Sanctions compliance officer in a small business — do you need one
Does a small firm need a sanctions compliance officer? Learn who is responsible, what competencies matter, and how to manage this without a full-time hire.

Legal status as of: 2026-05-20.
Large corporations have compliance departments with several specialists. You run a business where a handful — or at most a few dozen — people are responsible for everything, and you have just read that the obligation to screen counterparties against EU sanctions lists applies to you too. The natural question is: do you now need to hire a compliance officer? The answer is simpler than you might think — and it definitely does not mean a new full-time post.
TL;DR — key points
- The regulations do not require an ordinary SME to have a formal “sanctions compliance officer” position — that obligation applies to obliged entities under the AML Act, not to every business.
- The obligation to screen counterparties against EU sanctions lists exists independently — it flows directly from EU regulations, which are binding on everyone.[1][2]
- In practice, it is sufficient to designate one person within the company to be responsible for sanctions — this can be the owner, the accountant, or a nominated employee.
- You do not need to be a lawyer. What is needed is familiarity with the procedure, access to up-to-date lists, and consistent execution.
- Sanctions compliance training and certification help document competence and protect the company in the event of an inspection.
- A tool that automates screening dramatically reduces both time and the risk of error — particularly when the counterparty base is large or changes frequently.
Does a small business need a sanctions compliance officer?
The short answer: there is no such obligation stated explicitly for businesses in general. The requirement to have a designated compliance officer — including one responsible for AML and sanctions — applies primarily to obliged entities within the meaning of the Act of 1 March 2018 on counteracting money laundering and the financing of terrorism[3] (GIIF — the General Inspector of Financial Information — oversees compliance; the category covers banks, brokerage houses, notaries, real-estate intermediaries above certain thresholds). If your business does not fall into that category, neither Article 6 nor similar provisions of that Act requiring the appointment of a specific AML officer apply to you.
One important point follows, however: the absence of a formal obligation to appoint someone to the post does not exempt you from the underlying verification obligation itself. These are two separate questions — and confusing them is one of the most common mistakes SMEs make.
The verification obligation exists regardless of the post
EU regulations — including Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine[1] and Council Regulation (EU) No 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine[2] — are directly applicable legal acts in every Member State, requiring no transposition into national law.[4] This means your business is subject to these rules automatically — regardless of whether you have one employee or a hundred.
Supplementing these is the Polish Act of 13 April 2022 on special solutions to counter support for aggression against Ukraine and to protect national security (Journal of Laws 2022, item 835)[5], which imposes additional obligations in the domestic sphere and sets penalties for their breach. Under that Act, the Head of the National Revenue Administration (KAS — Krajowa Administracja Skarbowa) may impose a financial penalty of up to PLN 20,000,000.[6][7]
In other words: the absence of a compliance officer is not a defence. The penalty applies to the breach — not to the absence of a post. You can read more about the financial consequences in the article on penalties for breaching EU sanctions.
Who should practically be responsible for sanctions in a small business?
Since there is no obligation to hire a specialist, a practical question arises: who should realistically take on that responsibility? Experience points to several models that work well in SMEs.
- The owner or managing director — the simplest solution in businesses of up to ten people. You have full control over decisions and direct access to information about counterparties. The downside: every new compliance task falls directly on you, and as the business grows quickly this may become unsustainable.
- Someone from the finance or accounts team — a logical choice, because that is the department through which payments and counterparty data flow. They will often already have some exposure to AML procedures (if the business works with a bank) and will understand the importance of documentation.
- A designated employee — “sanctions contact point” — a formally named person who need do nothing beyond a simple procedure: check the counterparty before a transaction, record the outcome, and escalate if a hit arises. The title need not be “compliance officer” — what matters is a written delegation of responsibilities.
The critical element in every variant: a written designation. An internal memorandum or a clause in the sanctions policy naming who is responsible for screening, who makes the decision if there is a hit, and what the escalation path looks like — that is the minimum that protects both the company and the individual.
What competencies are needed (and why you do not need to be a lawyer)?
This question holds back many businesses unnecessarily. You do not need to hire a legal counsel or a bank-trained AML specialist. The person responsible for sanctions in a small business needs:
- Procedural knowledge — an understanding of what a sanctions list is, which lists apply (EU, UN, the Polish MSWiA list[8] — MSWiA stands for the Ministry of Internal Affairs and Administration), how to check a counterparty, and what to do when a “possible hit” result appears. This knowledge can be acquired through training, not through years of experience.
- Access to up-to-date lists — sanctions lists are updated regularly. The EU consolidated list is published by the European Commission (DG FISMA)[9]. The Polish sanctions list is maintained by the Ministry of Internal Affairs and Administration[8]. The responsible person must know where to find current data — or use a tool that updates the data automatically.
- Documentation skills — recording the result of each check, the date, the list checked against, and the decision taken. This is not essay-writing — a straightforward hit register is sufficient.
- The ability to escalate — if something looks suspicious, the person must know who to go to next (management, external lawyer) and when to put a transaction on hold.
None of these competencies requires a legal qualification. They do require regularity and discipline — a one-off screening is not enough when sanctions lists are being updated and you are gaining new counterparties.
How to distribute responsibilities without hiring a full-time employee?
Implementing sanctions responsibility in a small business need not cost much — either in money or in time. Here is a practical framework for an SME:
- Designate one person in writing — ideally someone already working in finance or operations. Name them explicitly in an internal document or sanctions policy.
- Describe the procedure in a few steps — when to check (before every new transaction, when signing a contract, when renewing a relationship), how to check (manually or via a tool), and what to do with the result.
- Set an escalation threshold — if the screening result is CLEAR, the transaction proceeds. If POSSIBLE or MATCH, the matter goes to management or a lawyer. The person designated for routine checks should not make that call alone.
- Maintain a register — date of check, entity checked, list used, result, person who checked, decision taken. An Excel spreadsheet is fine to start with — what matters is that it exists.
- Set a frequency for periodic re-screening — established counterparties are worth re-checking every quarter or with each new payment, because sanctions lists change regularly.
- Ensure a documentary trail — a printout or saved record of the screening result for each check, with the date and the name of the person who performed it. In the event of an inspection, this is evidence that the procedure was working.
This approach requires no new hire. It requires a few minutes a week — and consistency.
Training and certification — building competence without a postgraduate degree
It is worth providing training to the person designated as responsible for sanctions. Not because of any legal requirement, but for practical reasons: first, it means that person knows what they are doing and feels confident; second, a certificate of training completion is a document that, if questions are raised by an inspecting authority, demonstrates that the company takes the subject seriously.
Good sanctions compliance training should cover:
- the legal basis — which regulations and Acts apply, what the penalties for breach are,
- familiarity with sanctions lists — EU, UN, OFAC[10], MSWiA[8], and the differences between them,
- the screening procedure — how to carry out a check, how to assess the result, what to do with a hit,
- documentation and the hit register — how to maintain it, what to retain, and for how long.
Training need not take a week. A focused online course with a final examination and certificate is entirely sufficient for the person handling screening in a small business. Sanqto offers such a package as part of its product — training, an online examination, and a sanctions compliance officer certificate for the person you designate in your company. It is also worth training other employees who have contact with counterparties — we describe how to organise that in the article on employee sanctions training.
When to consider outsourcing or automation?
Manual screening — searching the sanctions lists yourself — is feasible, but it has a scalability limit. With a handful of counterparties a month it is manageable. With several dozen, it starts to become risky (omissions, outdated data, lack of documentation).
Outsourcing — delegating the compliance process to an external provider (a law firm or specialist company) — makes sense when a business lacks internal resources and wants to transfer operational responsibility. It is worth remembering that legal liability still rests with the business as the legal entity — not with the external adviser.
Automation — a sanctions screening tool checks the counterparty against current lists and returns a result: MATCH, POSSIBLE, or CLEAR. It reduces the check to seconds, eliminates human error with partial matches (e.g. similar names), and automatically creates a documentary trail. For travel agencies, estate agents, insurance brokers, and other non-financial-sector businesses that screen tens or hundreds of counterparties, automation means real operational relief.
Consider automation when:
- you are screening more than 20–30 counterparties a month,
- your sector requires fast decisions (e.g. bookings, distance contracts),
- you want certainty that data is always current — without manually downloading new versions of lists,
- you need a ready-made hit register for a potential inspection.
Sanqto is an on-premise solution — installed within your company’s own infrastructure, without transmitting data to external servers. It returns a three-state result (MATCH / POSSIBLE / CLEAR) and automatically creates a documentary trail for every check. More about what counterparty screening looks like in practice can be found in the article on counterparty verification against sanctions.
FAQ — frequently asked questions
Does a sole trader (self-employed individual) also have to screen counterparties against sanctions lists?
Yes. EU regulations apply to everyone — individuals operating a business, companies, associations.[4] Legal form does not exempt you from the obligation. A sole trader who transfers money or provides services to a sanctioned entity is in breach of the same rules as a large company.
How long does manual screening of one counterparty take?
Checking one person or business manually — on the EU consolidated list website and the MSWiA list — typically takes a few minutes. The problem arises with larger numbers of counterparties, similar names (false positives / false negatives), the need to verify beneficial owners (the 50% rule[11]), and the need to document the process.
What is the 50% rule and do I need to check a counterparty’s owners?
EU sanctions cover not only entities listed directly, but also those in which a listed person or entity holds more than 50% of the shares or exercises control over them.[11] In practice this means that checking the counterparty’s company name alone may not be sufficient — it is worth verifying its beneficial owners as well, particularly when the company is from a high-risk jurisdiction. We explain this mechanism in detail in the article on the 50% ownership rule.
Is the employee designated for screening personally liable for a sanctions breach?
Criminal liability for breaching EU sanctions can apply to natural persons — including managers. Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024[12] requires the criminalisation of sanctions violations in all Member States. An employee’s liability depends on the circumstances of the specific case and the scope of their responsibilities — that is a matter for a lawyer to assess. What is certain, however, is that the complete absence of any procedure within a business protects no one.
How often should I re-screen established counterparties?
Sanctions lists are updated regularly — new entries appear frequently, independently of any formal “package” of measures. A one-off check at the time of signing a contract is not sufficient. The accepted practice is to re-screen established counterparties periodically — at minimum with each new payment, or on a regular schedule (e.g. quarterly), and without exception whenever significant details on their side change.
Do I need to screen individual customers, not just businesses?
It depends on the sector. In tourism, real estate, and insurance the customer is often a private individual — and sanctions lists cover natural persons as well as corporate entities. If your business serves individual customers in transactions of material value, screening should cover them too. We describe the full scope of the screening obligation in the article on the sanctions screening obligation.
How Sanqto can help
Sanqto is a sanctions screening tool built for businesses outside the financial sector — such as travel agencies, estate agents, insurance brokers, and other SMEs that need to screen counterparties but have no compliance department. The solution operates on-premise — your clients’ and counterparties’ data never leaves your own infrastructure. Screening returns a three-state result: MATCH, POSSIBLE, or CLEAR, and every check is automatically documented. The product includes an implementation document pack (sanctions policy, procedural instruction, hit register) and a compliance officer training and certification programme for the person you designate in your team.
Legal basis
- Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine — CELEX 32014R0269
- Council Regulation (EU) No 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine — CELEX 32014R0833
- Act of 13 April 2022 on special solutions to counter support for aggression against Ukraine and to protect national security (Journal of Laws 2022, item 835) — ISAP
- Act of 1 March 2018 on counteracting money laundering and the financing of terrorism (Journal of Laws 2018, item 723) — ISAP
- Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures — CELEX 32024L1226
- Polish sanctions list (MSWiA) — gov.pl/web/mswia
- EU consolidated sanctions list (DG FISMA) — finance.ec.europa.eu
- OFAC SDN List (U.S. Department of the Treasury) — ofac.treasury.gov
- UN Security Council Consolidated List — un.org
Footnotes
Information, not legal advice. This article is informational and educational in nature. It does not constitute legal advice. Legal status as of: 20 May 2026. Your company’s specific obligations depend on its business profile and require individual assessment — if in doubt, consult a lawyer or compliance adviser.
[1] Council Regulation (EU) No 269/2014 of 17 March 2014 — EUR-Lex CELEX 32014R0269; act name confirmed via: Sejm API ELI DU/2022/835
[2] Council Regulation (EU) No 833/2014 of 31 July 2014 — EUR-Lex CELEX 32014R0833; DG FISMA citation: “The sanctions regime laying down these measures consists of Council Decision 2014/512/CFSP and Council Regulation (EU) No 833/2014.” — finance.ec.europa.eu
[3] Act of 1 March 2018 on counteracting money laundering and the financing of terrorism (Journal of Laws 2018, item 723) — ISAP. GIIF (General Inspector of Financial Information — Generalny Inspektor Informacji Finansowej) as the competent authority in AML matters: Article 12 of the Act — ISAP
[4] EU regulations are directly applicable in every Member State without the need for transposition. Citation: “A regulation is binding in its entirety and directly applicable in all Member States.” — EUR-Lex, Regulation — EU legal act
[5] Act of 13 April 2022 on special solutions to counter support for aggression against Ukraine and to protect national security (Journal of Laws 2022, item 835) — Sejm API ELI; ISAP
[6] Article 6(2) of the Act of 13 April 2022 — financial penalty imposed by the Head of KAS (National Revenue Administration) of up to PLN 20,000,000. Citation: “Kara pieniężna, o której mowa w ust. 1, jest nakładana w drodze decyzji przez Szefa Krajowej Administracji Skarbowej i wynosi do 20 000 000 zł.” [The financial penalty referred to in paragraph 1 is imposed by decision of the Head of the National Revenue Administration and amounts to up to PLN 20,000,000.] — Sejm API ELI DU/2022/835
[7] Articles 6(2) and 12(2) of the Act of 13 April 2022 — KAS (National Revenue Administration) as the authority imposing administrative penalties. Citation: “Kara pieniężna jest nakładana w drodze decyzji przez Szefa Krajowej Administracji Skarbowej.” [The financial penalty is imposed by decision of the Head of the National Revenue Administration.] — Sejm API ELI DU/2022/835
[8] The Polish sanctions list is maintained by the Minister of Internal Affairs and Administration (MSWiA — Ministerstwo Spraw Wewnętrznych i Administracji). Page: gov.pl/web/mswia
[9] The EU consolidated sanctions list is maintained by the European Commission’s Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA). Citation: “The Directorate-General for Financial Stability, Financial Services and Capital Markets Union manages EU sanctions policy.” — finance.ec.europa.eu
[10] OFAC (Office of Foreign Assets Control, U.S. Department of the Treasury) maintains the SDN (Specially Designated Nationals and Blocked Persons) List — ofac.treasury.gov
[11] EU sanctions cover entities in which a listed person or entity owns more than 50% of the shares or exercises control (the ownership/control rule). Citation: “An entity is considered as ‘owned’ by a sanctioned person if the latter owns more than 50% of its proprietary rights.” — DG FISMA FAQ, finance.ec.europa.eu
[12] Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures (transposition deadline: 20 May 2025) — EUR-Lex CELEX 32024L1226