
EU Sanctions DD PROG.1: Designated Sanctions Compliance Officer

What This Control Requires

Is there a designated senior staff member responsible for sanctions compliance?

In Plain Language

The EBA Guidelines on Restrictive Measures (November 2024) explicitly require a 'designated senior staff member in charge of compliance with restrictive measures.' This must be a named person with sufficient authority, resources, and direct access to the board or CEO.

This is not a box-ticking exercise. The designated person must have genuine authority to halt transactions, access to all relevant business information, and the budget to implement effective screening and due diligence. Designating a junior employee without authority or an already-overloaded executive without bandwidth defeats the purpose.

For smaller companies, this may be the CFO or General Counsel with explicit sanctions responsibility added to their mandate. For larger organisations, it should be a dedicated compliance officer or the Chief Compliance Officer.

How to Implement

Designate a specific senior person (by name and role, not just 'the compliance team') as responsible for sanctions compliance per the EBA Guidelines.

The designated person should have:

  1. Direct access to the board or CEO - able to escalate without layers of approval
  2. Authority to block or escalate transactions - cannot be overruled by commercial functions
  3. Sufficient budget and tools for screening and due diligence - including commercial screening software if warranted by the business volume
  4. Regular reporting obligations to management - at least quarterly updates on sanctions compliance status
  5. Access to all relevant business data - customer records, transaction data, counterparty information

For smaller companies, this may be the CFO or General Counsel with explicit sanctions responsibility added to their mandate. Document the appointment formally through a board resolution or management decision.

Define a deputy who assumes responsibility during absence (holiday, sick leave, travel). The sanctions compliance function cannot have a single point of failure.

Include sanctions compliance responsibilities explicitly in the designated person's job description, performance objectives, and reporting lines. This ensures the role is not just a title but an operational reality.

Evidence Your Auditor Will Request

  • Formal appointment documentation (board resolution, management decision, or equivalent)
  • Job description or mandate document showing sanctions compliance responsibilities
  • Evidence of authority: ability to halt transactions, access to business data, budget allocation
  • Deputy designation for absence periods
  • Regular reporting records to management or board on sanctions compliance status

Common Mistakes

  • Designating 'the compliance team' rather than a named individual with clear authority
  • Appointed person lacks authority to halt transactions or is routinely overridden by commercial functions
  • No deputy designated - single point of failure during absence periods
  • Insufficient budget or tools provided to the designated person for effective compliance
  • Sanctions compliance added to an already-overloaded role without additional time or resources

Related Controls Across Frameworks

Framework         Control ID                                 Relationship
EU Sanctions DD   EU Sanctions DD RPT.2 (related mapping)    Related
EU Sanctions DD   EU Sanctions DD PROG.2 (related mapping)   Related
EU Sanctions DD   EU Sanctions DD PROG.4 (related mapping)   Related

Frequently Asked Questions

Can the sanctions compliance officer also handle AML responsibilities?
Yes, and this is common in many organisations, especially smaller ones. AML and sanctions compliance share many tools and processes (screening, KYC, suspicious activity reporting). The key is that the person has sufficient time, authority, and resources for both functions. If combining roles means neither function gets adequate attention, consider splitting them or hiring additional support.

What seniority level is required?
The EBA Guidelines require a 'senior staff member' with sufficient authority. This means someone at a level where they can halt transactions and escalate directly to the board without being overruled by commercial interests. In practice: C-suite (CCO, CFO, CLO), senior VP, or Director level. A junior analyst with no authority to stop a transaction does not meet the requirement, even if they carry the title.

Does the designated person need sanctions-specific qualifications?
The EBA Guidelines do not specify particular qualifications, but the person must have sufficient knowledge to fulfil the role effectively. This typically means: understanding of the EU sanctions framework, familiarity with screening processes and tools, knowledge of the company's business model and risk profile, and awareness of circumvention typologies. If the designated person lacks specific sanctions expertise, ensure they have access to external specialists and relevant training.
