# Article 28 — Administrative sanctions and measures **Source:** [Regulation (EU) 2023/1113 — EUR-Lex](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1113) 1. Without prejudice to the right to provide for and impose criminal sanctions, Member States shall lay down the rules on administrative sanctions and measures applicable to breaches of the provisions of this Regulation and shall take all measures necessary to ensure that they are implemented. The sanctions and measures provided for shall be effective, proportionate and dissuasive and shall be consistent with those laid down in accordance with Chapter VI, Section 4, of Directive (EU) 2015/849. Member States may decide not to lay down rules on administrative sanctions or measures for breach of the provisions of this Regulation which are subject to criminal sanctions in their national law. In that case, Member States shall communicate to the Commission the relevant criminal law provisions. 1. Member States shall ensure that, where obligations apply to payment service providers and crypto-asset service providers, in the event of a breach of provisions of this Regulation sanctions or measures can, subject to national law, be applied to the members of the management body of the relevant service provider and to any other natural person who, under national law, is responsible for the breach. 2. Member States shall notify the rules referred to in paragraph 1 to the Commission and to the permanent internal committee on anti-money-laundering and countering terrorist financing referred to in Article 9a(7) of Regulation (EU) No 1093/2010. Member States shall notify the Commission and that permanent internal committee without undue delay of any subsequent amendments thereto. 3. In accordance with Article 58(4) of Directive (EU) 2015/849, competent authorities shall have all the supervisory and investigatory powers that are necessary for the exercise of their functions. In the exercise of their powers to impose administrative sanctions and measures, competent authorities shall cooperate closely to ensure that those administrative sanctions or measures produce the desired results and to coordinate their action when dealing with cross-border cases. 4. Member States shall ensure that legal persons can be held liable for the breaches referred to in Article 29 committed for their benefit by any person acting individually or as part of an organ of that legal person, and having a leading position within the legal person based on any of the following: 1. power to represent the legal person; 2. authority to take decisions on behalf of the legal person; 3. authority to exercise control within the legal person. 5. Member States shall also ensure that legal persons can be held liable where the lack of supervision or control by a person referred to in paragraph 5 of this Article has made it possible to commit one of the breaches referred to in Article 29 for the benefit of that legal person by a person under its authority. 6. Competent authorities shall exercise their powers to impose administrative sanctions and measures in accordance with this Regulation in any of the following ways: 1. directly; 2. in collaboration with other authorities; 3. under their responsibility by delegation to such other authorities; 4. by application to the competent judicial authorities. In the exercise of their powers to impose administrative sanctions and measures, competent authorities shall cooperate closely in order to ensure that those administrative sanctions or measures produce the desired results and to coordinate their action when dealing with cross-border cases. ## What this means in practice Article 28 is the **architecture** of the ToFR sanctions regime. It does three things: 1. **Forces consistency with AMLD5.** Member States cannot invent a lighter regime for ToFR breaches — they must mirror the AMLD5 Chapter VI Section 4 sanctions ceiling. 2. **Captures management body members personally** (para 2). ToFR breaches can be enforced against individuals on the management body and any other responsible natural person — not just the legal entity. 3. **Confirms legal-person liability** for breaches committed for the entity's benefit by senior managers or enabled by management's lack of supervision (paras 5–6). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.mica.wtf/tofr/transfer-of-funds-regulation/chapter-vi-sanctions-and-monitoring/article-28-administrative-sanctions-and-measures.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.