A Warsaw-based logistics company wins a new distribution contract in the Gulf region. The deal looks clean. The counterparty holds a respected local licence. Then, three weeks into onboarding, an automated alert flags a beneficial owner on the EU consolidated sanctions list. The company has already transferred an advance payment. It now faces a potential freeze order, a regulatory investigation, and the loss of the contract it spent six months negotiating.
Polish companies are subject to sanctions screening obligations arising from EU regulations directly applicable in Poland, supplemented by the Polish Act on Special Measures against Money Laundering and Terrorism Financing and the dedicated Polish sanctions statute. Failure to screen counterparties before entering into a transaction – or to maintain ongoing monitoring – can result in criminal liability for management, asset freezes, and permanent exclusion from public procurement. The competent supervisory authority in Poland is the General Inspector of Financial Information (GIIF), operating under the Ministry of Finance.
This guide walks through the step-by-step screening procedure, explains who is obligated, maps the most common compliance gaps, and addresses three real-world business scenarios that Polish companies encounter most frequently. Each section includes at least one concrete figure – a deadline, a threshold, or a statutory limit – so that you can calibrate your internal programme against actual legal requirements rather than general best practice.
Who is obligated to screen, and under which rules?
Sanctions screening in Poland operates on two tracks. The first is EU-level: Council regulations imposing asset freezes and prohibitions apply directly, without transposition, to every natural and legal person operating within the EU. The second is national: the Polish Act on Counteracting Money Laundering and Terrorist Financing (AML Act) designates a list of "obligated institutions" – banks, payment service providers, notaries, auditors, lawyers, and real estate agents, among others – that must screen clients against sanctions lists as part of customer due diligence. Companies outside that list are still bound by EU regulations but face fewer procedural duties under national law.
The distinction matters in practice. An obligated institution must complete sanctions screening before establishing a business relationship, at every transaction above EUR 15,000, and on an ongoing basis whenever risk indicators change. A non-obligated company – say, a mid-size manufacturer – has no procedural checklist imposed by national law, yet it commits a criminal offence if it executes a transaction with a designated person. The gap between "not required to maintain a formal programme" and "not liable for a breach" is wide enough to destroy a company.
The National Court Register (KRS) and the Central Register of Beneficial Owners (CRBR) are the primary domestic sources for identifying the ownership structure of Polish counterparties. For cross-border transactions, the EU consolidated list, the OFAC SDN list, and the UN consolidated list are the minimum baseline. Some sectors – financial services regulated by the Polish Financial Supervision Authority (KNF), defence procurement, and dual-use goods – carry additional list requirements and shorter response windows.
- EU consolidated sanctions list (updated within 24 hours of designation)
- UN Security Council consolidated list
- OFAC SDN list (relevant for USD transactions and US-nexus contracts)
- Polish national sanctions list (maintained by the GIIF)
- Sector-specific lists for KNF-regulated entities
The trigger for a screening obligation is not limited to direct counterparties. Beneficial ownership rules require looking through corporate structures to identify any natural person holding more than 25% of shares or voting rights. A clean corporate name can mask a designated individual at the UBO level. That is precisely where most enforcement cases originate.
What does a step-by-step screening procedure look like?
A defensible screening programme has five sequential stages. Each stage has a defined output – a document, a decision, or a recorded check – that can be produced to a regulator or a court. The absence of documentation is treated as evidence of non-compliance, not merely an administrative gap. The GIIF has the authority to impose fines of up to PLN 1,000,000 on obligated institutions for procedural failures, independent of whether an actual sanctions breach occurred.
Stage one is pre-onboarding identification. Before signing any contract or transferring any funds, the company collects the counterparty's full legal name, registration number, registered address, and UBO data. For legal entities, this means extracting the CRBR entry and cross-referencing it against the ownership chain. For individuals, it means verifying identity documents against a minimum of two list databases. The output is a timestamped screening certificate.
Stage two is list matching. The collected data is run against the applicable sanctions lists. Automated screening tools reduce false positives through fuzzy-matching algorithms and alias databases, but they do not eliminate the need for a human review of any potential match. The review must be completed within 24 hours of the alert. Any confirmed match triggers an immediate freeze obligation and a report to the GIIF within that same 24-hour window.
Stage three is risk scoring. Not every counterparty carries the same exposure. A domestic supplier with a 30-year trading history and no foreign ownership presents different risk than a newly incorporated entity with a nominee director and a beneficial owner in a high-risk jurisdiction. The risk score determines monitoring frequency: quarterly for low-risk, monthly for medium, and event-triggered plus monthly for high-risk counterparties.
Stage four is ongoing monitoring. Sanctions lists change daily. A counterparty that was clean at onboarding can be designated tomorrow. Obligated institutions must run automated re-screening at least once every 30 days. Non-obligated companies with significant cross-border exposure should adopt the same cadence voluntarily – a designation between screenings does not excuse a transaction executed after the designation date.
Stage five is escalation and record-keeping. Any potential match, any freeze decision, and any GIIF report must be retained for five years. Internal escalation paths – who notifies whom, within what timeframe – must be documented in a written procedure. The five-year retention period aligns with the AML Act and mirrors the EU's standard evidentiary window for financial crime investigations.
What are the most common compliance gaps – and what do they cost?
Three gaps account for the majority of enforcement actions and private disputes that reach our desk. First: UBO blind spots. Companies screen the legal entity but stop there. They do not trace the ownership chain to the natural person level. A designated oligarch holding 30% of a trading company through a Cypriot holding structure will not appear on a corporate name search. The screening programme must reach the UBO, not just the contracting party.
We secured a reversal of a contract termination dispute for a technology client in the Mazowieckie region (autumn 2025). The counterparty had alleged that our client's failure to screen a sub-supplier's UBO constituted a material breach. We demonstrated that the client's screening procedure met the applicable EU standard at the time of contracting, and that the subsequent designation post-dated the transaction. The case turned entirely on documentation – specifically, the timestamped screening certificate from the onboarding stage.
Second gap: static programmes. A sanctions programme designed in 2022 and never updated is not a functioning compliance tool. The EU has added new list entries, new sectoral prohibitions, and new reporting obligations across more than fourteen sanctions packages since February 2022. A programme must be reviewed at least annually, and immediately whenever a new package is adopted. Failure to update constitutes a systemic failure, which regulators treat more seriously than a one-off oversight.
Third gap: no escalation path for public procurement. Companies bidding on Polish public contracts must confirm sanctions compliance as part of the tender documentation. A false declaration – even an inadvertent one – triggers exclusion from the current tender and from all public procurement for up to three years. The Public Procurement Office (UZP) cross-checks declarations against sanctions databases. A KIO appeal (appeal to the National Appeals Chamber) filed after exclusion has only a 10-day window from the date of the exclusion decision.
The cost of these gaps is asymmetric. A properly maintained screening programme costs between PLN 20,000 and PLN 80,000 per year for a mid-size company, depending on transaction volume and the sophistication of the tooling. A single enforcement action – fine, legal costs, reputational damage, and lost contracts – routinely exceeds PLN 500,000. The economics of compliance are not ambiguous.
How do three common business scenarios play out in practice?
Scenario one: manufacturing company with a supply chain spanning Ukraine, Turkey, and the UAE. The company is not an obligated institution under the AML Act. It has no formal KYC programme. It sources components through a Turkish intermediary whose beneficial owner recently appeared on the EU list. The company's procurement team had no screening process at all. Under EU regulations, the company committed a breach at the moment it executed the first payment after the designation date – regardless of intent. The remedy is retrospective: freeze remaining payments, report to the GIIF, engage a dispute lawyer to assess exposure, and implement a programme before resuming the relationship. The window for voluntary self-disclosure, which regulators treat as a significant mitigating factor, is narrow. It closes once an investigation is opened.
Scenario two: Warsaw-based IT services company tendering for an EU-funded public contract. The company has a screening programme but has not updated it since the twelfth sanctions package. Its automated tool does not cover the new sectoral prohibitions on IT services to certain Russian state entities. The company submits a clean declaration. Post-award, the contracting authority discovers the gap during a routine audit. The contract is suspended, and a KIO appeal by a competing bidder accelerates the timeline. The company faces exclusion from public procurement for up to three years. An updated programme and a corrected declaration before submission would have cost less than PLN 5,000 in consultant time.
Scenario three: foreign investor – a German mid-cap – establishing a Polish subsidiary to distribute industrial equipment. The parent company runs OFAC and EU screening centrally. But the Polish subsidiary enters into a local distribution agreement on its own authority, without routing the counterparty through the group compliance system. The local counterparty's UBO is on the Polish national sanctions list but not on the EU consolidated list. The group compliance team would not have caught it. The Polish subsidiary is liable under Polish national law. For cross-border investors, local list coverage is not optional. Aligning the subsidiary's screening programme with group standards – while adding Polish national list coverage – is a day-one requirement, not a later enhancement. Guidance on structuring Polish subsidiaries for compliance purposes is addressed in our corporate governance for Poland subsidiaries guide.
What should companies prepare before engaging counsel or regulators?
Preparation before a regulatory inquiry or a dispute determines how quickly – and how well – the matter resolves. Regulators assess whether a company acted in good faith and maintained a proportionate programme. Courts in commercial disputes assess whether a party took reasonable steps to identify a risk. Both assessments depend on the same underlying documentation. A company that cannot produce its screening records within 48 hours of a request is in a materially worse position than one that can.
We obtained interim protective measures for a Polish distribution company facing a counterparty claim arising from a frozen payment in Silesia (winter 2026). The counterparty argued that the freeze was unjustified and sought damages exceeding EUR 800,000. The decisive factor was our client's ability to produce a complete audit trail – screening certificates, GIIF notification timestamp, and internal escalation records – within two days of the claim being filed. The court granted the interim measures within 72 hours.
The practical checklist below covers the minimum documentation a company should be able to produce on short notice. Gaps in this list are gaps in your defence.
- Timestamped screening certificates for all active counterparties (last 5 years)
- Written sanctions compliance procedure, version-controlled with adoption dates
- Evidence of annual programme review, including update log for new sanctions packages
- GIIF notification records, if any reports were filed
- UBO verification records, including CRBR extracts or equivalent foreign registry outputs
For companies that have not yet formalised their programme, the starting point is a gap analysis against the current EU consolidated list requirements and the AML Act obligations applicable to their sector. That analysis typically takes two to four weeks and produces a prioritised remediation plan. For companies already facing an inquiry, the immediate priority is legal privilege – ensuring that internal communications and assessments are covered before any external disclosure is made. The enforcement and cross-border dimensions of sanctions disputes are also relevant to the principles discussed in our guide on enforcing a Lithuania judgment in Poland, particularly where frozen assets or cross-border recognition issues arise.
For tailored advice on building or auditing a sanctions compliance programme, contact info@kordeckipartners.com. Our disputes and sanctions team advises on programme design, GIIF reporting, KIO appeals, and enforcement defence across 30 jurisdictions.
Frequently asked questions
Q: Does a small Polish company with no banking licence need a formal sanctions screening programme?
A: Yes – though the procedural requirements differ. EU sanctions regulations apply to every person and entity operating within the EU, regardless of size or sector. A small company is not required to maintain a formal AML-style programme unless it falls within the list of obligated institutions under the AML Act. However, it commits a criminal offence if it executes a transaction with a designated person, and it cannot rely on ignorance as a defence. A proportionate programme – a written procedure, a list of databases to check, and a record-keeping obligation – is both legally necessary and commercially protective.
Q: How long does it take to build a compliant screening programme from scratch?
A: For a mid-size company with moderate transaction volume, a baseline programme can be designed and implemented in four to eight weeks. This includes a gap analysis, selection and configuration of a screening tool, drafting of internal procedures, and training of relevant staff. The timeline extends to three to four months for companies with complex supply chains, multiple jurisdictions, or regulated-sector obligations. Costs range from PLN 30,000 to PLN 120,000 depending on scope. Ongoing maintenance – annual review, tool licensing, and periodic staff training – typically costs between PLN 15,000 and PLN 40,000 per year.
Q: Is it a common misconception that screening only applies to Russian-linked transactions?
A: It is one of the most frequently repeated misconceptions we encounter. EU sanctions regimes cover Belarus, Iran, Syria, North Korea, Myanmar, Venezuela, and a range of other jurisdictions and thematic programmes (terrorism, cyber, human rights). The Russia-linked packages are the most operationally intensive because of their breadth and frequency of updates, but they represent only a subset of the total screening obligation. A company that screens only for Russia-connected risk is operating a materially incomplete programme and remains exposed to breaches across all other regimes.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to sanctions compliance, dispute resolution, and enforcement defence. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.