Sanctions hit register — how to maintain it and what it must contain
Learn how to maintain a sanctions hit register: which fields it must include, how long to retain documentation, and what to expect during a regulatory inspection.

Legal status as of: 2026-05-20.
You carry out sanction screening — checking counterparties against EU and MSWiA (Polish Ministry of Internal Affairs and Administration) sanctions lists before every transaction. But are you documenting each of those checks? A sanctions hit register is not a bureaucratic form — it is proof that you have exercised due diligence. Without it, any regulatory inspection starts from assumptions rather than facts. This article gives you concrete answers to the following questions: what exactly to record in the register, why you must also record “clean” results, how long to retain the documentation, and what an inspection looks like in practice.
TL;DR — the five key points
- A hit register is a recorded history of every counterparty check against sanctions lists — with the date, result, and the person responsible. Without it you have no evidence of due diligence.
- Record every result — MATCH, POSSIBLE, and CLEAR. “Clean” checks are also evidence that the procedure is working.
- Minimum register fields: date and time of the check, who carried it out, counterparty details, which lists were checked (with date/version), result (MATCH/POSSIBLE/CLEAR), actions taken.
- Retention period: for companies that are AML obliged entities — 5 years from the end of the business relationship (Article 49 of the AML Act [1]). For other companies — there is no hard statutory rule, but applying the same 5-year prudential standard is good compliance practice.
- During a regulatory inspection the register is the first document an inspector asks for — absence of documentation is treated as absence of verification.
What a sanctions hit register is
A sanctions hit register is a record of all checks carried out by your company against sanctions lists. Each entry in the register answers one question: “when, who, and how was this counterparty checked — and what was the outcome?” It is an internal document you maintain for your own purposes, but in the event of an inspection it becomes your primary piece of evidence.
The obligation to verify counterparties against EU sanctions lists follows directly from EU regulations — Council Regulation (EU) No 269/2014 of 17 March 2014 [2] and Council Regulation (EU) No 833/2014 of 31 July 2014 [3]. These regulations are directly applicable in every Member State — without the need for additional national implementing legislation [4]. The hit register is the practical tool for demonstrating that you are complying with them.
The Polish Act of 13 April 2022 on special solutions for counteracting support for aggression against Ukraine and for the protection of national security (Journal of Laws 2022, item 835) [5] supplements this obligation in the domestic legal order and sets out the penalties for breach — a financial penalty of up to PLN 20,000,000 imposed by the Head of the National Revenue Administration (KAS — Krajowa Administracja Skarbowa) [6]. In this context, documentation is not optional; it is a component of an effective defence.
If you are just starting out and want to first check whether your company is subject to the screening obligation, read the article Does my company have to carry out sanction screening?
Why you must also record “clean” checks (CLEAR result)
This is a question we hear often: why record a check when the result was negative — no hit found? The answer is straightforward: a regulatory authority conducting an inspection does not see that “nothing happened”. It sees either documentation or the absence of it.
An absence of a register entry for a particular counterparty means — from the authority’s perspective — that the check may never have been carried out at all. You cannot effectively rely on due diligence if you have no record confirming when and how the check took place. Even a CLEAR result must be documented for it to have evidentiary value.
There is another important reason. EU sanctions lists are updated regularly — new entities and individuals are added with each new EU sanctions package against Russia and Belarus [7]. If your documentation shows verification dates and list versions, you can demonstrate that you checked the counterparty against the lists as they stood on that particular day — and a listing that appeared later cannot be attributed as your fault.
A register of CLEAR results also builds a credible picture of your compliance system. The authority can see that checks are carried out systematically, not only for “suspicious” counterparties. That is a fundamental distinction between a company that has a procedure and applies it, and one that merely claims it “does screening somewhere”.
Which fields the register must contain — a template structure
A good sanctions hit register does not need to be complicated. It needs to be complete. The table below shows the minimum structure you can implement in a spreadsheet or a dedicated system.
| Field | Description | Example |
|---|---|---|
| Date and time of check | Exact date and time of the check — lists may be updated several times a day | 2026-05-20 10:47 |
| Person carrying out the check | First name, surname, and job title of the person who performed the check | Anna Kowalska, Compliance Specialist |
| Counterparty details — name | Full company name or individual’s first name and surname | ABC Transport Sp. z o.o. |
| Counterparty details — identifier | NIP, REGON, KRS (for Polish entities); equivalents for foreign entities | NIP: 1234567890 |
| Sanctions lists checked | Name of each list checked with the date or version | EU list (Consolidated List, version of 2026-05-19); MSWiA list (as at 2026-05-20) |
| Verification result | MATCH / POSSIBLE / CLEAR | CLEAR |
| Description of hit or justification | For POSSIBLE: description of the similarity and reason for exclusion or next steps. For CLEAR: may be left blank or “no hits found” | No hits on any list |
| Actions taken | What was done following the check — particularly important for MATCH and POSSIBLE | Transaction approved / Transaction suspended, manager notified |
| Related document number | Contract, order, or invoice number to which the check related (supplementary) | Contract No. 2026/05/123 |
A few notes on the template
The “Sanctions lists checked” field is critical — it is not sufficient to write “checked”. You need to know which version of the list you were working with on the day of the check. The EU Consolidated List maintained by the European Commission (DG FISMA) [7] and the Polish MSWiA list [8] may be updated without a fixed schedule, so the check date plus the list download date/version together create a complete picture.
For POSSIBLE results, document in detail: what raised the concern, which additional identifiers you examined, and why you ultimately ruled out the hit (or did not). Such documentation protects you in any subsequent proceedings — it shows that you did not ignore a warning signal but approached it methodically. How to distinguish a genuine hit from a name coincidence is described in the article on false positives in sanctions screening.
For a MATCH result — do not act unilaterally. Freeze the funds and report the matter to the Head of the National Revenue Administration (KAS) [6]. Document every step in the entire course of action, with dates and times.
A detailed description of how to interpret each of the three results and what to do step by step is provided in the article Counterparty verification for sanctions — a step-by-step guide.
How long to retain documentation
This question requires precision, because the answer differs depending on who you are.
If you are an obliged entity within the meaning of the Act of 1 March 2018 on counteracting money laundering and the financing of terrorism (Journal of Laws 2018, item 723) [1] — for example, a real estate intermediary or an insurance broker — there is a hard statutory rule: Article 49 of that Act requires documentation to be retained for 5 years from the date of termination of the business relationship with the client, or from the date on which an occasional transaction was carried out [1]. That is the minimum required directly by law.
If you are not an AML obliged entity — your sanctions obligation arises directly from EU Regulations 269/2014 [2] and 833/2014 [3], but neither of those acts explicitly specifies a retention period for verification documentation for non-financial companies. This means there is no hard statutory rule requiring you to keep the register for 5 years. However, applying the same 5-year standard as a prudential measure is solid compliance practice — it corresponds to the general limitation period for obligations under Polish civil law and gives you a safety buffer in any potential administrative proceedings.
Regardless of your legal category: deleting documentation before 5 years have elapsed from the date of the check is risky. Proceedings before the Head of KAS, or a regulatory inspection, may relate to transactions from several years ago — and the absence of documentation from that period makes an effective defence impossible.
If you carry on an activity where uncertainty about obliged-entity status is real — this applies, amongst others, to real estate agents, insurance agents, and brokers — read the article on the sanction screening obligation in the insurance sector or the real estate sector.
Form of the register — spreadsheet vs automated system
There is no regulation requiring you to maintain the register in a specific format. What matters is that the register is legible, complete, and available on demand to the regulatory authority. In practice, companies choose one of two approaches.
Spreadsheet (Excel, Google Sheets)
A spreadsheet is the simplest option, particularly for companies with a small number of counterparties — up to a few dozen checks per month. The advantages are zero implementation cost and full control over the structure. The disadvantages are the absence of automatic alerts, the risk of errors when completing entries manually, lack of built-in version control, and difficulty scaling. With a spreadsheet you need to remember to save backups regularly and to secure access — the register contains counterparties’ personal data and is therefore subject to GDPR.
If you opt for a spreadsheet, create it once using the template from the previous section and maintain the same structure throughout — a consistent history is legible to any auditor.
Automated system (dedicated screening software)
A dedicated sanction screening tool automates the entire process: it retrieves sanctions list updates, carries out checks according to defined rules, records results, and builds an audit trail without manual intervention. Every check is logged with the exact time, list version, and result — precisely in the form that a regulatory authority expects.
For companies processing tens or hundreds of checks per month, automation eliminates the risk of errors and omissions. An important criterion when selecting a system is the ability to install it within your company’s own infrastructure (on-premise) — your counterparties’ data does not need to leave your network.
A hit register maintained automatically by software is, in effect, a ready-made proof of due diligence — the verification history for each counterparty can be exported and presented to an inspector within minutes.
The hit register during a regulatory inspection
Oversight of compliance with sanctions regulations by non-financial companies falls within the competence of the Head of the National Revenue Administration (KAS) [6]. For AML obliged entities, supervision is exercised respectively by GIIF (Generalny Inspektor Informacji Finansowej — the General Inspector of Financial Information) [9] and — for entities supervised by KNF (Komisja Nadzoru Finansowego — the Polish Financial Supervision Authority) — the KNF itself. Each of these bodies has the power to demand documentation relating to sanctions screening carried out.
What does the authority check in practice? An inspector starts by asking whether the company has a sanctions procedure and whether it is being applied. The hit register is the evidence of application. The authority verifies in particular:
- Whether checks were carried out before every new business relationship and during the course of ongoing cooperation.
- Whether the register covers all counterparties, not only “suspicious” ones — selective checking is a red flag.
- Whether the register contains entries with dates and list versions, enabling confirmation that checks were current.
- How POSSIBLE and MATCH results were handled — whether documentation of actions taken exists.
- Whether the person who carried out the check is clearly identified.
An absent register, or a register with gaps (e.g. missing dates, missing list versions, missing results for some counterparties), is treated by the authority as an absence of verification in those areas. That in turn opens the way to administrative proceedings and a potential financial penalty under Article 6(2) of the Act of 13 April 2022 [6].
It is also worth knowing that Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 [10] — whose transposition deadline for EU Member States was 20 May 2025 — requires states to criminalise intentional sanctions violations. Poland already provides for criminal liability for breaches of the sanctions regime — complete compliance documentation is one of the arguments that can distinguish an “unintentional breach” from a “deliberate” one. A full breakdown of penalties and supervisory authorities is provided in the article What penalties apply for sanctions violations in Poland and the EU?
Most common errors in maintaining the register
In practice, companies that already have a hit register make several recurring mistakes. Each of them can undermine the evidentiary value of the documentation.
No list version date. You record the result “CLEAR” but do not record which version of the sanctions list you used or when you retrieved it. The authority cannot assess whether the check was current — lists change regularly with successive EU sanctions packages [7].
Checking only at first contact. A one-off check of a counterparty at the time of signing a contract is not sufficient. An entity that was “clean” a year ago may have been added to a list since then. The register must show periodic checks during the course of the business relationship.
Omitting CLEAR results. If the register contains only MATCH and POSSIBLE entries — clear hits — the authority may ask: where are the checks that returned no hits? Either they were not carried out, or they were not recorded. Both answers are problematic.
No name or signature of the person who carried out the check. The register must clearly indicate who performed the check. An anonymous entry stating “checked” is not evidence — it is not known who did it or whether that person had the requisite competence.
A form without an “actions taken” field. Merely recording a POSSIBLE result without describing the follow-up steps is half a record. The authority will check what the company did after the initial hit — whether it investigated thoroughly or simply ignored the signal.
Retrospective completion of the register. Filling in the register “from memory” weeks after the check took place is risky and easy to challenge. Entries should be added in real time — ideally on the day of the check or automatically by the system.
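A gap check over a register exported as CSV, covering the template fields and the recurring errors listed above. This is an added example, not code from the article or from Sanqto; the column names, the `entered_on` and `retrospective` columns, the date formats, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re
from datetime import datetime

RESULTS = {"MATCH", "POSSIBLE", "CLEAR"}
REQUIRED = ("checked_at", "checked_by", "counterparty_name",
            "counterparty_id", "lists_checked", "result")
ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")

# Constructed sample register (not real data); column names are assumptions.
SAMPLE = """\
checked_at,checked_by,counterparty_name,counterparty_id,lists_checked,result,description,actions_taken,entered_on,retrospective
2026-05-20 10:47,"Anna Kowalska, Compliance Specialist",ABC Transport Sp. z o.o.,NIP: 1234567890,"EU list (version of 2026-05-19); MSWiA list (as at 2026-05-20)",CLEAR,No hits on any list,Transaction approved,2026-05-20,no
2026-05-21 09:10,,Example Trading GmbH,VAT-EU: DE000000000,checked,CLEAR,,,2026-05-21,no
2026-05-22 14:30,"Jan Nowak, Compliance Officer",Sample Logistics Ltd,CRN: 00000000,"EU list (version of 2026-05-22); MSWiA list",POSSIBLE,,,2026-06-15,no
"""


def parse(text, fmt):
    """Parse a timestamp, returning None when it is empty or malformed."""
    try:
        return datetime.strptime(text, fmt)
    except ValueError:
        return None


def audit_entry(row):
    """Return the gaps an inspector would find in one register entry."""
    get = lambda field: (row.get(field) or "").strip()
    gaps = [f"missing {f}" for f in REQUIRED if not get(f)]
    checked = parse(get("checked_at"), "%Y-%m-%d %H:%M")
    if get("checked_at") and checked is None:
        gaps.append("checked_at must hold date and time")
    result = get("result").upper()
    if result and result not in RESULTS:
        gaps.append(f"unknown result {result!r}")
    # Every list named must carry the date or version that was checked.
    for part in filter(None, (p.strip() for p in get("lists_checked").split(";"))):
        if not ISO_DATE.search(part):
            gaps.append(f"no list date/version: {part}")
    if result in {"MATCH", "POSSIBLE"} and not get("actions_taken"):
        gaps.append("no actions taken recorded")
    if result == "POSSIBLE" and not get("description"):
        gaps.append("POSSIBLE without justification")
    # Entries written after the day of the check must be marked as such.
    entered = parse(get("entered_on"), "%Y-%m-%d")
    if checked and entered and entered.date() > checked.date() \
            and get("retrospective").lower() != "yes":
        gaps.append("entered after the check day, not marked retrospective")
    return gaps


def audit_register(csv_text):
    """Audit a whole register: per-row gaps plus register-level findings."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    entries = {}
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        gaps = audit_entry(row)
        if gaps:
            entries[line_no] = gaps
    register = []
    if rows and not any((r.get("result") or "").strip().upper() == "CLEAR"
                        for r in rows):
        register.append("no CLEAR results recorded")
    return {"entries": entries, "register": register}


if __name__ == "__main__":
    report = audit_register(SAMPLE)
    for line_no, gaps in report["entries"].items():
        print(f"line {line_no}: " + "; ".join(gaps))
    for finding in report["register"]:
        print("register: " + finding)
```
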
FAQ — frequently asked questions about the sanctions hit register
Do I have to maintain a hit register if I run a small company?
Yes. The sanctions obligation arises from EU regulations [2][3], which apply to every company operating in the EU — regardless of size. The register is proof that you are fulfilling that obligation. A small company can maintain it in a simple spreadsheet — what matters is that it is complete.
Must the register have a specific legal form or an official template?
No — neither Polish law nor EU law imposes a specific template for a sanctions hit register on non-financial companies. What counts is completeness and the ability to reconstruct the verification history for each counterparty. The template in this article may be treated as the minimum.
If a counterparty is already in my database and I simply want to “recheck” them — do I create a new entry?
Yes, every new check should have its own entry in the register — with the current date, list version, and result. Do not overwrite old entries. The verification history for each counterparty is valuable: it shows from what point you have been checking them and how frequently.
Do I have to record checks on foreign counterparties differently from Polish ones?
The entry format is the same. The only difference is the identification details — for foreign entities you record the equivalent of a Polish NIP from their country of registration (e.g. VAT-EU, EIN, Company Registration Number). You check them against the same lists: the EU list, the MSWiA list [8], the UN list, and where relevant OFAC [11].
How long must I retain the register after I have ended cooperation with a counterparty?
For AML obliged entities — 5 years from the end of the business relationship (Article 49 of the AML Act [1]). For non-financial companies there is no hard statutory rule, but applying the same 5-year standard is good practice. After that period you may consider deleting the data, bearing in mind your GDPR obligations regarding personal data retention periods.
Does sanction screening software automatically maintain the register?
Good sanction screening software logs every check automatically — with the date, result, and list version. That is its core function. When purchasing or implementing a system, ask the supplier whether the verification history can be exported in a format accepted by regulatory authorities (e.g. CSV or digitally signed PDF).
What to do — a step-by-step list
- Create the register — use the table template from this article. If you already have something similar, check that it contains all the required fields: date + time, who carried out the check, counterparty details, list (with date/version), result, actions taken.
- Fill in any missing entries — if you have been carrying out checks but not maintaining a register: fill in what you can recall or reconstruct from other documents (emails, system histories). Retrospective documentation is better than no documentation — but mark the entries as having been added retrospectively.
- Designate a responsible person — the register must have an owner. The person assigned to compliance is responsible for ensuring that every check is recorded in real time.
- Establish a “who, when, and how” procedure — when a check must be carried out (before every new transaction, periodically for ongoing counterparties), who carries it out, and who approves the result in cases of POSSIBLE or MATCH.
- Define the retention period — include in your company’s sanctions policy a statement that documentation is retained for at least 5 years from the date of the check or the end of the business relationship (whichever is later).
- Secure access to the register — the register contains personal data (names, NIP numbers, counterparty details) and is therefore subject to GDPR. Restrict access to those who need to read or update it. Maintain a backup.
- Consider automation — if the number of checks is growing (several dozen or more per month), manually maintaining the register itself becomes a risk. An automated system eliminates human error and ensures complete documentation without additional effort. It is also worth linking the register to your company’s sanctions policy — we describe the document templates separately.
How Sanqto can help
Sanqto is sanction screening software designed for companies outside the financial sector — such as travel agencies, insurance agencies, real estate intermediaries, and e-commerce businesses. The system operates on-premise: your counterparties’ data does not leave your company’s infrastructure. Every check is recorded automatically and returns one of three results — MATCH, POSSIBLE, or CLEAR — building a ready audit trail without any manual register entries. As part of the implementation package, we also offer a ready-made hit register template and sanctions policy — tailored to the sector in which you operate. Find out how Sanqto works in your sector: sanction screening for travel agencies and the tourism industry, sanction screening for real estate intermediaries, sanction screening for insurance brokers and agents.
Legal basis
Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine — CELEX 32014R0269
Council Regulation (EU) No 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine — CELEX 32014R0833
Council Regulation (EU) No 765/2006 of 18 May 2006 concerning restrictive measures in view of the situation in Belarus — CELEX 32006R0765
Act of 13 April 2022 on special solutions for counteracting support for aggression against Ukraine and for the protection of national security (Journal of Laws 2022, item 835) — ISAP
Act of 1 March 2018 on counteracting money laundering and the financing of terrorism (Journal of Laws 2018, item 723) — ISAP
Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures — CELEX 32024L1226
Polish sanctions list (MSWiA) — maintained by the Minister of Internal Affairs and Administration: gov.pl/web/mswia/lista-osob-i-podmiotow-objetych-sankcjami
EU Consolidated List (Financial Sanctions Database / FSD) — maintained by the European Commission (DG FISMA): finance.ec.europa.eu
Footnotes
Information, not legal advice. This article is for informational and educational purposes only. It does not constitute legal advice. Legal status as of: 2026-05-20. Your company’s specific obligations depend on its business profile and require individual assessment — if in doubt, consult a lawyer or compliance adviser.
[1] Act of 1 March 2018 on counteracting money laundering and the financing of terrorism (Journal of Laws 2018, item 723), Article 49: five-year retention period for documentation from the date of termination of the business relationship with the client or from the date on which an occasional transaction was carried out — ISAP
[2] Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine — CELEX 32014R0269
[3] Council Regulation (EU) No 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine — CELEX 32014R0833; source: DG FISMA — finance.ec.europa.eu
[4] EUR-Lex: “A regulation is binding in its entirety and directly applicable in all Member States.” — eur-lex.europa.eu
[5] Act of 13 April 2022 on special solutions for counteracting support for aggression against Ukraine and for the protection of national security (Journal of Laws 2022, item 835) — ISAP; Sejm API
[6] Act of 13 April 2022 (Journal of Laws 2022, item 835), Article 6(2): “The financial penalty referred to in paragraph 1 shall be imposed by way of decision by the Head of the National Revenue Administration and shall amount to up to PLN 20,000,000.” — ISAP
[7] EU Consolidated Sanctions List maintained and updated by the European Commission (DG FISMA) — finance.ec.europa.eu
[8] Polish sanctions list maintained by the Minister of Internal Affairs and Administration (MSWiA), published in the MSWiA Public Information Bulletin — gov.pl/web/mswia/lista-osob-i-podmiotow-objetych-sankcjami
[9] Act of 1 March 2018 on counteracting money laundering and the financing of terrorism (Journal of Laws 2018, item 723): GIIF (Generalny Inspektor Informacji Finansowej — General Inspector of Financial Information), operating within the Ministry of Finance as the competent authority for AML matters — ISAP
[10] Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures, transposition deadline: 20 May 2025 — CELEX 32024L1226
[11] OFAC (Office of Foreign Assets Control, U.S. Department of the Treasury) — SDN list (Specially Designated Nationals and Blocked Persons List) — ofac.treasury.gov