A Kraków-based IT services company wins a new client in the financial sector. The procurement team flags an AML questionnaire. The compliance officer realises the firm has no internal procedures, no designated officer, and no documented risk assessment. The contract is at risk – and so is the company's registration with the General Inspector of Financial Information.

Polish anti-money laundering law imposes structured obligations on a defined list of "obligated institutions," including accountants, tax advisers, lawyers, real estate agents, virtual asset service providers, and certain corporate service providers. The primary statute is the ustawa o przeciwdziałaniu praniu pieniędzy oraz finansowaniu terroryzmu (Act on Counteracting Money Laundering and Terrorist Financing, AML Act), which implements the EU's Fourth and Fifth Anti-Money Laundering Directives. Penalties for non-compliance reach PLN 5 million or twice the benefit gained from the breach.

This guide walks through each compliance step in sequence: identifying whether your business is an obligated institution, building the required internal framework, conducting customer due diligence, training staff, and managing ongoing reporting obligations. Three business scenarios illustrate how the rules apply in practice.

Is your company an obligated institution under Polish AML law?

The first question is a threshold one: does your business fall within the statutory list of obligated institutions? The AML Act enumerates the categories. Financial institutions – banks, payment institutions, investment firms – are the obvious examples. Less obvious are notaries, attorneys, tax advisers, accountants, auditors, real estate agents, and providers of registered office or company formation services. If your company falls within any of these categories, the full compliance framework applies from day one of operations.

The General Inspector of Financial Information (Generalny Inspektor Informacji Finansowej, GIIF), operating within the Ministry of Finance, supervises most non-financial obligated institutions. Sector-specific supervisors include the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) for financial entities and the National Bar Council (Naczelna Rada Adwokacka, NRA) for attorneys. Knowing your supervisory authority matters: enforcement powers, inspection cycles, and reporting channels differ between them.

One common misconception: the operators of holding company vehicles and pure real estate holding structures sometimes assume AML obligations do not apply to them. That assumption is wrong where the entity provides any regulated service – even incidentally – to third parties. A manufacturing company with an in-house treasury function serving group entities may trigger the rules. When in doubt, a short eligibility analysis prevents a much costlier enforcement finding later.

  • Check whether your activity matches any category in the AML Act's enumerated list
  • Identify your supervisory authority – GIIF, KNF, or a professional self-regulatory body
  • Consider whether group-level services to third parties trigger separate obligations
  • Document the eligibility analysis and retain it for inspection purposes

What does the internal AML framework require?

Once obligated institution status is confirmed, the AML Act requires four core elements: a written internal procedure, appointment of a senior officer responsible for AML compliance, a documented risk assessment, and a functioning reporting channel. The internal procedure must be adopted before the company begins serving clients in the relevant category. There is no grace period. Failure to adopt procedures before commencing regulated activity is itself a breach, carrying fines of up to PLN 1 million for the first infraction.

The senior AML officer must sit at management level – a board member or a person directly reporting to the board. This is not a formality. The GIIF has issued findings against companies that delegated AML responsibility to junior compliance staff without board-level oversight. The officer's appointment must be documented and notified to the supervisory authority where required by sector rules.

The risk assessment is the analytical backbone of the framework. It must evaluate the company's exposure to money laundering and terrorist financing risk across four dimensions: clients, products and services, delivery channels, and geographic exposure. The assessment must be reviewed at least every two years – or immediately following a material change in business activity. We secured a successful GIIF inspection outcome for a fintech client in Mazowieckie (autumn 2025) by demonstrating that its risk assessment had been updated within 30 days of launching a new payment product.

The compliance programme design for German subsidiaries in Poland addresses how group-level AML frameworks interact with local Polish requirements – a practical consideration for subsidiaries operating under a parent's global compliance structure.

How does customer due diligence work in practice?

Customer due diligence (CDD) is the operational heart of AML compliance. The AML Act establishes three tiers: standard, simplified, and enhanced. Standard CDD applies to all new client relationships. It requires identity verification, identification of the beneficial owner (defined as any natural person holding more than 25% of ownership or voting rights), and assessment of the business relationship's purpose. Verification must occur before the relationship commences – not after the first transaction.

Simplified CDD is available for lower-risk clients, such as listed companies subject to public disclosure requirements or public authorities. Enhanced CDD applies to higher-risk situations: politically exposed persons (PEPs), clients from high-risk third countries identified on the EU list, complex or unusually large transactions, and any situation where the obligated institution identifies elevated risk. Enhanced CDD requires additional source-of-funds documentation and senior management approval before the relationship begins.

Ongoing monitoring is a continuing obligation, not a one-time exercise. Transactions must be screened against the client's risk profile. Where a transaction appears inconsistent with the declared business purpose, the institution must investigate and, where suspicion persists, file a suspicious activity report (SAR) with the GIIF within 24 hours of forming the suspicion. Failure to file a SAR where one is required carries personal liability for the responsible officer – not just an institutional fine.

For foreign investors structuring Polish operations, the compliance programme design for Luxembourg subsidiaries in Poland sets out how cross-border ownership structures affect beneficial ownership identification and CDD procedures.

What are the training, record-keeping, and reporting obligations?

The AML Act requires annual training for all staff involved in AML-relevant activities. Training must cover the typologies of money laundering and terrorist financing relevant to the company's specific risk profile, the procedures in force, and how to identify and escalate suspicious activity. Training records must be retained for five years. An inspection finding that training was not conducted – or was conducted but not documented – triggers fines and remediation orders.

Record-keeping obligations run in parallel. CDD documentation, transaction records, and risk assessments must be kept for five years from the end of the business relationship or the date of the transaction. Electronic records are permitted, but the system must allow retrieval within a reasonable time during an inspection. The GIIF has the power to demand records within 24 hours during an on-site inspection.

Reporting to the GIIF takes two forms. First, threshold reporting: cash transactions exceeding PLN 15,000 (or the equivalent in foreign currency) must be reported within 14 days. Second, SAR filing: any transaction or attempted transaction that raises suspicion of money laundering or terrorist financing must be reported immediately. The tipping-off prohibition applies from the moment a SAR is filed – disclosing to the client that a report has been made is itself a criminal offence.

Whistleblower compliance intersects here. Polish law implementing the EU Whistleblowing Directive requires companies with 50 or more employees to maintain an internal reporting channel. AML-related concerns – including suspected breaches of internal procedures – can be reported through this channel. Coordinating the AML reporting structure with the whistleblower channel avoids duplication and gaps.

We helped a real estate advisory firm in Małopolska (spring 2026) establish an integrated reporting system covering both AML obligations and whistleblower channel requirements, reducing the compliance overhead by consolidating documentation and escalation paths.

For businesses operating through development or construction structures, the analysis of development agreements in Poland (structure and risks) covers how AML obligations interact with real estate transaction documentation.

Three business scenarios: manufacturing, IT, and foreign investors

Understanding abstract rules is easier through concrete situations. Three scenarios illustrate how AML obligations materialise differently depending on the business model.

Manufacturing company with a corporate treasury function. A Silesian manufacturer provides cash pooling and intercompany lending to ten group entities. The treasury function qualifies as a payment service in certain configurations. If the function serves entities outside the group, the company may be an obligated institution. The immediate step is a written eligibility analysis. If obligated, internal procedures must be adopted within 30 days of the eligibility determination, and the board must appoint a senior AML officer.

IT company providing virtual asset services. A Warsaw-based software firm launches a token-based loyalty programme with transferable value. Virtual asset service providers are explicitly listed as obligated institutions under the AML Act. CDD obligations apply from the first user onboarding. The risk assessment must address the anonymity risk inherent in virtual assets and the geographic profile of users. Enhanced CDD applies where users are resident in high-risk jurisdictions.

Foreign investor establishing a Polish subsidiary. A German group acquires a Polish accounting firm. The Polish entity is an obligated institution by virtue of its accounting services. The parent's group-wide AML policy must be assessed for compatibility with Polish law requirements – gaps are common, particularly around beneficial ownership identification and SAR filing timelines. The local board carries personal liability for non-compliance, regardless of group policy.

  • Document the eligibility analysis before commencing regulated activity
  • Appoint the senior AML officer at board level and notify the supervisory authority
  • Complete the initial risk assessment before onboarding the first client
  • Implement CDD procedures with identity verification completed before relationship commencement
  • Schedule annual training and retain records for five years

Specific compliance situations often require tailored assessment. KORDECKI & Partners has advised clients across manufacturing, financial services, and technology sectors on building AML frameworks that satisfy GIIF expectations and integrate with group-level ESG reporting and CSRD obligations in Poland.

To receive an expert assessment of your company's AML compliance posture, contact info@kordeckipartners.com.

Frequently asked questions

Q: How long does it take to build a compliant AML framework from scratch?

A: For a small obligated institution with a straightforward client base, the core framework – internal procedure, risk assessment, officer appointment, and initial training – can be completed in four to six weeks. Larger entities with complex product ranges or significant geographic exposure should allow three to four months. The timeline depends heavily on whether the risk assessment requires external input and how quickly the board approves the internal procedure.

Q: Does a Polish subsidiary of a foreign group need its own AML procedures, or does the group policy suffice?

A: A common misconception is that a group-level AML policy satisfies Polish law requirements automatically. It does not. The AML Act requires a locally adopted procedure that reflects the specific risk profile of the Polish entity. Group policy can form the basis, but it must be adapted to address Polish supervisory requirements, SAR filing channels to the GIIF, and beneficial ownership identification under Polish rules. The local board remains personally liable for compliance.

Q: What does an AML compliance programme typically cost for a mid-sized Polish company?

A: Costs vary significantly. For a mid-sized obligated institution – say, an accounting firm with 20 to 50 staff – initial programme design typically involves 20 to 40 hours of legal advisory work, plus internal implementation time. Annual maintenance, including training and risk assessment updates, adds further cost. The relevant comparison is against the penalty exposure: fines reach PLN 5 million, and personal liability for the AML officer is uncapped in criminal proceedings. Early investment in a sound programme is consistently more cost-effective than post-inspection remediation.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AML compliance, ESG reporting, and internal investigations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.