
EU Sanctions DD RPT.2: Internal Escalation Process

What This Control Requires

Is there a clear internal escalation process for sanctions red flags - from front-line staff to compliance to legal to authority notification?

In Plain Language

Red flags identified by sales, operations, or finance staff need a documented path to compliance decision-makers and, if necessary, to external authorities. Without a clear escalation process, critical information gets stuck at the wrong level - either because front-line staff do not know who to tell, or because middle management does not appreciate the urgency.

The EBA Guidelines on Restrictive Measures (November 2024) explicitly require a named person responsible for sanctions compliance: not 'the compliance team' or 'the legal department', but a named individual with clear authority and responsibility.

The escalation process must be fast enough to meet the 2-week reporting deadline under Regulation 269/2014 - which means it cannot involve weeks of committee meetings and approval chains.

How to Implement

Create and document a sanctions escalation workflow with clear timelines:

1. Detection - front-line employee identifies a red flag (screening match, suspicious behaviour, unusual transaction)

2. Immediate report - same-day notification to the compliance officer or designated senior staff member. The EBA Guidelines require naming a specific person.

3. Assessment - compliance evaluates within 1-3 business days: clear false positive (document and close), additional due diligence needed (set deadline), or escalation to legal.

4. Legal review - if confirmed or suspected, legal advises on: blocking/freezing requirements, authority notification obligations, and business relationship decisions.

5. Authority reporting - if required, file report with the national competent authority within the 2-week deadline per Regulation 269/2014.

6. Documentation - record every step with dates, participants, decisions, and rationale.

Critical implementation details:

  • The escalation path must work even when key people are absent (holiday, sick leave) - define deputies.
  • Front-line staff must be able to escalate without managerial approval (to prevent suppression).
  • Set clear SLAs at each step to ensure the overall timeline fits within the 2-week reporting deadline.
  • Test the process annually with realistic scenarios.
  • Train all customer-facing and operations staff on this process.

Evidence Your Auditor Will Request

  • Documented sanctions escalation policy with named responsible persons and deputies
  • Evidence of escalation process testing (tabletop exercises, scenario drills)
  • Training records for front-line staff on the escalation process
  • Sample escalation records showing the process was followed for real or test cases
  • SLA documentation for each step in the escalation process

Common Mistakes

  • No documented escalation process - relying on informal 'talk to compliance' guidance
  • Named compliance officer but no defined deputies for absence periods
  • Escalation process too slow to meet the 2-week authority reporting deadline
  • Front-line staff unable to escalate directly to compliance (blocked by management layers)
  • No testing of the escalation process - only discovering gaps during a real incident

Related Controls Across Frameworks

| Framework | Control ID | Relationship |
|---|---|---|
| EU Sanctions DD | EU Sanctions DD RPT.1 (related mapping) | Related |
| EU Sanctions DD | EU Sanctions DD PROG.1 (related mapping) | Related |
| EU Sanctions DD | EU Sanctions DD PROG.4 (related mapping) | Related |

Frequently Asked Questions

Who should the escalation point be?

The EBA Guidelines require a 'designated senior staff member' - this must be a named individual with sufficient authority to halt transactions and sufficient access to escalate to the board or CEO. In larger organisations, this is typically the Chief Compliance Officer or Head of Financial Crime. In smaller companies, it may be the CFO, General Counsel, or a board member with explicit sanctions compliance responsibility. The key is authority, accessibility, and accountability.

How do we ensure front-line staff actually escalate concerns?

Three factors drive escalation behaviour: awareness (staff know what to look for), confidence (staff believe their concerns will be taken seriously), and safety (staff do not fear negative consequences for raising concerns). Achieve this through: regular training with practical scenarios, a no-blame policy for good-faith escalations, feedback loops showing staff that their escalations led to action, and making escalation easy (a dedicated email address, phone number, or reporting tool).

How often should we test the escalation process?

At least annually, and after any significant organisational change (new compliance officer, restructuring, acquisition). Tabletop exercises work well: present a realistic scenario to the team and walk through the escalation process step by step. Time each stage. Identify bottlenecks. After the exercise, document lessons learned and update the process if gaps were found.
