A Warsaw-based trading company ships a consignment to a long-standing distributor. Three weeks later, a correspondent bank flags the payment: the distributor's parent entity appears on the EU consolidated sanctions list. The shipment is already delivered. The company now faces asset-freeze exposure, potential criminal liability for its directors, and a blocked receivable it may never recover. The whole sequence could have been interrupted at the contracting stage – with a single, well-run screening check.

Sanctions screening is the process by which a business verifies that its counterparties, transactions, and assets do not involve persons or entities subject to restrictive measures imposed by the EU, UN, or other relevant authorities. Under Polish law, the primary obligations flow from directly applicable EU regulations and from the ustawa o szczególnych środkach ograniczających ze względu na zewnętrzne działania Federacji Rosyjskiej (Act on Special Restrictive Measures, the Sanctions Act). Breaches can result in fines of up to EUR 1,000,000 or criminal liability for individuals, with no de minimis threshold.

This guide covers the full screening cycle: which lists to check, how to build the internal process, what the three most common failure modes look like across manufacturing, IT, and foreign-investor scenarios, and what a minimum-viable compliance programme costs in practice. The FAQ section addresses the questions we hear most often from clients building their first screening workflow.

Which sanctions lists apply to Polish businesses?

Polish businesses operate in a multi-layered sanctions environment. Three frameworks apply simultaneously: EU autonomous sanctions (directly binding), UN Security Council measures transposed into EU law, and – for companies with US dollar flows or US-person exposure – OFAC designations. Understanding which lists are mandatory is the first step in calibrating the screening scope.

The EU consolidated list, maintained by the European External Action Service (EEAS), is the central reference point. It covers all EU autonomous sanctions programmes and UN-transposed measures. The National Court Register (KRS) and the Polish Financial Intelligence Unit (Generalny Inspektor Informacji Finansowej, GIIF) publish domestic guidance on implementation. For businesses in regulated sectors – banking, insurance, capital markets – the Polish Financial Supervision Authority (KNF) issues additional binding expectations on screening frequency and documentation.

Three practical points follow from this structure. First, EU list updates are published in the Official Journal with immediate effect, so a counterparty clean today may be listed tomorrow. Second, ownership and control rules extend the obligation beyond named entities: a party owned 50 percent or more by a listed person is itself subject to the same restrictions, even if not separately listed. Third, sector-specific sanctions (energy, transport, luxury goods) create transaction-level screening duties that go beyond entity checks.

  • EU consolidated sanctions list (EEAS) – mandatory for all Polish entities
  • UN Security Council consolidated list – embedded in EU regulations
  • OFAC SDN list – required for USD-denominated transactions or US-person nexus
  • UK OFSI list – relevant for companies with UK counterparties post-Brexit
  • Domestic watchlists published by GIIF – relevant for AML overlap

One point that frequently surprises clients: EU sanctions and AML obligations are legally distinct, but operationally they overlap. A compliance lawyer in Warsaw will typically design a unified screening workflow that satisfies both the sanctions framework and the ustawa o przeciwdziałaniu praniu pieniędzy i finansowaniu terroryzmu (Anti-Money Laundering Act, AML Act) simultaneously. This dual-purpose design reduces cost without reducing coverage.

How should the step-by-step screening process be structured?

A defensible screening process has five stages. Each stage produces documented output. The documentation is what protects directors from personal liability when a regulator or prosecutor asks what the company did and when.

Stage one is counterparty identification. Before any contract is signed or payment is made, the business collects full legal name, registered address, country of incorporation, and – critically – ultimate beneficial ownership (UBO) data. For corporate counterparties, the UBO chain must be traced to the natural person holding direct or indirect control. The KRS provides public UBO data for Polish entities; for foreign counterparties, the equivalent national register or a commercial database is used. Gaps in UBO data are themselves a red flag under the AML Act.

Stage two is list screening. The counterparty name and all identified UBOs are run against the applicable lists. Manual checks against the EEAS website are legally sufficient for very small businesses, but they carry high operational risk: name variants, transliterations, and spelling errors cause false negatives. Most businesses processing more than 50 counterparties per month should use automated screening software, which typically costs between EUR 200 and EUR 2,000 per month depending on volume and list coverage.

Stage three is hit review. Automated tools generate both true matches and false positives. A trained reviewer – ideally with compliance or legal background – assesses each alert against full identifying information: date of birth, nationality, registration number. A false positive must be documented as such. A true match triggers the escalation protocol immediately, with no further transaction steps until legal clearance is obtained.

Stage four is ongoing monitoring. A clean check at onboarding is not sufficient. List updates occur multiple times per week. Businesses should re-screen the active counterparty base at least monthly, and immediately after any major EU sanctions package announcement. Our team secured a reversal of a blocked-payment dispute for a logistics client in the Mazowieckie region (autumn 2025) precisely because their monitoring logs demonstrated continuous re-screening – the regulator treated this as evidence of good faith.

Stage five is record-keeping. All screening results, hit reviews, and escalation decisions must be retained for at least five years under the AML Act. Records should be stored in a format that allows rapid retrieval during an inspection by GIIF or KNF.

What are the most common screening failures in practice?

Three failure patterns appear repeatedly across sectors. Each is preventable. Each has caused real financial and reputational damage to Polish businesses in the past 24 months.

The first failure is ownership-chain blindness. A company screens the direct counterparty, finds no match, and proceeds. The counterparty's parent – 60 percent owned by a listed oligarch – is never checked. Under EU ownership and control rules, the subsidiary is itself subject to asset-freeze restrictions. The transaction is void. The business faces regulatory sanction and loses the commercial value of the contract. This is the scenario that forfeits receivables permanently and precludes any claim against the counterparty.
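An added illustration, not part of the original guide: a minimal Python check that walks a counterparty's ownership chain instead of screening only the direct party, with names normalised so that case and diacritic variants still match. All entity names, the listed name, and the stakes are constructed sample data. The code assumes restriction passes through any single owner holding 50 percent or more and does not aggregate several smaller stakes.

```python
import unicodedata

# Constructed sample data: none of these names come from a real sanctions list.
LISTED = {"ivan petrov"}

# Constructed ownership register: entity -> [(owner, stake in percent)].
OWNERS = {
    "Distributor sp. z o.o.": [("Holding Alpha Ltd", 100.0)],
    "Holding Alpha Ltd": [("Iván Petrov", 60.0), ("Fund Beta", 40.0)],
    "Supplier GmbH": [("Fund Beta", 100.0)],
    "Fund Beta": [("Anna Nowak", 100.0)],
    "JV Gamma": [("Holding Alpha Ltd", 30.0), ("Fund Beta", 70.0)],
}

THRESHOLD = 50.0  # "50 percent or more", as stated in the guide


def normalise(name):
    """Fold case, combining diacritics and extra whitespace before comparing."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())


def is_listed(name):
    """Direct name check only: this is the check that misses listed owners."""
    return normalise(name) in LISTED


def restricted_path(entity, owners=OWNERS, _seen=None):
    """Return the chain from entity up to a listed party, or None if none is found.

    Assumption (not from the guide): only a single owner at or above THRESHOLD
    is followed; several smaller stakes are not added together.
    """
    seen = _seen or set()
    if is_listed(entity):
        return [entity]
    if entity in seen:  # circular holding structure: stop instead of looping
        return None
    seen = seen | {entity}
    for owner, stake in owners.get(entity, []):
        if stake >= THRESHOLD:
            path = restricted_path(owner, owners, seen)
            if path:
                return [entity] + path
    return None


if __name__ == "__main__":
    for name in ("Distributor sp. z o.o.", "Supplier GmbH", "JV Gamma"):
        print(name, "| direct hit:", is_listed(name), "| chain:", restricted_path(name))
```

The returned chain is the evidence to attach to the hit review record; an owner missing from the register ends the walk without a finding, so it should be treated as a UBO data gap, not as a clean result.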

The second failure is static onboarding screening. The counterparty was clean in January. In March, the EU adopted a new sanctions package listing that entity. The business continued trading through April and May, processing three further payments. Each payment after the listing date is a separate breach. The personal liability of the director who authorised those payments is not mitigated by the fact that the initial onboarding check was clean. Only continuous monitoring would have interrupted the sequence.

The third failure is inadequate documentation. The business did screen – but kept no records. When GIIF requests evidence of the screening programme during an AML inspection, the company cannot demonstrate compliance. The absence of documentation is treated as absence of the process itself. Fines in this scenario range from PLN 100,000 upwards, and the reputational damage with correspondent banks can outlast the regulatory proceeding by years.

We assisted a technology distributor in Małopolska (spring 2026) in restructuring its screening programme after a GIIF inspection identified documentation gaps. The business had been screening manually but retaining no records. A six-week remediation programme – covering process design, software selection, and staff training – brought the programme into compliance before the follow-up inspection. The cost of remediation was a fraction of the fine that had been under consideration.

How do the three main business scenarios differ in screening requirements?

Screening obligations apply to all Polish businesses, but the practical scope and cost of a compliant programme vary significantly depending on business model. Three scenarios illustrate the range.

A manufacturing company with export operations faces the most demanding screening environment. It must screen not only buyers and distributors but also logistics providers, freight forwarders, and end-use destinations. Dual-use goods regulations add a layer of export control screening on top of sanctions screening. The minimum viable programme for a mid-sized exporter requires automated software, a designated compliance officer (or outsourced compliance function), and a documented escalation procedure. Budget: EUR 500–1,500 per month for software and EUR 8,000–15,000 per year for legal oversight, depending on transaction volume.

An IT company providing software-as-a-service faces a different challenge. Its "transactions" are often automated licence activations triggered by online sign-ups. Manual screening at each activation is not operationally feasible. The compliant solution is API-integrated screening at the point of account creation, with automated blocking of activations that generate a confirmed match. The ESG reporting and CSRD Poland obligations that increasingly apply to larger IT groups also create internal incentives to document the sanctions programme as part of broader governance reporting.

A foreign investor – for example, a German subsidiary operating in Poland – must align its Polish screening programme with the parent group's global compliance framework. This creates a useful efficiency: the parent's existing sanctions software can often be extended to cover Polish entities at marginal cost. However, the Polish Sanctions Act imposes local notification and record-keeping duties that the group programme may not address. A compliance lawyer in Warsaw should review the group framework against local requirements before the subsidiary commences operations. The guide on compliance programme design for Germany subsidiaries in Poland addresses this integration challenge in detail.

For Swedish-owned entities, similar considerations apply. The compliance programme design for Sweden subsidiaries in Poland guide sets out the specific adjustments needed when a Nordic group compliance framework meets Polish local obligations.

What should a minimum-viable screening programme include?

Building a screening programme does not require enterprise-level software or a dedicated compliance department. For most small and medium-sized Polish businesses, a minimum-viable programme covering the core legal obligations can be implemented in four to six weeks.

The checklist below identifies what the programme must contain. Each item corresponds to a regulatory expectation that GIIF or KNF will look for during an inspection.

  • Written sanctions and AML policy, approved by the management board and reviewed annually
  • Counterparty onboarding procedure with UBO identification and list screening as mandatory steps
  • Ongoing monitoring schedule (minimum monthly re-screening of active counterparty base)
  • Escalation and reporting procedure for confirmed matches, including GIIF notification timeline
  • Screening records retained for at least five years in retrievable format

Whistleblower compliance is a connected obligation that many businesses address simultaneously. The ustawa o ochronie sygnalistów (Whistleblower Protection Act) requires businesses with 50 or more employees to maintain an internal reporting channel. A sanctions breach identified by an employee is exactly the type of irregularity the channel is designed to surface. Integrating the whistleblower channel into the broader compliance programme – alongside sanctions screening and AML – produces a unified governance structure that satisfies multiple regulatory frameworks at once.

For businesses considering how penalties are calculated in adjacent compliance areas, the analysis of KSeF penalties calculation and avoidance strategies illustrates how Polish regulators approach graduated enforcement – a logic that applies equally to sanctions violations.

The total annual cost of a minimum-viable programme for a business processing 100–300 counterparties per year is typically between PLN 20,000 and PLN 50,000, covering software, legal review, and staff training. This compares favourably with the minimum regulatory fine of PLN 100,000 for a documented compliance failure.

Frequently asked questions

Q: How often must a Polish business re-screen its existing counterparties?

A: There is no single statutory re-screening interval, but the obligation of continuous compliance means that a business must have a system capable of identifying newly listed counterparties promptly. In practice, monthly re-screening of the active counterparty base is the minimum standard that GIIF and KNF treat as adequate. Businesses in higher-risk sectors – financial services, trade finance, logistics – are expected to screen more frequently, and many run daily automated checks. The key point is that the interval must be defined in writing and actually followed: a policy that says "monthly" but has no evidence of execution provides no protection.

Q: Does a small Polish company with only domestic customers need a sanctions screening programme?

A: This is a common misconception. Sanctions obligations apply to all legal persons incorporated in Poland or conducting business in the EU, regardless of whether their direct customers are domestic. The relevant question is not where the customer is located but whether any party in the transaction chain – supplier, logistics provider, beneficial owner of the customer, correspondent bank – is a designated person. A Polish wholesaler buying from a foreign supplier with a listed UBO is in breach even if its own customers are all Polish. The AML Act and the Sanctions Act both apply on this basis.

Q: What does sanctions screening actually cost for a mid-sized Polish business, and is outsourcing viable?

A: For a business processing 100–500 counterparties per year, the realistic cost range is PLN 20,000–60,000 annually, covering software (EUR 200–800 per month), legal review of the programme design (one-time cost of PLN 8,000–15,000), and annual policy updates. Outsourcing the compliance function to a law firm or specialist compliance provider is viable and often more cost-effective than a full-time internal hire for businesses below approximately 1,000 counterparty transactions per year. The outsourced model also provides access to legal advice on escalation decisions, which is a separate and significant value when a confirmed match occurs.

Every screening gap carries a specific consequence: blocked assets, frozen receivables, or personal liability for directors who authorised the transaction. The irreversible nature of a sanctions breach – a payment made to a listed entity cannot be undone – means that remediation after the fact is always more expensive than prevention. Your specific situation may require adjustments to the standard programme design described above.

If your business is processing international transactions, onboarding foreign counterparties, or operating in sectors with heightened sanctions exposure, our team will conduct a gap analysis of your existing programme, identify the specific lists and monitoring intervals applicable to your business model, and deliver a documented compliance framework within four to six weeks: info@kordeckipartners.com.

About KORDECKI & Partners

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to sanctions compliance, AML, ESG reporting, and internal investigations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.