Sanqto
home blog aml vs sanctions — what is the difference and why they are not the same
Article

AML vs Sanctions — What Is the Difference and Why They Are Not the Same

AML applies to obliged entities; EU sanctions apply to every company. Learn the key legal differences and why your business must conduct sanction screening.

Published: · Sanqto Team · 18 min read
aml-sankcje sanction-screening instytucje-obowiazane compliance obowiazek-screeningu kas giif roznica-aml-sankcje
Two separate legal tracks — AML and sanctions — shown diverging on a diagram, symbolising distinct compliance regimes for companies in Poland

If someone told you that sanction screening is a matter for banks and firms covered by the AML Act (the Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing), you were misinformed. AML and the EU sanctions regime are two separate legal systems — with different legal bases, different scopes of application, and different supervisory authorities. Council Regulation (EU) No 269/20141 applies to every company operating in the European Union, regardless of whether it is an obliged entity within the meaning of the AML Act. This article explains that distinction once and for all.

Legal status as of: 2026-05-20.

TL;DR — six key differences at a glance

  • AML (anti-money laundering and counter-terrorist financing) is the Act of 1 March 2018, which imposes obligations on a closed list of entities — so-called obliged entities — primarily banks, accounting offices, estate agents, notaries, and similar.
  • EU sanctions arise from EU regulations (chiefly No 269/20141 and No 833/20142), which apply directly to every natural and legal person on the territory of the Union — without any sectoral exception and without any threshold based on company size.3
  • If your company is not an AML obliged entity, you still have a sanction screening obligation arising directly from EU regulations and the Act of 13 April 2022.4
  • The authority responsible for AML is the GIIF (Generalny Inspektor Informacji Finansowej — General Inspector of Financial Information); the authority responsible for sanctions enforcement against non-financial firms is the Head of the National Revenue Administration (Szef Krajowej Administracji Skarbowej)5 — these are two different institutions with two different inspection procedures.
  • The administrative fine for a breach of the sanctions obligation is up to PLN 20,000,0006, regardless of whether the company is an AML obliged entity.
  • If your company is an AML obliged entity, you are subject to both regimes simultaneously — they are not alternatives; they are overlapping requirements.

The most common misconception — “AML and sanctions are the same thing”

This belief is widespread and understandable. Both topics arise together in compliance discussions, both involve verifying clients and counterparties, and the abbreviations — AML, KYC, PEP, sanctions — sound like one set of rules for the financial sector. Operationally they do look similar: you check who you are doing business with.

However, operational similarity does not mean legal identity. Conflating the two regimes leads to one specific mistake: a company outside the list of AML obliged entities concludes it has no verification obligations at all. A travel agency that is not an AML obliged entity says: “this doesn’t apply to us.” A marketing agency serving clients across Europe says: “we’re not a bank.” That mistake can cost up to PLN 20 million in administrative fines6.

The distinction is straightforward once you look at the legal bases of the two systems — so let us start there.

What is AML — the Act of 1 March 2018 and obliged entities

AML stands for Anti-Money Laundering. In Poland this area is governed primarily by the Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing (Journal of Laws 2023 item 1124, consolidated text) — hereinafter: the AML Act.

The AML Act imposes obligations on obliged entities — a closed list of entities set out in Article 2(1) of that Act. The list is long but coherent: it covers mainly entities from the financial sector and entities performing particular functions in economic transactions. Alongside banks and financial institutions you will find, among others: accounting offices and tax advisers, notaries and legal advisers in relation to specified activities, estate agents, and auction houses for transactions above a defined value.

What must an obliged entity do? AML obligations are extensive. They include applying customer due diligence measures (identity verification, i.e. KYC — Know Your Customer), assessing the money-laundering risk, ongoing monitoring of transactions for suspicious patterns, registering transactions above a defined value, and — crucially — reporting suspicious transactions to the GIIF (Generalny Inspektor Informacji Finansowej — General Inspector of Financial Information)7. The GIIF is a state administrative authority operating within the Ministry of Finance that coordinates anti-money-laundering efforts in Poland.

The key word is “obliged entities”: if you are not listed in Article 2(1) of the AML Act, the AML Act essentially does not apply to you. That is precisely where the false conclusion arises: since AML does not apply to me, “compliance” does not apply to me.

What is sanction screening and who is subject to it

Sanction screening is the verification of a counterparty, client, or transaction against sanctions lists — registers of persons, companies, and organisations subject to restrictive measures issued by the EU, the UN, or national authorities. The result of that verification is one of three states: MATCH (confirmed hit — transaction prohibited), POSSIBLE (possible hit — requires further investigation), or CLEAR (no hit found).

The obligation to conduct sanction screening arises from an entirely different set of rules than the AML Act. Its legal basis consists of Council Regulations of the European Union — primarily Regulation No 269/2014 of 17 March 20141 and Regulation No 833/2014 of 31 July 20142 — and the Polish Act of 13 April 2022 on special measures to counter the support of aggression against Ukraine and to protect national security (Journal of Laws 2022 item 835)4.

The crucial difference in scope: EU regulations are directly applicable in every Member State without any need for transposition3 and bind every natural person, every legal person, every entity, and every body on the territory of the European Union. Article 2(1) of Regulation No 269/2014 requires the freezing of funds belonging to listed persons and prohibits making funds available to them — that prohibition applies to everyone, not only to banks.1

This means your travel agency, leasing company, marketing agency, or e-commerce shop has a direct legal obligation arising from EU regulations — regardless of whether it is an obliged entity within the meaning of the AML Act. A detailed description of exactly who is subject to the sanction screening obligation in Poland can be found in the article sanction screening obligation — who is affected.

Comparison table — AML vs EU sanctions

The table below sets out both regimes across six dimensions that matter in practice for an SME.

DimensionAML regimeEU sanctions regime
Legal basisAct of 1 March 2018 on Counteracting Money Laundering (Journal of Laws 2023 item 1124, consolidated text)7Regulation No 269/20141, Regulation No 833/20142; Act of 13.04.2022 (Journal of Laws 2022 item 835)4
Scope of applicationClosed list: obliged entities under Article 2(1) of the AML Act (banks, accounting offices, estate agents, notaries, etc.)Every natural and legal person on the territory of the EU — no sectoral exception3
PurposePreventing money laundering and terrorist financingEnforcing restrictive measures against specific persons, entities, and countries
Key obligationsKYC (identity verification), customer risk assessment, transaction monitoring, reporting of suspicious transactions to GIIFProhibition on transacting with listed entities, obligation to freeze assets, verification before every transaction
Supervisory authorityGIIF (General Inspector of Financial Information)7 for AML obliged entitiesHead of the National Revenue Administration — KAS (Szef Krajowej Administracji Skarbowej)5 for non-financial firms; GIIF7 for obliged entities
Penalty for breachAdministrative and criminal penalties under the AML Act (varying by type of breach)Up to PLN 20,000,000 in administrative fines (Article 6(2) of the Act of 13.04.2022)6; a maximum custodial sentence of at least five years (Article 5(3)(b) of Directive 2024/12268, for breaches involving assets of at least EUR 100,000)

Why a company outside the AML obliged entities must still conduct sanction screening

This is the crux of the entire article. Most SME owners, when they hear “compliance” and “client verification,” think: “that’s for banks.” Yet these two concepts relate to two different legal systems with entirely different reach.

The AML Act creates a narrow list of entities with extensive obligations. The EU sanctions regime creates a broad, universal prohibition — applicable to everyone — with one central command: do not do business with an entity on the sanctions list.

EU regulations are a special type of legal act: they enter into force without implementation by national parliaments and apply directly to every citizen and every company in the Union.3 You do not need to be a bank or an accounting office to be addressed by Regulation 269/2014. It is enough that you carry on business in the EU and enter into commercial transactions.

A few practical examples:

  • Your estate agency is acting as an intermediary in the sale of a flat. The buyer is on the sanctions list. If the transaction proceeds — you have breached the prohibition in Article 2 of Regulation 269/20141, even if you are not an AML obliged entity (although estate agents are simultaneously obliged entities — which makes this a good example of the two regimes overlapping).
  • Your travel agency sells a holiday package. The client is on the EU sanctions list. Accepting the payment and providing the service constitutes a sanctions breach — regardless of the fact that travel agencies are not AML obliged entities.
  • Your insurance company issues a policy. The policyholder is listed on the Polish MSWiA list9 maintained by the minister responsible for internal affairs. The transaction is prohibited by operation of the Act of 13 April 2022.4

The authority that will inspect your company and impose any fine is not the GIIF (which inspects AML obliged entities), but the Head of the National Revenue Administration.5 The maximum administrative fine is PLN 20,000,000.6 Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures10 required Member States to criminalise such violations — the implementation deadline was 20 May 2025.11 Legislative work on the national implementing act is ongoing in Poland.

What to do if your company is subject to both regimes

Some companies are simultaneously AML obliged entities and addressees of the EU sanctions regime. This applies, among others, to estate agents, insurance brokers, and accounting offices. The choice is not between one or the other — both apply in parallel and both must be complied with.

Step 1: Identify which regime (or both) applies to you. Check whether your sector or form of business is listed in Article 2(1) of the Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing. If it is — you are an AML obliged entity. Regardless of the outcome of that check, you are also an addressee of EU regulations as an entity carrying on business on the territory of the Union.3

Step 2: Keep the compliance procedures separate. AML obligations (customer risk assessment, transaction monitoring, reporting to GIIF) and sanctions obligations (verification against sanctions lists before every transaction) are two distinct processes. In practice, sanctions verification is an element of the KYC process — you conduct it at client onboarding alongside identity verification. But they must not be confused conceptually.

Step 3: Establish who in the company is responsible for what. AML obliged entities are required to designate a responsible person (Article 8 of the AML Act). For sanctions obligations there is no identical statutory requirement for non-financial firms — but designating a responsible person and documenting the internal procedure in writing is good practice and evidence of due diligence. How to allocate that responsibility without creating a new post is explained in the article on the sanctions compliance officer in a small company.

Step 4: Build your documentation. For the AML regime the requirements are: a risk assessment, internal procedures, a transaction register, and reports to GIIF. For the sanctions regime: a verification register (who, when, which list, result), a sanctions policy, and a procedure for handling MATCH and POSSIBLE results. Article 49 of the Act of 1 March 2018 on Counteracting Money Laundering specifies a five-year retention period for documentation kept by obliged entities12 — you may use that as a reference point for sanctions documentation as well.

Step 5: Monitor sanctions lists on an ongoing basis. Lists are updated on a rolling basis, without a fixed schedule. The Polish MSWiA list is updated after each decision by the minister responsible for internal affairs13; the EU list is updated after each sanctions package. Checking once at contract signature is not sufficient. Re-verify at every material transaction with an existing counterparty — more on how to organise ongoing monitoring is set out in the article on sanctions list updates. More on what the current EU sanctions list looks like can be found in the article the sanctions list — what it is and who it affects.

FAQ — frequently asked questions

Does a company that is not an AML obliged entity have to conduct sanction screening?

Yes. The sanction screening obligation does not arise from the AML Act — it arises directly from Council Regulations (EU) No 269/20141 and No 833/20142, which apply to every natural and legal person on the territory of the European Union.3 The absence of AML obliged-entity status does not exempt a company from this obligation.

What is the GIIF and does it inspect companies outside the financial sector?

The GIIF (Generalny Inspektor Informacji Finansowej — General Inspector of Financial Information) is a body established by the Act of 1 March 2018 on Counteracting Money Laundering7, responsible for coordinating anti-money-laundering and counter-terrorist-financing efforts. The GIIF inspects obliged entities within the meaning of the AML Act — banks, accounting offices, estate agents, and other entities listed in Article 2(1) of that Act. For non-financial companies outside that list, the competent authority in respect of a sanctions breach is the Head of the National Revenue Administration (KAS — Krajowa Administracja Skarbowa)5.

Are sanction screening and KYC (Know Your Customer) the same thing?

No. KYC — i.e. customer identity verification — is an element of AML procedures required of obliged entities. Sanction screening is the checking of a counterparty against sanctions lists; it may be an element of the KYC process, but it is a separate activity required by separate legislation. A company that is not an AML obliged entity has no formal obligation to run a full KYC process — it does, however, have an obligation to verify against sanctions lists.

Which authorities enforce sanctions compliance in Poland and who imposes fines?

In Poland, fines for breach of obligations arising from EU regulations are imposed by the Head of the National Revenue Administration (KAS)5 — by way of an administrative decision — of up to PLN 20,000,000.6 AML obliged entities are additionally supervised by the GIIF7. Entities supervised by the KNF (Komisja Nadzoru Finansowego — Polish Financial Supervision Authority) in the area of sanctions are supervised by the KNF.

Am I subject only to Polish law, or also directly to EU law?

Both. EU regulations are directly applicable legal acts3 — they require no transposition and apply to you directly, just like a national statute. The Polish Act of 13 April 20224 supplements them with national implementing tools (the MSWiA lists, the powers of KAS) and penalties. Both levels of law apply simultaneously.

What penalties can we face for a sanctions breach — specific figures?

The administrative fine imposed by the Head of KAS is up to PLN 20,000,000 (Article 6(2) of the Act of 13 April 2022)6. At European level, Directive 2024/122610 provides for a maximum custodial sentence of at least five years for breaches involving funds or economic resources worth at least EUR 100,0008. A detailed discussion of all types of penalties can be found in the article penalties for breaching EU sanctions in Poland.

What to do in practice — 5 steps for a company that is not an AML obliged entity

  1. Check whether you are an AML obliged entity. Review Article 2(1) of the Act of 1 March 2018. If your sector is listed — you have additional AML obligations. Regardless of the outcome, proceed to step 2.

  2. Accept that the sanctions obligation applies to you. Regulation 269/20141 applies to you directly and without exception. Establish which sanctions lists you must monitor — the minimum is the EU Consolidated List and the Polish MSWiA list9.

  3. Designate a person responsible for sanctions compliance. This may be a member of your administrative staff, someone from your legal team, or an external adviser. What matters: a written authorisation and a documented internal procedure.

  4. Implement a verification procedure. Every new counterparty, every new transaction — verification against sanctions lists before it is executed. Document the result in a hit register: date, counterparty details, list used, result (MATCH/POSSIBLE/CLEAR), signature of the responsible person.

  5. Ensure continuity of monitoring. Lists are updated irregularly and without advance notice. A counterparty that was CLEAR three months ago may be on the list today. Regular monitoring — or automation of this process — is not optional; it is an element of due diligence.

How Sanqto can help

Sanqto is sanction screening software designed with non-financial companies in mind — travel agencies, estate agencies, insurance brokers, leasing companies, and other entities that have a sanctions obligation but do not fall within the list of AML obliged entities. The software is installed within the client’s own network (on-premise model), which means counterparty data never leaves your infrastructure. The system verifies counterparties against sanctions lists and returns a result in one of three states — MATCH, POSSIBLE, or CLEAR — automatically documenting every check as an audit trail. The package includes a ready-made sanctions policy, an operational procedure, and a hit register — the documents you will show the Head of KAS at any inspection.

  • Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty, and independence of Ukraine — CELEX 32014R0269

  • Council Regulation (EU) No 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine — CELEX 32014R0833

  • Act of 13 April 2022 on special measures to counter the support of aggression against Ukraine and to protect national security (Journal of Laws 2022 item 835) — eli.gov.pl

  • Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing (Journal of Laws 2023 item 1124, consolidated text) — eli.gov.pl

  • Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures and on the facilitation of such violations, and amending Directive (EU) 2018/1673 — CELEX 32024L1226

  • Polish sanctions list maintained by the MSWiA (Ministry of the Interior and Administration) — maintained by the minister responsible for internal affairs, published in the BIP MSWiA: gov.pl/web/mswia/lista-osob-i-podmiotow-objetych-sankcjami

Footnotes

Information, not legal advice. This article is informational and educational in nature. It does not constitute legal advice. Legal status as of: 2026-05-20. The specific obligations of your company depend on your business profile and require individual assessment — if in doubt, consult a lawyer or a compliance adviser.

  1. Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty, and independence of Ukraine, Article 2(1)–(2): “All funds and economic resources belonging to, owned, held or controlled by the natural or legal persons, entities or bodies listed in Annex I, or by natural or legal persons, entities or bodies associated with them, shall be frozen. No funds or economic resources shall be made available, directly or indirectly, to or for the benefit of the natural or legal persons, entities or bodies listed in Annex I, or to natural or legal persons, entities or bodies associated with them.” — CELEX 32014R0269 ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎

  2. Council Regulation (EU) No 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine, Article 2(1): “It shall be prohibited to sell, supply, transfer or export, directly or indirectly, dual-use goods and technology — whether or not originating in the Union — to any natural or legal person, entity or body in Russia or for use in Russia […]” — CELEX 32014R0833 ↩︎ ↩︎ ↩︎ ↩︎

  3. An EU regulation is directly applicable in every Member State without any need for transposition. Source: EUR-Lex — eur-lex.europa.eu/EN/legal-content/summary/regulation-eu-legal-act.html. Quote: “A regulation is binding in its entirety and directly applicable in all Member States.” ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎

  4. Act of 13 April 2022 on special measures to counter the support of aggression against Ukraine and to protect national security (Journal of Laws 2022 item 835) — title and key particulars: date of promulgation 2022-04-13, entry into force 2022-04-16. — eli.gov.pl ↩︎ ↩︎ ↩︎ ↩︎ ↩︎

  5. Act of 13 April 2022 (Journal of Laws 2022 item 835), Article 6(2) — the financial penalty is imposed by way of a decision by the Head of the National Revenue Administration (Szef Krajowej Administracji Skarbowej). — api.sejm.gov.pl ↩︎ ↩︎ ↩︎ ↩︎ ↩︎

  6. Act of 13 April 2022 (Journal of Laws 2022 item 835), Article 6(2): “A financial penalty shall be imposed by the Head of the National Revenue Administration, by way of a decision, of up to PLN 20,000,000.” — eli.gov.pl ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎

  7. Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing (Journal of Laws 2023 item 1124, consolidated text), Article 12(1): “The duties of the General Inspector include taking measures to counteract money laundering and terrorist financing.” — eli.gov.pl ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎

  8. Directive (EU) 2024/1226, Article 5(3)(b): “the offences referred to in Article 3(1)(a), (b) and (h)(i) and (ii) are punishable by a maximum term of imprisonment of at least five years” — the provision applies where the breach concerns funds or economic resources worth at least EUR 100,000. — CELEX 32024L1226 ↩︎ ↩︎

  9. Ministry of the Interior and Administration (MSWiA — Ministerstwo Spraw Wewnętrznych i Administracji) — List of persons and entities subject to sanctions (Polish sanctions list). The current list is available at: gov.pl/web/mswia/lista-osob-i-podmiotow-objetych-sankcjami ↩︎ ↩︎

  10. Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures and on the facilitation of such violations, and amending Directive (EU) 2018/1673 — CELEX 32024L1226 ↩︎ ↩︎

  11. Directive (EU) 2024/1226, Article 20(1): “Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by 20 May 2025.” — CELEX 32024L1226 ↩︎

  12. Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing, Article 49: “Obliged entities shall retain [documentation] for a period of five years, calculated from the first day of the year following the year in which the business relationship ended […].” — eli.gov.pl ↩︎

  13. Act of 13 April 2022 (Journal of Laws 2022 item 835), Article 2(1) and Article 3(1): “The list of persons and entities against whom the measures referred to in Article 1 are applied, hereinafter referred to as ’the list’, shall be maintained by the minister responsible for internal affairs. The minister responsible for internal affairs shall issue decisions on the inclusion in and removal from the list.” — eli.gov.pl ↩︎

All articles See demo