A Warsaw-based IT services company wins a contract with a new foreign client. The onboarding team flags the client's ownership structure as opaque. No one in the company knows whether a formal risk assessment is required – or who is responsible for conducting it. Three weeks later, the General Inspector of Financial Information (Generalny Inspektor Informacji Finansowej, GIIF) opens a supervisory inquiry. The cost of that uncertainty is no longer theoretical.

The Polish Ustawa o przeciwdziałaniu praniu pieniędzy oraz finansowaniu terroryzmu (Anti-Money Laundering and Counter-Terrorism Financing Act, AML Act) imposes a layered set of obligations on designated entities – from internal procedure design to transaction monitoring and suspicious activity reporting. Obligated institutions that fail to implement compliant programmes face administrative fines of up to twice the benefit obtained or loss avoided or, where that cannot be determined, up to the equivalent of EUR 1,000,000; for financial-sector institutions (banks, payment institutions, investment firms and similar) the ceiling rises to the equivalent of EUR 5,000,000 or 10% of annual turnover, whichever is higher. The obligations apply from the moment an entity qualifies as an obligated institution, not from the date of a supervisory request.

This guide walks through the full compliance cycle: who qualifies as an obligated institution, what the core programme elements look like, where companies typically fail, and how to structure the process across three common business scenarios. Each section includes a concrete figure – a deadline, threshold, or cost – so your team can calibrate effort against actual risk.

Which Polish companies are obligated institutions under the AML Act?

The first step in any AML programme is determining whether your entity qualifies at all. The AML Act designates specific categories of obligated institutions. These include banks, payment institutions, investment firms, notaries, lawyers, tax advisers, accountants, real estate agents, virtual asset service providers, and – importantly – any entrepreneur that accepts or makes cash payments for goods equal to or exceeding the equivalent of EUR 10,000, whether in a single transaction or in several operations that appear to be linked. If your company falls into any of these categories, the compliance framework applies immediately; for the cash-payment category it applies to the extent of that activity, which is why a trading company can be an obligated institution for part of its business only.

The National Court Register (Krajowy Rejestr Sądowy, KRS) does not automatically flag entities as obligated institutions. That determination is the company's own responsibility. Many mid-sized Polish companies operating in sectors like real estate, professional services, or fintech discover their status only during a routine audit by the National Revenue Administration (Krajowa Administracja Skarbowa, KAS). By that point, the absence of internal procedures is already a sanctionable deficiency.

Foreign subsidiaries registered in Poland are subject to the same rules as domestic companies. A German holding company's Polish operating subsidiary qualifies as an obligated institution if it meets the sectoral criteria – regardless of where the parent is incorporated. The Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) supervises entities in the financial sector, while other supervisory bodies cover specific professions. Knowing which supervisor oversees your entity matters: enforcement styles and audit frequencies differ meaningfully.

Three categories deserve particular attention. First, virtual asset service providers (VASPs) face the strictest onboarding requirements and the shortest remediation windows. Second, real estate intermediaries must apply customer due diligence (CDD) to every transaction, not just high-value ones. Third, accounting firms and tax advisers are obligated institutions even when their AML exposure seems low – the Act makes no exception for firm size or transaction volume.

What does a compliant AML programme require?

A compliant AML programme under the AML Act has five mandatory components. Each must be documented, kept current (an annual review is the prudent standard), and approved by senior management. The absence of any single component is treated as a standalone violation – supervisors do not discount penalties because four out of five elements are in place.

The five components are:

  • A written risk assessment covering the entity's clients, products, delivery channels, and geographic exposure
  • Internal AML procedures describing how CDD is performed, how suspicious transactions are identified, and how reports are submitted to the GIIF
  • A designated AML compliance officer (or, for smaller entities, a named senior manager assuming that role)
  • A training programme covering all employees who handle transactions or client onboarding, with delivery at least once every 12 months as the common standard
  • An independent internal audit or review of the programme, conducted at a frequency proportionate to the entity's risk level

The risk assessment is the foundation. Without it, CDD decisions lack a documented basis. Polish supervisory guidance – issued by the GIIF and sector-specific regulators – requires the risk assessment to distinguish between low, medium, and high-risk client categories. High-risk clients trigger enhanced due diligence (EDD), which includes source-of-funds verification and, in many cases, senior management sign-off before onboarding proceeds.

We secured a reversal of a supervisory fine exceeding PLN 800,000 for a real estate advisory client in the Mazowieckie region (autumn 2025). The original penalty was issued because the firm's risk assessment had not been updated following a change in the client base. The updated documentation – prepared and submitted within 30 days of the supervisory inquiry – formed the basis for the appeal that succeeded before the administrative court.

For companies building their programme from scratch, a realistic timeline is 8 to 12 weeks. The risk assessment alone typically requires 3 to 4 weeks of structured data gathering. Procedure drafting and staff training add another 4 to 6 weeks. Entities that attempt to compress this timeline into two or three weeks consistently produce documentation that fails a supervisory review.

To discuss how AML programme design applies to your entity's structure, reach out to info@kordeckipartners.com. Every obligated institution faces a specific configuration of risk – a generic template does not satisfy the AML Act's requirement for a tailored, entity-specific assessment.

Where do Polish companies most often fail AML audits?

Supervisory findings from GIIF enforcement actions identify four recurring deficiencies. Understanding these failure modes is more useful than reviewing the statute in the abstract – each deficiency has a direct remediation path.

The first and most common failure is a risk assessment that was prepared once and never updated. The AML Act requires the assessment to reflect the entity's current client base, product mix, and geographic exposure, and to be updated at least every two years. Companies that onboard new client segments – or enter new markets – without revising their assessment are non-compliant from the date the change occurred, because a material change in business activity triggers an immediate update obligation irrespective of the two-year outer limit. In practice, the gap between reviews should not exceed 12 months.

The second failure is incomplete beneficial ownership (UBO) identification. Polish law requires obligated institutions to identify and verify the ultimate beneficial owner of every corporate client. Where the ownership chain runs through multiple jurisdictions, entities frequently stop at the first layer of ownership. That is not sufficient. The obligation runs to the natural person who ultimately controls the client, regardless of how many intermediate holding vehicles sit between them and the Polish entity.

The third failure is inadequate suspicious transaction reporting. The trigger for a suspicious activity report (SAR) to the GIIF is not a monetary amount – it is a reasonable suspicion that a transaction is linked to money laundering or terrorist financing. This is distinct from the above-threshold transaction reports that certain institutions must file regardless of suspicion. Many compliance teams nonetheless apply an informal minimum threshold of PLN 50,000 or more to suspicion-based reporting. That approach is legally incorrect and has led to fines in several documented cases.

The fourth failure is training records that cannot be produced on request. Supervisors routinely ask for attendance logs, training materials, and evidence that employees who joined after the last training cycle have been covered. Gaps in training documentation are treated as gaps in the programme itself.

For companies with operations across multiple European jurisdictions, the compliance design for Spanish and Czech subsidiaries operating in Poland adds further considerations. Our guide on compliance programme design for Spain subsidiaries in Poland addresses how group-level frameworks interact with Polish AML requirements.

How do three business scenarios shape the AML compliance approach?

AML obligations are uniform in their legal basis but highly variable in their practical application. Three scenarios illustrate how the same statutory framework produces different programme designs, cost structures, and risk priorities.

Scenario 1 – Manufacturing company with trade finance exposure. A Silesian manufacturer exports to clients in Central Asia and the Middle East. Its bank classifies several of those counterparties as located in high-risk jurisdictions. The manufacturer is not itself a financial institution, but it accepts cash payments for goods at or above the equivalent of EUR 10,000 and therefore qualifies as an obligated institution within the scope of that activity. Its AML programme must include geographic risk mapping, enhanced CDD for clients in listed high-risk countries, and a process for escalating unusual payment patterns to the compliance officer. The annual cost of maintaining this programme – including external legal review – typically falls between PLN 15,000 and PLN 30,000 for a company of this size.

Scenario 2 – IT services company onboarding international clients. A Warsaw-based software firm wins contracts with clients registered in jurisdictions with opaque corporate registries. Its primary AML exposure is UBO identification. The firm must implement a structured onboarding checklist, maintain CDD records for five years from the end of the client relationship (or, for an occasional transaction, from the date of that transaction), and train its account management team on red-flag indicators. The five-year record retention obligation is absolute – it applies even if the client relationship consists of a single transaction.

Scenario 3 – Foreign investor acquiring Polish real estate. A Dutch investment vehicle acquires a portfolio of commercial properties through a Polish SPV. The Polish notary handling the transaction is an obligated institution. So is any real estate agent involved. The SPV itself may also qualify, depending on its activity. For cross-border property transactions, our guide on buying property in Poland provides relevant context on how ownership structures interact with AML screening obligations at the transactional level.

Our team obtained interim protection for an IT sector client's compliance documentation in a regulatory investigation in Lower Silesia (spring 2026). The client had implemented a programme but lacked a clear audit trail showing when each procedure was approved. Reconstructing that trail within the supervisory deadline – 14 days from the initial request – required structured document recovery and legal coordination across three internal teams.

For a tailored strategy on AML programme design across your entity's specific scenario, contact info@kordeckipartners.com. The difference between a programme that passes supervisory review and one that does not often comes down to documentation sequencing rather than substantive gaps.

What does the AML compliance checklist look like in practice?

A practical compliance checklist translates the five programme components into concrete deliverables. The list below reflects the minimum documentation set that Polish supervisors expect to find during an on-site inspection. Missing any item does not automatically trigger a fine – but it does shift the burden onto the entity to explain the gap.

  • Written risk assessment signed by a senior manager, dated within the last 12 months (the Act's outer limit for updates is two years), covering clients, products, channels, and geographies
  • Internal AML procedures document, version-controlled, referencing the current risk assessment
  • Appointment letter or board resolution designating the AML compliance officer by name and role
  • Training attendance records for all relevant employees, with dates and materials attached
  • Log of CDD files for all active clients, including UBO identification documentation and the date of last review

Companies operating within a group structure face an additional layer. Group-level AML policies issued by a foreign parent do not automatically satisfy Polish law requirements. The Polish entity must have its own documentation that maps group policy to the specific obligations under the AML Act. A reference to "Group Compliance Policy v.4" is not a substitute for a Polish-law-compliant internal procedure. This is the single most common gap we encounter in foreign-owned Polish subsidiaries.

The Czech subsidiary context raises similar issues. Our article on compliance programme design for Czech Republic subsidiaries in Poland sets out how to align group frameworks with Polish regulatory expectations without duplicating documentation unnecessarily.

Timeline summary: risk assessment – 3 to 4 weeks; procedure drafting – 2 to 3 weeks; training delivery – 1 to 2 weeks; independent review – 1 to 2 weeks. Total: 8 to 12 weeks from project start to a supervisory-ready programme. Entities under active supervisory inquiry should compress this to 4 to 6 weeks and seek legal support immediately.

Frequently asked questions

Q: How often must the AML risk assessment be updated?

A: The AML Act requires the risk assessment to be updated at least every two years and, in addition, whenever there is a material change in the entity's activity – such as a new client segment, product, or geographic market. In practice, a review at least once every 12 months is the prudent standard. A review that produces no changes must still be documented as a completed review, with the date and name of the reviewer recorded.

Q: Does a small Polish company with only domestic clients need a full AML programme?

A: This is a common misconception. The obligation to have an AML programme does not depend on the size of the company or the nationality of its clients. It depends on whether the entity qualifies as an obligated institution under the AML Act. A domestic-only accounting firm with ten clients is as obligated as a large bank – the programme may be simpler, but it must exist and be documented. Supervisors have issued fines against micro-enterprises for the absence of a written risk assessment.

Q: What does AML compliance cost for a mid-sized Polish company?

A: Costs vary significantly by sector and complexity. For a professional services firm with a straightforward client base, initial programme design – including legal drafting, risk assessment, and training – typically costs between PLN 10,000 and PLN 25,000. Annual maintenance, including the mandatory review and updated training, adds PLN 5,000 to PLN 15,000 per year. Companies with high-risk client profiles or cross-border exposure should budget at the higher end of both ranges. Whistleblower compliance systems, where required alongside AML, add a further layer of cost and documentation.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AML compliance, ESG reporting, and regulatory risk management. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating CSRD Poland requirements, whistleblower compliance frameworks, and AML programme design. To discuss your situation, contact info@kordeckipartners.com.

Published: April 20, 2026

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.