A mid-sized Polish trading company with distribution links across Eastern Europe discovered, during a routine contract review, that one of its long-standing counterparties appeared on a European Union consolidated sanctions list. The firm had no dedicated compliance function, no documented screening workflow, and no clear understanding of which sanctions regimes applied to its operations. The clock was already running.
Polish businesses are subject to EU sanctions regulations directly applicable in Poland, as well as domestic enforcement administered by the General Inspector of Financial Information (Generalny Inspektor Informacji Finansowej, GIIF). Failure to screen counterparties against current EU, UN, and OFAC lists before executing a transaction can result in asset freezes, contract nullity, and personal liability for management board members. The screening obligation applies regardless of company size or sector.
This case study traces how the company identified its exposure, built a defensible screening process within six weeks, and avoided enforcement action. Each stage carries lessons directly applicable to other Polish businesses operating across multiple jurisdictions.
What was the compliance gap that triggered the engagement?
The company had been operating for eleven years without a formal sanctions screening programme. Its onboarding process relied on a single credit-check step and a manual review of trade registers. No one had mapped which sanctions regimes – EU Regulation 269/2014, the consolidated EU financial sanctions list, or OFAC's Specially Designated Nationals list – applied to its counterparty base. That gap is common among Polish mid-market firms.
The triggering event was a contract renewal with a supplier registered in a third country. An internal finance officer, acting on a tip from a business partner, ran an ad hoc name search against the EU financial sanctions list maintained by the Office for Foreign Assets Control of the European Union. The supplier's ultimate beneficial owner appeared as a designated individual. No transaction had been blocked. But the relationship had continued for eight months after the designation date.
Under Polish AML legislation – the ustawa o przeciwdziałaniu praniu pieniędzy oraz finansowaniu terroryzmu (Act on Counteracting Money Laundering and Terrorist Financing) – obligated entities must freeze assets and report to the GIIF within 24 hours of identifying a sanctions match. The company had missed that window repeatedly. That created personal liability risk for two board members who had signed payment instructions during the period.
We were engaged within 48 hours of the internal discovery. The immediate priority was to assess whether any funds had actually been transferred to a designated person, and whether a voluntary disclosure to the GIIF would reduce enforcement exposure. Both questions required a structured factual reconstruction before any legal strategy could be set.
How did we design the screening process in response?
The strategy rested on three parallel workstreams: immediate risk containment, process architecture, and staff training. Each had a fixed timeline. The containment phase had to close within five business days. The process design had to be documented and tested within four weeks. Training had to be completed before the company resumed onboarding any new counterparties.
We secured a reversal of a potential GIIF enforcement referral for a trading client in the Mazowieckie region (winter 2026) by filing a voluntary disclosure within the statutory 24-hour window from the date of our formal engagement, supported by a detailed transaction chronology. The disclosure framed the breach as a systemic gap rather than intentional evasion – a distinction that Polish enforcement practice treats as a significant mitigating factor.
The screening process we designed covered four list categories:
- EU consolidated financial sanctions list (updated daily via the EU Sanctions Map)
- UN Security Council consolidated list
- OFAC Specially Designated Nationals and Blocked Persons list
- Polish domestic list maintained by the GIIF
Each counterparty onboarding file now requires a documented screening record with a timestamp, the list versions checked, the operator's name, and a sign-off field. Rescreening is triggered automatically at 90-day intervals and on any material change in the counterparty's ownership structure. The National Court Register (Krajowy Rejestr Sądowy, KRS) beneficial ownership data feeds directly into the rescreening schedule.
For a comparable approach used in a different sector context, see our analysis of compliance programme design for Spain subsidiaries in Poland, which addresses analogous list-management challenges for inbound investors.
What were the key process decisions and their rationale?
Three decisions shaped the architecture. First, we recommended a software-assisted screening tool rather than manual list checks. Manual processes fail under volume pressure. The client processed roughly 140 new counterparties per quarter. At that throughput, a human-only workflow generates false negatives at a rate that creates unacceptable legal exposure. The tool selected integrates with the EU Sanctions Map API and flags partial name matches for human review within a defined fuzzy-match threshold.
We also obtained protective interim measures preserving contractual rights worth over EUR 3m for a logistics client in Lower Silesia (spring 2025) by documenting that the client had implemented a compliant screening programme before the disputed transaction – evidence that proved decisive in the counterparty's attempt to void the contract on sanctions grounds.
Second, we separated the screening function from the commercial team. Previously, account managers ran their own checks – or skipped them under deal pressure. The revised governance model places screening within the compliance officer's remit, with a documented escalation path to the management board for any potential match. This mirrors the governance structure recommended under Polish corporate legislation for entities operating in regulated sectors.
Third, we built the whistleblower channel into the same compliance framework. Under the ustawa o ochronie sygnalistów (Whistleblower Protection Act), companies with 50 or more employees must maintain an internal reporting channel. Integrating that channel with the sanctions compliance workflow means that any employee who identifies a potential match has a clear, protected route to report it – without needing to escalate through commercial management. For parallel governance considerations, see our note on corporate governance for Poland subsidiaries.
What lessons apply to other Polish businesses?
The most transferable lesson is timing. Voluntary disclosure before an enforcement authority identifies a breach is treated materially differently from disclosure made after an investigation opens. The GIIF's enforcement practice – and the practice of the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) in supervised sectors – consistently applies reduced penalties where the entity self-reported, cooperated fully, and implemented corrective measures within 30 days. Waiting for the regulator to knock forfeits that mitigation entirely.
The second lesson concerns scope. Many Polish businesses assume sanctions screening applies only to financial institutions subject to AML obligations. That assumption is incorrect. EU sanctions regulations apply directly to all natural and legal persons within the EU. Any Polish company that makes a payment, delivers goods, or provides services to a designated person or entity commits a breach – regardless of whether it holds a banking licence. The compliance obligation is sector-neutral.
The third lesson is documentation. A screening process that exists but is not documented provides little protection. Enforcement authorities assess process quality through records. If a company cannot produce a timestamped screening log for a specific transaction, the presumption runs against it. A checklist approach – even a simple one – is far more defensible than an undocumented verbal procedure.
What to prepare before an enforcement inquiry:
- Timestamped screening logs for all counterparties onboarded in the past 24 months
- Version records for each sanctions list checked at the time of screening
- Written escalation procedure for potential matches
- Evidence of staff training on sanctions obligations
- GIIF registration status and reporting history
For businesses with French parent structures navigating the same obligations, our related analysis of compliance programme design for France subsidiaries in Poland addresses how group-level ESG reporting and CSRD Poland disclosure requirements intersect with local sanctions compliance duties.
The company in this matter completed its programme within the six-week target. No enforcement action was taken. The voluntary disclosure was acknowledged by the GIIF, and the board members' personal liability exposure was resolved without proceedings. The cost of building the programme was a fraction of the penalty exposure that remained open on the date of our engagement.
Frequently asked questions
Q: Does the sanctions screening obligation apply to Polish companies that do not operate in the financial sector?
A: Yes. EU sanctions regulations apply directly to all persons and entities within the European Union, regardless of sector. A Polish trading, manufacturing, or technology company that transacts with a designated counterparty breaches EU law even if it has no AML or banking licence obligations. The General Inspector of Financial Information administers enforcement, but the underlying legal obligation is EU-level and sector-neutral.
Q: How often should a Polish business rescreen its existing counterparty base?
A: Polish compliance practice – and the guidance issued by the GIIF – supports a minimum 90-day rescreening cycle for active counterparties, with immediate rescreening triggered by any change in beneficial ownership, a new designation in a relevant jurisdiction, or a material change in the commercial relationship. For counterparties in higher-risk jurisdictions, monthly rescreening is advisable. The key requirement is that the rescreening schedule is documented and consistently applied.
Q: What is the most common misconception about sanctions compliance among Polish SMEs?
A: The most common misconception is that a one-time check at onboarding is sufficient. Sanctions lists are updated continuously – the EU consolidated list alone is revised multiple times per week. A counterparty that was clean at onboarding may be designated six months later. Without a rescreening programme, the company will not detect that change until a problem surfaces. By that point, the breach has already occurred and the voluntary disclosure window may have closed.
Specific compliance needs require tailored analysis. Implementing a defensible screening programme – particularly where past transactions may carry residual exposure – involves legal, procedural, and regulatory dimensions that interact differently in each business context. To discuss how the sanctions screening framework applies to your company's situation, email info@kordeckipartners.com.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to sanctions compliance, AML, ESG reporting, and CSRD Poland obligations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.