AML/CFT and Sanctions in 2026: The Practical Consequences of Laws 70/2025 and 72/2025 (amending Laws 83/2017 and 97/2017)

In December 2025, two statutes entered into force that significantly amend the Portuguese legal framework on the prevention of money laundering and the enforcement of sanctions. Law 70/2025 implements Article 38 of Regulation (EU) 2023/1113 (on information accompanying transfers of funds and certain crypto-assets — the so-called Travel Rule) into the national legal order and amends Law No. 83/2017 of 18 August. Law 72/2025 transposes Directive (EU) 2024/1226 on the definition of criminal offences and penalties for the violation of Union restrictive measures, and amends Law No. 97/2017 of 23 August.

In a context where AML enforcement and the growing use of sanctions are establishing themselves as priorities in the European Union — a trend identified in DLA Piper's 2026 financial services outlook —, this article analyses the concrete operational consequences of these statutes for obliged entities and CASPs: the new AML/CFT obligations under the crypto-asset framework, including cooperation with the new EU Anti-Money Laundering Authority (AMLA); and the strengthening of the criminal and sanctions enforcement regime, including the qualification of violations of restrictive measures as a “predicate offence” for money laundering.

The article concludes with three priorities for Q2 2026.

 

1. Law 70/2025: New AML/CFT Obligations for Obliged Entities

Law 70/2025 deepens the integration of crypto-assets into the Portuguese AML/CFT framework, implementing Article 38 of Regulation (EU) 2023/1113 into the national legal order and strengthening the obligations already imposed on obliged entities operating in this sector. The consequences for CASPs and for financial institutions that interact with them are immediate and operationally demanding.

Self-hosted addresses: immediate obligations for CASPs

Crypto-asset service providers are now required to accompany all crypto-asset transfers with complete information on the originator and the beneficiary — with no minimum value threshold. For entities whose transaction monitoring systems were calibrated under the previous regime, this change requires an immediate review.

For transfers involving self-hosted addresses, the legislator went further: the new Article 71-A of Law 83/2017 imposes on CASPs enhanced measures proportionate to the risk, including the identification and verification of the originator or beneficiary, the collection of additional information on the origin and destination of the crypto-assets, and ongoing enhanced monitoring of those transactions. The absence of these controls constitutes a breach of Law 83/2017 as currently in force.

The obligation extends equally to credit institutions and payment institutions that process fund transfers to or from CASPs: the interaction between the traditional funds transfer regime and the new crypto-asset regime requires a review of internal verification and reporting procedures to ensure that AML/CFT programmes cover both flows in full.

Cooperation with AMLA: a new supervisory dimension

Law 70/2025 reinforces, at national level, the cooperation framework already imposed at European level by Regulation (EU) 2024/1620 — which establishes the Anti-Money Laundering Authority (AMLA). Article 141 of Law 83/2017, in its current wording, requires Portuguese sectoral authorities to cooperate with AMLA by providing all information necessary for the fulfilment of its tasks, and requires supervisory authorities of financial entities to cooperate equally with the European Banking Authority (EBA).

For obliged entities, this cooperation architecture has practical consequences: it means that information shared with the BdP or CMVM in the context of authorisation applications, suspicious transaction reports or inspections may flow to AMLA under its direct supervision mechanisms — particularly in relation to larger, higher-risk financial entities. The compliance functions of obliged entities must be prepared for this reality, notably in the documentation of client due diligence processes and in the quality of communications to national authorities.

 

2. Law 72/2025: Strengthening the Criminal and Sanctions Enforcement Regime

Law 72/2025 transposes Directive (EU) 2024/1226 on the definition of criminal offences and penalties for the violation of Union restrictive measures into the national legal order, and introduces the second amendment to Law No. 97/2017 of 23 August. The statute goes, however, beyond mere transposition: it simultaneously amends the Penal Code and Law No. 5/2002 of 11 January, with consequences extending to the money laundering regime and the extended asset forfeiture regime.

New criminal and sanctions enforcement framework

Article 28 of Law No. 97/2017, as amended by Law 72/2025, significantly expands the catalogue of criminal offences for violation of restrictive measures, distinguishing between conduct constituting the basic offence — such as making funds or economic resources available to designated persons, failure to freeze assets, or the provision of prohibited financial services — punishable by imprisonment of 1 to 5 years, and conduct involving a specific intent to prevent the effects of a restrictive measure, such as the concealment of funds or the provision of false information on beneficial owners, punishable under the same sentencing range. Negligence is now expressly criminalised, with imprisonment of 6 months to 2 years and 6 months. Article 29 establishes corporate liability in two tiers: fines of up to 5% of total worldwide turnover for the most serious offences (or up to €40,000,000), and up to 1% for less serious offences (or up to €8,000,000) — a calculation basis of particular relevance for international groups with operations in Portugal.

For obliged entities, these changes have a direct consequence: sanctions compliance programmes must cover not only the most obvious prohibitions, but also less visible conduct such as the provision of misleading information on beneficial owners or failure to comply with reporting obligations — an inadequate programme ceases to be merely a regulatory risk and becomes criminal exposure. Article 29-A aggravates penalties by one third where the conduct is committed by an official in the exercise of their functions or in the context of a criminal organisation; Article 29-B provides for special mitigation for those who actively cooperate in the discovery of the truth before the close of trial proceedings.

Violations of restrictive measures as a predicate offence for money laundering

The amendment to Article 368-A of the Penal Code, introduced by Article 4 of Law 72/2025, expressly includes violations of restrictive measures — as provided for in Article 28 of Law No. 97/2017 — in the catalogue of predicate offences for money laundering. Article 5 of Law 72/2025 makes an identical amendment to Law No. 5/2002 of 11 January, subjecting this category of offence to the extended asset forfeiture regime.

These amendments have a systemic consequence that goes beyond Criminal Law: the violation of restrictive measures may now independently trigger an obligation to report a suspicious transaction under Law No. 83/2017. Obliged entities that detect indicia of a violation of restrictive measures — for example, in the context of a payment transaction, a crypto-asset transfer, or a correspondent banking relationship — may now be subject to the reporting obligation under Article 43 of Law No. 83/2017, to the extent that the funds involved may be proceeds of a money laundering predicate offence.

For the compliance programmes of obliged entities, this articulation between the sanctions regime and the AML/CFT regime means that the sanctions compliance function and the AML/CFT function can no longer operate in isolation: the detection of a potential violation of restrictive measures must simultaneously trigger sanctions analysis procedures and suspicion assessment procedures for the purposes of reporting to the Financial Intelligence Unit.

Whistleblower Protection

The new Article 24-A of Law No. 97/2017 extends to individuals who report violations of restrictive measures the protection regime provided for in Law No. 93/2021 of 20 December (RGPDI), without prejudice to the application of more favourable whistleblower protection provisions.

The reference to Law No. 93/2021 is not neutral: it means that those who report violations of restrictive measures now benefit, in particular, from confidentiality of identity, prohibition of retaliatory measures, a two-year presumption that any adverse measure taken following a report is motivated by that report — with the burden of rebuttal falling on the employer — and immunity from disciplinary, civil and criminal liability for acts carried out in good faith in the context of the report.

For obliged entities, Article 24-A has an immediate practical implication: internal reporting channels established under Law No. 93/2021 must expressly include violations of restrictive measures as a reportable category. The omission of this category from internal procedures is not merely a compliance gap — it is a legally material exposure for the entity.

 

3. Three Priorities for Q2 2026

• CASPs and financial institutions with crypto-asset exposure: review transaction monitoring systems to ensure full coverage of the travel rule with no minimum threshold, including transfers involving self-hosted addresses under Article 71-A of Law No. 83/2017; and map the points of articulation with AMLA and the EBA under Article 141 of the same law.
• Obliged entities with sanctions compliance programmes: assess whether existing programmes cover the new catalogue of offences under Article 28 of Law No. 97/2017, in particular conduct relating to beneficial owners and reporting obligations; and ensure that the sanctions compliance function and the AML/CFT function are operationally integrated, given that violations of restrictive measures now constitute a predicate offence for money laundering.
• Internal reporting channels: verify that violations of restrictive measures are expressly included as a reportable category, in compliance with Article 24-A of Law No. 97/2017 and the regime of Law No. 93/2021 (Whistleblower Protection).