In Monty Python’s famous sketch about the Spanish inquisition, the chief weapons of the medieval clerics are “fear, surprise, and ruthless efficiency”. Unfortunately, the same cannot be said of European restrictive measures (also referred to simply as sanctions). The initial announcement of new sanctions targets in the Official Journal of the European Union (OJEU) by the European Council should enable the financial services sector to quickly freeze any asset transfers and halt payments that might attempt to remove newly-sanctioned funds from EU banks.
A sense of surprise and urgency is the chief weapon of any sanctions authority.
But, much like in the Python skit, a comical lack of coordination risks diminishing the measures' effectiveness in practice. That’s because unlike anywhere else in the world, EU sanctions list data – the actual material used by automated screening processes to ensure that sanctioned entities cannot initiate transactions – is not produced and published by the same body that imposes them. Instead, this task falls to the European Commission’s Financial Services directorate (FISMA), which – at least from what we’re able to gather – monitors the OJEU for new designations and then sets out to update the EU sanctions database (FSD) as quickly as they can with the probably somewhat limited resources that they have available. The resulting update delay is usually a day or two, but in the case of big EU sanctions packages, it can stretch out to a week – or, if the publication falls onto Christmas, three.
This makes it hard for banks and financial institutions to quickly implement new measures against freshly sanctioned entities, even though they are required by law to do so and even though the EU, just like any issuer of sanctions, has an interest that relevant assets and financial flows are frozen quickly.
I said “immediately”!
The situation is particularly challenging against the backdrop of evolving EU financial regulations. In March, the European Parliament and the Council adopted regulation 2024/886 on instant payments in the EU, parts of which will become effective next year. Under the new regulations, the EU is demanding that payment services providers scan their client base “immediately” once new sanctions are issued or existing programs are amended, holding banks accountable to a standard the regulator itself clearly does not live up to.
This situation is also unsatisfying for the risk data providers (such as ourselves) that financial institutions and service providers rely on to provide them with timely and structured data on sanctioned entities. OpenSanctions has set up a complex monitoring system that tracks OJEU document publications related to 120+ EU sanctions regulations, and then alerts our team (via a public Slack channel, #eu-journal, which interested parties are invited to join!) to immediately transcribe those new designations into structured data.
We think that the entire industry would benefit from timely and easily accessible EU sanctions data and that’s why OpenSanctions is trying to raise awareness around this and potentially prompt the EU to improve the way it publishes its sanctions data.
Why is this happening?
As a first step, we sought to understand the EU's awareness of this issue, and in July, we submitted a freedom of information request (FOI) with the Council. (Anyone can put it in such FOI request as an important tool for citizens to hold governments accountable – and it can be fun! You can do so, for example, via the easy-to-use asktheEU platform that helps direct your request to the right place.)
The response was underwhelming. At first, the Council (as the EU’s sanctions issuing body, no less) said it was not responsible and merely referred to the Commission. In the end we received a response by the Commission unit responsible for releasing the EU sanctions database that no documents exist whatsoever on this (except for a user manual on how to use the software of the EU’s Financial Sanctions Database, which according to the Commission can not be disclosed as a hacker might use it to attack the service, thereby threatening the bloc’s public security).
What is to be done?
This leaves us stuck: we don’t know why the EU sanctions data is unreliable, and we don’t know if there are any plans to fix its publication process. From our experience with government bodies, two simple explanations for the publication and data update disconnect seem likely: inadequate resources for the responsible unit in DG FISMA and insufficient coordination between the Council and the Commission. Both are fixable, but perhaps it will take a bit of public pressure to help make EU sanctions more effective by making the implementation more timely.
Maybe then, Nobody expects the European sanction.
Annex: EU responses to information requests
For transparency, we are publishing our exchange of communications with the EU.
- Council response: we know nothing, and we're not responsible (PDF).
- DG FISMA response: we're responsible, but we also know nothing (PDF).
