A Warsaw-based technology company completes its first transaction with a new corporate client. The payment is unusual – fragmented, routed through three separate entities, slightly below a key reporting threshold. The compliance officer asks: does Polish AML law require us to file a report? Who exactly counts as a "beneficial owner"? And what happens if we get it wrong? These questions are not academic. The penalties are real, and the procedures are not always where companies expect them to be.

Polish anti-money laundering law is governed by the Ustawa o przeciwdziałaniu praniu pieniędzy oraz finansowaniu terroryzmu (Anti-Money Laundering and Counter-Terrorism Financing Act, AML Act). The Act imposes obligations on a defined list of "obligated institutions," which includes not only banks and financial intermediaries but also law firms, accountants, real estate agents, and certain trading companies. Non-compliance can result in administrative fines reaching PLN 5 million or, in serious cases, fines equivalent to twice the benefit derived from the violation. Obligations apply from the moment a company qualifies as an obligated institution – there is no grace period.

This guide walks through the core compliance steps in sequence. It covers who qualifies as an obligated institution, what internal procedures must look like, how to conduct customer due diligence, and where companies most often fail. Three business scenarios illustrate how obligations differ depending on company type. A practical checklist and FAQ close the guide.

Who qualifies as an obligated institution under Polish AML law?

The first question every Polish company must answer is whether it falls within the AML Act's scope at all. The Act lists obligated institutions explicitly. The category is broader than most compliance officers assume, and misclassification – believing your company is outside scope – is one of the most costly errors a business can make. Personal liability of management board members follows automatically if the company fails to implement required procedures.

Banks, payment institutions, and investment firms registered with the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) are the obvious cases. Less obvious are: notaries and attorneys handling real estate or corporate transactions, accountants and tax advisors, real estate agents, entities providing company formation services, and dealers in high-value goods where cash transactions exceed EUR 10,000. That last threshold catches more trading companies than they expect.

Registration requirements add a further layer. Certain obligated institutions must register with the General Inspector of Financial Information (Generalny Inspektor Informacji Finansowej, GIIF) – the central AML supervisory authority in Poland, operating under the Ministry of Finance. Failure to register when required is itself a separate violation, independent of any substantive compliance failure. The National Court Register (Krajowy Rejestr Sądowy, KRS) filing does not substitute for GIIF registration.

Three business scenarios illustrate the scope issue clearly. A manufacturing company in Silesia selling industrial equipment for cash above EUR 10,000 per transaction is an obligated institution – even though its core business has nothing to do with finance. An IT firm in Warsaw providing software licences is generally outside scope, unless it also provides company formation or accounting services. A foreign investor's Polish subsidiary acting as a group treasury centre will almost certainly qualify, given the volume and nature of intercompany transactions it handles.

What must the internal AML procedure contain?

Once a company confirms it is an obligated institution, it must adopt a written internal AML procedure. The AML Act sets minimum content requirements. The procedure must address: risk assessment methodology, customer due diligence rules, transaction monitoring criteria, suspicious activity reporting, employee training obligations, and the appointment of an AML compliance officer (or equivalent). Companies with more than 20 employees must appoint a dedicated officer by name. The procedure must be updated whenever the company's risk profile changes materially – and at minimum reviewed annually.

Risk assessment is the foundation. The AML Act requires each obligated institution to document its own money laundering and terrorism financing risk assessment before drafting its procedure. This is not a generic template exercise. The assessment must reflect the company's actual client base, geographic exposure, product types, and transaction volumes. A real estate agent in Małopolska handling transactions with non-EU buyers faces a different risk profile than a Warsaw-based accounting firm serving domestic SMEs.

We secured a correction of a defective internal procedure for a financial services client in the Mazowieckie region (autumn 2025). The original procedure had been copied from a banking template and contained obligations that did not apply to the client's business model, while omitting transaction monitoring criteria that did. GIIF inspectors flagged the mismatch during a routine review. The revised procedure, tailored to the client's actual risk profile, resolved the finding without a formal sanction.

The procedure must also address beneficial ownership identification. Under Polish corporate legislation, obligated institutions must identify and verify the beneficial owner of every client entity – meaning the natural person who ultimately owns or controls more than 25% of shares or voting rights. This obligation connects directly to the Central Register of Beneficial Owners (Centralny Rejestr Beneficjentów Rzeczywistych, CRBR), which companies are required to update within 7 days of any change in ownership structure.

How does customer due diligence work in practice?

Customer due diligence (CDD) under the AML Act operates on a three-tier structure: standard, simplified, and enhanced. The tier applied determines the depth of identity verification, the frequency of ongoing monitoring, and the documentation retained. Applying the wrong tier – particularly applying simplified CDD where enhanced is required – is one of the most common compliance failures identified in GIIF inspections. It also exposes the company to direct personal liability of the board member responsible for compliance oversight.

Standard CDD applies to most business relationships. It requires identification and verification of the client's identity, identification of the beneficial owner, understanding the purpose and intended nature of the business relationship, and ongoing monitoring of transactions. Documents must be retained for 5 years from the end of the business relationship – not from the date of the transaction. That distinction matters for records management planning.

Enhanced CDD is mandatory for three categories: politically exposed persons (PEPs) and their family members or close associates; clients or transactions connected to high-risk third countries identified on the EU list; and any situation where the obligated institution identifies a higher risk of money laundering. Enhanced CDD requires senior management approval before establishing the relationship, more intensive source-of-funds verification, and increased monitoring frequency. The 5-year retention period still applies, but the volume of documentation is substantially greater.

Simplified CDD is available only where the AML Act explicitly permits it – for example, for certain regulated financial institutions as clients. It is not a general option for "low-risk" clients, as companies sometimes assume. Applying simplified CDD to a client who does not qualify for it is treated as a failure to conduct CDD at all.

  • Identify and verify client identity before establishing the business relationship
  • Identify beneficial owners and cross-check against the CRBR
  • Assess whether standard, simplified, or enhanced CDD applies
  • Retain all CDD documentation for 5 years after the relationship ends
  • Monitor transactions on an ongoing basis and flag anomalies for review

For a tailored strategy on CDD procedures and risk-tier classification, reach out to info@kordeckipartners.com.

The compliance programme design guide for Luxembourg subsidiaries in Poland explores how multinational group structures affect CDD obligations at the Polish entity level – a scenario that arises frequently for foreign-owned trading and financial companies.

What are the reporting obligations and key deadlines?

Reporting is the most time-sensitive element of AML compliance. The AML Act imposes two distinct reporting obligations. First, obligated institutions must report any transaction – or attempted transaction – that raises suspicion of money laundering or terrorism financing to the GIIF. This is a Suspicious Transaction Report (STR). There is no minimum value threshold for STRs. The obligation arises whenever suspicion exists, regardless of amount. Second, cash transactions above PLN 15,000 (or the equivalent in foreign currency) must be reported automatically, regardless of whether suspicion exists.

Timing is strict. STRs must be submitted immediately upon identifying suspicion – the AML Act does not allow for extended internal review periods before filing. In practice, GIIF guidance treats "immediately" as meaning within 24 to 48 hours of the suspicion being identified by a responsible employee. Delays beyond that window, even where the STR is eventually filed, can be treated as a compliance failure. The obligated institution must also refrain from executing the suspicious transaction, if possible, while the GIIF assesses the report – though this obligation has specific exceptions where freezing would alert the client.

Our team obtained a withdrawal of a proposed administrative sanction for a real estate intermediary in Lower Silesia (spring 2026). The intermediary had filed an STR but had done so four days after the suspicion was first documented internally. GIIF had proposed a fine. We demonstrated that the internal delay was caused by a system failure, not deliberate non-compliance, and that the company had self-reported the system issue before the inspection. The sanction was withdrawn.

The guide to buying property in Poland is relevant here: real estate transactions are a recognised money laundering risk sector under Polish and EU AML frameworks, and both buyers' agents and sellers' agents may qualify as obligated institutions depending on the transaction structure.

What are the most common AML compliance mistakes, and how can they be avoided?

GIIF inspection reports and published administrative decisions reveal a consistent pattern of failures. Most are procedural rather than substantive – companies that genuinely want to comply but implement their procedures incorrectly. The consequences are the same regardless of intent. Administrative fines under the AML Act are not limited to cases of deliberate evasion. A defective procedure, even one adopted in good faith, can attract a fine of up to PLN 5 million. Board members who fail to ensure compliance can face personal fines of up to PLN 1 million.

The most common failure is a generic procedure that does not reflect the company's actual risk profile. This is particularly prevalent among companies that adopted AML procedures in 2018, when the current Act entered into force, and have not updated them since. The EU's AML package (including the 2024 AML Regulation, which will apply directly in Poland from 2027) will require further updates. Companies that have not reviewed their procedures in the last 12 months are already at risk.

The second most common failure is inadequate beneficial ownership verification. Many companies rely solely on the CRBR entry without independent verification. The CRBR is a disclosure register – entries are not verified by the state before publication. An obligated institution cannot treat a CRBR entry as conclusive. It must conduct its own verification, document what it found, and flag any discrepancy between the CRBR entry and the information obtained from the client.

The third failure category is employee training. The AML Act requires regular training for all employees involved in AML-relevant activities. "Regular" means at minimum once a year. Training records must be retained. Companies that rely on a one-time onboarding session and do not document annual refresher training are vulnerable in inspections.

The compliance programme design guide for Swiss subsidiaries in Poland addresses how parent-company AML frameworks interact with Polish law obligations – a gap that frequently produces compliance failures in foreign-owned entities.

Specific compliance issues require individual assessment. To receive an expert review of your company's AML procedure and risk classification, contact info@kordeckipartners.com.

What to prepare: AML compliance checklist

Before an inspection or before onboarding a new high-value client, every obligated institution should verify the following. The checklist below reflects the minimum documentation GIIF inspectors typically request at the outset of a review. Missing any item does not automatically trigger a fine, but it shifts the burden of proof onto the company to demonstrate that the underlying obligation was met in substance.

  • Written internal AML procedure, dated and signed, reviewed within the last 12 months
  • Documented risk assessment covering client base, geographies, products, and transaction types
  • GIIF registration confirmation (where applicable to your institution type)
  • CDD files for all active business relationships, with beneficial owner verification documented
  • Training records for all AML-relevant employees, covering the current and preceding calendar year

This checklist is a starting point, not a substitute for legal review. The AML Act imposes additional obligations depending on institution type, transaction volumes, and client risk profiles.

Frequently asked questions

Q: Does a small Polish trading company with fewer than 10 employees need a full AML procedure?

A: Size does not determine whether the AML Act applies. If the company qualifies as an obligated institution – for example, because it regularly accepts cash payments exceeding EUR 10,000 – it must adopt a written internal procedure regardless of headcount. The obligation to appoint a named AML compliance officer applies to companies with more than 20 employees, but all other requirements apply from day one of qualifying as an obligated institution. There is no minimum turnover or employee threshold for the core compliance obligations.

Q: How long does it take to implement a compliant AML procedure from scratch?

A: A realistic timeline for a medium-sized company is 6 to 10 weeks, assuming management engagement and access to client data for the risk assessment. The risk assessment itself typically takes 2 to 3 weeks. Drafting and reviewing the procedure takes a further 2 to 3 weeks. Employee training and documentation of the rollout add another 1 to 2 weeks. Companies that skip the risk assessment stage and go directly to a template procedure typically find themselves repeating the exercise after the first GIIF inspection. The cost of a properly structured implementation is significantly lower than the cost of a corrective process following an inspection finding.

Q: Does AML compliance overlap with CSRD Poland or ESG reporting obligations?

A: The obligations are separate but increasingly interconnected. CSRD Poland imposes sustainability disclosure requirements that include governance and anti-corruption disclosures. Whistleblower compliance – required under the EU Whistleblower Directive as implemented in Poland – creates a reporting channel that may capture AML-related concerns. A company with a well-functioning compliance programme, including a whistleblower hotline, is better positioned on both fronts. ESG reporting under CSRD requires companies to disclose their anti-money laundering and anti-corruption governance arrangements, so a documented AML procedure directly supports ESG reporting obligations. Compliance lawyers in Warsaw increasingly advise on both frameworks simultaneously.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AML compliance, ESG reporting, and internal investigations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.