A Company's Sanctions Policy — What It Must Contain and How to Implement It
A sanctions policy is a key compliance document. Find out what it must include, what supporting documents are required, and how to build a full compliance file.

If your company carries out sanctions screening — or is just starting to implement it — sooner or later you will face a question: what exactly needs to be put in writing? A sanctions policy is an internal document that describes the principles governing how your company verifies counterparties against EU, UN, and Polish MSWiA (Ministry of Internal Affairs and Administration) sanctions lists[1]. This is not an academic formality — it is your primary evidence of due diligence in the event of an inspection by the Head of the National Revenue Administration (Szef Krajowej Administracji Skarbowej, KAS)[2]. This article explains what such a policy must contain, what other documents are needed, who should approve it, and how to keep it up to date.
Legal status as of: 2026-05-20.
TL;DR — the five key points
- A sanctions policy is an internal company document that sets out: who you verify, when, against which lists, and what you do when a hit occurs. Without it, even a properly conducted screening process is difficult to demonstrate to an inspecting authority.
- The obligation to verify stems directly from EU Regulations No. 269/2014[3] and 833/2014[4], which are directly applicable in every Member State without the need for transposition[5] — as well as from the Polish Act of 13 April 2022[6].
- Complete documentation consists of four elements: the sanctions policy, a job instruction, a hit register, and a sanctions risk assessment. A fifth element — template correspondence — is useful when dealing with authorities.
- Approval should be given at board or business-owner level. The person responsible for compliance must be designated in writing.
- Review should be mandatory at least once a year and whenever there is a significant change in the law or in the company’s scope of activities.
What a sanctions policy is and why you need one
A sanctions policy is an internal document that describes how your company fulfils its obligations arising from EU and national legislation on restrictive measures. It is not a document for the authorities — it is produced for the company’s own use and for its employees. But if an inspection by the Head of KAS (Szef KAS) takes place, it is the first document an inspector will ask for[2].
It is worth understanding where this obligation comes from. Council Regulation (EU) No 269/2014 of 17 March 2014[3] and Council Regulation (EU) No 833/2014 of 31 July 2014[4] prohibit entering into transactions with entities listed on sanctions lists. EU Regulations are directly applicable — they bind every company operating within the European Union without any additional national measures being required[5]. The Polish Act of 13 April 2022 on Special Solutions for Counteracting Support for Aggression Against Ukraine and for the Protection of National Security (Journal of Laws 2022, item 835) supplements these provisions with national enforcement mechanisms and a financial penalty of up to PLN 20,000,000 imposed by the Head of KAS[2].
If you are not yet sure whether your company is subject to this obligation at all, first read the article “Does my company have to carry out sanctions screening?” — it explains who the rules apply to and where they originate.
The sanctions policy itself serves two functions. The first is operational: employees know what they are supposed to do, who to check, and what to do when a hit occurs. The second is evidentiary: in the event of proceedings you can demonstrate that the company acted in accordance with established procedures rather than leaving compliance to chance. In practice, compliance without documentation is compliance that cannot be proven.
What a sanctions policy must contain
There is no single official sanctions policy template prescribed by Polish law for companies outside the financial sector. This means you have some flexibility in terms of form — but the content should cover several key areas.
Personal and material scope
The policy should precisely define who is subject to verification. The minimum is: customers before entering into a business relationship, counterparties and suppliers, and intermediaries and commercial agents. If you carry out cross-border activities or deal with ultimate beneficial owners (UBOs), it is worth including checks on the entire ownership chain — EU sanctions cover entities in which a listed person holds more than 50% of the shares or exercises control[7].
The material scope defines which transactions screening applies to: the sale of goods, the provision of services, the conclusion of lease agreements, and the disbursement of funds. The more precisely you describe this, the less room there is for operational uncertainty.
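The ownership-chain check described above, as an added example (not Sanqto’s code and not from the article): a listed person’s stakes are followed down the chain and any entity owned more than 50% by, or controlled by, a caught holder is flagged. Two assumptions go beyond the article’s one-sentence rule and are labelled in the code: the test is applied transitively, and stakes of several caught holders in one target are added up. All names and percentages are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Holding:
    holder: str            # person or entity that holds the stake
    target: str            # entity in which the stake is held
    percent: float         # ownership share in percent
    control: bool = False  # holder controls the target by other means (e.g. voting rights)


THRESHOLD = 50.0  # the rule on the page is "more than 50%"


def caught_by_ownership(listed: set[str], holdings: list[Holding]) -> dict[str, str]:
    """Return {entity: reason} for every entity that is not itself listed but falls
    under the ownership/control rule through the holdings given.

    Assumptions (this example's, not the article's): the test is applied
    transitively down the chain, so an entity owned >50% by a caught entity is
    caught too, and stakes of several caught holders in one target are added up.
    """
    caught = {name: "listed" for name in listed}
    changed = True
    while changed:  # fixpoint: keep going until a full pass adds nothing new
        changed = False
        for target in {h.target for h in holdings if h.target not in caught}:
            stakes = [h for h in holdings if h.target == target and h.holder in caught]
            if not stakes:
                continue
            total = sum(h.percent for h in stakes)
            holders = ", ".join(sorted({h.holder for h in stakes}))
            if any(h.control for h in stakes):
                caught[target] = f"controlled by {holders}"
            elif total > THRESHOLD:
                caught[target] = f"owned {total:g}% by {holders}"
            else:
                continue
            changed = True
    return {name: why for name, why in caught.items() if name not in listed}


# Constructed sample data: "Listed Person A" stands in for a listed person;
# every other name and percentage is made up for the example.
SAMPLE_LISTED = {"Listed Person A"}
SAMPLE_HOLDINGS = [
    Holding("Listed Person A", "HoldCo", 60),
    Holding("HoldCo", "OpCo", 51),                  # caught through the chain
    Holding("OpCo", "Supplier", 40),                # only 40%: Supplier is not caught
    Holding("Unlisted Investor B", "Supplier", 60),
    Holding("Listed Person A", "JV", 30),
    Holding("HoldCo", "JV", 25),                    # 30% + 25% = 55% aggregated
    Holding("Listed Person A", "ControlCo", 10, control=True),
]

if __name__ == "__main__":
    for entity, why in sorted(caught_by_ownership(SAMPLE_LISTED, SAMPLE_HOLDINGS).items()):
        print(f"{entity}: {why}")
```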
Sanctions lists covered by verification
Name the lists your company checks explicitly. The minimum for any Polish company is the EU Consolidated List maintained by the European Commission (DG FISMA)[8] and the Polish sanctions list maintained by MSWiA (Ministry of Internal Affairs and Administration) and published in the Public Information Bulletin (BIP)[1]. If you trade with entities outside the EU or settle transactions in US dollars, consider adding the UN list[9] and the OFAC Specially Designated Nationals (SDN) list[10]. Companies with exposure to the United Kingdom should include the UK OFSI Consolidated List[11].
It is worth stating in the policy where you obtain the lists from and how you ensure you are using the current version. Lists are updated on an ongoing basis, without a fixed schedule — the EU Consolidated List is modified by DG FISMA each time a new sanctions package is adopted or an individual listing is amended[8].
Roles and responsibilities
Who in the company is responsible for sanctions compliance? The policy should identify a specific role (or a named individual — if the company is small): who approves verification results, who makes the decision on a POSSIBLE outcome, and to whom a MATCH result is escalated. A lack of a clear division of responsibilities is one of the most common problems found during inspections.
In a small company this may be a single person — the owner or a designated employee. In a larger organisation it is worth introducing a two-tier structure: an operational employee carries out the verification, and a person designated by the board approves borderline cases. Whatever the structure, the designation should be documented in writing.
The verification procedure — step by step
This is the core of the document. Describe what checking a counterparty looks like: which tools or systems you use, what counterparty data you enter (full name or company name, date of birth or tax identification number, country of domicile), how you interpret results, and how you document each step. If you use a software system for screening, name it and identify who is responsible for keeping it up to date.
It is worth defining clearly the mandatory moments for verification: before every new business relationship (before signing a contract or completing the first transaction), and for established counterparties — after each update to the lists or on a set cycle (for example, quarterly). Find out more about how to carry out verification in practice in the article “Counterparty verification for sanctions”.
Handling a hit
This is the section that is often overlooked — and yet it is critical. The policy should describe three screening outcome scenarios:
- CLEAR — no hit; the transaction may proceed; the result is recorded.
- POSSIBLE — ambiguous result; additional checks are required (comparison of date of birth, document number, country) and a decision by the person designated by the board is needed. The decision and its reasoning are documented.
- MATCH — confirmed hit; the transaction is blocked, the counterparty’s funds (if held by the company) are frozen, and the hit is reported to the competent authority — the Head of KAS or MSWiA[2].
Also describe what happens to ongoing business relationships when a counterparty appears on the list while a contract is still in force.
Verification frequency and policy review
Specify how often you check established counterparties (for example, quarterly or after each significant update to the lists). Also set out a review schedule for the policy itself: at least once a year and whenever there is a significant change in the law or a material change in the company’s business profile.
Training
State who receives sanctions compliance training and when. The minimum is the person designated to carry out screening. For companies with higher risk exposure — all employees who have contact with customers and counterparties. Documented training is an additional piece of evidence of due diligence.
The other documents: job instruction, hit register, risk assessment, template correspondence
The sanctions policy is a strategic document — it sets out the principles. For day-to-day work you also need several operational documents.
Job instruction
This is a document written with the employee who physically carries out the verification in mind. Whereas the policy describes “what” and “why”, the job instruction explains “how” — step by step. It should contain: where to log in to the system or website, what to enter in the search field, how to read the result, what to do with each of the three possible outcomes, and to whom and how quickly to report a MATCH or POSSIBLE result. A good job instruction should be understandable to someone who has never dealt with sanctions compliance before.
Hit register
The hit register is a running log of all verifications carried out. Each entry should contain at minimum: the date of verification, data identifying the counterparty (full name or company name, country), the list or lists checked, the verification result (CLEAR / POSSIBLE / MATCH), the name of the person who carried out the verification, and — in the case of POSSIBLE and MATCH results — a description of the actions taken and the final decision. For POSSIBLE results it is worth including a justification for why it was decided to proceed with or block the transaction.
The hit register is the most important evidentiary document in the event of an inspection. It shows that screening was actually carried out — not merely described in a policy. The Act of 13 April 2022 does not impose an explicit obligation on non-financial-sector companies to maintain a register[6], but its absence in the event of proceedings can effectively undermine an argument of due diligence.
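The three outcome scenarios from “Handling a hit” and the register fields listed above, as an added example (not Sanqto’s software and not from the article). `classify` applies the secondary checks (date of birth, document number, country) to a name hit, and `validate` refuses a register line that lacks what the article requires for its outcome while still accepting CLEAR lines. Promoting to MATCH only when every comparable identifier agrees is this example’s assumption; all names, dates and list labels are constructed.

```python
from dataclasses import dataclass
from typing import Optional

CLEAR, POSSIBLE, MATCH = "CLEAR", "POSSIBLE", "MATCH"


@dataclass
class Party:
    """Identifying data of a counterparty, or of a candidate returned from a list."""
    name: str
    country: Optional[str] = None
    dob: Optional[str] = None           # ISO 8601 date, natural persons only
    document_no: Optional[str] = None   # ID or passport number, if known


def classify(counterparty: Party, candidate: Optional[Party]) -> tuple[str, str]:
    """Map a screening result to one of the three outcomes and explain why.

    No candidate -> CLEAR. Every identifier present on both sides agrees and at
    least one was compared -> MATCH. Otherwise (an identifier conflicts or none
    is comparable) -> POSSIBLE, for decision by the person designated by the board.
    The MATCH rule is this example's assumption, not a requirement of the article.
    """
    if candidate is None:
        return CLEAR, "no hit"
    agreed, conflicting, missing = [], [], []
    for attr in ("dob", "document_no", "country"):
        ours, theirs = getattr(counterparty, attr), getattr(candidate, attr)
        if ours is None or theirs is None:
            missing.append(attr)
        elif ours == theirs:
            agreed.append(attr)
        else:
            conflicting.append(attr)
    if agreed and not conflicting:
        return MATCH, f"hit on '{candidate.name}', confirmed by {', '.join(agreed)}"
    return POSSIBLE, (f"hit on '{candidate.name}'; conflicting: {conflicting or 'none'}; "
                      f"not comparable: {missing or 'none'}")


@dataclass
class RegisterEntry:
    """One line of the hit register, with the minimum fields named in the article."""
    verified_on: str            # ISO 8601 date of verification
    counterparty: str
    country: Optional[str]
    lists_checked: tuple[str, ...]
    result: str
    verified_by: str
    actions_taken: str = ""     # POSSIBLE and MATCH: what was done
    decision: str = ""          # "proceed" or "block"
    decided_by: str = ""        # person designated by the board
    justification: str = ""     # POSSIBLE: why proceed/block was chosen


def validate(entry: RegisterEntry) -> Optional[str]:
    """Return why an entry is incomplete, or None if it may be recorded."""
    if entry.result not in (CLEAR, POSSIBLE, MATCH):
        return f"unknown result {entry.result!r}"
    if not entry.lists_checked or not entry.verified_by:
        return "lists checked and verifier are mandatory, also for CLEAR results"
    if entry.result in (POSSIBLE, MATCH) and not (
            entry.actions_taken and entry.decision and entry.decided_by):
        return f"{entry.result}: actions taken, decision and decision-maker are required"
    if entry.result == POSSIBLE and not entry.justification:
        return "POSSIBLE: record why the transaction was allowed or blocked"
    if entry.result == MATCH and entry.decision != "block":
        return "MATCH: the transaction must be blocked, not allowed to proceed"
    return None


def record(register: list[RegisterEntry], entry: RegisterEntry) -> RegisterEntry:
    """Append to the running log; every verification, including CLEAR, is recorded."""
    problem = validate(entry)
    if problem:
        raise ValueError(problem)
    register.append(entry)
    return entry
```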
Sanctions risk assessment
The risk assessment is a document describing the risk of breaching the sanctions regime in connection with your company’s business profile. It should take into account: the sector and type of customers (whether you have individual or corporate clients), the geography of transactions (whether you serve customers from higher-risk areas), and the type of products or services offered (whether they are products subject to export prohibitions under Regulation 833/2014[4]). The result of the risk assessment influences how stringent the verification procedure should be — a company with exclusively local customers in a low-risk sector may adopt a simplified approach, whilst a company importing goods from high-risk regions should apply full screening to every transaction.
For companies that are obliged entities within the meaning of the Act of 1 March 2018 on Counteracting Money Laundering and the Financing of Terrorism (Journal of Laws 2018, item 723)[12], the risk assessment is a mandatory element arising directly from that Act. For other companies, a risk assessment is good practice that strengthens their position in the event of proceedings.
Template correspondence
Template correspondence is useful in two situations. The first is reporting a hit to an authority — the Head of KAS or MSWiA — when you confirm that a counterparty appears on a sanctions list[2][1]. The second is correspondence with the counterparty or customer when a transaction is blocked. Ready-made templates allow you to act quickly and correctly in situations where time pressure is high and the consequences of an error are serious.
Who approves the documentation and how to keep it up to date
Approval
The sanctions policy should be approved by the person or body authorised to commit the company: the owner, the chief executive, or — in the case of larger organisations — by a board resolution. Approval should be documented with a date and signature. In the event of an inspection, this demonstrates that compliance was not the initiative of a single employee but a deliberate management decision.
At the same time it is worth designating in writing the person responsible for the day-to-day application of the policy — by name, with a statement of the scope of their authority and duties. If that person changes (departure of an employee, restructuring), the updated designation should be made without delay and documented.
Review
The sanctions policy should be reviewed and updated in three situations. First, on a regular cycle — at least once a year, with the date and signature of the approving person. Second, after any significant change in the law — such as the adoption of a new EU sanctions package, an amendment to the Polish Act of 13 April 2022[6], or the entry into force of national provisions implementing Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the criminalisation of violations of EU restrictive measures[13]. Third, when the company’s business profile changes: entry into a new geographic market, a new category of customers, or a new type of product or service.
It is worth archiving every version of the policy with a date — not only the current version but previous ones as well. In the event of an inspection covering past events you can demonstrate which version of the policy was in force at any given time.
Documentation as evidence of due diligence during an inspection
The administrative penalty imposed by the Head of KAS under Article 6(2) of the Act of 13 April 2022 may amount to up to PLN 20,000,000[2]. This is a penalty for breaching obligations relating to the freezing of funds or the prohibition on making funds available to a listed entity. The issue is not the screening itself — it is what you did or failed to do when a counterparty turned out to be on the list.
In practice, inspecting authorities assess not only whether a breach occurred, but also how the company acted: whether it had procedures in place, whether they were applied, and whether the documentation shows a trail of decisions taken. Complete compliance documentation — a policy, a hit register, a job instruction — allows you to demonstrate that you acted in good faith and with due diligence. This is not a guarantee of avoiding a penalty, but it is a significant factor that authorities take into account when assessing a case.
It is also worth bearing in mind criminal liability. Directive (EU) 2024/1226 of 24 April 2024 required EU Member States to criminalise violations of sanctions, and the deadline for its transposition was 20 May 2025[13]. Poland is processing the national implementing bill — the status of the legislative process is subject to change, so before taking any compliance decisions it is worth checking the current state of affairs on the Government Legislation Centre website at legislacja.rcl.gov.pl. A full picture of the possible consequences — including the personal liability of owners and board members — is set out in the article “Penalties for sanctions violations in Poland”.
Compliance documentation is also increasingly required by business partners. Companies from Western Europe — particularly Germany, the Netherlands, and Scandinavia — are increasingly asking Polish suppliers and partners to confirm that sanctions procedures have been implemented. The absence of documentation can cost a contract, even if no sanctions violation has ever occurred.
How to get started — a sanctions documentation implementation checklist
Below is a practical action plan for a company building its compliance documentation from scratch. The order matters — start with the foundations before moving on to the detail.
- Confirm that the obligation applies to you. Review the article “Does my company have to carry out sanctions screening?” and make sure you understand why the obligation applies to your sector.
- Designate a responsible person in writing. A board resolution, a written authorisation, or at least an email approving the scope of duties — anything that can be produced at an inspection.
- Prepare a sanctions risk assessment. Assess which transactions and which customers you have in your portfolio, where the risk comes from, and how significant it is. One or two pages are sufficient to start.
- Write the sanctions policy. Cover all six areas described in the section above: scope, lists, roles, procedure, handling of hits, and training. It does not have to be long — five to eight pages is a reasonable minimum.
- Prepare the job instruction. Print it or make it available to the person carrying out verifications at their place of work.
- Start the hit register. This can be a spreadsheet, a database, or a module within a screening system. The key point is that every verification is recorded.
- Carry out the first training session. Go through the policy, the instruction, and the register with the designated person. Record the date and participants.
- Approve the document package with a board signature. Date and signature on the title page of the policy and the risk assessment.
- Set a reminder for the annual review. Or earlier — if your sector is exposed to frequent changes in the sanctions regime.
- Retain everything for at least five years. In the event of proceedings, authorities may request documentation from previous years.
If you run a travel agency, an estate agency, or work as an insurance broker, check also the sector articles: sanctions screening for travel agencies and tourism, for estate agencies, and for insurance.
How Sanqto can help
Sanqto offers a ready-made implementation document package — a sanctions policy, a job instruction, a hit register, a risk assessment, and template correspondence — designed with non-financial-sector companies in mind. Beyond the documents, Sanqto’s sanctions screening software operates on an on-premise model: your counterparty data never leaves your company’s infrastructure, and verification results — MATCH, POSSIBLE, or CLEAR — are automatically recorded, creating a ready audit trail. If you would like to see how this works in practice for your sector, visit: tourism and travel agencies, real estate, insurance.
Frequently asked questions (FAQ)
Is a sanctions policy mandatory for every company?
The regulations do not impose an explicit obligation on non-financial-sector companies to hold a formal document called a “sanctions policy”. What is mandatory is compliance with the prohibitions arising from EU Regulations No. 269/2014[3] and 833/2014[4] and the Act of 13 April 2022[6]. A sanctions policy is the instrument that allows a company to demonstrate that it is fulfilling those obligations — and it is widely recognised as an element of due diligence.
How long should a sanctions policy be?
There is no minimum or maximum length. For a small company with a straightforward business profile, five to eight pages will suffice. For a company operating in multiple countries, with a wide customer portfolio or products subject to export prohibitions, the document may be considerably longer. What counts is completeness of content, not length.
Does a sanctions policy have to be prepared by a lawyer?
No. The policy can be prepared by the company owner, the person responsible for compliance, or — using a ready-made template — any person who understands the company’s business profile. It is advisable for the document to be reviewed by someone with legal or compliance expertise before approval, but this is not a formal requirement.
How often should the hit register be updated?
After every verification — both when the result is CLEAR and when it is POSSIBLE or MATCH. A register that contains only hits is not a screening register — it is merely an incident log. Inspecting authorities expect documentation of the entire verification process, not just the exceptions.
What should you do if a counterparty you already work with is added to a sanctions list?
You must immediately halt all payments and deliveries to that counterparty, freeze any funds of theirs held by the company (for example, a deposit), and report the hit to the competent authority — the Head of KAS or MSWiA[2][1]. Continuing a transaction after a hit has been identified is a breach of the EU Regulation’s prohibition, regardless of any pre-existing contract. Detailed information on the legal consequences of a violation is set out in the article “Penalties for sanctions violations”.
Does the hit register need to be retained? For how long?
The Polish Act of 13 April 2022 does not specify an explicit retention period for sanctions documentation for non-financial-sector companies[6]. In practice, it is advisable to apply a rule analogous to the general provisions on document retention — at least five years — taking into account the potential limitation periods for administrative and criminal proceedings.
Legal basis
- Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine — CELEX 32014R0269
- Council Regulation (EU) No 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine — CELEX 32014R0833
- Act of 13 April 2022 on Special Solutions for Counteracting Support for Aggression Against Ukraine and for the Protection of National Security (Journal of Laws 2022, item 835) — ISAP
- Act of 1 March 2018 on Counteracting Money Laundering and the Financing of Terrorism (Journal of Laws 2018, item 723) — ISAP
- Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures — CELEX 32024L1226
- Polish Sanctions List (MSWiA) — gov.pl/web/mswia/lista-osob-i-podmiotow-objetych-sankcjami
- EU Consolidated List (FSD, DG FISMA) — finance.ec.europa.eu/eu-and-world/sanctions-restrictive-measures_en
- UN Security Council Consolidated List — un.org/securitycouncil/content/un-sc-consolidated-list
- OFAC Specially Designated Nationals List (SDN) — ofac.treasury.gov/specially-designated-nationals-and-blocked-persons-list-sdn-human-readable-lists
- UK OFSI Consolidated List — gov.uk/government/publications/financial-sanctions-consolidated-list-of-targets
Footnotes
Information, not legal advice. This article is informational and educational in nature. It does not constitute legal advice. Legal status as of: 20 May 2026. The specific obligations of your company depend on your business profile and require individual assessment — if in doubt, consult a lawyer or compliance adviser.
[1] Polish Sanctions List — Ministry of Internal Affairs and Administration (MSWiA). URL: gov.pl/web/mswia/lista-osob-i-podmiotow-objetych-sankcjami. Status: verified.
[2] Article 6(2) of the Act of 13 April 2022 (Journal of Laws 2022, item 835) — financial penalty of up to PLN 20,000,000 imposed by the Head of KAS (National Revenue Administration). Quoted text: “The financial penalty referred to in paragraph 1 shall be imposed by decision of the Head of the National Revenue Administration and shall amount to up to PLN 20,000,000.” Source: api.sejm.gov.pl/eli/acts/DU/2022/835. Status: verified.
[3] Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine. Source: Polish Parliamentary API — api.sejm.gov.pl/eli/acts/DU/2022/835; EUR-Lex — CELEX 32014R0269. Status: verified.
[4] Council Regulation (EU) No 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine. Source: DG FISMA — finance.ec.europa.eu; EUR-Lex — CELEX 32014R0833. Status: verified.
[5] An EU Regulation is directly applicable in every Member State without the need for transposition. Source: EUR-Lex — eur-lex.europa.eu/EN/legal-content/summary/regulation-eu-legal-act.html. Quoted text: “A regulation is binding in its entirety and directly applicable in all Member States.” Status: verified.
[6] Act of 13 April 2022 on Special Solutions for Counteracting Support for Aggression Against Ukraine and for the Protection of National Security (Journal of Laws 2022, item 835). Polish Parliamentary API — api.sejm.gov.pl/eli/acts/DU/2022/835; ISAP — isap.sejm.gov.pl. Status: verified.
[7] Ownership/control rule — EU sanctions cover entities in which a listed person or entity holds more than 50% of the shares or exercises control. Source: DG FISMA FAQ — finance.ec.europa.eu. Quoted text: “An entity is considered as ‘owned’ by a sanctioned person if the latter owns more than 50% of its proprietary rights.” Status: verified.
[8] EU Financial Sanctions Database (FSD) maintained by DG FISMA, European Commission. Hub: finance.ec.europa.eu/eu-and-world/sanctions-restrictive-measures_en. Status: verified.
[9] UN Security Council Consolidated List — list of persons and entities subject to measures imposed by the UN Security Council. URL: un.org/securitycouncil/content/un-sc-consolidated-list. Status: verified.
[10] OFAC Specially Designated Nationals and Blocked Persons List (SDN List) — U.S. Department of the Treasury. URL: ofac.treasury.gov/specially-designated-nationals-and-blocked-persons-list-sdn-human-readable-lists. Status: verified.
[11] UK OFSI Consolidated List of Financial Sanctions Targets — HM Treasury. URL: gov.uk/government/publications/financial-sanctions-consolidated-list-of-targets. Status: verified.
[12] Act of 1 March 2018 on Counteracting Money Laundering and the Financing of Terrorism (Journal of Laws 2018, item 723). ISAP — isap.sejm.gov.pl. Status: verified.
[13] Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures. Transposition deadline: 20 May 2025. EUR-Lex — CELEX 32024L1226. Status: verified.