A true positive sanctions hit is a screening match confirmed against the published sanctions designation. False positives end in a case note that records why the match was cleared. True positives begin a procedural sequence governed by Council Regulation (EU) 269/2014, national implementing law, and the supervisory practice of the relevant authority.
A confirmed sanctions hit triggers legal obligations, not just an internal escalation.
This article walks you through what to do when a screening alert turns out to be a real match: confirm it, freeze, report, and document.. The sections cover what makes a hit a true positive, the actions required within the first 24 hours, the Article 8 reporting obligation and its two-week deadline, the German competent authority notification structure, the communication restrictions under Article 9, and the audit trail that has to outlive the incident.
The piece describes EU regulations as written and as implemented in Germany. It is operational interpretation, not legal advice.
What makes a sanctions hit a true positive?
A true positive is a screening match confirmed against the primary designation source. The screening tool produces an alert when a similarity score crosses the configured threshold. The alert is a candidate match. Whether it is a true positive depends on the investigation that follows.
The confirmation rests on three checks. Identity: the screened entity is the entity named in the designation, with matching identifiers from the published record. Status: the designation is in force on the date of the transaction or relationship, verified against the consolidated list maintained by the European Commission. Reach: the asset freeze or trade restriction applies to the activity in question.
Internal governance varies by program. An analyst makes the initial determination and a compliance lead approves it before the program acts. Many programs apply a four-eyes principle before recording a hit as confirmed, especially where the case turns on ownership, control, or identity ambiguity. Once the match is confirmed, the freeze should take effect immediately, regardless of internal approval steps.
What happens in the first 24 hours?
Article 2 of Regulation 269/2014 requires that all funds and economic resources owned, held, or controlled by a person listed in Annex I are frozen, and that none are made available to them directly or indirectly. The freeze is automatic and takes effect on confirmation. The 24-hour framing of this section is operational, not a regulatory grace period.
The word frozen has a technical meaning. Article 1 defines the freezing of funds as preventing any move, transfer, alteration, use of, access to, or dealing with the funds that would result in a change in their volume, amount, location, ownership, possession, character, destination, or any other change that would enable use, including portfolio management. The freezing of economic resources is similarly defined as preventing their use to obtain funds, goods, or services.
The first action on confirmation is to give effect to the freeze. The program identifies all funds and economic resources within its custody or control that the freeze captures and stops any movement of them. The action covers pending transactions, shipments in transit, and services that would otherwise be performed for or on behalf of the designated person. For exporters, manufacturers, and logistics operators, the freeze often requires operational holds beyond payments alone: shipment release blocks, warehouse holds, export-control review, and suspension of freight or customs instructions linked to the counterparty.
While the freeze takes effect, the compliance team notifies senior management, legal counsel, and the relevant business unit. The notification logs the time of confirmation, who the designated party is, and which funds or economic resources are affected. The records behind the freezing decision have to be kept and retrievable from the start. These are the alert itself, the evidence confirming identity, status, and reach, and the freezing action taken.
What the business must block operationally
A confirmed sanctions match is not handled by compliance alone. The business has to stop every path through which funds, goods, services, or economic resources could still reach the designated person.
For trade intensive companies, that means more than a payment block. The business partner should be blocked in the ERP or master data system. Open sales orders, purchase orders, deliveries, invoices, payments, credit notes, service tickets, and warranty obligations should be reviewed and held where performance would breach the restrictive measure.
Shipments need immediate attention. Goods not yet released should be held in the warehouse. Goods already with a freight forwarder or carrier should not be delivered, rerouted, or released without compliance approval. Customs declarations, export documents, freight instructions, and broker communications should be paused or reviewed before anything further is submitted or amended.
Services also matter. Technical support, maintenance, installation, repairs, software access, training, and consulting may amount to making economic resources available. The business unit should not continue performance simply because no physical goods are moving.
Every operational block should be documented: when the ERP block was applied, which orders or shipments were stopped, which payments were held, who was notified, and who approved each step. A true positive is defensible only if the company can show that the restriction was translated into operational controls.
What does the Article 8 reporting obligation require?
Article 8 of Regulation 269/2014 requires natural and legal persons to supply information that would facilitate the application of the Regulation to their national competent authority. The obligation, added by the 10th sanctions package and applied from 26 April 2023, has a two week deadline.
The information to be reported includes funds and economic resources frozen in accordance with the Regulation, information held on funds and economic resources within EU territory subject to an asset freeze that should have been but were not treated as frozen, and information held about any move, transfer, alteration, use of, access to, or dealing with such funds and economic resources in the two weeks preceding the listing of the relevant designated person. The notification is made to the competent authority of the member state where the reporting person is resident or located, with simultaneous transmission to the European Commission via the address listed in Annex II.
The two week deadline runs from the date the information comes into the reporting person's possession. Late reporting is itself a breach. The German implementing law, Außenwirtschaftsgesetz (AWG) §18 and §19, treats violations of EU sanctions reporting obligations as either a criminal offense or an administrative offense depending on intent.
Article 8 does not require the reporting person to disclose information protected by professional secrecy where that secrecy is recognised by EU or national law. Information received in accordance with Article 8 is used only for the purposes for which it was provided. The reporting person carries a good-faith immunity for disclosures made under the obligation.
Article 5r of Regulation 833/2014 adds a parallel reporting obligation for transfers of funds out of the Union exceeding 100,000 EUR by legal persons established in the Union whose proprietary rights are owned for more than 40% by Russian persons or entities. The reporting frequency is quarterly. Credit and financial institutions have a similar half yearly obligation. These sit alongside Article 8 reporting and are not substitutes for it.
Where do you report a true positive in Germany?
The German competent authority structure splits the notification by the type of restrictive measure. Financial sanctions, meaning asset freezes and the prohibition to make funds available, are administered by the Deutsche Bundesbank, Servicezentrum Finanzsanktionen. Trade-related sanctions, meaning restrictions on the supply of goods, technologies, and services, are administered by the Bundesamt für Wirtschaft und Ausfuhrkontrolle (BAFA).
A confirmed asset freeze of monetary funds is reported to the Bundesbank. A confirmed restriction on a goods transaction is reported to BAFA. A case that affects both must be reported to both.
The Zentralstelle für Sanktionsdurchsetzung (ZfS) was established under the Sanktionsdurchsetzungsgesetz (SanktDG) §10 Abs. 1 and the Außenwirtschaftsgesetz §13 Abs. 2a as the central authority for receiving reports from sanctioned persons themselves about their own frozen assets, and as the German enforcement authority for sanctions implementation. The ZfS holds the register of assets of sanctioned parties and operates a whistleblower system for reporting violations.
The format of the report to the Bundesbank is described in the Bundesbank Merkblatt. The required information includes the identity of the designated person, the funds and economic resources affected, the date and nature of the freezing action taken, and the identity of the reporting person. Reports are submitted by email to a designated address or through the supervised reporting channels for institutions subject to ongoing reporting obligations.
Programs operating across Austria or Switzerland need a separate authority map. Austria implements EU restrictive measures through the Oesterreichische Nationalbank and the Finanzmarktaufsicht under the Sanktionengesetz. Switzerland applies parallel measures under the Embargo Act through the State Secretariat for Economic Affairs, separately from EU law.
Member-state divergence within the EU is real. The Best Practices document is non-binding, and national competent authorities can reach different conclusions on identical facts. A program operating across multiple member states cannot assume that a report to one competent authority discharges the obligation in another.
What you can and cannot say to the counterparty
EU sanctions prohibit knowingly and intentionally participating in activities that circumvent the restrictions. For frozen assets, that prohibition appears in Article 9 of Regulation 269/2014. For blocked goods, technology, and trade flows, it appears in Article 12 of Regulation 833/2014. Communications with the counterparty can create circumvention risk where they enable the movement of funds, goods, or economic resources before the restriction takes effect.
Programs typically avoid operational detail that could help the counterparty move or shield assets. The exact communication should be coordinated with legal counsel and, where necessary, the competent authority. Disclose only what the regulation requires and what the counterparty needs to know for the restriction to take effect.
Even a frozen counterparty has certain rights. Where the freeze affects funds or economic resources held for their account, they are entitled to know it has happened and to seek a derogation from the competent authority under Article 4, 5, 6, or 6a of Regulation 269/2014. The program cannot obstruct that. The authority can authorise a release in specified circumstances: basic needs, professional fees, the execution of judicial decisions, or contractual payments due under contracts signed before the designation.
A contract signed before the counterparty's designation stays valid. What changes is performance: the EU party must suspend it wherever fulfilment would breach the asset freeze. The counterparty can apply to the competent authority for a derogation that allows specific payments, and the program supports that application by providing whatever information the authority requests, while keeping the freeze in place until the derogation is granted.
Internal communication is similarly bounded. Information about the true positive is shared with personnel who need it to give effect to the freeze, prepare the report, and preserve the case file. Wider distribution is avoided, to protect the integrity of the supervisory process and to limit the surface area for inadvertent tipping off.
What survives in the audit trail
The case file is the program's record of what was decided, when, by whom, and on what evidence. It is the artefact that supervisory authorities and auditors examine after the fact. The supervisory expectation is that the case file is comprehensive enough to permit a third party to reconstruct the decision without further explanation from the program.
The case file for a true positive sits on top of what Article 8 and the supervisory documents specifically require. Article 8 requires the report to identify the designated person, the funds and economic resources affected, and the date and nature of the freezing action. The Bundesbank Merkblatt requires the reporting institution to demonstrate the basis on which the freezing decision was made.
Beyond those requirements, supervisory inspections look at the reasoning trail. The competent authority asks how the program concluded that the entity was subject to the asset freeze, and expects to see what supported the identity, status, and reach checks: registry extracts, ownership analysis, public-record verifications. A case file that records only the conclusion, with none of the evidence behind it, is itself a finding.
Retention is governed by national implementing law. In Germany, the AWG and the Bundesbank Merkblatt specify that records relating to sanctions compliance are retained for the duration of the limitation period for the underlying offense. The limitation period for intentional violations of an arms embargo is 10 years under AWG §17 read with §78(3) of the Strafgesetzbuch (StGB). For aggravated cases involving gang membership or commercial scale, the limitation period extends to 20 years. In Germany, many programs align sanctions case file retention with the applicable limitation periods, often using 10 years as the minimum internal standard.
Council Decision (EU) 2022/2332 of 28 November 2022 made the violation of EU restrictive measures a recognised area of crime under Article 83(1) of the Treaty on the Functioning of the European Union. The implementing directive sets a minimum standard for how member states criminalise sanctions violations, which brings enforcement closer together across the bloc. The practical effect is that authorities and courts can apply consistent standards when they examine, years later, how a program handled a true positive.
Case files surface in two settings: supervisory inspections and enforcement actions. In both, the file is judged as evidence of whether the program identified, froze, reported, and documented the event correctly, which is much the same test an auditor applies.
Where the procedural sequence stands in 2026
Council Regulation (EU) 269/2014 and Regulation (EU) 833/2014 set the core rules. Article 2 of 269/2014 requires you to freeze assets immediately. Article 8 requires you to report to the national competent authority within two weeks of receiving the information. Article 9 of 269/2014 and Article 12 of 833/2014 ban any action that helps the counterparty get around the sanctions. National authorities such as the Deutsche Bundesbank Servicezentrum Finanzsanktionen and BAFA shape how this plays out in practice.
A confirmed sanctions hit is a legal obligation, not just an internal matter. A program that handles it well confirms the match, escalates it internally, freezes immediately, reports within two weeks where Article 8 applies, keeps all communication within the limits of Article 9, and retains the case file for as long as the limitation period requires.