Sanctions compliance officer certification | Sanqto

Polish law does not require your EU-sanctions compliance officer to hold a specific certificate — there is no equivalent here to a tax adviser’s licence or an entry in the statutory auditors’ register. Even so, since Directive (EU) 2024/1226 — which criminalises EU sanctions violations — came into force, the absence of documented training for the designated person has started to carry real consequences. This article answers the question: when is a certificate practically necessary, what should it cover, and how do you tell a solid programme from a marketing badge?

TL;DR

• Polish law does not require a specific sanctions compliance officer certificate — there is no statutory obligation as there is with a professional licence.
• The Act of 1 March 2018 on counteracting money laundering and terrorist financing (the “AML Act”) obliges obliged institutions to designate a responsible person and to run regular training — but this applies only to AML obliged institutions, not to every company.¹
• Council Regulations (EU) No 269/2014² and No 833/2014³ apply directly to every company in the EU — regardless of sector — and contain no requirement to have a certified compliance officer.
• Directive (EU) 2024/1226 criminalises sanctions violations and requires intent as an element of the offence.⁴ Documentation of training can help demonstrate the absence of intent, which is gaining practical significance.
• Banks and large counterparties increasingly ask in KYC questionnaires (Know Your Customer — the procedure for verifying a client’s identity) about sanction screening procedures and the person responsible for them — having no evidence at all is a weak position.
• Good certification must cover: legal foundations (EU/UN/OFAC/MSWiA), screening in practice (fuzzy matching, the MATCH/POSSIBLE/CLEAR model, false positives), operational procedures and UBO verification — not just legal theory.
• Without a certificate you can still pass an audit; with one, you pass faster and with less risk of personal liability for the management board.

Does a sanctions compliance officer need a certificate? The answer: no and yes

Let us start with the question that comes up most often and that no competing article in Polish-language Google answers precisely.

No legal act in force in Poland obliges a company to ensure that its sanctions compliance officer holds a specific certificate as a condition for operating. That sets this role apart from regulated professions — a tax adviser needs an entry on the National Chamber of Tax Advisers (KIDP) list, a statutory auditor an entry in the audit-oversight register. A sanctions compliance officer — in the formal sense — needs nothing.

That, however, is where the simple part of the answer ends.

What the AML Act says — articles 50 and 52

The AML Act¹ introduces an obligation to designate a person responsible for fulfilling that act’s duties (art. 50) and an obligation to run regular AML/CFT staff training (CFT — Countering the Financing of Terrorism) (art. 52). Both provisions apply only to obliged institutions within the meaning of art. 2(1) of the AML Act — that is, among others, banks, accounting offices, notaries, real-estate agents meeting the AML threshold and similar entities.¹

If you run a travel agency, a leasing company, an online shop or an insurance agency, you most likely are not an obliged institution within the meaning of the AML Act. That means articles 50 and 52 formally do not apply to you. The differences between the AML regime and the sanctions regime are explained in more detail in the article AML vs sanctions — what the difference is.

The key distinction you must remember: not having AML obliged-institution status does not exempt your company from the obligation to apply EU sanctions. Council EU regulations apply directly to everyone — as the section below explains.

For who in Poland must run sanction screening, and what the obligation specifically means, see our separate pillar article.

What Directive 2024/1226 changed — criminalising EU sanctions violations

Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures (the “2024/1226 Directive”)⁴ introduced the criminalisation of EU sanctions violations at the Union level. Its art. 3(1) requires intent as an element of the offence.

The Directive requires Member States to set certain penalty thresholds. The upper limit of the statutory penalty must be at least one year of imprisonment for basic offence types, at least three years for certain aggravated types, and at least five years for the most serious categories of violation — including transactions with listed entities worth at least EUR 100,000 and violations involving military goods.⁴

At the same time, Poland has in force the Act of 13 April 2022 on special arrangements for counteracting support for aggression against Ukraine and for protecting national security (Journal of Laws 2022, item 835)⁵ — its art. 6(2) provides for a financial penalty of up to PLN 20,000,000 imposed by the Head of the National Revenue Administration, and art. 15(1) for imprisonment of no less than 3 years.⁵

A detailed discussion of the full spectrum of penalties for sanctions violations in Poland can be found in a separate article. And a full treatment of Directive 2024/1226 and the criminalisation of sanctions violations appears in a dedicated piece.

Practical consequence for certification: Directive 2024/1226 requires intent as an element of the offence.⁴ A compliance officer’s documented training can help demonstrate the absence of intent on the part of the company’s management board — an element of the offence that the Directive requires in art. 3(1). This is not a formal “due diligence defence” as in common-law systems — but in practice, a management board that has not documented the implementation of compliance training will find it harder to argue that it was unaware of the obligation.

Why non-financial companies seek certification anyway

If there is no formal obligation, where does the interest in certificates among non-financial companies come from? Three very concrete business situations are at play here.

Bank KYC questionnaires. Your business-account bank or a correspondent bank handling your foreign payments can send a questionnaire at any time: “Does your company apply sanction screening procedures? Who is responsible for them? What tools do you use?” The lack of a certificate is not a disqualifier, but a certified compliance officer named in full with a certificate number is a concrete answer — hard to challenge.

Due diligence by large counterparties. Public tenders and B2B contracts increasingly contain a sanctions-compliance clause or require a statement that appropriate procedures have been implemented. A compliance officer’s certificate is the quickest and cheapest proof that someone in your company is responsible for this and knows what they are doing.

Internal audit and inspection. The certificate is the first document an auditor reaches for when reviewing compliance — before they start asking about procedures and registers. An insurer offering a D&O (Directors and Officers) policy assesses the risk of management liability: a documented, certified compliance officer is a factor that lowers the perceived risk.

Personal liability of the management board. EU Regulations 269/2014² and 833/2014³ apply directly to every company in the EU, with no exception for the non-financial sector. A lack of procedures and a trained person is a risk that falls directly on the management board.

What sound certification should cover — a checklist

Before you choose a programme, check whether it meets the criteria below. This is at the same time a list of what your compliance officer should learn.

Essential elements (must have)

• Legal foundations — knowledge of at least four registers: the EU consolidated sanctions list (available at sanctionsmap.eu)⁶, the Polish MSWiA list maintained under the Act of 13 April 2022⁵, the UN Security Council list (un.org/securitycouncil/sanctions) and the OFAC SDN list of the US Treasury Department (ofac.treasury.gov). A programme that does not discuss all four registers by name does not cover the full scope of the obligations.

• Operational procedures — what a small company must have in its documents (sanctions policy, hit register, decision-escalation path), and what is excessive. This is precisely what distinguishes legal theory from practical compliance. Templates for these documents are discussed in the article sanctions policy and document templates.

• Sanction screening in practice — how fuzzy-matching algorithms work, what a POSSIBLE result means and how to handle it, how to reduce false positives, where data errors in sanctions lists come from. Good certification does not stop at “check the client against the list.”

• UBO and the 50% rule — how to identify the beneficial owner of an entity and why the EU methodology differs from the OFAC methodology on the control rule. Skipping the UBO is a frequent reason a company checks a person against a list but misses a sanctioned ownership structure.

• An exam with result verification — a pass threshold, randomised questions, participant identification. A certificate with no exam, or with an exam of the “everyone passes automatically” kind, is no proof of competence at all.

• A named certificate with a register number — verifiable by a bank or counterparty. A certificate without a serial number or a register is a document that is hard to confirm.

• A 12-month validity and re-certification — sanctions law changes every quarter (new sanctions packages, new list entries). A certificate with no expiry date, or an indefinite one, is a warning sign: the programme does not track changes in the law.

Warning signs (avoid)

• No exam, or an assurance that “everyone passes” — a certificate without knowledge verification is a badge.
• No updates to materials after new EU sanctions packages.
• The programme does not discuss the sanctions lists by name — only “the regulations governing sanctions” in the abstract.
• No module on practical screening — how to operate operationally, not just what the law says.
• A certificate with no expiry date, or with indefinite validity.

Certification of a compliance officer is complemented by training staff on sanctions and sanction screening — both elements together form complete due-diligence documentation.

Polish certificates and international standards — a comparison

The table below gives an overview of the main paths available on the Polish market. There is no single right answer — the choice depends on the company’s scale, sector and budget.

CAMS (ACAMS) is the banking standard — if you employ a compliance officer with financial-sector experience or you plan to work with correspondent banks, this path builds recognition. For the owner of a travel agency or a leasing company, however, it is a tool designed for a different environment. The exam is English-only, and the programme assumes several dozen hours of professional experience in financial compliance.⁷

ICA Diploma is UK-centric and in English — strong on the British and Western European markets, but practically absent from Polish SERPs and unrecognised in Polish due diligence.⁸

International certificates (CAMS from ACAMS, the ICA Diploma) cost several thousand USD/GBP — details directly from the provider.

ACO (Instytut Compliance) is the most strongly recognised Polish path in general compliance. It covers ISO 37301, ESG and anti-corruption — but EU sanctions are not a specialisation there, just one of the modules. For a CO who is to deal exclusively with sanctions, the programme may be excessively broad.

AMLSO (Instytut Compliance) is the only Polish certificate with “sanctions” explicitly in its name, addressing both financial and non-financial institutions. It is the closest direct comparable path for a non-financial company seeking a recognisable certificate from an external institution.

Law-firm workshops are useful as a supplement, but not a substitute for a certificate: a one-off format, usually no exam, no expiry date. They are hard to present to a bank or counterparty as proof of competence.

Postgraduate studies (SGH, Kozminski, Wrocław University of Economics and others — several to a dozen-plus thousand PLN, typically over two semesters) target the financial sector and people building a compliance career. For the owner of a trading company or an OTA who needs a certificate for the next audit — overkill.

Who specifically needs sanctions CO certification

Certification makes sense when the company:

• enters into transactions with foreign counterparties or clients,
• handles currency payments or processes money transfers,
• transfers title to, or control over, assets (leasing, real estate),
• works with goods that may be subject to sectoral sanctions (electronics, machinery, energy products),
• sells services to entities with a potentially complex ownership structure.

Specifically — sectors for which CO certification is strongly justified:

• Travel agencies and OTAs: foreign counterparties, currency payments, the risk of a booking for a person on a sanctions list.
• Leasing and long-term rental: transferring control over an asset to a sanctioned entity is a sanctions violation, even when the transaction looks routine.
• E-commerce with exports: foreign clients, payment gateways asking about procedures, dual-use goods.
• Real estate: an agent buys or sells on a client’s behalf — the 50% UBO rule is key to establishing the beneficial owner.
• Insurance brokers and agents: a premium paid to a sanctioned entity is a sanctions violation.
• Telecoms and SaaS providers: services for entities on the EU sectoral-sanctions list.

The role of a sanctions compliance officer in a small business — including how to formally designate this person and what their role should cover — is discussed in a separate article.

For whom certification is unnecessary, or another solution suffices: micro-businesses with no foreign counterparties, no currency payments and no dual-use goods can run compliance with a simple policy and staff training — without CO certification. The line is not sharp, but the more your company is embedded in cross-border transactions, the stronger the case for a certified person. The difference between the sanctions CO role and the AML CO role is explained in the article AML vs sanctions — a practical distinction.

Step by step — how to roll out certification in your company

The steps below take you from zero to a certified compliance officer in your company:

1. Designate the person responsible for sanctions. A management-board resolution or a scope of duties in the employment contract — even if that person is the owner. Formal designation is the first piece of documentation an auditor will see. How to do this in practice — in the article on the role of the compliance officer in a small business.

2. Do a gap analysis. Assess the candidate’s current knowledge: do they know the sanctions lists by name? Do they understand the 50% UBO rule? Do they know how fuzzy matching works and what to do with a POSSIBLE result? The answers to these questions indicate how deep a programme they need.

3. Choose a certification programme appropriate to the company’s scale. The table from the previous section is your criterion. For a non-financial SME, look for: the Polish language, a sanctions specialisation (not general compliance), an exam with result verification, a certificate with an expiry date.

4. Plan the completion time. The Sanqto programme is about 2–3 working days (6 modules, ~6h of online materials + an exam of ~60 minutes). Classroom courses (DEKRA, AMLSO) are 2–3 days of intensive training. Plan this ahead of an audit or before responding to a bank KYC questionnaire.

5. Document the exam result and the certificate in the compliance file. A compliance folder: date obtained, certificate number, exam result. This document is the first thing an auditor reaches for.

6. Inform the bank and key counterparties. Update your answer to the KYC questionnaire. Provide the compliance officer’s full name and certificate number. This is a concrete, verifiable answer.

7. Set a re-certification reminder for 12 months out. Sanctions law changes every quarter — new sanctions packages, new entries on the EU lists. A certificate from 2 years ago does not document knowledge of the current state of the law.

How Sanqto can help

If you are looking for certification tailored to a Polish non-financial company, the Sanqto certification programme covers 6 modules (~6h of online materials), a closed-book exam (~60 minutes, with result verification), a PDF certificate with the full name and register number, and a 12-month validity. The programme walks you through the whole path: from legal foundations (EU regulations, the EU/UN/OFAC/MSWiA lists) through operational procedures to screening in practice with the MATCH/POSSIBLE/CLEAR model. It is designed for companies that have no in-house lawyer — travel agencies, leasing companies, real-estate agents, insurance brokers, e-commerce and SaaS providers. Certification is included in every Sanqto licence package, including Starter, and is also available as a standalone product.

Legal basis

European Union law:

• Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine — CELEX 32014R0269 (and subsequent amendments)
• Council Regulation (EU) No 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine — CELEX 32014R0833 (and subsequent sanctions packages)
• Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures and amending Directive (EU) 2018/1673 — CELEX 32024L1226

Polish law:

• Act of 1 March 2018 on counteracting money laundering and terrorist financing (consolidated text: Journal of Laws 2025, item 644, in force from 16 May 2025) — eli.gov.pl
• Act of 13 April 2022 on special arrangements for counteracting support for aggression against Ukraine and for protecting national security (Journal of Laws 2022, item 835) — ISAP

Sanctions registers (for ongoing verification):

• EU consolidated sanctions list — sanctionsmap.eu
• Polish MSWiA sanctions list — gov.pl/web/mswia
• OFAC SDN list (USA) — ofac.treasury.gov
• UN Security Council sanctions list — un.org/securitycouncil/sanctions

FAQ — Frequently asked questions

Does a sanctions compliance officer need a certificate?

No — Polish law does not require a specific certificate as a condition for operating. The AML Act imposes the requirements to designate a person and run training only for AML obliged institutions.¹ Directive 2024/1226 requires intent as an element of the offence⁴ — documentation of training can help demonstrate its absence. In practice, banks and counterparties increasingly expect evidence, and a certificate is the easiest evidence.

How does sanctions CO certification differ from an AML certificate?

CAMS (ACAMS) and similar certificates focus on money laundering — transaction monitoring, reporting to the financial intelligence unit, identifying PEPs (Politically Exposed Persons). Sanctions CO certification focuses on sanctions lists, screening entities, blocking and escalation procedures, the UBO and the 50% rule. These are different competencies with partial overlap. A detailed discussion of the differences can be found in the article AML vs sanctions — what the difference is.

How long is a sanctions compliance officer’s certificate valid?

The market standard is 12 months — justified by the pace of change in sanctions law (new EU sanctions packages, list updates). A certificate with no expiry date, or an indefinite one, is a warning sign: the programme provider is not updating the content.

How much does sanctions compliance officer certification cost?

The range is wide. Law-firm workshops cost several thousand zlotys per day (usually with no exam, one-off). The DEKRA programme is among the more expensive market offers — verify the current price directly on the DEKRA website. International certificates (CAMS from ACAMS, the ICA Diploma) cost several thousand USD/GBP — details directly from the provider. Sanqto certification is included in the licence package and available as a standalone — details on the Sanqto certification programme page.

Can a small business without a legal department roll out certification in-house?

Yes — the owner or operations director can get certified themselves. There is no need to hire a lawyer. The Sanqto programme is designed exactly for this path: online materials, a self-administered exam, a PDF certificate. Time: about 2–3 working days, without leaving the office. How to formally designate this person is described in the article on the compliance officer in a small business.

Footnotes

Information, not legal advice. This article is for information and educational purposes only and does not constitute legal advice. The specific legal assessment of an individual case should be carried out with a qualified lawyer specialising in sanctions and export-control law. Legal status: 27 May 2026.