1. Overview

1.1 Describe your jurisdiction's sanctions regime.

Germany applies all sanctions imposed by the United Nations Security Council ("UNSC") ("UN Sanctions") and, as a European Union ("EU") Member State, all sanctions imposed by the EU ("EU Sanctions").

Germany does not unilaterally impose sanctions. However, Germany maintains a discrete national export control regime that – in very limited circumstances – is used to impose unilateral export control measures that are sometimes referred to as "German Sanctions" externally. For details, please refer to question 2.10 below.

Germany's sanctions regime distinguishes between sanctions with a focus on a specific jurisdiction ("Länderbezogene Embargomaßnahmen") and sanctions with a focus on specific individuals/entities ("Personenbezogene Embargomaßnahmen"). In the following, we shall refer to both as "sanctions" and use the terminology explained below.

Sanctions with a focus on a specific jurisdiction can further be divided into (full) embargoes, comprehensive sanctions and targeted sanctions. Embargoes, as the term is used hereinafter, prohibit all trade with or for the benefit of the sanctioned party. Comprehensive sanctions prohibit most forms of trade with, or for the benefit of, the sanctioned party. Targeted sanctions prohibit only specific forms of trade with or for the benefit of the sanctioned party.

Embargoes and comprehensive sanctions are regularly implemented in the form of economic sanctions. Targeted sanctions may also be implemented in the form of economic sanctions or in the form of financial sanctions.

Economic sanctions, broadly comparable to U.S. sectoral sanctions, are designed to restrict trade, usually within a particular economic sector, industry or market – e.g., the oil and gas sector or the defence industry ("Economic Sanctions").

Financial Sanctions, broadly comparable to U.S. Specially Designated Nationals ("SDN") listings, are restrictive measures taken against specific individuals or entities that may originate from a sanctioned country or may have engaged in a condemned activity ("Financial Sanctions").

These natural persons and organisations are identified and listed by the EU in the EU Consolidated List of Persons, Groups and Entities Subject to EU Financial Sanctions ("EU Consolidated List") (see question 2.4 below for details), resulting in targeted restrictions such as travel bans or asset freezing for those listed. With the application of EU Financial Sanctions, all funds and economic resources belonging to, owned by, held by or controlled by natural or legal persons, entities and bodies listed are frozen. Moreover, no funds or economic resources can be made available, directly or indirectly, to or for the benefit of the listed parties.

Finally, the knowing and intentional participation in activities intended to circumvent the aforementioned asset freezes is also prohibited.

1.2 What are the relevant government agencies that administer or enforce the sanctions regime?

The government agencies that administer or enforce the sanctions and export control regime in Germany are:

  1. the Federal Office for Economic Affairs and Export Controls ("Bundesamt für Wirtschaft und Ausfuhrkontrolle") ("BAFA"), the competent authority for administering Economic Sanctions and the export control regime, which, inter alia, is processing applications for export licences and for release of frozen economic resources within the framework of sanctions exceptions;
  2. the German Federal Bank ("Deutsche Bundesbank"), the competent authority for administering Financial Sanctions, which, inter alia, is processing reports from banks and insurance companies on the implementation of the asset freeze as well as applications for release of frozen funds within the framework of sanctions exceptions;
  3. the Central Department for Sanctions Enforcement ("Zentralstelle für Sanktionsdurchsetzung") ("ZfS"), the competent authority to enforce the asset freeze and the prohibition to make available funds or economic resources adopted by the EU within the framework of Financial Sanctions, which is primarily investigating funds and assets of sanctioned parties;
  4. the German Customs Administration ("Zoll"), the competent authority to, inter alia, enforce import- and export-related prohibitions within the framework of Economic Sanctions and to take appropriate operative measures, including the imposition of fines for violations of sanctions that constitute an administrative offence;
  5. the Public Prosecutor's Offices ("Staatsanwaltschaften") in German Federal States ("Länder") and Federation ("Bund"), the competent authorities to prosecute breaches of sanctions amounting to crimes and administrative offences, which may rely on Customs Criminal Office ("Zollkriminalamt"), Customs Investigation Offices ("Zollfahndungsämter") and Main Customs Offices ("Hauptzollämter") for conducting criminal investigations.

Furthermore, the Federal Office for the Protection of the Constitution ("Bundesamt für Verfassungsschutz") ("BfV"), in close cooperation with the domestic intelligence services of the German Federal States and with other agencies, including BAFA, is responsible for uncovering any activities of proliferation concern in order to prevent any illegal procurement efforts of foreign countries. Also, the Financial Intelligence Unit ("Zentralstelle für Finanztransaktionsuntersuchungen") ("FIU"), the central office for financial transaction investigations, organised as part of the German Customs Administration system, analyses suspicious activity reports under the Money Laundering Act that include the overlapping topic of terrorist financing.

Further, the European Commission is the competent authority for certain sanctions-related authorisation requests.

Finally, Europol, jointly with EU Member States, Eurojust and Frontex, is conducting "Operation Oscar" to support financial investigations by EU Member States targeting criminal assets owned by individuals and legal entities sanctioned in relation to the Russian invasion of Ukraine. Operation Oscar also aims to support criminal investigations by EU Member States in relation to the circumvention of EU-imposed trade and economic sanctions. Together with the EU Sanctions Whistleblower Tool and the addition of sanctions violations to the list of EU crimes, this continues to increase enforcement risk in the EU, which in the past was somewhat dependent on the enforcement appetite of the EU Member State competent authority tasked to enforce EU sanctions.

1.3 Have there been any significant changes or developments impacting your jurisdiction's sanctions regime over the past 12 months?

Yes, there have been some significant changes in the past year.

Russia's war of aggression against Ukraine. The EU and Germany reacted to Russia's continuing aggression against Ukraine by implementing further rounds of (additional) EU Financial Sanctions and Economic Sanctions and export control measures against Russia. Further sanctions were also enacted against Belarus for its involvement in Russia's full-scale invasion of Ukraine and against Iran for the manufacture and supply of drones to Russia.

An overview of the latest developments and a summary of the sanctions currently in place can be found:

Enforcement. After enacting the German Sanctions Enforcement Act I ("SEA I") in May 2022 containing measures that could be implemented in the short term to render German sanctions enforcement more effective, Germany enacted the Sanctions Enforcement Act II ("SEA II") in December 2022, which brought about structural improvements of sanctions enforcement in Germany.

SEA II comprises amendments to the German Foreign Trade Act (Außenwirtschaftsgesetz), Money Laundering Act (Geldwäschegesetz), Banking Act (Kreditwesengesetz), Payment Services Oversight Act (Zahlungsdiensteaufsichtsgesetz), Insurance Supervision Act (Versicherungsaufsichtsgesetz), Securities Institutes Act (Wertpapierinstitutsgesetz), Securities Trading Act (Wertpapierhandelsgesetz), Capital Investment Code (Kapitalanlagegesetzbuch), Stock Exchange Act (Börsengesetz), Financial Services Supervision Act (Finanzdienstleistungsaufsichtsgesetz) and nine further acts.

Furthermore, SEA II introduced the new German Sanctions Enforcement Act (Sanktionsdurchsetzungsgesetz or "SanktDG"), which created a new government agency – the ZfS as mentioned above at question 1.2 – under the authority of the Federal Ministry of Finance hosted by the General Directorate of Customs.

The ZfS, without interfering with the competence of other government agencies mentioned above at question 1.2, has a statutory mandate to ensure the enforcement of sanctions adopted in the EU Regulations and to work together with agencies in other EU Member States on the enforcement of these sanctions.

The primary responsibility of the ZfS is to enforce the asset freeze and the prohibition to make available funds or economic resources adopted by the EU within the framework of Financial Sanctions. In order to efficiently investigate funds and other assets of sanctioned parties, the ZfS has been given comprehensive powers to identify and seize assets. SanktDG also introduces new administrative proceedings for asset investigation which can be initiated by the ZfS with respect to the sanctioned parties (person-related investigation) or questionable assets (asset-related investigation). The ZfS shall also administer a new register of assets of sanctioned parties. Furthermore, a whistleblower system has been established within the framework of the ZfS to collect information on potential and actual sanctions violations and violations against asset reporting obligations under EU and German law. Finally, the ZfS has the authority to appoint a monitor to supervise sanctions compliance in companies which have violated, or are at risk of violating, Financial Sanctions.

2. Legal Basis / Sanctions Authorities

2.1 What are the legal or administrative authorities for imposing sanctions?

Germany does not unilaterally impose sanctions, but applies all UN and EU Sanctions (see question 1.1 above).

The legal authority for EU Sanctions is Article 29 of the Treaty on the EU ("TEU") and Article 215 of the Treaty on the Functioning of the EU ("TFEU").

In the case of arms embargoes, the Council of the EU (the "Council"), the institution representing the governments of the EU Member States, adopts a respective Council Decision as part of its Common Foreign and Security Policy ("CFSP"). This Decision is binding on EU Member States, which, in turn, implement the decision on an EU Member State level. In Germany, the legal authority for such implementation and enforcement is the Foreign Trade and Payments Act (Außenwirtschaftsgesetz) ("AWG"), flanked by the administrative authority, the Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung) ("AWV").

In the case of EU Economic Sanctions and EU Financial Sanctions, the Council again adopts a respective Decision as part of its CFSP and, additionally, an EU Sanctions Regulation which is binding and directly applicable in all EU Member States. While the EU Member States do not, therefore, need to implement such EU Sanctions Regulations in national EU Member State law, the EU Sanctions Regulations require the EU Member States to create authorities to ensure enforcement of the EU Regulation on an EU Member State level.

Regarding the legal authorities or administrative authorities for implementing UN sanctions, please see question 2.2 below.

2.2 Does your jurisdiction implement United Nations sanctions? Describe that process. Are there any significant ways in which your jurisdiction fails to implement United Nations sanctions?

Yes.

UN Sanctions are regularly implemented via EU Sanctions which, in turn, apply in Germany (see question 2.1 above).

As the process of the implementation of UN Sanctions via EU Sanctions may cause a delay between listing by the United Nations ("UN") and applicability in Germany, Germany additionally directly implements UN Sanctions based on Section 6(1) AWG in connection with Sections 4(1)(2) and 4(1)(3) AWG, Section 4(2)(3) AWG and Section 13(6) AWG.

There are no significant ways in which the EU and/or Germany have failed to implement UN sanctions.

2.3 Is your jurisdiction a member of a regional body that issues sanctions? If so: (a) does your jurisdiction implement those sanctions? Describe that process; and (b) are there any significant ways in which your jurisdiction fails to implement these regional sanctions?

Yes.

Germany is a Member State of the EU and implements EU Sanctions; regarding the process of implementation in the case of arms embargoes, EU Economic Sanctions and EU Financial Sanctions, the Council adopts a respective decision as part of CFSP. In Germany, the legal basis for implementation into German law and respective enforcement of such a decision is the AWG, flanked by the administrative authority AWV.

In the case of EU Economic Sanctions and EU Financial Sanctions, the respective additional EU Sanctions regulation is directly applicable in all EU Member States. Therefore, while the EU Member States do not need to implement such EU Sanctions regulations in national EU Member State law, the EU Sanctions regulations require EU Member States to implement authorities to ensure enforcement of the EU regulation on an EU Member State level; in Germany, this is done via the AWG, flanked by the AWV.

There are no significant ways in which Germany has failed to implement EU Sanctions.

2.4 Does your jurisdiction maintain any lists of sanctioned individuals and entities? How are individuals and entities: a) added to those sanctions lists; and b) removed from those sanctions lists?

Germany does not maintain a list of sanctioned individuals and entities, but applies the EU Consolidated List. For the process of the implementation of such EU Financial Sanctions, see questions 2.1 and 2.3 above; for further details on (de-)listing, see [Hyperlink]

Individuals and entities are added to or removed from the EU Consolidated List upon a proposal of the High Representative of the EU for Foreign Affairs. Various bodies and committees of the Council discuss the respective proposal before the Council decides on the addition/removal by unanimous vote.

2.5 Is there a mechanism for an individual or entity to challenge its addition to a sanctions list?

Sanctioned persons may submit a request to the Council, asking for the reassessment of the listing decision (see here for details: [Hyperlink]).

According to Articles 275 and 263 of the Treaty on the Functioning of the EU, sanctioned persons may also challenge the Council's listing decision before the European General Court ("EGC").

The European Court of Justice ("ECJ") may also review whether UN Sanctions, specifically those related to listings, are in accordance with EU primary law. For illustration purposes, a respective judgment can be found at [Hyperlink]

2.6 How does the public access those lists?

The sanctions search tool maintained by the EU, the so-called "EU Sanctions Map" (available at [Hyperlink]), serves as a good starting point for an initial assessment on whether Germany maintains sanctions against a particular jurisdiction, individual or entity.

An overview of sanctions with a focus on specific jurisdictions can be found at [Hyperlink]

An overview of sanctions with a focus on specific individuals/entities, the so-called EU Consolidated List of persons, groups and entities subject to EU Financial Sanctions, can be found at [Hyperlink]

German companies also regularly screen against the UN Sanctions List and sanctions lists from jurisdictions in which they do business or with which they otherwise interact, such as the US (OFAC Sanctions List) and the UK (OFSI Consolidated List).

Searching and consolidating hundreds of sanctions lists is laborious and therefore companies often rely on screening list data vendors. There are different types of vendors including traditional, innovative and niche vendors on the market:

  • More traditional vendors provide and enrich the data through their own research and consolidate all relevant and available sanctions lists and other lists (e.g., suspected money laundering and terrorism financing). Usually, these vendors additionally offer rule-based screening tools.
  • More innovative vendors employ advanced analytics, e.g., natural language processing models, to technically enhance sanctions list data in multiple languages and detect connected parties through entity resolution technology.
  • Some niche vendors focus on building up video and image databases for these lists to enable companies to detect individuals using other names to disguise their real identity or individuals that are not publicly known by name, which is especially relevant for terrorism financing.

When selecting a vendor, companies should focus on factors like list update management (e.g., frequency) and scope of available data points for each list entry.

How can companies manage those lists?

Managing screening lists is a relevant exercise for companies as list data is one of the two key data inputs used for list screening models together with client (static) data. Consequently, managing the quality and scope of these lists is crucial for increasing risk coverage and efficiency in screening results.

List management is a frequent source of inefficiency in the name-list screening process. In many cases, screening list data providers deliver a complete set of lists but do not support their clients in choosing the relevant list screening scope for them. This can result in the tendency to screen a client portfolio against too many lists, some of which may be irrelevant to the company's business model, geographic scope of operations, and risk appetite. By selectively defining the list scope, fewer alerts (and, in turn, fewer false positives) will be created, automatically leading to an improvement in efficiency.

List scope can be defined by aligning, for example, the geographic scope to the company's countries of operation with the relevant sanctions regimes, the products subject to sanctions, or the depth of the screening level. Moreover, the list scope should be based on risk appetite. While sanctions are usually assessed as a zero-tolerance risk, within other suspected money laundering and terrorism financing relevant lists, the list scope can usually be reduced significantly.

What does ongoing monitoring involve and what is its relevance to businesses?

Ongoing monitoring requirements in Germany involve different types of screening with varying levels of complexity that depend on the type of company. The most comprehensive screening requirements are found in the German financial services industry. Here companies are expected to conduct sanctions screening at several stages of the relationship life cycle. There are two major types of sanctions screening processes – the client/vendor/employee screening and the transaction screening.

The client/vendor/employee screening is carried out as part of the onboarding due diligence procedures and then daily across the entire portfolio to cover potential changes either in list data or client/vendor/employee data. A typical challenge that can be observed with this type of screening is the complexity of screening connected parties (e.g., UBOs, supply chain, etc.) as these are often difficult to identify. In addition, missing regular and event-driven review triggers often lead to outdated data points making the detection of suspicious activity more error-prone.

Transaction screening is conducted as part of the payment process for each transaction before it is released. In this case, the counterparty of the transaction rather than the bank's customer is subject to screening against sanctions lists. In the transaction screening process, the typical challenges concern the implementation of the requisite technological capabilities. Robust payment screening technology is required to enable ex-ante screening of transactions, which must be stopped from processing until sanctions screening has been conducted on very short time-scales. As compared to client screening, transactions screening is further complicated by the fact that payment transactions data often contain limited information about the counterparty and that often the extraction process of relevant screening information from the transaction data is complex (e.g., in trade finance transactions).

In both cases, applying new technology capabilities can help overcome some of the inherent challenges concerning sanctions screening. Advanced analytics techniques, such as contextual data enrichment and entity resolution, can help companies to enhance effectiveness and efficiency. Consequently, if ongoing monitoring is done thoroughly, companies can better manage their actual risk exposure and make informed decisions, e.g., about taking a new client into their portfolio or keeping an existing one.

What causes higher false positives and how can organisations manage false positives better?

The screening approach currently applied by most companies follows the logic of data inputs (e.g., client static data, sanction list data, etc.) that are fed into a detection model. This model usually employs (fuzzy) name matching logic to compare the client data with the list entries and, as a result, provides a confidence score. Based on its risk appetite, the company defines a threshold: the confidence level from which a match is considered suspicious and an alert is created.

There are three main areas companies can focus on to improve on managing false positives:

  • Data: Often, only a limited number of data points is included, and relevant information such as date of birth is not among the data fields used by name-matching algorithms. Contextual data enrichment and entity resolution can help to make connections and transfer relevant screening information, e.g., collected in the KYC process, to increase the probability of a name match or to discount a match automatically on the basis of disconfirming information. Poor data quality in client data management systems can also cause higher numbers of false positives. In this case, clear policies and procedures, a strong risk culture raising awareness, especially in the first line of defence, and intuitive tooling that supports data collection and update processes can help companies to improve data quality over time.
  • Detection: Traditional screening tools often still deploy static rule-based detection algorithms that focus on exact name matching, running the risk of missing out on relevant alerts. A good approach to improving screening detection algorithms is typically, on the one hand, to increase sensitivity of the matching logic (e.g., through the use of a string distance measure such as the Levenshtein ratio, tokenisation, phonetic algorithms, etc.) in order to increase risk coverage and, on the other hand, to reduce false positive alerts by including additional data points such as customer static data as described above, implementing feedback loops to tune the algorithms over time or using more advanced machine learning algorithms to increase precision and efficiency.
  • Alert handling: It can be observed in the market that alerts are often handled on a first-in-first-out-principle leading to a lack of transparency on the actual risk exposure and potential longer lead times to handle risks properly. Technology can support alert handling to focus on the most relevant alerts by employing techniques such as risk-based alert segmentation, alert triage or alert hibernation to suppress obvious false positive alerts, prioritise the ones with highest risk exposure and route them to the respective reviewer to enable process efficiency.
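The detection logic described in this answer (normalisation and tokenisation, a Levenshtein ratio as the confidence score, a risk-appetite threshold, and date of birth as a confirming or disconfirming data point) can be sketched as follows. This is an added Python example, not code from this guide or from any vendor's product; the list entries, customers, the 0.85 threshold, the DOB weights and the ratio definition (1 - distance / longer length) are constructed assumptions.

```python
import unicodedata
from dataclasses import dataclass
from typing import Optional

THRESHOLD = 0.85           # assumed risk-appetite threshold
DOB_MATCH_BONUS = 0.05     # assumed uplift when dates of birth agree
DOB_MISMATCH_FACTOR = 0.6  # assumed discount when dates of birth disagree


@dataclass(frozen=True)
class ListEntry:
    entry_id: str
    name: str
    aliases: tuple = ()
    dob: Optional[str] = None  # ISO date, None if the list has no DOB


@dataclass(frozen=True)
class Customer:
    name: str
    dob: Optional[str] = None


def normalise(name: str) -> str:
    """Strip diacritics and punctuation, casefold, and sort the tokens so
    that 'Sidorov, Iván' and 'Ivan Sidorov' compare as equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.casefold())
    return " ".join(sorted(cleaned.split()))


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) with a two-row table."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def ratio(a: str, b: str) -> float:
    """Similarity in [0, 1]: 1 - distance / length of the longer string."""
    if not a and not b:
        return 1.0
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))


def score(customer: Customer, entry: ListEntry):
    """Best name similarity over primary name and aliases, then adjusted by
    date of birth when both sides have one."""
    cust = normalise(customer.name)
    names = (entry.name, *entry.aliases)
    name_score = max(ratio(cust, normalise(n)) for n in names)
    if customer.dob and entry.dob:
        if customer.dob == entry.dob:
            return min(1.0, name_score + DOB_MATCH_BONUS), "name+dob"
        return name_score * DOB_MISMATCH_FACTOR, "dob-mismatch"
    return name_score, "name-only"


def screen(customer: Customer, watchlist, threshold: float = THRESHOLD):
    """Return alerts as (entry_id, score, basis), highest score first."""
    alerts = []
    for entry in watchlist:
        value, basis = score(customer, entry)
        if value >= threshold:
            alerts.append((entry.entry_id, round(value, 3), basis))
    return sorted(alerts, key=lambda alert: alert[1], reverse=True)


# Constructed sample data; not taken from any real sanctions list.
WATCHLIST = [
    ListEntry("E1", "Ivan Petrovich Sidorov", ("Sidorov Ivan",), "1970-03-14"),
    ListEntry("E2", "Example Trading LLC"),
]

if __name__ == "__main__":
    for cust in (
        Customer("Sidorov, Iván", "1970-03-14"),  # reordered, accented, same DOB
        Customer("Ivan Sidorow", "1988-11-02"),   # close spelling, different DOB
        Customer("Ivan Sidorow"),                 # close spelling, no DOB held
        Customer("Maria Schneider", "1975-01-01"),
    ):
        print(cust, "->", screen(cust, WATCHLIST))
```

The second and third customers carry the same name: with a conflicting date of birth the score falls below the threshold, while the record without a date of birth still alerts and goes to a reviewer.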

2.7 Does your jurisdiction maintain any comprehensive sanctions or embargoes against countries or regions?

For an explanation of the different types of sanctions, please see question 1.1.

The UN, the EU and, correspondingly, Germany currently do not apply embargoes against any country or region.

However, Belarus, North Korea, Russia and Russian-occupied areas of Ukraine, in particular Crimea, Sevastopol and parts of the oblasts of Donetsk, Kherson, Luhansk and Zaporizhzhia, are currently subject to comprehensive sanctions.

2.8 Does your jurisdiction maintain any other sanctions?

Germany applies sanctions targeting, to a different extent, countries and/or persons from several non-EU countries as listed herein ([Hyperlink] sfuhrkontrolle/Embargos/embargos_node.html). As of July 21, 2023, those countries are: Armenia; Azerbaijan; Belarus; Burundi; Central African Republic; China; Democratic Republic of the Congo; Guinea; Guinea-Bissau; Iran; Iraq; Lebanon; Libya; Mali; Moldova; Myanmar (Burma); Nicaragua; North Korea; Russia; Somalia; South Sudan; Sudan; Syria; Tunisia; Turkey; Ukraine (in particular, non-government controlled areas); Venezuela; Yemen; and Zimbabwe.

2.9 What is the process for lifting sanctions?

The same procedure for the imposition of sanctions applies to the revocation of sanctions; please refer to question 2.1 above.

Accordingly, the decision by the Council must also be unanimous. This requirement has led to EU Sanctions regulations often containing an end date so that, instead of a uniform decision to lift them, a uniform decision to maintain the sanctions will usually be required every six months.

2.10 Does your jurisdiction have an export control regime that is distinct from sanctions?

Yes.

The EU's export control regime for dual-use items governed by Regulation (EU) 2021/821 ("Dual-Use Regulation") is binding and directly applicable in Germany. This export control regime includes:

  • export control rules, including assessment criteria and types of authorisations (individual, global and general authorisations);
  • a common EU list of dual-use items;
  • provisions for end-use controls on non-listed items in certain cases (e.g., cyber-surveillance items which could be used for serious human rights violations);
  • controls on brokering and technical assistance relating to dual-use items and their transit through the EU;
  • control measures and compliance to be introduced by exporters; and
  • provisions on administrative cooperation, implementation and enforcement through EU Member States.

Further EU export control regulations directly applicable in Germany include Regulation (EU) 258/2012 ("Firearms Regulation") and Regulation (EU) 2019/125 ("Anti-Torture Regulation").

Control of exports of military technology and equipment in the EU is governed by Council Common Position 2008/944/CFSP, which defines common rules as binding for EU Member States, and the corresponding EU Common Military List. The Common Position includes criteria for the assessment of the export licence applications and some further rules. It does not affect the right of EU Member States to operate more restrictive national policies.

On that basis, Germany maintains a discrete and complex national export control regime regulated in AWG and AWV. In particular, Germany maintains its national Export Control List in Annex AL to AWV, which includes military goods controls (Part I Section A), additional items controlled nationally (Part I Section B) and certain vegetable products (Part II).

2.11 Does your jurisdiction have blocking statutes or other restrictions that prohibit adherence to other jurisdictions' sanctions or embargoes?

Yes.

Germany enforces the EU Blocking Statute (as amended, the "EU Blocking Statute"), and the AWV also includes the prohibition against declaring adherence to a foreign boycott. Further, the GDPR, while having the primary function of protecting the personal data and privacy rights of EU data subjects, in practice can sometimes act as a "blocking statute" prohibiting transfers to non-EEA countries or the processing of personal data pursuant to obligations that arise outside of EU or EU Member State law.

EU Blocking Statute

The effect of the EU Blocking Statute is to prohibit compliance by EU entities with, inter alia, the re-imposed U.S. sanctions on Iran as well as certain U.S. sanctions on Cuba, the most relevant being those deriving from the application of certain parts of the U.S. Cuban Liberty and Democratic Solidarity Act of 1996, the so-called "Helms-Burton Act".

The EU Blocking Statute was originally enacted in 1996 as a countermeasure to certain U.S. extraterritorial sanctions against Cuba, Libya, and Iran. The EU viewed these sanctions as a violation of international law, a threat to international trade and an impairment of the interests of "EU operators". Consequently, pursuant to its preamble, the EU Blocking Statute sought to protect against the "effects of the extra-territorial application of legislation adopted by a third country, and actions based thereon or resulting therefrom". To achieve that goal, the EU Blocking Statute, inter alia, prohibits compliance with any legal acts listed in the regulation which "purport to regulate activities of natural or legal persons under the jurisdiction of a Member State". The Member States of the EU are responsible for implementing sanctions to be imposed in the event of a breach. Germany does so by penalising a breach of the EU Blocking Statute as an administrative offence with a maximum fine of EUR 500,000 with the potential of additional forfeit of gains.

In addition, the EU Blocking Statute nullifies the effect of foreign court judgments based on relevant legal acts in the EU, hinders service and discovery requests, such as those deriving from Helms-Burton Act claims, and establishes a reporting obligation as well as a right to recover damages. These effects and obligations have been discussed in depth at [Hyperlink]

It remains to be seen whether the fact that the EU itself has entered the terrain of extraterritorial sanctions (see below under question 2.12) will influence the continuing existence and application of the EU Blocking Statute.

Boycott Declaration Prohibition

Section 7 sentence 1 of the AWV states: "The issuing of a declaration in foreign trade and payments transactions whereby a resident participates in a boycott against another country (boycott declaration) shall be prohibited (...)."

There is no precedent clarifying the exact scope, but it is a common understanding among sanctions practitioners in Germany that, unlike the EU Blocking Statute, Section 7 of the AWV does not prohibit mere compliance with foreign sanctions; rather, it specifically prohibits the issuing of a declaration to do so.

Section 7 sentence 2 of the AWV further clarifies that "[The boycott declaration prohibition] shall not apply to a declaration that is made in order to fulfil the requirements of an economic sanction by one state against another state against which the Security Council of the United Nations in accordance with Chapter VII of the United Nations Charter, the Council of the European Union in the context of Chapter 2 of the Treaty on European Union or the Federal Republic of Germany has also imposed economic sanctions".

This leaves only a narrow window of application for Section 7 of the AWV. As an example, because no UN, EU and, accordingly, German sanctions are implemented or applied against Cuba, the issuing of a boycott declaration relating to Cuba in the context of a German nexus should be approached carefully.

General Data Protection Regulation

Sanctions screening involves screening customer data against designated sanction lists. The very act of inputting a name (or, indeed, other details such as address, nationality, passport, tax ID, place of birth, date of birth, former names and aliases) into a sanctions screening tool or the filing of a Suspicious Activity Report ("SAR") could qualify as an act of personal data processing under the GDPR.

The processing of personal data is lawful under the GDPR when conducted in line with one of the legal bases provided in the regulation, such as when it is "(...) necessary for compliance with a legal obligation to which the controller is subject (...)" as per Article 6(1)(c) of the GDPR. While a German company may be able to rely on EU sanctions law as a "legal obligation" justifying the screening of personal data under some circumstances, this may not necessarily be the case for sanctions screening due to U.S. and other third-country sanctions, export control laws and regulations – which stem from a "legal obligation" arising outside of EU or EU Member State law.

For personal data transfers to the U.S., on July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, concluding that the U.S. ensures an adequate level of protection for personal data transferred from the EU to companies participating in the Framework.

2.12 Does your jurisdiction impose any prohibitions or threaten any sanctions consequences for transactions that do not have a connection to that jurisdiction (sometimes referred to as "Secondary Sanctions")?

Yes, without explicitly recognising that these are Secondary Sanctions.

The EU has historically strongly opposed Secondary Sanctions and even enacted the EU Blocking Statute prohibiting compliance by EU entities with certain extraterritorial sanctions of the U.S.

However, after Russia launched a full-scale invasion of Ukraine in February 2022, setting off the largest armed conflict in Europe since World War II, the EU introduced certain elements at least reminiscent of Secondary Sanctions in its Russia sanctions regulations, which are directly applicable in Germany.

In particular, the new version of Art. 3(1)(h) of Council Regulation (EU) 269/2014 ("Reg 269/2014") introduced within the 8th sanctions package of October 5, 2022 provides for a listing criterion targeting persons facilitating infringements of the prohibition against circumvention of EU sanctions against Russia. Such persons can now be added to EU sanctions lists, thus becoming subject to an asset freeze. Such risk exists if a non-EU person facilitates infringement of the circumvention prohibition (i.e., the prohibition to participate, knowingly and intentionally, in activities the object or effect of which is to circumvent EU sanctions) committed by a person under EU jurisdiction.

Furthermore, within the 11th sanctions package of June 23, 2023, the EU introduced a novel anti-circumvention tool in Art. 12f of Council Regulation (EU) 833/2014 ("Reg 833/2014"), which allows exports of certain goods to be restricted to third countries whose jurisdiction is demonstrated to be at high risk of being used for circumvention of EU sanctions against Russia. No countries or goods have yet been designated under this provision. Therefore, the provision is the first step to signal to countries with a certain unusual development in their exports to Russia (e.g., Kazakhstan, Georgia, Armenia, Turkey, Azerbaijan, Kyrgyzstan, Tajikistan, Turkmenistan and Uzbekistan) that the EU is willing to take the next level of escalation, if need be. At the same time, the designation of a third country under this regime is considered to be an exceptional, last-resort measure, which shall be taken only if individual measures and further dialogue with the third country have proved ineffective in preventing systemic circumvention.

Despite these remarkable developments towards Secondary Sanctions, the Consolidated FAQs of the European Commission on EU sanctions against Russia still claim that EU sanctions are never extraterritorial and do not apply to non-EU companies that do business entirely outside the EU. It remains to be seen whether the EU will recognise its adherence to Secondary Sanctions as a legitimate policy instrument at least in certain exceptional cases.

Furthermore, please note that EU Sanctions regularly apply to business carried out in whole or in part in the EU. Given the tendency of the ECJ and European Commission to interpret sanctions provisions broadly and the lack of any indications that a de minimis interpretation would be available, this jurisdictional criterion can significantly expand the reach of EU Sanctions. With respect to this criterion, it has been argued in German commentary literature that the use by non-EU companies of servers located within the EU for the conclusion of a contract or execution of a transaction relevant from the EU sanctions perspective would suffice to establish the necessary EU nexus. Another example of how EU jurisdiction might be established under this provision, as mentioned in German commentary literature, includes the use of SWIFT by non-EU companies for payments in connection with transactions relevant from the EU sanctions perspective, given that SWIFT is a society incorporated under Belgian law.

3. Implementation of Sanctions Laws and Regulations

3.1 What parties and transactions are subject to your jurisdiction's sanctions laws and regulations? For example, do sanctions restrictions apply based on the nationality of the parties involved? Or the location where the transactions take place?

Broadly speaking, any parties and transactions with a nexus to Germany and/or the EU may be subject to sanctions as well as export control laws and regulations applicable in Germany.

In Germany specifically, any trade in goods, services, capital, payments and other types of trade with foreign (i.e., non-German) territories, as well as the trade in foreign valuables and gold between residents of Germany ("Außenwirtschaftsverkehr"), while not restricted per se, is subject to Germany's sanctions and export control laws and regulations, specifically to the restrictions of the AWG and AWV.

This also includes restrictions under international agreements, which the German legislative bodies have approved in the form of federal acts, such as the Wassenaar Arrangement, the Nuclear Suppliers Group, the Australia Group and the Missile Technology Control Regime, and legal provisions of the bodies of international organisations to which the Federal Republic of Germany has transferred sovereign rights (i.e., the EU).

EU Sanctions, in turn, generally apply: (i) within the territory of the EU; (ii) on board any aircraft or vessel under the jurisdiction of an EU Member State; (iii) to any person inside or outside the territory of the EU who is a national of an EU Member State; (iv) to any legal person, entity or body, inside or outside the territory of the EU, which is incorporated or constituted under the law of an EU Member State; and (v) to any legal person, entity or body in respect of any business done in whole or in part within the Union.

3.2 Are parties required to block or freeze funds or other property that violate sanctions prohibitions?

Yes.

Any individual or entity obliged to comply with EU Financial Sanctions, regularly EU banks and financial institutions, that knows or has reasonable cause to suspect that it is in control or in possession of, or is otherwise dealing with, the funds or economic resources of a person subject to EU Financial Sanctions, must: (i) freeze the funds and specifically not deal with them or make them available to, or for the benefit of, the designated person; and (ii) report the funds or economic resources to the competent authority of the EU Member State (in Germany, the German Federal Bank). See question 3.4 for further details on reporting.

Making payments to a bank account of a sanctioned person is prohibited, unless specifically authorised by a competent authority or unless it is reasonably determined that the funds will not be made available to the sanctioned person. EU banks may credit frozen accounts insofar as it can be ascertained that the incoming funds are frozen upon being credited to the account.

For specific questions on freezing of funds and/or making available economic resources, please see the respective Commission opinion of June 19, 2020, available at [Hyperlink], and the FAQs on sanctions against Russia and Belarus regarding asset freeze and prohibition to provide funds or economic resources as of May 10, 2023, available at [Hyperlink].

3.3 Are there licences available that would authorise activities otherwise prohibited by sanctions?

Yes.

For EU Financial Sanctions, e.g., those based on Reg 269/2014, the competent authorities of the EU Member State to enforce such EU Financial Sanctions (in Germany, the German Federal Bank) may authorise the release of certain frozen funds or economic resources, or the making available of certain funds or economic resources in certain cases laid down in Articles 4-6e of Reg 269/2014, e.g., after having determined that the release of funds or economic resources concerned is necessary to satisfy the basic needs of the sanctioned person.

For EU Economic Sanctions, e.g., those based on Reg 833/2014, the competent authorities of the EU Member State to enforce such EU Economic Sanctions (in Germany, BAFA) may authorise certain transactions, e.g., the sale of dual-use goods for non-military use in Russia intended for medical or pharmaceutical purposes.

For specific licences related to the EU Blocking Statute, the respective request should be sent to the European Commission's dedicated EU Blocking Statute team at: EC-AUTHORISATIONS-BLOCKING-REG@ec.europa.eu.

The German export control regime also includes exceptions and authorisation requirements. A more detailed description of the respective process can be found at [Hyperlink].

3.4 Are there any sanctions-related reporting requirements? When must reports be filed and what information must be reported?

Yes.

According to the respective provisions of EU Financial Sanctions, i.e., Article 8 of Reg 269/2014, those who are subject to EU Financial Sanctions must: (i) supply immediately any information which would facilitate implementation of the Regulation to the competent authority of the EU Member State (in Germany, the German Federal Bank); and (ii) cooperate with the competent authority in any verification of such information.

In German law, Article 10 of SanktDG stipulates a similar reporting requirement for a sanctioned person: (i) to report their funds or economic resources to the ZfS; and (ii) to cooperate with the ZfS in any verification of such information. This requirement is triggered only if the EU Regulation providing for Financial Sanctions does not already provide for a respective requirement.

Further, there are additional reporting obligations in place, partly deriving from more specific banking-related laws, e.g., those applicable specifically to financial institutions. Such organisations are expected to report information about sanctioned individuals through SARs. This must be reported to the German Federal Bank, which is responsible for the implementation of EU Regulations on Financial Sanctions in Germany, and/or the FIU. Specifically, in case of asset freezes due to EU Financial Sanctions, banks and financial institutions must provide information about any funds, accounts, assets, BIC codes, reference numbers, amounts and dates connected with the sanctioned individuals and entities.

How can technology support regulatory reporting?

As suspicious activity reporting (SAR) in the sanctions area is observed less frequently than in anti-money laundering (AML), the reporting process is less standardised in Germany. AML SARs are reported through a portal (GoAML), and this can be supported by technology through measures such as the automated creation of an XML file containing all relevant data regarding the client, the transaction and the counterparty subject to reporting, through automated data extraction mechanisms and the deployment of narrative generation algorithms. In contrast, sanctions alerts in Germany are reported by sending a rudimentary form via mail, fax or e-mail to the BAFA, leaving less room for automation. From an audit perspective, it can still be helpful to employ technologies such as narrative generation in the rarer cases of sanctions reporting to ensure consistency, and to create a simple management information dashboard to gain insights into the company's reporting processes (e.g., the point in time when the transaction was intended to be carried out, the time elapsed until the report is filed, etc.).

3.5 How does the government convey its compliance expectations? Are certain entities required to maintain compliance programmes? What are the elements of a compliance programme required (or recommended) by the competent regulator(s)?

Both the EU, via Commission Recommendation 2019/1318 on internal compliance programmes for dual-use trade controls, and Germany, via BAFA Leaflet on Internal Compliance Programmes (ICP) for company-internal export control systems, and German Federal Bank Guidance on compliance with financial sanctions, have become vocal on how they expect individuals and companies under their jurisdiction to implement sanctions and export control laws and regulations.

In principle, while there is no obligation to maintain a compliance programme, the responsible persons must prove "the due care of a prudent manager faithfully complying with his duties" (see BAFA Leaflet on Internal Compliance Programmes (ICP) for company-internal export control systems, referring to section 93 of the German Stock Corporation Act), which will be – to say the least – facilitated by maintaining a risk-based compliance programme.

The guidance provided by the European Commission, BAFA and German Federal Bank is similar and suggests that in the area of sanctions and export control the management should set up an internal export control programme, which should include the following components: a regularly repeated risk assessment; management commitment to the objectives of sanctions and export control compliance; an organisational structure and distribution of responsibilities reflecting the results of the risk assessment; sufficient human and technical resources and other (IT) work equipment to address the identified risks; appropriate process organisation; record-keeping and storage of documents; diligent staff selection, training and awareness raising, as well as regular reviews of process and system controls (ICP audits), taking appropriate corrective actions if needed; the establishment of a whistleblower system; and assuring physical and technical security.

Is there any reference or due diligence recommendation available?

In addition to the guidance from the European Commission, BAFA and German Federal Bank outlining the requirements for Internal Compliance Programmes as mentioned above, the BAFA has published a Leaflet on Article 5 of Dual-Use Regulation, which contains specific guidelines for the due diligence in connection with controls of non-listed cyber-surveillance items. In particular, these guidelines refer to a three-stage, transaction-related screening process based on item, destination and end-user reference points to be conducted as part of the due diligence.

4. Enforcement

4.1 Are there criminal penalties for violating economic sanctions laws and/or regulations?

Yes.

Violations of EU Sanctions and German foreign trade law, including Germany's export control regime, may be punished as criminal offences or as administrative offences. Intentional violations constitute criminal offences. According to Section 17(1) AWG, for example, a violation of an arms embargo constitutes a criminal offence and is punishable by imprisonment of up to 10 years. Furthermore, a fine may be imposed and determined according to the perpetrator's individual financial situation/income and the offence.

Provisions on criminal offences and penalties can be found in Sections 17 and 18 AWG, Section 80 AWV and Section 16 SanktDG.

Negligent violations of EU Sanctions and German foreign trade law, including Germany's export control regime, are generally considered administrative (regulatory) offences. "Negligence" is defined as not exercising the necessary standard of care ("Fahrlässigkeit"). As per Section 19(6) AWG, such administrative offence may result in a fine of up to EUR 500,000 per offence and forfeit of gains resulting from the administrative offence committed.

Further details can be found at:

4.2 Which government authorities are responsible for investigating and prosecuting criminal economic sanctions offences?

The authority responsible for investigating and prosecuting criminal Economic Sanctions is the public prosecutor's office at the court which exercises local jurisdiction over the breach of sanctions (Section 143(1) of the Courts Constitution Act ("GVG")).

The competent public prosecutor's office will be assisted by the competent authority administering the sanctions (in cases of Financial Sanctions, the ZfS and German Federal Bank, and in cases of Economic Sanctions, the BAFA). Furthermore, as noted above, the public prosecutor's office may rely on certain offices within the German Customs Administration for conducting criminal investigations; see question 1.2 above.

Only in rare and extremely exceptional cases may the Federal Prosecutor General take over the investigation (Section 142a GVG); e.g., if the sanctions violation investigated has the potential to disrupt or endanger national security or external security of the foreign relations of the Federal Republic of Germany.

4.3 Is there both corporate and personal criminal liability?

While the concept of corporate criminal liability does not exist under German law, corporations may still face administrative penalties based on the Act on Regulatory Offences (Ordnungswidrigkeitengesetz) ("OWiG").

Specifically, under Section 30 OWiG, the corporation may be fined if certain executive employees, specifically executive employees with the power to represent the corporation, have committed a criminal offence or a regulatory offence, e.g., a breach of applicable sanctions laws and regulations, as a result of which duties incumbent on the corporation have been violated, or where the corporation has been enriched or was intended to be enriched.

Furthermore, under Section 130 OWiG, if the owner or certain executive employees, specifically executive employees with the power to represent the corporation, intentionally or negligently omit to take the supervisory measures required to prevent contraventions, e.g., breaches of applicable sanctions laws or regulations, such owner or executive employee may be held liable. An example of this would be the failure to implement an effective internal compliance programme resulting in a breach of sanctions laws or regulations by an employee whom the owner or the executive employee was supposed to supervise.

4.4 What are the maximum financial penalties applicable to individuals and legal entities convicted of criminal sanctions violations?

In general, and if a maximum fine is not specified in the particular law, the maximum fine for individuals should not exceed EUR 1,000 (see Section 17(1) OWiG). However, Section 19(6) AWG punishes administrative offences of individuals in the context of sections 19(1), 19(3)(1)(a), 19(4)(1)(1) with a maximum fine of up to EUR 500,000. Other administrative offences regarding the AWG are to be punished with a maximum fine of up to EUR 30,000. The exact amount depends on the economic circumstances of the perpetrator.

According to Section 30(1) OWiG, if a criminal or administrative offence which violates the responsibilities of or enriches or was supposed to enrich a legal entity is committed: by the body or a member of the body that is authorised to represent that legal entity; by the executive or a member of the board of directors of an association; by a shareholder authorised to represent that legal entity; or by any other executive, then the legal entity itself can be punished with an administrative penalty. In the case of an intentional criminal offence, a fine of up to EUR 10 million can be imposed; in the case of a negligent criminal offence, a fine of up to EUR 5 million can be imposed (Section 30(2)(1) OWiG). If the violation in the context of Section 30(2) OWiG is an administrative offence, the maximum fine is governed by the particular violated law, Section 30(2)(2) OWiG. If the particular law governing the administrative offence refers to Section 30(2)(3) OWiG, the maximum fine shall be multiplied by 10.

In any case, the maximum fine can be significantly higher if Section 17(4)(1) OWiG is applicable, which states that the fine is supposed to be higher than the economic advantage for the perpetrator ("disgorgement"). According to Section 17(4)(2) OWiG, every particular maximum fine could therefore be exceeded significantly if the economic advantage for the perpetrator is higher than the maximum fine. These provisions are explicitly applicable in the context of fines against legal entities under Section 30(1) OWiG (see Section 30(3) OWiG).

4.5 Are there other potential consequences from a criminal law perspective?

Yes.

Another potential consequence of a violation of Sections 17-19 AWG, Sections 80-82 AWV and Sections 16-17 SanktDG is that the objects to which the criminal or administrative offence relates and objects which were used or intended for the committing or preparation may be confiscated pursuant to Section 20 AWG or Section 18 SanktDG.

In practice, a breach has practical consequences with regard to the customs authority. In response to a breach, the customs authority may suspend or revoke authorisations or customs simplifications that have been granted. The consequences particularly affect export-oriented companies. Finally, the audits carried out by a customs authority depend on the risk profile of the company. Thus, if the customs authority has noticed an increase in the number of infringements committed by the company in foreign trade and has already imposed fines, the frequency of the company's audit automatically increases.

As a further potential consequence, according to Section 124(1)(3) of the Act against Restraints of Competition (Gesetz gegen Wettbewerbsbeschränkungen) ("GWB"), contractual authorities may exclude a company from participating in any award procedure if the company has committed serious misconduct while doing business, resulting in the questioning of its integrity. As the awarding authority has the discretion to assess if a company has committed serious misconduct, resulting in the questioning of its integrity and possibly a violation of Sections 17, 18, or 19 AWG, this could lead to an exclusion according to Section 124(1)(3) GWB.

4.6 Are there civil penalties for violating economic sanctions laws and/or regulations?

Yes.

For civil penalties which can be imposed on corporations, please see questions 4.3 and 4.4 above.

Provisions on administrative offences and civil penalties which can be imposed on individuals are laid down in Section 19 AWG, Sections 81 and 82 AWV and Section 17 SanktDG.

Penalties for violations of EU sanctions are in particular provided for in Sections 19(1)(1) and 19(5) AWG and Section 82 AWV.

4.7 Which government authorities are responsible for investigating and enforcing civil Economic Sanctions violations?

The local public prosecutor's office ("Staatsanwaltschaft") and main customs office ("Hauptzollamt"), with assistance of the ZfS, German Federal Bank and BAFA, are responsible. See question 1.2.

4.8 Is there both corporate and personal civil liability?

Yes.

Both corporate and personal civil liability may occur as a result of a breach of EU sanctions.

Companies may be held liable for regulatory offences as described above in questions 4.3 and 4.4. In addition, companies may also become subject to general civil liability.

Individuals may be held liable for regulatory offences as described above in question 4.6. In addition, personal liability may arise under civil law for members of the Management Board in light of Section 93(3) of the German Stock Corporation Act.

4.9 What are the maximum financial penalties applicable to individuals and legal entities found to have violated economic sanctions?

Please see question 4.4 above.

4.10 Are there other potential consequences from a civil law perspective?

Please see question 4.5 above regarding criminal liability and question 4.8 regarding civil liability.

4.11 Describe the civil enforcement process, including the assessment of penalties. Are all resolutions by the competent authorities public?

The local public prosecutor's office and main customs office are in charge of investigating administrative offences and imposing regulatory fines.

The imposition of fines is regulated in Section 17(3) OWiG. The assessment of fines is made at the discretion of the imposing authority and shall primarily consider the significance of the regulatory offence and the degree of fault by the perpetrator. Financial circumstances of the perpetrator can also be taken into account. The necessity to disgorge the profits of the perpetrator in accordance with Section 17(4) OWiG (see also question 4.4 above) is also regularly taken into account.

Resolutions by the competent authorities are typically not public.

4.12 Describe the appeal process. Have companies challenged penalty assessments in judicial proceedings?

In principle, the person or company concerned may appeal the decision imposing a fine. As a consequence, the authority which imposed the fine may decide to grant the appellant's request. Otherwise, the matter is brought before the court.

4.13 Are criminal and civil enforcement only at the national level? Is there parallel state or local enforcement?

The local public prosecutor's office and main customs office, with the assistance of the ZfS, German Federal Bank and BAFA, prosecute violations of EU sanctions and German export control laws on a national level; see questions 1.2, 4.2 and 4.7 above.

In parallel, the ZfS enforces the asset freeze and the prohibition to make available funds or economic resources adopted by the EU within the framework of Financial Sanctions.

4.14 What is the statute of limitations for Economic Sanctions violations?

The applicable statute of limitations is based on whether the sanctions violation is considered a crime or an administrative offence. Further, the statute of limitations applicable in cases where the sanctions violation is considered a crime depends on the maximum prison term associated with the specific sanctions violation.

In cases where the sanctions violation is a crime, specifically in cases of an intentional violation of an arms embargo, the limitation period is 10 years (Section 17(1) AWG, Section 78(3)(3) StGB). Under certain perpetrator-related circumstances (e.g., gang membership), the limitation period is 20 years (Section 17(3) AWG, Section 78(3)(2) StGB). For intentional violations of typical EU sanctions provisions, the limitation period is five years (Section 18(1) AWG, Section 78(3)(4) StGB).

In cases where the sanctions violation is an administrative offence, e.g., in cases of negligent breach of EU sanctions, the limitation period is three years (Section 19 AWG, Section 31(2)(1) OWiG).

5. General

5.1 If not outlined above, what additional Economic Sanctions–related measures are proposed or under consideration?

Further packages of EU sanctions against Russia can be expected in the light of Russia's ongoing war of aggression against Ukraine.

5.2 Please provide information for how to obtain relevant Economic Sanctions laws, regulations, administrative actions, and guidance from the Internet. Are the materials publicly available in English?

Official information regarding EU sanctions is published and frequently updated on a sanctions map provided by the European Commission, which can be accessed at [Hyperlink].

The above-mentioned EU law can also be found online on EUR-Lex. For example, see [Hyperlink] for the TFEU and [Hyperlink] for the TEU.

German law is publicly accessible at [Hyperlink]. A list of laws available in English can be accessed at [Hyperlink] (please be aware of the disclaimer under "User-Notice").

An influential source of guidance on EU sanctions against Russia and Belarus is the Consolidated FAQs of the European Commission, which are published and continuously updated at [Hyperlink].

Germany is among the few EU countries which have published their own detailed guidance on EU sanctions against Russia.

In particular, the German Federal Ministry for Economic Affairs and Climate Action ("Bundesministerium für Wirtschaft und Klimaschutz") ("BMWK"), which is the Ministry supervising the BAFA and thus in charge of Economic Sanctions, has published the FAQs on EU sanctions against Russia, which are gaining considerable influence through their level of detail. The BMWK FAQs can be accessed at [Hyperlink] (in German).

The German Federal Bank has also published detailed FAQs on EU Financial Sanctions, particularly addressing sanctions against Russia and Belarus, which can be accessed at [Hyperlink] (in German).

The introductory leaflet published by the BAFA is very comprehensive and valuable to those new to this area of law as well as experienced practitioners. This document of around 40 pages can be downloaded free of charge at [Hyperlink].

For comprehensive current developments and more detailed information on, in particular, individual sanctions regimes, see, inter alia, [Hyperlink].

For a deeper insight into U.S. sanctions law, the following is recommended: Adam Smith/Stephanie Connor/Richard Roeder, in U.S., EU, and UN Sanctions: Navigating the Divide for International Business, published by Bloomberg Law in 2019.

Gibson Dunn's International Trade practice and the lawyers on our global sanctions team can help navigate the complex web of varying obligations and restrictions.

AlixPartners helps clients across the globe with sanctions risk analytics, forensics, and risk management transformation (see [Hyperlink]).