The Court of Justice of the European Union has delivered an important judgment clarifying how Member States can hold financial institutions accountable for anti-money laundering violations. In Steiermärkische Bank und Sparkassen AG (Case C-291/24), decided on 29 January 2026, the Court addressed whether national courts can impose additional procedural hurdles before sanctioning legal entities for breaches of the Fourth Anti-Money Laundering Directive.
Background to the Case
The Austrian Financial Market Authority (FMA) imposed an administrative penalty on Steiermärkische Bank und Sparkassen AG for failing to comply with customer due diligence obligations under Austrian anti-money laundering law. The case reached the Federal Administrative Court of Austria, which had concerns about the compatibility of Austrian law with EU requirements.
Under Austrian practice, as interpreted by the Supreme Administrative Court, penalising a legal person required three specific conditions: first, the natural person whose actions are attributed to the legal entity must participate in proceedings as an accused party with full procedural rights; second, the penalty decision must explicitly identify that natural person by name; and third, the decision must formally establish that the named individual committed an unlawful and culpable act before attributing it to the legal entity.
The Court’s Reasoning
The Court began by emphasising the Directive’s primary objective: preventing illicit money flows that can damage the integrity and stability of the financial sector and threaten the internal market. Directive (EU) 2015/849 establishes preventive and dissuasive measures based on the fundamental principle of risk-based approach.
On the question of corporate liability, the Court made several critical points. First, nothing in Article 58(1), which requires Member States to ensure that obliged entities can be held liable for breaches, suggests that the liability of a legal entity depends on prior establishment of individual liability under national law. Legal persons act through natural persons, but the Directive merely clarifies when breaches can be attributed to the legal entity. It does not make corporate liability contingent on individual liability.
The Court noted that Article 58(3) allows Member States to impose sanctions on management members and other responsible natural persons, but this is ancillary and additional to the legal person’s liability, not a precondition for it. Similarly, Article 60(5) and (6) identifies which natural persons’ acts can trigger corporate liability without requiring those individuals to be formally identified and found liable first.
Requiring prior individual liability findings would undermine the effectiveness and deterrent effect of penalties that the Directive imposes directly on legal persons as obliged entities. The Court drew parallels with its earlier judgment in Deutsche Wohnen (C-807/21), which addressed similar issues under the General Data Protection Regulation.
The Court also reminded national courts of their duty to interpret domestic law consistently with EU directives, applying interpretative methods recognised under national law to achieve outcomes consistent with the Directive’s objectives.
Practical Implications
This judgment has significant implications for how Member States enforce anti-money laundering obligations against financial institutions.
For regulators and enforcement authorities, the ruling confirms they can impose penalties on legal entities without first establishing formal criminal or administrative liability against specific individuals. Enforcement proceedings can focus directly on the institution’s compliance failures without the procedural complexity of parallel individual proceedings.
For financial institutions, the judgment clarifies that corporate liability is not dependent on individual culpability findings. Institutions cannot escape sanctions merely because identifying and prosecuting responsible individuals proves difficult or time-consuming. This places greater emphasis on robust compliance frameworks and supervisory controls.
For compliance professionals, the case reinforces that effective governance structures and internal controls are essential. Article 60(6) liability, based on inadequate supervision or control, means institutions face exposure even when no individual in a leading position directly committed the breach.
The judgment also highlights practical enforcement challenges. Anti-money laundering investigations are often complex, with opaque underlying facts. The Court’s approach recognises that requiring individual findings first could render enforcement “practically impossible or excessively difficult”, particularly given limitation periods.
Conclusion
C-291/24 provides an important clarification on corporate liability under the EU AML Directive. The Court has firmly rejected procedural requirements that make institutional penalties dependent on prior individual liability findings.
The judgment reinforces that obliged entities bear direct responsibility for compliance, with sanctions that must be effective, proportionate, and dissuasive. While Member States retain procedural autonomy in many respects, including setting reasonable limitation period, they cannot impose requirements that undermine the Directive’s enforcement objectives.
Perhaps the Court sends a clear message: robust compliance programmes, effective internal controls, and proper supervision are essential. Institutions cannot rely on difficulties in establishing individual liability to avoid regulatory consequences for systemic compliance failures.
Leave a Reply