Does a Hotel Have to Screen Guests Against Sanctions?

EU sanctions affect your hotel directly — whether you run a hostel, a boutique hotel, or a conference centre. Most hoteliers assume sanctions are a problem for banks. The reality is different: the ban on making resources available to persons on the sanctions lists stems from an EU regulation that applies directly to every entity operating within the Union. A hotel room is an economic resource within the meaning of that law. If you make it available to a listed person, you breach the regulation — not a recommendation, not a guideline, but a legal act in force without any transposition into national law.

This article explains when and whom you must screen, which lists to use, and what a practical check-in verification workflow looks like.

TL;DR

• Every hotel in Poland is obliged not to make resources available to persons on the sanctions lists — this stems from Article 2(2) of Council Regulation (EU) No 269/2014 ¹, not from the AML Act.
• A hotel is normally NOT an “obliged institution” within the meaning of the AML Act of 1 March 2018 — but that does not protect it from the sanctions rules, which form a separate legal regime.
• A hotel room, a conference hall, a serviced apartment = an “economic resource” within the meaning of Article 1(d) of Regulation 269/2014 ². Making it available to a listed person = a breach of the prohibition.
• The biggest risks: individual guests from sanctioned countries (RU, BY, IR, SY, KP), corporate bookings with a listed shareholder, long stays of more than a few weeks, and MICE events with foreign sponsors.
• Screening is carried out before the stay — not after check-in.
• Administrative penalty: up to PLN 20,000,000, imposed by the Head of the National Revenue Administration (KAS) under Article 6(2) of the Act of 13 April 2022 ³.
• Directive (EU) 2024/1226 of 24 April 2024 criminalises intentional sanctions violations. Poland was required to implement it by 20 May 2025 ⁴ — the draft act designated UC92, known as the “major sanctions act”, is going through the legislative process.

Is a hotel an obliged institution within the meaning of the AML Act?

Let us start with a common misunderstanding. The Act of 1 March 2018 on counteracting money laundering and terrorist financing (Journal of Laws 2018, item 723, as amended; hereinafter: the AML Act) contains a closed list of obliged institutions in Article 2(1). Hospitality as a category does not appear on that list — a hotel carrying out standard accommodation activity is not an obliged institution (OI) within the meaning of that act.

There is one exception worth noting: Article 2(1)(23) of the AML Act covers “entrepreneurs to the extent that they accept or make payments for goods in cash of a value equal to or exceeding the equivalent of EUR 10,000” ⁵. The key word is “goods” — the provision concerns payments for goods, not services. A hotel primarily provides an accommodation service, which is why, as a rule, it does not qualify for this category merely by running a hotel. Individual situations — for example, the sale of equipment, goods on the premises, or similar deliveries of a goods-like nature — may shape the assessment differently. Leave that determination to a law firm.

For completeness: even if your hotel exceptionally met the condition in point 23 and were an OI, the separate cash thresholds in Article 35(1) of the AML Act cover two different situations — the general occasional-transaction threshold (EUR 15,000) and the cash occasional transaction of an institution under point 23 (EUR 10,000) ⁶.

The lack of OI status means no obligation to apply financial security measures (the former KYC — Know Your Customer), to report transactions to the General Inspector of Financial Information (GIIF), or to maintain a beneficial-owners register. That, however, is an entirely separate matter from the sanctions obligations.

AML and sanctions — two separate legal regimes

It is worth keeping this distinction in mind, because it is confused all the time. The AML regime arising from the Act of 1 March 2018 applies only to obliged institutions and imposes obligations on them: applying financial security measures, reporting suspicious transactions to the GIIF, and maintaining internal procedures. The sanctions regime arising from EU Regulations 269/2014 and 833/2014 and the Act of 13 April 2022 applies to all entities operating within the EU and Poland — regardless of OI status. These are not rules for banks. These are rules for everyone. You will find a fuller explanation of this difference in the article on the difference between AML and sanctions.

On what legal basis must a hotel screen its guests?

The central basis is Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine (hereinafter: Reg. 269/2014). Article 2(2) of Reg. 269/2014 states expressly: “No funds or economic resources shall be made available, directly or indirectly, to or for the benefit of natural persons or natural or legal persons, entities or bodies associated with them listed in Annex I.” ¹

What is an “economic resource”? Article 1(d) of Reg. 269/2014 defines economic resources as “assets of every kind, whether tangible or intangible, movable or immovable, which are not funds, but may be used to obtain funds, goods or services” ². A hotel room is a tangible asset that may generate financial or economic benefit for the guest. A conference hall, a car park, a serviced apartment — the same applies. Making any of these resources available to a listed person constitutes a breach of Article 2(2) of Reg. 269/2014.

It is worth noting that Council Regulation (EU) No 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions — in the consolidated versions reviewed — does not contain a ban on accommodation or lodging services as a separate category. The sectoral prohibitions in 833/2014 concern energy, finance, dual-use goods, and maritime logistics. A hotel’s sanctions obligation therefore arises primarily from Reg. 269/2014, not from Reg. 833/2014.

A supplementary national basis is the Act of 13 April 2022 on special measures to counteract support for aggression against Ukraine and to protect national security (Journal of Laws 2022, item 835, as amended; hereinafter: the Sanctions Act). Article 3(1)–(2) of the Sanctions Act grants the minister responsible for internal affairs the power to maintain the Polish sanctions list — persons and entities directly or indirectly supporting the Russian Federation’s aggression against Ukraine are subject to listing ⁷. Penalties for breaching the prohibition on making resources available are imposed by the Head of KAS under Article 6(2) of that act ³.

A separate issue is the so-called 50% ownership rule. An entity controlled by more than 50% by a sanctioned person is itself treated as subject to sanctions — even if the company as such does not appear by name on any list ⁸. This is directly relevant for corporate bookings and MICE events: a clean company, but an owner on the list = a sanctioned company. You can read more about this rule in the dedicated article on the 50% ownership rule in EU sanctions.

We cover the full legal basis for the sanction screening obligation for non-financial companies in a separate pillar article.

Which situations in a hotel carry the highest risk?

Not every booking requires in-depth verification — but certain scenarios should automatically trigger the screening procedure. Here are the most significant ones.

An individual stay from a sanctioned country. A guest with a Russian, Belarusian, Iranian, Syrian, or North Korean (DPRK) passport is not automatically a sanctioned person — sanctions concern specific individuals, not nationalities. However, the mere fact of citizenship of a high-risk country is a legitimate trigger for verification against the sanctions list before check-in.

A corporate booking. The company commissioning the stay may be clean in the register, but its shareholder may not be. Under the 50% ownership rule ⁸, it is enough for an entity on the sanctions list to hold more than half of that company’s ownership rights for the company itself to become sanctioned. With a corporate booking, you screen the company and its shareholders.

Long stays and serviced apartments. A stay of more than a few weeks has a character close to making real estate available for use — analogous to leasing or long-term rental. The risk is higher in proportion to the economic value of the service provided. We describe an analogous mechanism in transport and freight forwarding in the article on sanctions in transport and freight forwarding.

MICE events (Meeting, Incentive, Conference, Exhibition). With conference or incentive events, the risk concerns not only the participants but above all the organiser, the sponsors, and the entities financing the event. For large events involving foreign delegations, verification is essential as early as the stage of signing the contract with the organiser.

A booking through an intermediary (OTA, travel agent). When the booking is placed by an OTA platform or a travel agency and the hotel does not know the guest’s direct details, the question of liability arises. The answer under EU law is unequivocal: the obligation arises from the legal relationship in which the hotel makes a resource available — regardless of the booking channel. The absence of guest data does not relieve your hotel of liability. It is worth regulating this in the contract with the OTA or agent.

Payment by bank transfer from a bank or account in a sanctioned country. A transfer from a foreign account is not automatically a breach, but it is a trigger for verifying the payer’s identity.

Table: Risk scenarios in hospitality

Whom to screen and from which list?

The basic list every hotel in Poland should know is the EU Consolidated Sanctions List. It is maintained by the European Commission and covers persons and entities from all EU sanctions regimes, including those under Reg. 269/2014. You can read more about how to use this list in the article on the EU consolidated sanctions list.

The second mandatory list is the Polish sanctions list maintained by the Ministry of the Interior and Administration (MSWiA). It is maintained by the minister responsible for internal affairs under Article 3 of the Sanctions Act ⁷. The list is available on the gov.pl website and covers persons and entities listed by administrative decision on the grounds of supporting the aggression against Ukraine.

Optionally — if your hotel accepts payments in USD or serves clients from the United States — it is worth including the OFAC SDN list (Specially Designated Nationals and Blocked Persons List) maintained by the U.S. Department of the Treasury.

Whom to screen:

• The person making the booking (first name, surname) — always
• The person checking in, if different from the person who booked — always
• The payer for the stay, if different from the guest — always
• The company sponsoring the stay (for a corporate booking) + its shareholders (50% rule) ⁸
• The organiser and sponsors of the event (for MICE) — before signing the contract

When to screen: at the booking stage in advance, or at the latest before check-in. Screening after check-in is technically possible but operationally too late — if the guest is already staying at the hotel, the problem becomes more complicated.

The list is updated with each successive EU sanctions package — an argument for automating screening instead of manual searching. You will find a description of verification methods in the article on how to technically verify a counterparty.

Step by step — how to implement screening at a hotel

You can roll out the workflow below at your reception desk right away, even without automated screening software.

Step 1 — Collect data at the booking stage. You need: the guest’s first name and surname, nationality, and the name of the company sponsoring the stay (if it is a corporate booking). For MICE events: the details of the organiser and the financing entities. Without these data, screening is impossible.

Step 2 — Check before the stay. Verify the guest against the EU consolidated list and the Polish MSWiA list. For corporate bookings, also check the company and its shareholders ⁸. For USD payments or clients from the United States, additionally check the OFAC SDN list. We explain how sanction screening works on the technical side in the article on how sanction screening works.

Step 3 — Assess the result. Three possible verification outcomes: CLEAR (no match — standard service), POSSIBLE (a similarity in the data without certainty — request an additional identity document and distinguish from the listed person), MATCH (a hit — refuse to provide the service).

Step 4 — On a MATCH result: refuse and escalate internally. You do not have police powers — you do not detain the guest. The correct course of action is: refuse the accommodation service, immediately escalate internally to management or the designated person responsible for compliance, and seek legal advice. Disclosure of funds or reporting suspicious circumstances to the relevant authority (the GIIF or another competent body) follows the hotel’s internal policy.

Step 5 — Document the verification result. Record: the result of the check (CLEAR / POSSIBLE / MATCH), the date and time, the guest’s data, who carried out the verification, and which lists were checked. This documentation is evidence of due diligence in the event of an inspection or administrative proceedings.

Step 6 — For groups and MICE events. Organise batch verification based on the list of participants delivered before the event — not on the day it opens. The minimum is verification of the organiser and sponsors. For large corporate groups, verify all participants.

Step 7 — Regulate liability with intermediaries. If your hotel operates through OTAs or travel agents, agree in writing (a contract or annex) who carries out the screening and what scope of data is required. Remember: the hotel still remains liable for the fact of making a resource available to a sanctioned person.

What is NOT required: you do not have to refuse service to every citizen of Russia, Belarus, or Iran. You screen specific personal data against a specific database — not nationality.

The specifics of MICE events and long-term stays

The MICE and long-stay segments deserve separate treatment, because their risk profile differs from that of a standard individual stay.

For MICE events, the risk lies mainly not in the participants — it lies in the structure of the event’s financing. Sponsors from abroad, companies covering the costs of the conference, organisers using a legal entity from a sanctioned country — these are the risk vectors. Before signing a contract with an event organiser, verify their details and ownership structure in line with the 50% rule ⁸. A list of participants delivered a week before the event is the minimum — for large corporate events it should reach you earlier.

A stay in a serviced apartment lasting more than a month approaches, in character, the making of real estate available for use. In terms of sanctions risk, the argument is analogous: you are handing over an economic resource of significant economic value for an extended period. It is worth treating such bookings as elevated-risk transactions — with full verification of both the guest and the sponsoring company.

Industry hospitality organisations (IH&RA, HOTREC) have not, to date, published dedicated sanctions-compliance guidelines for the hotel sector. The absence of a central guide means that each property operator must shape its own internal procedure — relying directly on EU and Polish law.

What do you risk if you do not screen?

It is worth knowing the penalties and consequences — not to be afraid, but to understand what is at stake.

An administrative penalty of up to PLN 20,000,000. Under Article 6(2) of the Act of 13 April 2022, the Head of the National Revenue Administration (KAS) may impose a financial penalty of up to PLN 20,000,000 for breaching the prohibition on making resources available to persons on the sanctions lists ³. The scope of Article 6(1) of that act covers any person or entity that fails to comply with the obligation arising from Reg. 269/2014 — it is not limited to AML obliged institutions. The penalty does not require proof of intent — the objective fact of making a resource available to a sanctioned person is enough. You will find a full overview of penalties in the article on penalties for violating EU sanctions.

The risk of criminal liability. Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures (CELEX 32024L1226) imposed on Member States an obligation to criminalise intentional sanctions violations ⁴. The implementation deadline was 20 May 2025 ⁴ — Poland did not implement the directive by that date; the draft act designated UC92 is going through the legislative process as at the date of publication of this article. Once implementation enters into force, intentionally violating sanctions will be a criminal offence for natural persons — including hotel management. The details of the directive are discussed in the article on the Directive 2024/1226 on the criminalisation of sanctions violations.

Banking and reputational risk. The bank servicing your hotel may block the account if it detects a transaction with a sanctioned entity — even before the Head of KAS opens proceedings. Blocking the hotel’s operating account is an immediate practical consequence, independent of administrative proceedings.

FAQ — hoteliers’ questions about sanctions

Do I have to screen every guest, or only citizens of Russia? You screen personal data, not a passport. The sanctions obligation concerns specific persons entered on the lists — their nationality is secondary. In practice, for efficiency, it is worth adopting a risk-based approach: guests from high-risk countries (RU, BY, IR, SY, KP) and corporate bookings from those countries require verification as a priority. Verification based solely on nationality is insufficient and legally problematic (discrimination). Verification based on data in the sanctions lists is the correct approach.

Who is liable when the booking is placed by an OTA and the hotel does not know the guest? The hotel makes the resource available — and it is the hotel that bears sanctions liability for that fact. The booking channel is operationally irrelevant from the standpoint of Reg. 269/2014. It is worth regulating in writing with each OTA or agent: who collects the guest’s data and who carries out the screening. The hotel must still be able to demonstrate that verification was performed.

Do I have to keep a register of screening results? There is no statutory obligation for hotels to keep a register of verifications (unlike AML obliged institutions). However, documenting screening results is the best evidence of due diligence in the event of an inspection or administrative proceedings. The lack of documentation offers no protection — the resource was made available regardless.

What should I do when the result is POSSIBLE — a similarity of names, but no certainty? Do not refuse service automatically. Ask for an additional identity document and compare the detailed data with the entry on the list: date of birth, nationality, address. If, after the additional verification, there is no match — CLEAR. If doubts remain — seek legal advice before check-in.

How often are the sanctions lists updated? The EU consolidated list is updated with each successive sanctions package — regularly, though the intervals between updates vary. This is one of the reasons why manually searching the search tool on the EUR-Lex website is inefficient with a regular flow of guests.

How Sanqto can help

Sanqto is sanction screening software installed within the client’s network (on-premise) — your guests’ data never leaves the hotel’s infrastructure. Verification runs in three response states: MATCH, POSSIBLE, CLEAR, with a response time below 30 ms , which lets you build it into the reception workflow without disrupting guest service. For the hospitality industry, this helps automate the verification stage at booking or check-in and reduce the risk of human oversight under heavy traffic. We describe the details of deployment in hotels on the page for the hospitality industry.

Legal basis

• Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine — CELEX 32014R0269
• Council Regulation (EU) No 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine — CELEX 32014R0833
• Act of 13 April 2022 on special measures to counteract support for aggression against Ukraine and to protect national security (Journal of Laws 2022, item 835, as amended) — ISAP
• Act of 1 March 2018 on counteracting money laundering and terrorist financing (Journal of Laws 2018, item 723, as amended) — ISAP
• Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures — CELEX 32024L1226
• DG FISMA — Sanctions adopted following Russia’s military aggression against Ukraine (Ownership rule section) — finance.ec.europa.eu

Footnotes

Information, not legal advice. This article is for information and educational purposes only and does not constitute legal advice. The specific legal assessment of an individual case should be carried out with a qualified lawyer specialising in sanctions and export-control law. Legal status: 27 May 2026.