On 13 March 2026, the European Commission (EC) published an FAQ entitled “Provision of payments services”, refining the EU sanctions targeting Russia.1 Compared to previous guidance touching upon Article 5b(2) in Council Regulation 833/2014, this new FAQ is a significant shift because it translates the legal requirements of Article 5b(2) into the practical language used in day-to-day payment operations.2
A Broader Scope
The March FAQ provides more detailed guidance regarding account continuity than anything issued so far. It clarifies that Article 5b(2) does not, in itself, require operators to terminate existing contracts or close accounts altogether. Rather, the broader customer relationship and nonprohibited services may continue, while the specific activities prohibited by Article 5b(2) must cease for customers who fall within scope. For banks, payment institutions and electronic-money institutions, that distinction is operationally significant because it separates the continued existence of the customer relationship from the separate question of whether a prohibited service is being provided.
That clarification should not be read as any relaxation of supervisory expectations. The obligation remains to ensure that prohibited services are not provided. There is an obvious risk of false comfort where firms rely upon the fact that accounts need not be closed, yet lack both the controls and the capability to adequately demonstrate to show that prohibited services were actually being in fact being prevented.
Ownership and Residence
Further clarification concerns the basic scope of Article 5b(2). As explained in the March FAQ, the prohibition is directed at three principal categories of customers: Russian nationals, natural persons residing in Russia, and legal persons, entities or bodies established in Russia. By contrast, an entity established in a Member State or in a third country does not fall within Article 5b(2) merely because it is owned or controlled by Russian persons. Russian ownership, in itself, is therefore not enough to trigger the prohibition for payment services, although the FAQ is equally clear that Article 12 may still be engaged where such an entity is being used as a vehicle for circumvention.
The residence and nationality exceptions must be read separately from that basic rule. Even where a natural person would otherwise fall within Article 5b(2), the prohibition does not apply if that person is a national of a Member State, of a country in the European Economic Area (EEA), or of Switzerland, or if that person holds a temporary or permanent residence permit in one of those jurisdictions. The March FAQ adds that holders of long-stay Type D visas who have completed the requisite residence-registration formalities are typically to be treated as legally resident for these purposes.
The FAQ also refines the residence exception by clarifying that instruments like residence permits must remain valid throughout the full validity period of any newly issued payment instrument. That raises a practical implementation question, namely how the duration of the instrument is to be aligned with the duration of the underlying residence right. Firms may therefore need to consider shorter instrument-validity periods, permit-expiry triggers, or renewal and revalidation controls.
Defining the Payment Chain
The March FAQ clarifies that existing payment instruments do not need to be cancelled or frozen, and that online and mobile banking, direct bank transfers and cash withdrawals are not prohibited by Article 5b(2)(b). By contrast, the prohibition does apply to the issuance, renewal or replacement of additional cards, and to commercial cards personalised for in-scope persons who do not benefit from the relevant exceptions. The distinction is therefore not between all payment instrument-related (i.e. card-related) activity and no card-related activity, but between the continued use of certain existing arrangements and the provision of new or specifically prohibited payment services.
The FAQ then refines that analysis by looking beyond the instrument itself to the service through which the transaction is carried out. A card may remain formally valid, yet a particular method of using it may still involve a prohibited service. That is why the EC draws a distinction between the continued existence of the payment instrument and the separate question of whether the surrounding payment infrastructure amounts to acquiring or payment initiation. In the same vein, the FAQ states that a simple bank-link redirection to the user’s own bank is not, without third-party initiation, a prohibited payment-initiation service.
The practical consequence is that firms can no longer assess compliance at the level of the product or channel alone. They must instead identify and classify the underlying payment services embedded within each transaction flow. In many cases, a single customer interaction will involve multiple service components, some of which may fall within Article 5b(2) while others do not. This requires a degree of service mapping and process decomposition that many institutions have not historically performed in a sanctions context. A Russian national resident in Russia, for example, may continue to use an existing debit card for an ATM withdrawal, even though the issuance of a replacement card upon expiry, or the use of that card through a separate third-party payment-initiation service, may fall within the prohibition. The compliance assessment must therefore distinguish between the continued use of an existing instrument and the provision of a separate regulated service within the same customer journey.
The March FAQ also clarifies the allocation of compliance responsibility across the payments chain. Although the account-servicing payment service provider (PSP) is identified, with reference to Recital 19 of Regulation (EU) 2025/2033, as the actor best placed to assess the customer relationship and the relevant account status, that does not displace the independent obligation of other providers in the chain to ensure that they are not themselves facilitating a prohibited service. PSPs are not expected to conduct exhaustive screening of each transaction at the moment of initiation. Their obligation, like that of acquirers, is instead to ensure that they are not themselves providing a prohibited service. In practice, that division of responsibility is likely to require a clearer delineation of roles, supported by contractual arrangements, control frameworks, and, where necessary, reliance models that can be justified to supervisors.3
Implementation Challenges and Areas of Likely Scrutiny
For many firms, the most immediate difficulty will not lie in interpreting the legal rule in the abstract, but in demonstrating that the operational distinctions drawn by the FAQ are actually being observed in practice. Customer-intake processes are often not designed to capture, verify and retain evidence of nationality and residence at the degree of granularity now required, especially in cases involving dual nationals, expatriates, complex residency profiles, or non-Russian entities with a Russian nexus. Detecting indirect exposure through affiliates, intermediaries and nested payment chains is rarely achievable through simple rules alone, particularly where the firm facilitates part of a broader transaction in which value may accrue to a restricted person through layered settlements or more complex structures.
Where operators transact across payment, electronic-money or crypto business lines, the control challenge may be more acute still. In such settings, the institution may need visibility over the client’s total exposure across linked accounts, wallets, subaccounts or related arrangements, together with a defensible valuation methodology and threshold-monitoring framework capable of triggering before a breach occurs. Supervisory attention is likely to focus less on the elegance of the written policy than on whether the firm can show that prohibited services are identified, internally referred, and blocked at the appropriate point in the payment chain.
How Can We Help
For institutions navigating the March FAQ, the central challenge lies in converting a more exacting sanctions framework into operational controls that can withstand scrutiny. We assist clients in mapping products and transaction flows to the underlying regulated services, testing whether existing screening and customer-status validation measures are sufficient, identifying where prohibited services may arise in practice, and strengthening the governance, internal-referral and evidential frameworks needed to support a targeted, services-based approach under Article 5b(2).
1European Commission, “Sanctions adopted following Russia’s military aggression against Ukraine”, Finance; European Commission, “Provision of payments services”, Finance.
2European Commission, “Frequently asked questions – sanctions against Russia”, Finance; European Commission, “Commission Consolidated FAQs”; European Commission, “Deposits”, Finance.
3European Commission, “Provision of payments services”, Finance.
