ECJ: Corporate fines for AML breaches can be imposed without establishing an offense by a management-level person – continuation of the Deutsche Wohnen SE line
Update Compliance 4/2026
The ECJ has clarified that legal persons can be sanctioned directly for violations of anti-money laundering (AML) obligations without the authority first having to identify, prosecute, or name a specific natural person as the offender in the operative part of its decision (Case C-291/24, judgment of 29.01.26).
What is decisive is the company’s functioning compliance management system and its organizational effectiveness; if effective safeguards are lacking, the sanction can be directed at the company. With this decision, the Court continues its line from GDPR case law (including Deutsche Wohnen SE): corporate sanctions must not fail due to the inability to identify an individual perpetrator where structural deficiencies are established.
Legal Framework
The Fourth Anti-Money Laundering Directive (EU) 2015/849 requires effective, proportionate, and dissuasive sanctions against obliged entities, explicitly including legal persons.
In the ECJ's view, the provisions on attributing the acts of management bodies and subordinate employees do not imply a requirement for a preceding individual proceeding. Sanctions against natural persons, such as members of the management, remain possible but are not a precondition for the liability of the legal person. This already follows from the principle of effet utile: the EU’s preventive and sanctioning mechanisms in the fight against money laundering must remain practically enforceable – particularly in complex organizational structures.
Background of the case
The decision arose from proceedings by the Austrian Financial Market Authority against a credit institution for alleged breaches of due diligence obligations under the FM-GwG (Financial Markets Anti-Money Laundering Act). Although the statute already provides an attribution model regarding acts of persons in management as well as supervisory/control failures, the Austrian Higher Administrative Court (VwGH) had set strict attribution thresholds and maintained that, prior to a corporate sanction, a specific natural person had to be accused, their culpable conduct established, and that person named in the judgment. The ECJ has now expressly rejected this “logic,” which requires an identified natural person first.
Practical implications for supervisors and companies
The ECJ makes it unequivocally clear:
- The addressee of the sanction is the company where its organization fails; identifying an individual perpetrator is not required for that. This brings the substance of the compliance architecture to the fore. Those who take governance and control seriously will materially reduce sanction risk; those who merely claim compliance on paper should expect tangible measures.
- Supervisory authorities can proceed directly against companies where organizational deficiencies exist; the search for a “key person” is no longer a barrier.
- Members of management can still be held personally liable – in addition, not as a prerequisite for corporate attribution. Risk assessment, internal controls, effective monitoring, escalation paths, and demonstrable training are central. What is decisive is whether the institution masters its AML risk management – not whether a single perpetrator is identified.
Significance beyond Austria
For Germany and other Member States, the Court thereby confirms the direct corporate addressee of administrative sanctions – consistent with the already established line on data protection fines (Case C-807/21, judgment of 05.12.2023).
This strengthens AML and data protection supervision alike and undercuts defense strategies that attempt to narrow proceedings to the identification of a single natural person while leaving structural deficits unaddressed.
Governance recommendations for practice
A range of consequences follow for companies subject to obligations under the German Anti-Money Laundering Act (GwG) that wish to avoid fines for violations.
In addition to sharpening risk control, responsibilities should be clearly defined – that is, roles and the four-eyes principle should be bindingly regulated, and effective control paths and escalation mechanisms ensured. Obliged entities should also be able to evidence effectiveness through training, controls, alerts, and measurable actions.
It is also helpful and advisable, for purposes of optimizing the system, to review the entire process – from client onboarding through to the filing of any required suspicious activity report – to determine where improvements are still needed.