David Savage has written the EU Sanctions Enforcement chapter of the second edition of Global Investigations Review’s Guide to Sanctions.

The full guide is split into three sections: Sanctions and Export Control Regimes Around the World; Compliance Programmes; and Sanctions in Practice.

David’s chapter falls under the first part, and in it, he gives an overview of the EU enforcement framework and looks at the criticism of it. David also looks at how the EU investigates suspected breaches as well as its approach to reporting, professional secrecy and legal professional privilege under the framework. Lastly David looks at the future of EU sanctions enforcement.

GIR say about their guide:

“We live in a new era for sanctions. More states are using them, in more creative (and often unilateral) ways. This creates ever more complication for everybody else. Hitherto no book has addressed all the issues raised by the proliferation of sanctions regimes and investigations in a structured way. GIR’s The Guide to Sanctions addresses that. Written by contributors from the small but expanding field of sanctions enforcement, it dissects the topic in a practical fashion, from every stakeholder’s perspective, providing an invaluable resource.”

The third part of David’s chapter, looking at the EU’s approach to reporting, professional secrecy and legal professional privilege is set out below.


Reporting, professional secrecy and legal professional privilege

Regulatory reporting

There are two distinct reporting requirements in respect of EU sanctions. The first is a general obligation that applies to everyone and requires that natural and legal persons supply their competent authority as soon as practicable with information that would facilitate compliance with the regulations. The second is a more targeted obligation that applies to specified businesses and professions. Those businesses will vary in each jurisdiction, as will the penalties for failing to comply with the reporting expectations. The manner of reporting varies from jurisdiction to jurisdiction.

Examples of information that might be reported from the perspective of a financial institution include:

  • the reason for the report;
  • full details regarding the customer, including name, account name, account numbers and sort codes, bank details, residential or company address, date of birth and nationality, where known;
  • full details of the remitter or beneficiary (or both), which may be available from, for example, the SWIFT message (SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a network of more than 8,300 banks, securities and corporations located in more than 200 countries that allows for the exchange of standardised financial messages between financial institutions throughout the world). These details may include account names, account numbers and sort codes, bank details, nationalities of payers, and dates of birth, where known;
  • any other information that may be available from the transfer message, which may include references, dates, goods involved, amounts and currencies;
  •  intermediary information, which may include the intermediary’s role in the transfer, names, date of birth, company registration information, country of operation or nationality, address or location, account name, account number and sort code, and bank details, where known;
  • ultimate beneficiary information, which may include name, account name, account number and sort code, bank details, residential or company address, date of birth and nationality, where known;
  • the amount of funds in question;
  • the quantity of any funds or economic resources held on behalf of the customer;
  • a breakdown of the prior transactions on the account;
  • the nature of the investigation undertaken and any relevant findings and remedial action;
  • if reporting a breach, details of the breach; and
  • the sanctions regimes to which the report relates.

Certain EU regulations, including for example, Council Regulation (EU) 2017/150, which addresses the destabilising conduct of the Democratic People’s Republic of Korea (DPRK), require that credit and financial institutions ‘promptly report any suspicious transaction, including attempted transactions’ and notify their local financial intelligence unit ‘where there are reasonable grounds to suspect that funds could contribute to the DPRK’s nuclear-related, ballistic-missile-related or other weapons of mass destruction-related programmes or activities (“proliferation financing”)’ (Article 23(1)(e) of Council Regulation (EU) 2017/1509 of 30 August 2017). EU corporates must have a thorough understanding of their reporting requirements, therefore, both under the relevant regulations and pursuant to domestic requirements.


Professional secrecy and legal professional privilege

Notwithstanding the existence of reporting requirements, organisations are not required to provide any information to which professional secrecy or legal professional privilege attaches.

In common law systems, legal professional privilege and confidentiality are a fundamental feature of the rule of law. Documents are normally considered to be privileged if they contain confidential information supplied by a client to his or her lawyer, or advice supplied by the lawyer to the client. When litigation is reasonably in contemplation, the scope of privilege may be extended to third-party communications.

In civil law systems, professional secrecy requirements can vary. For example, in France, a relatively new rule, Article 226-13, in the Criminal Code concerning professional secrecy no longer mentions a specific profession: ‘The disclosure of secret information by a person entrusted with such a secret, either because of his position or profession, or because of a temporary function or mission, is punished by one year’s imprisonment and a fine of €15,000.’ In Germany, however, the obligations of professional secrecy stem from both the German Criminal Code and the law regulating the legal profession. Section 43a of the Federal Lawyers’ Act provides:

A Rechtsanwalt has a duty to observe professional secrecy. This duty relates to everything that has become known to the Rechtsanwalt in professional practice. This does not apply to facts that are obvious or which do not need to be kept secret from the point of view of their significance.

It should be noted that certain jurisdictions do not consider that in-house counsel are able to assert professional secrecy over documents. This is something that should be considered by in-house counsel (or externally instructed lawyers) during any sanctions investigation.

Whenever sanctions issues are identified, and it is considered either necessary or appropriate to report to regulators, issues of professional secrecy and legal professional privilege will need to be considered, both in respect of historical documentation and documentation created as part of any investigation that is undertaken. Key considerations may include:

  • in respect of historical documentation, for what purpose the document was created. Were legal counsel involved in the creation of the documentation? Was litigation reasonably in contemplation at the time the documentation was created?
  • in respect of investigation-related documentation, whether lawyers are involved in providing advice or receiving information designed to inform any advice they give. Are lawyers providing legal advice or are they, in fact, providing commercial advice – a single document can include both. If third parties are involved (e.g., forensic accountants), is litigation reasonably in contemplation? If so, communications with, and documents created by, the third parties may also be covered by professional secrecy or privilege. When interviewing employees, does your jurisdiction consider the work-product to be covered by professional secrecy rules or privilege?

The decision as to whether to claim privilege or rely on professional secrecy when dealing with regulators is of the utmost importance. In general, regulators will expect companies to be entirely frank with them regarding the conduct in question, and the steps undertaken to investigate the issue. Asserting professional secrecy or legal privilege when communicating with regulators may raise doubt as to the scope of the investigation undertaken and the conclusions reached. In certain cases, this could affect any potential discount that may be applied to penalties issued by the regulator.


Recent enforcement decisions

Although the number of enforcement actions within the EU remains low compared to the US, there is a trend in the number of actions and the value of the penalties extracted by certain competent authorities. It is clear that EU competent authorities are interested in pursuing actions against individuals and corporates, which has been the modus operandi of US regulators for many years. Ensuring that both classes of potential defendants are prosecuted should serve to promote top-level commitment to effective sanctions compliance, as well as a risk-averse attitude to problematic activity at all levels within an organisation.

Set out below are a few of the key sanctions decisions from the past three years.



On 7 February 2019, it was announced that three Belgian companies, AAE Chemie Trading (AAE), Anex Customs (Anex) and Danmar Logistics (Danmar), were convicted for exporting chemicals to Syria without a licence. Council Regulation (EU) No. 36/2012 (as amended) prohibits the ‘transfer or export, directly or indirectly’ of equipment, goods or technology ‘which might be used for the manufacture and maintenance of products which might be used for internal repression’. In breach of this regulation, AAE, Anex and Danmar were alleged to have exported to Syria 168 tonnes of isopropanol, 219 tonnes of acetone, 77 tonnes of methanol and 21 tonnes of dichloromethane in 24 deliveries from 2014 to 2016.

The Court imposed conditional fines of up to €500,000 and suspended prison sentences for one managing director and one manager.

This case demonstrates the severity with which those in breach of sanctions can be treated, notwithstanding that there was no evidence that the dual-use goods were intended to be used for nefarious purposes and that domestic screening failures had resulted in the breaching shipments.



On 11 November 2020, the Danish State Prosecutor for Serious Economic and International Crime announced charges against a Danish marine fuel trader, Dan-Bunkering, suspected of violating EU sanctions on Syria by delivering 172,000 tonnes of jet fuel in 33 transactions to Russian warplanes stationed there. The transactions, carried out between 2015 and 2017, amounted to 647 million kroner (€87 million). A hearing has been scheduled for 26 October to 14 December 2021.



On 29 March 2019, the Sanctions Commission of the French Banking Regulator (the ACPR) conducted disciplinary proceedings against the bank Raguram International (Raguram) and rendered its decision on 8 April 2019.

The Sanctions Commission found that, between 2015 and 2017, Raguram recorded thousands of foreign exchange transactions that breached EU and French regulations for failing to identify and verify its customer base and for failing to integrate lists of persons targeted by EU regulations into its systems and controls framework, resulting in an inability to comply with EU and national asset freeze measures. Raguram had further failed to correctly report to the ACPR that it had inadequate systems and controls to ensure compliance with anti-money laundering and asset freeze obligations because, at the time of the report, it had not recognised that its controls environment was defective.

No penalty was issued, as the bank had purchased a compliance solution prior to the grievance being identified during an on-site inspection, and had implemented enhanced controls for customer identification and verification.

This decision demonstrates that competent authorities expect companies to continue to review and enhance their internal systems and controls framework. Companies that have demonstrated proactivity in terms of remediation have often received reduced penalties in recognition of their proactive approach to compliance.



In March 2021, two German citizens were convicted by the Hanseatic Higher Regional Court, a special state security court in Hamburg, for violating an arms embargo on Russia imposed after the annexation of Crimea in 2014. According to investigations, the individuals sold metal processing equipment, which could have been used in military missile production, to Russian clients. To circumvent checks on these dual-use goods, the individuals made contracts with fictitious recipients and forged documents, and the goods ultimately ended up with a defence-end purchaser. Along with a prison sentence, the main defendant was also fined more than €8 million, that being the price he received for the equipment in question. The second defendant was sentenced to two years’ probation and handed a fine.


The Netherlands

On 18 February 2019, the Limburg court convicted Dutch company Euroturbine BV and its Bahrain-based subsidiary Euroturbine SPC for exporting gas turbine parts to Iran without a licence. It imposed fines of €500,000 and €350,000 respectively, finding that sham legal structures were established to circumvent export controls. It also imposed custodial sentences on two individuals and sentenced a third to 180 hours of community service.

On 7 February 2020, the Limburg court imposed penalties of €600,000 and more than €4 million on the same entities for breaching EU and Dutch export controls on Iran. The penalties represent the value obtained by each entity as a result of their illegal transport of gas turbine components to Iran without an export licence.


An extract from the second edition of GIR’s The Guide to Sanctions. The whole publication is available here.

The full EU Sanctions Enforcement chapter can be found here.



You can find further information regarding our expertise, experience and team on our Financial Crime page.

If you require assistance from our team, please contact us or alternatively request a call back from one of our lawyers by submitting this form.



Subscribe – In order to receive our news straight to your inbox, subscribe here. Our newsletters are sent no more than once a month.