Source: OJ L 150, 9.6.2023, pp. 1–39

Current language: EN

Article 28 Administrative sanctions and measures


Summary What does Article 28 of the Transfer of funds regulation (TFR) say?

This article establishes the enforcement framework for breaches of the Regulation, placing the obligation on Member States to create and implement a regime of administrative sanctions and measures.

It aligns with the broader sanctioning framework already set out in Directive (EU) 2015/849, ensuring consistency across the AML/CFT landscape.

The article also extends liability beyond the institution itself, reaching individual members of management bodies and natural persons responsible for a breach, as well as legal persons whose leadership either committed or failed to prevent the breach.

Competent authorities are given the necessary powers to enforce these rules, including through cooperation with other authorities in cross-border situations.

Important points:

  • Member States are required to establish administrative sanctions that are effective, proportionate, and dissuasive, and must notify these rules to the Commission and the relevant AML/CFT committee.
  • Sanctions can be applied not only to payment service providers and crypto-asset service providers as entities, but also to individual members of their management body and other responsible natural persons.
  • Competent authorities are required to cooperate closely when exercising their sanctioning powers, particularly in cross-border cases.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. Without prejudice to the right to provide for and impose criminal sanctions, Member States shall lay down the rules on administrative sanctions and measures applicable to breaches of the provisions of this Regulation and shall take all measures necessary to ensure that they are implemented. The sanctions and measures provided for shall be effective, proportionate and dissuasive and shall be consistent with those laid down in accordance with Chapter VI, Section 4, of Directive (EU) 2015/849.

    2. Member States may decide not to lay down rules on administrative sanctions or measures for breach of the provisions of this Regulation which are subject to criminal sanctions in their national law. In that case, Member States shall communicate to the Commission the relevant criminal law provisions.

    1. Member States shall ensure that, where obligations apply to payment service providers and crypto-asset service providers, in the event of a breach of provisions of this Regulation sanctions or measures can, subject to national law, be applied to the members of the management body of the relevant service provider and to any other natural person who, under national law, is responsible for the breach.

    1. Member States shall notify the rules referred to in paragraph 1 to the Commission and to the permanent internal committee on anti-money-laundering and countering terrorist financing referred to in Article 9a(7) of Regulation (EU) No 1093/2010. Member States shall notify the Commission and that permanent internal committee without undue delay of any subsequent amendments thereto.

    1. In accordance with Article 58(4) of Directive (EU) 2015/849, competent authorities shall have all the supervisory and investigatory powers that are necessary for the exercise of their functions. In the exercise of their powers to impose administrative sanctions and measures, competent authorities shall cooperate closely to ensure that those administrative sanctions or measures produce the desired results and to coordinate their action when dealing with cross-border cases.

    1. Member States shall ensure that legal persons can be held liable for the breaches referred to in Article 29 committed for their benefit by any person acting individually or as part of an organ of that legal person, and having a leading position within the legal person based on any of the following:

      1. power to represent the legal person;

      2. authority to take decisions on behalf of the legal person;

      3. authority to exercise control within the legal person.

    1. Member States shall also ensure that legal persons can be held liable where the lack of supervision or control by a person referred to in paragraph 5 of this Article has made it possible to commit one of the breaches referred to in Article 29 for the benefit of that legal person by a person under its authority.

    1. Competent authorities shall exercise their powers to impose administrative sanctions and measures in accordance with this Regulation in any of the following ways:

      1. directly;

      2. in collaboration with other authorities;

      3. under their responsibility by delegation to such other authorities;

      4. by application to the competent judicial authorities.

    2. In the exercise of their powers to impose administrative sanctions and measures, competent authorities shall cooperate closely in order to ensure that those administrative sanctions or measures produce the desired results and to coordinate their action when dealing with cross-border cases.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod