Sanqto
home industries travel agencies
Industry page

For travel agencies and OTAs

Booking a package for a customer on the EU sanctions list is the provision of a service — and it's prohibited. Liability sits with the agency, not the traveller.

See demo
Works offline
GDPR-aligned
EU / UN / OFAC lists
Auditable reports
Legal status for this industry
The duty not to provide services or funds applies regardless of AML status. Brokerage, advisory, leasing, insurance — each is a "service" within the meaning of Reg. 269/2014.
Reg. 269/2014 · 833/2014 · Polish Act of 13.04.2022
Legal obligation

Does a travel agency have to run sanction screening?

Yes. If you sell packages, bookings or concierge services, you are required to screen your counterparties against sanctions lists — regardless of whether you are an obliged entity under AML law.

The duty does not come from banking law

The most common mistake is: "sanctions are a matter for banks". In fact, Council Regulation (EU) 269/2014 prohibits making funds and economic resources — including services — available to anyone on the EU list. The ban binds every company operating in the EU, and selling a trip, a ticket or a hotel package counts as "making a service available" within its meaning. Holding the status of an AML obliged entity changes nothing here.

What triggers risk in tourism

The flashpoints are corporate and VIP clients, group bookings through intermediaries, and payments from foreign companies. A listed person rarely buys a package under their own name — they use a company, a foundation or an agent. That is why screening a name alone is not enough: you have to establish the UBO of the payer, especially with B2B collection.

Sectoral sanctions are a separate layer

Beyond the list of persons and entities, sectoral sanctions under Regulation 833/2014 also apply — including restrictions on flights, luxury services and certain destinations. A yacht charter, a premium service or arranging a trip to a restricted destination may breach the rules even when the client themselves is not on any list.

What skipping the check risks

For making funds or services available to a listed party, the Act of 13 April 2022 provides for an administrative penalty of up to PLN 20M. Directive (EU) 2024/1226 additionally requires EU states to criminalise sanctions violations — in Poland it is being transposed by draft bill UC92. A documented screening procedure is at the same time evidence of due diligence.

This material is educational and does not constitute legal advice. Legal status: May 2026. Basis: Council Regulations (EU) 269/2014 and 833/2014 and the Polish Act of 13 April 2022.

Risk scenarios

What this looks like in your work.

SCENARIO 01

B2B booking on a corporate card

A corporate client books a package for the board. Payment by the company card; the company's majority shareholder is in Annex I of Reg. 269/2014. The agency provides the service → liability sits with the agency.

SCENARIO 02

Group booking via a third party

An agent sells a 40-person package to a "cultural foundation" with a Russian parent company. UBO screening exposes the link in seconds.

Hot spots

Where the risk is highest.

  • 01
    Corporate and VIP customers
  • 02
    Group bookings via intermediaries
  • 03
    Payments from foreign entities
  • 04
    Concierge services, charters, yachts
Tailored workflow

When exactly to screen the customer.

1
On booking creation
Quick screening by name / payer's tax ID
2
Before B2B collection
UBO screening of the paying company
3
Periodically for portfolio clients
Weekly monitoring of list changes
Mini-case

"Amber Travel", 1,200 customers / year

Deployed in 4 days. Booking system data imported via CSV. Full audit trail for the FIU from month two. Package: Business — 5 900 EUR one-time.

typical persona
Service-side SMB
1–20 staff · deployed in 7 days
Most-asked questions

Truth first, technology second.

Does this really apply to my industry?
Yes. The ban on making funds available or providing services to listed persons (Art. 2 of Reg. 269/2014) applies to all economic operators — regardless of whether the industry is formally under AML obligations. For sectors like travel or real estate, criminal and administrative liability already exists today.
What if the customer doesn't agree to be screened?
Screening uses data you already hold from the contract or invoice (first name, last name, company name, tax ID, optionally date of birth). It does not require customer consent — it is the business's discharge of a legal obligation (GDPR Art. 6(1)(c)).
What do I do when there's a hit?
The app flags the result red, generates a justified report, and surfaces the procedure: pause the service, freeze funds, notify the FIU within 24 hours. Nothing is reported automatically — the decision sits with you.
Are the reports accepted by the FIU and tax authority?
Each report carries a timestamp, the reference-list version, the operator identifier and a hash of the input file — a format aligned with regulator expectations. Local archival for 5 years (the required retention period).
How often are the lists updated?
Every hour, plus immediately after publication of changes in the Official Journal of the EU. The app pulls reference files itself — it never sends customer data the other way.
Does this integrate with my CRM?
Yes. The Business and Enterprise tiers expose a REST API and ship integrations for popular CRMs (Pipedrive, HubSpot, Salesforce, Bitrix). On Starter you use the manual form.
Where is my data physically?
Wherever you install the app — your machine, your server, your network. There is no "Sanqto cloud" for customer data. Consequence: no data-processing agreements, no third-country transfers.
What's the fine if I don't screen?
Up to PLN 20,000,000 in administrative fines (Art. 15(1)(2) of the Act of 13 Apr 2022) and criminal liability up to 15 years for making funds available. Liability sits with the business — not the customer.
Contact

Book a 20-minute deployment call.

No salesperson, no slide deck. We'll show the install and answer the legal questions.

We reply within 1 business day.
Demo on your data (locally, on your hardware).
30-day trial, no commitments.

By clicking, you consent to being contacted with our offer. Data does not leave the EEA.

See demo