home industries online stores

Industry page

For online stores

Shipping goods to a recipient on the sanctions list or under embargo is a prohibited transaction — including in dropshipping and cross-border sales. Liability sits with the seller.

See demo

Works offline

GDPR-aligned

EU / UN / OFAC lists

Auditable reports

Legal status for this industry

The duty not to provide services or funds applies regardless of AML status. Brokerage, advisory, leasing, insurance — each is a "service" within the meaning of Reg. 269/2014.

Reg. 269/2014 · 833/2014 · Polish Act of 13.04.2022

Legal obligation

Does an online store have to run sanction screening?

Yes. Selling and shipping goods to a recipient on the sanctions list or under embargo is a prohibited transaction — the seller named on the invoice is liable.

Selling goods means making a resource available

Regulation (EU) 269/2014 prohibits making funds and economic resources available to entities on the EU list — and selling and releasing goods fall squarely within that. The duty does not depend on the size of the store or on whether it is an AML obliged entity. It is enough that the recipient or the payer is on the list for fulfilling the order to become a breach of the rules.

B2B sales and the corporate payer

In retail sales to consumers the risk is low, but it rises sharply with B2B and wholesale orders. A corporate client pays from the account of a company whose majority shareholder may be on the list. That is why, for business orders, it is worth screening not only the counterparty's name but also the invoice details and the UBO of the payer.

Cross-border, dropshipping and re-export

The hardest area is cross-border shipping, dropshipping and marketplace sales. Goods can travel from the supplier straight to an intermediary in a third country that re-exports them to Russia — breaching the sectoral sanctions under Regulation 833/2014. The seller who issued the invoice remains liable, even if they do not know the end recipient.

What skipping the check risks

The Act of 13 April 2022 provides for an administrative penalty of up to PLN 20M for breaching the ban. Directive (EU) 2024/1226 requires EU states to criminalise sanctions violations — in Poland it is being transposed by draft bill UC92. A real-world consequence is also the payment provider blocking the transaction and the marketplace suspending the seller's account.

This material is educational and does not constitute legal advice. Legal status: May 2026. Basis: Council Regulations (EU) 269/2014 and 833/2014 and the Polish Act of 13 April 2022.

Risk scenarios

What this looks like in your work.

SCENARIO 01

B2B sale with a corporate payment

A wholesale client pays from the account of a company whose majority shareholder is in Annex I of Reg. 269/2014. Fulfilling the order means making goods available — which is prohibited.

SCENARIO 02

Dropshipping and cross-border shipping

Goods travel from the supplier straight to an intermediary in a third country that re-exports them to Russia. The seller named on the invoice is still your store.

Hot spots

Where the risk is highest.

01
B2B sales and wholesale orders
02
Cross-border shipping and export
03
Dropshipping without control over the end recipient
04
Marketplaces and third-party sellers

Tailored workflow

When exactly to screen the customer.

On a B2B order

Screen the payer and the invoice details

Before an international shipment

Verify the recipient and the delivery country

On suspected re-export

Check the intermediary and the final destination

Mini-case

"TechHurt" store, 9,000 orders / year

Deployed in 4 days, integrated with the e-commerce platform over an API. Payer screening runs automatically on B2B orders. Package: Business — 5 900 EUR one-time.

typical persona

Service-side SMB

1–20 staff · deployed in 7 days

Most-asked questions

Truth first, technology second.

Does this really apply to my industry?

Yes. The ban on making funds available or providing services to listed persons (Art. 2 of Reg. 269/2014) applies to all economic operators — regardless of whether the industry is formally under AML obligations. For sectors like travel or real estate, criminal and administrative liability already exists today.

What if the customer doesn't agree to be screened?

Screening uses data you already hold from the contract or invoice (first name, last name, company name, tax ID, optionally date of birth). It does not require customer consent — it is the business's discharge of a legal obligation (GDPR Art. 6(1)(c)).

What do I do when there's a hit?

The app flags the result red, generates a justified report, and surfaces the procedure: pause the service, freeze funds, notify the FIU within 24 hours. Nothing is reported automatically — the decision sits with you.

Are the reports accepted by the FIU and tax authority?

Each report carries a timestamp, the reference-list version, the operator identifier and a hash of the input file — a format aligned with regulator expectations. Local archival for 5 years (the required retention period).

How often are the lists updated?

Every hour, plus immediately after publication of changes in the Official Journal of the EU. The app pulls reference files itself — it never sends customer data the other way.

Does this integrate with my CRM?

Yes. The Business and Enterprise tiers expose a REST API and ship integrations for popular CRMs (Pipedrive, HubSpot, Salesforce, Bitrix). On Starter you use the manual form.

Where is my data physically?

Wherever you install the app — your machine, your server, your network. There is no "Sanqto cloud" for customer data. Consequence: no data-processing agreements, no third-country transfers.

What's the fine if I don't screen?

Up to PLN 20,000,000 in administrative fines (Art. 15(1)(2) of the Act of 13 Apr 2022) and criminal liability up to 15 years for making funds available. Liability sits with the business — not the customer.

Contact

Book a 20-minute deployment call.

No salesperson, no slide deck. We'll show the install and answer the legal questions.

We reply within 1 business day.

Demo on your data (locally, on your hardware).

30-day trial, no commitments.

See demo