A mid-sized Warsaw accounting firm receives a routine inspection notice from the General Inspector of Financial Information (Generalny Inspektor Informacji Finansowej, GIIF). The firm has clients in multiple jurisdictions, processes significant cash flows, and has never formally documented its anti-money laundering procedures. Within weeks, the inspector identifies gaps in customer due diligence records, missing risk assessments, and no designated AML compliance officer. The resulting fine exceeds PLN 1 million.

Polish anti-money laundering law – the Act on Counteracting Money Laundering and Terrorism Financing (ustawa o przeciwdziałaniu praniu pieniędzy oraz finansowaniu terroryzmu, the AML Act) – imposes structured compliance obligations on a defined category of businesses called obligated institutions. These businesses must implement internal procedures, conduct customer due diligence, appoint a compliance officer, and report suspicious transactions to the GIIF within specified deadlines. Failure to comply triggers administrative fines of up to PLN 5 million or 10% of annual turnover, whichever is higher, and personal liability for management board members.

This guide walks through the AML compliance framework step by step. It covers which entities are obligated, what internal procedures must contain, how customer due diligence works in practice, and what the three most common implementation mistakes look like across different business models. A checklist and FAQ close the guide for quick reference.

Which Polish companies fall under the AML Act?

The AML Act defines obligated institutions broadly. The list covers banks, payment institutions, investment firms, insurance companies, currency exchange operators, real estate agents, notaries, auditors, tax advisers, accountants, lawyers (in specific transaction types), and trust and company service providers. The National Court Register (Krajowy Rejestr Sądowy, KRS) lists over 400,000 entities that could fall within at least one of these categories.

For non-financial businesses, the threshold is activity-based rather than sector-based. An IT company that also provides corporate administration services – registering companies, managing registered offices – qualifies as a trust and company service provider. A real estate developer that acts as an intermediary in transactions qualifies as a real estate agent. Sector labels in the KRS are not determinative. The decisive question is what services the company actually provides.

Three scenarios illustrate the boundary clearly. First, a manufacturing company with no financial services component is not an obligated institution. Second, a holding company that provides intra-group treasury management may qualify as a payment institution depending on licensing status. Third, an accounting firm advising on corporate restructurings is an obligated institution regardless of its size. The Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) supervises licensed financial entities; the GIIF supervises the remaining categories directly.

  • Banks, payment institutions, e-money institutions
  • Currency exchange operators and virtual asset service providers (VASPs)
  • Real estate agents and notaries
  • Accountants, auditors, and tax advisers
  • Trust and company service providers

Self-assessment is the first practical step. Before designing any internal procedure, a company must determine whether it is an obligated institution at all. Getting this wrong in either direction is costly – operating without required procedures exposes the company to fines, while over-engineering compliance for a non-obligated entity wastes resources. For guidance on how this analysis applies to subsidiaries of foreign groups, see our note on compliance programme design for Lithuanian subsidiaries in Poland.

What must an AML internal procedure contain?

Every obligated institution must adopt a written internal AML procedure before it begins providing services to clients. The procedure is not a generic policy document. Polish AML law specifies the minimum content: a risk assessment methodology, customer due diligence rules, record-keeping obligations, suspicious transaction reporting rules, employee training requirements, and the scope of the compliance officer's duties. The procedure must be updated whenever the company's risk profile or applicable law changes – and at minimum reviewed every two years.

The risk assessment is the foundation. It must analyse the company's exposure to money laundering and terrorism financing risk across four dimensions: clients, products and services, transactions, and geographic exposure. A company serving predominantly domestic retail clients has a different risk profile from one serving corporate clients in high-risk jurisdictions. The GIIF publishes a national risk assessment (last updated in 2024) that obligated institutions must take into account when building their own assessments.

We assisted a logistics and freight-forwarding company in Silesia (autumn 2025) in restructuring its AML procedures after a GIIF pre-inspection review identified that its risk assessment had not been updated since 2021 and did not reflect the company's expansion into cross-border payments. The revised procedure reduced the company's residual risk rating and averted a formal investigation.

Three elements that procedures most commonly omit in practice:

  • Explicit treatment of politically exposed persons (PEPs) and their family members
  • Enhanced due diligence triggers for transactions above EUR 15,000 in cash
  • A documented escalation path from front-line staff to the compliance officer

The procedure must also address whistleblower channels. Under the Whistleblower Protection Act (ustawa o ochronie sygnalistów), companies with 50 or more employees must operate an internal reporting channel. For AML purposes, this channel should be integrated with – or clearly distinguished from – the AML suspicious transaction reporting route. The technical requirements for that channel are set out in our separate analysis of whistleblower channel design and technical requirements.

How does customer due diligence work in practice?

Customer due diligence (CDD) is the operational core of AML compliance. It requires the obligated institution to identify and verify the client's identity, identify the beneficial owner, understand the purpose and nature of the business relationship, and monitor transactions on an ongoing basis. Standard CDD applies to all clients. Enhanced CDD applies where the risk assessment indicates elevated risk – including transactions with clients from high-risk third countries listed by the European Commission, or where the client is a PEP.

Identification means collecting specific data: for natural persons, name, date of birth, nationality, and identity document number. For legal entities, the company name, registered address, KRS number, and the identity of all beneficial owners holding more than 25% of shares or voting rights. Verification means cross-referencing that data against reliable, independent sources – the KRS, the Central Register of Beneficial Owners (Centralny Rejestr Beneficjentów Rzeczywistych, CRBR), and where necessary, third-party data providers.

The CRBR is a public register maintained by the Ministry of Finance. All Polish companies (other than listed companies and certain public entities) must disclose their beneficial owners. Discrepancies between CRBR data and information provided by the client must be documented and investigated. Ignoring a discrepancy is not a neutral act – it constitutes a failure of CDD and can ground a finding of negligence in a GIIF inspection.

Ongoing monitoring means that CDD is not a one-time exercise at onboarding. Transactions must be reviewed for consistency with the client's declared business profile. A client registered as a small consulting firm that begins processing high-value real estate transactions triggers a mandatory review. The review must be documented. Records must be retained for five years from the end of the business relationship – a deadline the AML Act sets explicitly.
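The CDD logic described above, together with the three commonly omitted procedure elements (PEP treatment, the EUR 15,000 cash threshold and the escalation path to the compliance officer), as an added Python illustration that is not part of the original article and not any firm's production tooling. The client file, CRBR extract and transaction are constructed sample data; the high-risk country set is a placeholder for the European Commission's list, and the 25% ownership, EUR 15,000 and five-year figures are taken from the text.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Thresholds quoted in the article
CASH_EDD_THRESHOLD_EUR = 15_000
BENEFICIAL_OWNER_THRESHOLD_PCT = 25.0
RETENTION_YEARS = 5

# Placeholder only; the real list is the European Commission's high-risk third country list
HIGH_RISK_THIRD_COUNTRIES = {"HIGH-RISK-PLACEHOLDER"}


@dataclass
class Owner:
    name: str
    share_pct: float
    is_pep: bool = False


@dataclass
class ClientFile:
    client_id: str
    declared_profile: str
    country: str
    declared_owners: list[Owner]
    crbr_owners: dict[str, float]  # name -> share % as shown in the CRBR extract (constructed)
    is_pep: bool = False
    profile_categories: set[str] = field(default_factory=set)


@dataclass
class Transaction:
    client_id: str
    amount_eur: float
    in_cash: bool
    category: str


def crbr_discrepancies(client: ClientFile) -> list[str]:
    """Compare beneficial owners above 25% declared by the client with the CRBR extract.
    Every finding must be documented and investigated, never silently ignored."""
    findings: list[str] = []
    declared = {o.name: o.share_pct for o in client.declared_owners
                if o.share_pct > BENEFICIAL_OWNER_THRESHOLD_PCT}
    crbr = {n: p for n, p in client.crbr_owners.items()
            if p > BENEFICIAL_OWNER_THRESHOLD_PCT}
    for name in sorted(declared.keys() - crbr.keys()):
        findings.append(f"declared owner {name} not in CRBR")
    for name in sorted(crbr.keys() - declared.keys()):
        findings.append(f"CRBR owner {name} not declared by client")
    for name in sorted(declared.keys() & crbr.keys()):
        if abs(declared[name] - crbr[name]) > 0.01:
            findings.append(f"share mismatch for {name}: declared {declared[name]}%, CRBR {crbr[name]}%")
    return findings


def edd_triggers(client: ClientFile, tx: Transaction) -> list[str]:
    """Enhanced due diligence / mandatory review triggers drawn from the article."""
    triggers: list[str] = []
    if client.is_pep or any(o.is_pep for o in client.declared_owners):
        triggers.append("PEP or PEP family member")
    if client.country in HIGH_RISK_THIRD_COUNTRIES:
        triggers.append("high-risk third country")
    if tx.in_cash and tx.amount_eur > CASH_EDD_THRESHOLD_EUR:
        triggers.append("cash above EUR 15,000")
    if tx.category not in client.profile_categories:
        triggers.append(f"transaction category '{tx.category}' outside declared profile")
    return triggers


def escalation_level(findings: list[str]) -> str:
    """Documented escalation path: any finding goes from front-line staff to the compliance officer."""
    return "compliance officer" if findings else "front-line staff (no escalation)"


def retention_deadline(relationship_end: date) -> date:
    """Five years from the end of the business relationship; 29 Feb is clamped to 28 Feb."""
    try:
        return relationship_end.replace(year=relationship_end.year + RETENTION_YEARS)
    except ValueError:
        return relationship_end.replace(year=relationship_end.year + RETENTION_YEARS, day=28)


# Constructed sample: a small consulting firm whose CRBR extract names a different second owner
SAMPLE_CLIENT = ClientFile(
    client_id="C-001",
    declared_profile="small consulting firm",
    country="PL",
    declared_owners=[Owner("Anna Example", 60.0), Owner("Jan Example", 40.0)],
    crbr_owners={"Anna Example": 60.0, "Piotr Example": 40.0},
    profile_categories={"consulting fees"},
)
SAMPLE_TX = Transaction("C-001", 250_000.0, in_cash=False, category="real estate purchase")

if __name__ == "__main__":
    print(crbr_discrepancies(SAMPLE_CLIENT))
    print(edd_triggers(SAMPLE_CLIENT, SAMPLE_TX))
    print(escalation_level(edd_triggers(SAMPLE_CLIENT, SAMPLE_TX)))
    print(retention_deadline(date(2024, 2, 29)))
```

The point of the structure is that each CDD decision is a pure function returning a list of findings, so the outcome of every check can be written to the client file as the record the GIIF expects to see, and an empty list is itself a documented result rather than a missing one.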

What are the most common AML compliance mistakes – and how do you avoid them?

Three business scenarios illustrate the compliance mistakes most frequently identified in GIIF inspections. Each scenario reflects a different organisational model and a different failure mode. Recognising the pattern in advance is cheaper than correcting it after an inspection.

Scenario 1 – manufacturing company with a treasury function. A Mazowieckie-based manufacturer sets up an internal treasury centre to manage intercompany loans across its group. Management assumes the company is not an obligated institution because its core business is production. In fact, the treasury function may qualify as a financial activity under the AML Act. The company has no CDD records, no risk assessment, and no compliance officer. The GIIF can impose a fine of up to PLN 5 million for each identified breach.

Scenario 2 – IT company providing corporate services. A Kraków-based software developer also registers companies and provides registered office addresses for clients. This makes it a trust and company service provider. The IT team treats AML compliance as a legal formality and delegates it to a junior administrator with no training. The company's internal procedure has not been updated since initial registration. Beneficial owner verification is missing for 60% of the corporate client portfolio.

Scenario 3 – foreign investor's Polish subsidiary. A German group establishes a Polish subsidiary to manage regional operations. The parent has a group-wide AML policy governed by German law. The Polish subsidiary adopts the group policy by reference, without adapting it to Polish law requirements. Polish AML law requires a standalone Polish-law procedure, a Polish-language training programme, and a compliance officer appointed under Polish employment or mandate arrangements. The group policy satisfies none of these requirements.

For foreign investors structuring their Polish presence, our corporate practice note on corporate and M&A in Poland addresses the structural choices that affect compliance obligations from the outset.

We obtained a reduction of a proposed GIIF administrative sanction from PLN 800,000 to PLN 120,000 for a real estate advisory client in the Małopolska region (spring 2026) by demonstrating that the company had implemented corrective measures within 30 days of receiving the inspection report and had no prior compliance history.

What to prepare: AML compliance checklist

Getting AML compliance right requires assembling both documents and organisational structures before a GIIF inspection is announced. Inspections are conducted without prior notice. The following checklist covers the minimum requirements for an obligated institution at any stage of its compliance programme – whether building from scratch or reviewing an existing setup.

  • Written AML internal procedure, reviewed within the last two years, covering all statutory minimum content
  • Documented institutional risk assessment aligned with the 2024 GIIF national risk assessment
  • CDD files for all active clients, including CRBR verification records and beneficial owner identification
  • Appointed AML compliance officer with a written scope of duties and documented training history
  • Record-retention system ensuring five-year retention of all CDD and transaction records

ESG reporting obligations – including Polish CSRD requirements for large and listed companies – increasingly intersect with AML compliance. The CSRD requires disclosure of governance and anti-corruption frameworks, which overlap significantly with AML internal procedures. Companies building their first AML programme should design it with this dual purpose in mind. A single governance document that satisfies both AML and ESG reporting requirements reduces administrative cost and audit risk. Whistleblower compliance, already required under the Whistleblower Protection Act, is a third layer that should be integrated at the design stage rather than added retrospectively.

Warsaw compliance law firms have developed standardised templates for AML procedures, but templates carry risk. A template not calibrated to the company's specific risk profile will fail a GIIF inspection. The compliance function must be built around the company's actual client base, transaction types, and geographic exposure – not around a generic sector model.

Certain AML compliance gaps have irreversible consequences. A GIIF finding of systemic non-compliance – meaning the obligated institution never implemented the required procedures – precludes mitigation arguments and triggers the full penalty range. Acting before inspection is the only reliable risk-management strategy.

To receive an expert assessment of your company's AML compliance status and identify gaps before a GIIF inspection, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does AML compliance apply to small companies with fewer than ten employees?

A: Yes. The AML Act does not set a size threshold for obligated institutions. A sole-trader accountant or a two-person company service provider is subject to the same substantive obligations as a large bank. The only difference is that smaller entities may have proportionally lower penalty exposure, since fines can be calculated as a percentage of annual turnover. However, the obligation to implement internal procedures, conduct CDD, and appoint a compliance officer applies regardless of headcount.

Q: How long does it take to build an AML compliance programme from scratch?

A: For a straightforward obligated institution with a homogeneous client base and limited geographic exposure, a basic programme can be implemented in four to six weeks. This covers the institutional risk assessment, a tailored internal procedure, compliance officer appointment, and initial staff training. For companies with complex client portfolios, cross-border transactions, or group-level integration requirements, the timeline extends to three to four months. The risk assessment phase is typically the longest, because it requires input from business lines, not just the legal team.

Q: Is it sufficient to adopt a parent company's group AML policy for a Polish subsidiary?

A: No. This is one of the most common misconceptions among foreign-owned Polish businesses. Polish AML law requires a standalone procedure drafted in Polish, aligned with the specific requirements of the AML Act, and implemented under Polish-law governance arrangements. A group policy can serve as a baseline reference document, but it cannot substitute for a Polish-law procedure. The GIIF will request the Polish-language procedure during an inspection; a group policy in German or English will not satisfy this requirement.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AML compliance, ESG reporting, and internal investigations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.