A Warsaw-based trading company receives a purchase order from a new client. The client's registered address is in a third country. Before the contract is signed, someone should ask: has this counterparty been screened against EU, UN, and Polish sanctions lists? If the answer is no – or "we are not sure" – the company is already exposed to personal liability for its management board, asset freezes, and criminal penalties under Polish law.

Polish companies are required to screen counterparties, transactions, and assets against applicable sanctions lists before entering into business relationships or executing payments. The obligation flows from EU regulations with direct effect, supplemented by the Polish Act on Counteracting Money Laundering and Terrorism Financing (AML Act). Non-compliance carries fines of up to PLN 1,000,000 and personal criminal liability for directors. The screening must be repeated whenever the risk profile of a relationship changes.

This guide walks through the legal framework, the step-by-step procedure, the most common mistakes Polish companies make, and how three different types of business – a manufacturer, an IT firm, and a foreign investor – should approach their sanctions programmes. Each section contains at least one concrete figure and a practical takeaway you can act on today.

What is the legal basis for sanctions screening in Poland?

The obligation to screen counterparties does not come from a single Polish statute. It arises from a layered framework of EU regulations, UN Security Council resolutions, and domestic implementing legislation. Understanding each layer is necessary before building any internal procedure.

EU sanctions regulations – adopted under the Traktat o funkcjonowaniu Unii Europejskiej (Treaty on the Functioning of the European Union, TFEU) – have direct effect in Poland. They require every person and entity in the EU to freeze assets of designated parties and to refrain from making funds or economic resources available to them. No domestic transposition is needed. The obligation applies from the moment a regulation enters into force.

At the domestic level, the Ustawa o przeciwdziałaniu praniu pieniędzy oraz finansowaniu terroryzmu (Act on Counteracting Money Laundering and Terrorism Financing, AML Act) designates obligated institutions – including banks, payment institutions, law firms, notaries, and accountants – and requires them to apply enhanced customer due diligence. The General Inspector of Financial Information (GIIF), operating within the Ministry of Finance, is the primary supervisory authority. The National Bank of Poland (NBP) and the Polish Financial Supervision Authority (KNF) exercise oversight over the financial sector. The National Court Register (KRS) provides ownership data relevant to beneficial ownership verification.

Beyond obligated institutions, all Polish companies face the direct-effect EU prohibition. A manufacturing company that is not an obligated institution under the AML Act can still be prosecuted under EU sanctions law if it knowingly supplies goods to a designated entity. The practical consequence: every Polish company with cross-border exposure needs at least a basic screening procedure, regardless of sector.

How should a Polish company build its screening procedure step by step?

A workable sanctions programme has five stages: list identification, risk classification, screening execution, match assessment, and record-keeping. Each stage has a defined output. Skipping any stage creates a gap that regulators and prosecutors can exploit.

Stage 1 – Identify applicable lists. The minimum set for a Polish company includes: (1) the EU Consolidated Sanctions List, maintained by the European External Action Service and updated within 24 hours of a new designation; (2) UN Security Council consolidated lists; (3) the Polish domestic list maintained by the GIIF. Companies with US-dollar transactions or US counterparties should also screen against OFAC's Specially Designated Nationals (SDN) list – though OFAC jurisdiction is a separate legal question.

Stage 2 – Classify counterparty risk. Not every client carries the same risk. A counterparty incorporated in a jurisdiction subject to an EU asset-freeze regime, or with beneficial owners in a sanctioned country, requires deeper scrutiny. The risk classification should be documented. A written note of two paragraphs is sufficient for a low-risk client; a full enhanced due diligence report is required for high-risk relationships.

Stage 3 – Execute the screen. Manual searches on official portals are acceptable for small volumes. Automated screening tools are advisable when a company processes more than 50 new counterparties per month. The screen should cover the legal entity, its beneficial owners (UBO), and key management. Screening only the company name while ignoring the UBO is the single most common gap found in regulatory reviews.

Stage 4 – Assess any match. A name match is not automatically a hit. Sanctions lists contain common names. The assessment must compare date of birth, nationality, registered address, and identification numbers. If doubt remains after internal assessment, the company should seek legal advice before proceeding. Proceeding without resolving a potential hit can constitute a sanctions violation, which is irreversible once the transaction is executed.

Stage 5 – Record and retain. Polish law requires obligated institutions to retain due diligence records for five years from the end of the business relationship. For non-obligated companies, best practice mirrors this standard. Records should include the date of the screen, the lists checked, the result, and the name of the person who conducted the assessment.

We secured a reversal of a freeze order affecting assets worth over PLN 3m for a logistics client in the Mazowieckie region (autumn 2025), after demonstrating that the company's internal screening records clearly documented a negative result at the time of the transaction. Without those records, the defence would have been substantially harder.

What are the most common mistakes – and their consequences?

Most sanctions breaches by Polish companies are not intentional. They result from procedural gaps that accumulate over time. Three mistakes appear repeatedly in enforcement actions and regulatory reviews.

Mistake 1 – Screening at onboarding only. Sanctions lists change daily. A counterparty who was clean at onboarding in January may be designated by March. Polish companies that screen once and never re-screen are exposed to ongoing violations. The AML Act requires obligated institutions to monitor business relationships continuously. For non-obligated companies, periodic re-screening – at least quarterly for high-risk relationships – is the minimum defensible standard.

Mistake 2 – Ignoring beneficial ownership. EU sanctions regulations target not only designated entities but also entities owned or controlled by them. A counterparty may itself be unlisted, while its 60% shareholder is on the EU Consolidated Sanctions List. Screening only the direct counterparty misses this exposure entirely. The ownership threshold under EU law is 50% – any entity more than 50% owned by a designated person is treated as designated.

Mistake 3 – No escalation path. When a potential match is identified, many companies either ignore it or freeze entirely. Neither response is correct. The procedure should specify: who receives the alert, within how many hours they must respond (24 hours is a workable standard), and what documentation is required before a decision is made. A company without an escalation path will almost certainly handle the first real hit incorrectly.

The consequences of these mistakes are serious. Personal liability for board members is automatic where a director knowingly permitted a sanctions violation. Asset freezes affect the entire company, not just the transaction in question. Criminal liability under Polish law carries a maximum custodial sentence of 10 years for serious violations. These consequences are not theoretical – enforcement activity in Poland has increased materially since 2022.

Our team obtained interim protection for a technology company in Lower Silesia (spring 2026) facing a regulatory inquiry after a counterparty was designated mid-contract. The company's documented escalation procedure – which it had adopted only four months earlier – was central to demonstrating good faith and avoiding personal liability for the management board.

How do three business scenarios affect the approach?

The legal framework is the same for every Polish company. The practical programme differs by sector, transaction volume, and counterparty geography. Three scenarios illustrate the range.

Manufacturing company. A Silesian manufacturer exports to 15 countries, including several with elevated sanctions risk. It processes approximately 80 new supplier and customer relationships per year. The appropriate programme includes automated screening against EU and UN lists, quarterly re-screening of the active counterparty database, and a written escalation procedure approved by the management board. The cost of a mid-market automated screening tool is typically between EUR 3,000 and EUR 8,000 per year – a fraction of the PLN 1,000,000 maximum fine for non-compliance.

IT company. A Warsaw-based software firm sells licences internationally, including to resellers whose end customers may be in sanctioned jurisdictions. The risk here is technology export controls overlapping with sanctions. The firm should screen not only its direct counterparties but also, where contractually feasible, obtain representations from resellers about end-user identity. A "know your customer's customer" clause in reseller agreements is a practical tool. The firm should also verify whether its software falls within EU dual-use export control categories.

Foreign investor. A German investor acquiring a Polish company should conduct sanctions due diligence on the target's counterparty base as part of the acquisition process. A target with undisclosed sanctions exposure transfers that exposure to the buyer on closing. Post-closing remediation is expensive and, in some cases, may require unwinding existing contracts. The investor should request a representation in the share purchase agreement that no counterparty of the target is a designated person or entity. For guidance on cross-border enforcement questions that can arise after acquisition, see our analysis of enforcing a Cyprus judgment in Poland step by step.

Across all three scenarios, the decision matrix is the same: higher cross-border exposure means a more formal programme, automated tools, and board-level ownership of the compliance function. Lower exposure permits a lighter procedure – but never zero procedure.

If your company's sanctions programme needs review or your transactions involve tax-sensitive cross-border structures, the intersection of sanctions and tax obligations deserves specific attention. Our tax practice in Poland regularly advises on the tax consequences of asset freezes and transaction unwinding.

To receive an expert assessment of your company's sanctions screening programme, contact info@kordeckipartners.com. We will review your current procedure, identify gaps, and provide a written action plan within five business days.

What should you prepare before your first sanctions review?

Before engaging external counsel or implementing a screening tool, a company should gather the following materials. This checklist applies to any Polish company conducting its first formal sanctions review.

  • A current list of all active counterparties, including suppliers, customers, and intermediaries, with registered country and beneficial ownership information where available.
  • Copies of any existing due diligence procedures, KYC forms, or AML policies currently in use.
  • A map of all jurisdictions in which the company operates, receives payments, or sends goods – including transit countries.
  • A record of any prior screening activity: dates, lists checked, results, and the person responsible.
  • The company's current escalation and decision-making structure for compliance matters – including who has authority to halt a transaction pending legal review.

This preparation reduces the time and cost of an external review. It also forces internal clarity about gaps before an external adviser identifies them – which is always a better position to be in. A review that takes two weeks with organised materials can easily take six weeks without them.

The specific situation of your company requires an individual assessment before any programme is implemented. Proceeding without that assessment forfeits the protection that a documented, good-faith compliance effort provides in regulatory and criminal proceedings.

For a tailored strategy on sanctions compliance and counterparty screening, reach out to info@kordeckipartners.com. Our disputes practice in Poland also advises companies facing regulatory inquiries or enforcement actions arising from alleged sanctions violations.

Frequently asked questions

Q: Does a small Polish company with only domestic clients need a sanctions screening programme?

A: A company that genuinely has no cross-border exposure and no foreign beneficial owners has minimal direct risk under EU sanctions regulations. However, "domestic" clients may themselves have foreign supply chains or shareholders. The safest approach is a basic annual check of all counterparties against the EU Consolidated Sanctions List – this takes less than one day for a small portfolio and creates a documented record. If the company later expands internationally, a more formal programme can be built on that foundation.

Q: How long does it take to implement a basic sanctions compliance programme?

A: A written procedure, counterparty risk classification matrix, and first full-database screen can be completed in four to six weeks for a company with up to 200 active counterparties. The timeline extends if beneficial ownership data is incomplete or if the company operates in multiple jurisdictions requiring separate list checks. Automated tools can be onboarded in two to four weeks once a vendor is selected. The process should not be delayed – a sanctions violation occurring during implementation does not benefit from the "work in progress" defence.

Q: Is it a common misconception that only banks and financial institutions need to screen for sanctions?

A: Yes – this is the most frequent misconception. EU sanctions regulations apply to all persons and entities within the EU, not only to regulated financial institutions. Banks face additional obligations under the AML Act and stricter supervisory scrutiny. But a manufacturing company, a software firm, or a real estate developer that transacts with a designated person violates EU law regardless of whether it is an obligated institution. The AML Act's enhanced due diligence requirements are sector-specific; the EU asset-freeze prohibition is universal.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to sanctions compliance, commercial disputes, and regulatory defence. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.