writing to ensuring the quality of the technology output—improving both effectiveness and efficiency. Ancillary processes can benefit from using an LLM as well. These processes include updating the FI’s sanctions control library, drafting internal communications, and writing information letters to customers and stakeholders.
This example highlights the power of GenAI to drive both efficiency and effectiveness in FI sanctions processes. Looking across the whole target operating model, there are two key use cases where more advanced applications of AI can make a difference.
Better, More Accurate Screening. The rapidly growing volumes of sanctions designations and expanding target lists mean that the match rates in sanctions screening have increased four to seven times (this includes false positives and true matches). That’s no surprise given the much longer list of sanctioned people and entities: the new sanctions on Russia and Belarus have added an extra 25,000 people and entities to the match lists—up by about 760%, compared with the numbers prior to the war between Russia and Ukraine, and the numbers are widely expected to keep rising.
The net is being cast wider too. FIs must also screen against companies the designated persons and entities own or control that are subject to the same restrictions without being specifically listed. When sanctioned actors seek to evade restrictions, they use corporate networks that are often opaque, have multiple layers, and span multiple jurisdictions. FIs’ extended checks are vital. However, according to sanctions intelligence firm Kharon, more than 30% of companies that are owned or controlled by sanctioned entities are three or more degrees removed from the sanctioned parent, highlighting their efforts to circumvent restrictions.
To reduce false positives when screening names and transactions—the top challenge for sanctions teams globally—FIs should aim high and avoid relying entirely on standard algorithms, such as traditional fuzzy matching, which can detect some nicknames and transliteration errors but falls short in many other ways. As a first step, FIs should choose vendor solutions with multiple configurable screening parameters, adjustable entity-matching parameters, and rule engines that allow for much more powerful (and accurate) matching tailored to the specific FI. The urgency to act is heightened by the impending need to meet the requirements for instant payments set out in the EU Instant Payments Regulation, both for name screening and transaction screening. For instant payments requiring real-time screening, FIs have just a ten-second processing window. False positive reduction is critical to limit process interruption.
However, FIs should go further and consider implementing systems that generate multiple variable confidence scores to more accurately predict whether an apparent match is correct—a capability that is especially useful for screening common and high-priority names. Some solutions can consider context, picking from the best phonetic and spelling matches to deliver the most accurate results. FIs should also ensure their systems can look into name variants in Arabic, Chinese, Cyrillic, and other character sets in order to account for cultural context and phonetic similarities and improve matching accuracy further. (See Exhibit 4.)
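As an added illustration (not code from the article, nor from any vendor product it mentions), the following Python sketch shows why plain whole-string fuzzy matching falls short on reordered and abbreviated names, and how transliteration of Cyrillic input, order-independent token matching with initials handling, and a confidence score that exposes its component signals give an analyst something to review. The watchlist entries, the simplified transliteration table, the weights and the decision thresholds are all constructed assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample watchlist for illustration only; not a real designation list.
WATCHLIST = [
    {"id": "W-001", "name": "Ivan Petrovich Sidorov",
     "aliases": ["Сидоров Иван Петрович"]},
    {"id": "W-002", "name": "Zeta Maritime Holdings Ltd", "aliases": []},
]

# Minimal lowercase Cyrillic-to-Latin table (assumption: a simplified romanization
# sufficient for the sample names; production systems use a full standard).
CYR_TO_LAT = dict(zip(
    "абвгдеёжзийклмнопрстуфхцчшщъыьэюя",
    ["a", "b", "v", "g", "d", "e", "e", "zh", "z", "i", "y", "k", "l", "m", "n",
     "o", "p", "r", "s", "t", "u", "f", "kh", "ts", "ch", "sh", "shch", "", "y",
     "", "e", "yu", "ya"]))


def normalize(name: str) -> str:
    """Lower-case, transliterate Cyrillic, strip accents and punctuation."""
    s = name.lower()
    s = "".join(CYR_TO_LAT.get(ch, ch) for ch in s)
    s = unicodedata.normalize("NFKD", s)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in s)
    return " ".join(s.split())


def naive_ratio(a: str, b: str) -> float:
    """Whole-string fuzzy match: the baseline that misses reordered names."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def token_score(cand: list[str], ref: list[str]) -> float:
    """Order-independent token matching: exact, initial ("P." vs "Petrovich"), or fuzzy."""
    if not cand or not ref:
        return 0.0
    total = 0.0
    for c in cand:
        best = 0.0
        for r in ref:
            if c == r:
                best = 1.0
            elif len(c) == 1 and r.startswith(c):
                best = max(best, 0.9)
            else:
                ratio = SequenceMatcher(None, c, r).ratio()
                if ratio >= 0.8:          # tolerate spelling variants only above a floor
                    best = max(best, ratio)
        total += best
    return total / max(len(cand), len(ref))   # extra or missing tokens reduce the score


def confidence(candidate: str, reference: str) -> dict:
    """Blend two independent signals and keep the components visible for the analyst."""
    c, r = normalize(candidate), normalize(reference)
    sorted_ratio = SequenceMatcher(None, " ".join(sorted(c.split())),
                                   " ".join(sorted(r.split()))).ratio()
    tokens = token_score(c.split(), r.split())
    score = 0.4 * sorted_ratio + 0.6 * tokens        # assumed weights
    return {"score": round(score, 3), "sorted_ratio": round(sorted_ratio, 3),
            "token_score": round(tokens, 3)}


def decide(score: float) -> str:
    """Three-band outcome so weak hits are routed to review rather than auto-matched."""
    return "match" if score >= 0.85 else "review" if score >= 0.60 else "clear"


def screen(name: str, watchlist=WATCHLIST) -> list[dict]:
    """Best score per entry across its primary name and aliases, highest first."""
    results = []
    for entry in watchlist:
        best = max((confidence(name, n) for n in [entry["name"]] + entry["aliases"]),
                   key=lambda x: x["score"])
        results.append({"id": entry["id"], "decision": decide(best["score"]), **best})
    return sorted(results, key=lambda x: x["score"], reverse=True)
```

Running `screen("SIDOROV IVAN P.")` ranks W-001 as a match even though the whole-string baseline scores the same pair below 0.5, while the Cyrillic initials form lands in the review band and an unrelated name clears against every entry.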
Machine learning can be a powerful tool for strengthening matching quality, such as by correlating metadata (for example, location or transaction type) with known risk patterns, an approach that some vendors are already exploring. If there is sufficient high-quality data, machine learning systems can start by basing their models on decisions previously made by human investigators and refining continuously after that. This approach requires high confidence in the quality of previous investigations and decisions, and the rules need human validation before deployment. However, using machine learning technology is a powerful way to reduce false positives and improve screening accuracy. It allows for a differentiated approach that avoids all false positives falling into the same investigation queues, overpowering operational teams. In trade finance, combining GenAI with a supervised machine learning tool can aid documentary challenges in due diligence by extracting data in the right formats for screening and further compliance processing. (See Exhibit 5.)
These systems offer substantial improvements in screening quality. There are some questions about regulators’ acceptance of these systems because they typically cannot explain their reasoning; however, this can be mitigated by using a responsible AI framework that complies with the EU Artificial Intelligence Act. Such a framework also helps with managing data privacy challenges, which can arise in relation to the training of AI models. Quality assurance, testing, and model validation mechanisms can add further confidence.
More Efficiently Investigate Alerts. Despite advances in matching quality, most FIs will still get high volumes of alerts, many of which are likely to be false positives. It is not unusual to see false positive rates of 95% or more. False positives can never be fully eliminated, but the volume can be reduced by using automated and highly controlled decision-making models to process categories of alerts that are considered safe. This is a tried and tested solution. Decision reapplication, which looks through previous alert processing to see if previous decisions apply, is also particularly helpful. However, there are more sophisticated options.
Trained bots (or copilots) that use GenAI can review payment messages for the most frequent false-positive scenarios and report their conclusions in a format that makes sense to human investigators, boosting confidence in AI processing. A bot may also indicate the degree of confidence in its decision. A human analyst can then review the bot’s decision and rationale before making the final verdict. This moves the role of human operators away from performing low-skill reviews of raw alerts to conducting a more sophisticated, quality-assurance-style task. The beneficial side effects: increased job satisfaction and reduced turnover of skilled staff.
GenAI can also help human investigators with other tasks, including quickly retrieving the investigatory context, accelerating the writing of reports, and looking up references in policies and internal guidelines (subject to human verification).
Regulators demand that FIs be increasingly vigilant in combating circumvention, especially when designated entities go through intermediaries in other countries. Compliance teams have worked hard to identify evasive techniques.
FIs have dealt with circumvention using several approaches:
Increasingly, FIs need to focus on detecting potential circumvention systematically, efficiently, predictably, and with minimal human intervention and business disruption. It should be noted that best practices in this area are still evolving, but forward-looking FIs are already experimenting and setting aspirational goals.
A first step toward automated detection of circumvention could be to use a transaction-monitoring-style system, powered by a supervised machine learning overlay, to analyze trade activity, behavioral patterns, and transactions. Such a system can create alerts on the basis of targeted detection scorecards relying on profiled trade and transactional activity. Capturing structural payment patterns and dynamically updating customer risk ratings can remove significant workload and human biases when conducting investigations. However, the challenge, as always with machine learning, lies in training the models on a sufficient amount of data to detect circumvention reliably.
AI may come to the rescue here. It may soon be possible to train new AI models on synthetic, machine-generated sanctions circumvention scenarios and train existing models for continuous identification of patterns of circumvention. It can also help to plug more data into AI models—such as data legally gathered from free public sources, media coverage, and shipping and open-source trade data. Such a solution should be built on decision intelligence, an architecture that blends multiple machine- and human-powered decision processes with a robust feedback process to drive constant improvement.
As there is no current regulatory standard for automated detection of circumvention (yet), FIs may decide to configure their system so alerts are triggered only when it is reasonably sure that it has detected circumvention. This helps reduce false positives, although it also means generating less data about potentially suspicious cases that can be used to train AI models.
The applications above underline the power of AI to drive efficiency in sanctions compliance. Nevertheless, it is essential not to be swayed by hype; these are not buy-and-forget solutions. BCG’s time-tested 10-20-70 principle underlines that the most significant challenge in deploying GenAI and automation to improve sanctions compliance will be transforming people and processes, rather than just investing in the technology. However, the gains from a successful program are substantial when used in mindful combination with additional solutions. BCG’s research and analysis show that significant efficiency gains can be achieved without compromising compliance or regulatory standards.
FIs that double down on sanctions compliance efficiency will not only reduce their costs and improve the customer experience but also innovate and push regulators and the industry to do even more to comply with sanctions. FIs are advised to aim for the sky but start small, learn and adapt, and let the use cases show their value. (See Exhibit 6.)
Scanning the horizon may seem like a luxury with so many tasks needing immediate attention—but it is essential.
By monitoring geopolitical shifts, early-stage legislative developments, and changes in international relations and countries’ postures, skilled compliance teams (which can be modest in size) can anticipate new sanctions or changes to existing ones long before they are officially implemented.
For example, suppose that by scanning the horizon, a team identifies the likelihood of sanctions being imposed on a particular country or sector. The team could then systematically identify and analyze emerging trends, potential threats, and future developments that could impact the sanctions regimes an FI complies with. An FI can subsequently identify customer relationships connected to the area of concern and wind down with an orderly, systematic plan using a risk-based approach, potentially long before the sanctions are implemented. Sanctions processes and workflows can be stress tested against potential new restrictions, and an FI can invest to make needed improvements before the change becomes urgent.
Such monitoring means that a sanctions team could have a playbook to follow that avoids last-minute, resource-intensive fixes that can strain budgets and operations (and increase the risk of noncompliance and, hence, regulatory action).
Monitoring is also more than just part of pragmatic planning. The sharp rise in enforcement activity has demonstrated that taking a forward-looking approach is much cheaper than using a reactive one. Being proactive in the sanctions domain can enhance an FI’s credibility and foster more constructive relationships with regulators.
Some FIs may need to create a roadmap shaped by these insights. Whatever their capabilities, there are five key steps that they can take to kickstart improvement.
Assess what you already have. Review the most recent enterprise-wide risk assessment and determine which sanctions risks need mitigation. Consider updating the sanctions risk analysis using cleaned-up data and the most recent outputs from the horizon scan in advance of the EBA’s deadline of December 30, 2025. (If scanning the horizon isn’t a current practice, it may be necessary to hire data-driven analysts to run the process.)
Create a heat map of the areas that need additional sanctions controls, and act. Introduce new controls or improve old ones as required. In some cases, policy alignment may be needed across areas such as know your customer and anti-money laundering.
Prioritize required initiatives and identify critical interdependencies. Any program for action needs to quickly identify any crossover with other processes to avoid delays and unintended consequences. For instance, changes to know-your-customer systems to include responses to sanctions questionnaires for in-scope customers will have downstream effects on the legal department’s work on sanctions clauses in contracts.
Build a roadmap to improved performance. Set out your sanctions compliance program in writing, clearly specifying which areas are comfortably covered in their current state and which are works in progress. Identify any issues in the internal risk oversight or audit functions. After the roadmap is approved by management, it should be approved by the board of directors.
Implement, assess, test, and repeat. A sanctions compliance program is an evolving artifact that must be monitored, supported, and updated at least annually.
Flash points can emerge quickly in our current era of geopolitical uncertainty, and new sanctions can follow swiftly, straining a traditional sanctions function. However, this is not the only challenge. FIs must also cope with regulators’ increasing focus on entities that circumvent sanctions and the intertwining of sanctions with import and export controls. Yes, AI is vital to the solution, but it can’t solve these problems alone. It’s time for a strategic approach.
The authors wish to thank Iliana Hristova, Deina Kellezi, and Hanjo Seibert for their contributions to this article.
© Boston Consulting Group 2024. All rights reserved.