A Warsaw-based trading company receives a request from its bank to demonstrate that its AML procedures are current and documented. The compliance officer opens the company's internal manual – last updated three years ago – and realises that the firm has never formally designated an AML officer, never conducted a business risk assessment, and never trained its staff. The bank's deadline is 14 days.
Polish anti-money laundering law, grounded in the ustawa o przeciwdziałaniu praniu pieniędzy oraz finansowaniu terroryzmu (Anti-Money Laundering and Counter-Terrorist Financing Act, AML Act), imposes specific obligations on a defined category of "obligated institutions." These include financial entities, legal service providers, accountants, real estate agents, and certain dealers in high-value goods. Failure to implement a compliant AML programme exposes both the company and its management to administrative fines reaching PLN 1 million or more, and in serious cases to criminal sanctions that preclude the responsible individual from holding managerial positions.
This guide walks through the step-by-step procedure for building AML compliance in Poland. It covers who qualifies as an obligated institution, what internal structures are required, what the common implementation mistakes are, and how three different business types should approach the process. The FAQ section addresses the most frequent questions from clients at the outset of an AML project.
Who qualifies as an obligated institution under Polish AML law?
The AML Act defines "obligated institutions" by reference to the type of activity, not the company's size. A small firm providing bookkeeping services qualifies, whether or not it ever holds client money. A large manufacturing company that sells only to other businesses generally does not, unless it accepts or makes cash payments of EUR 10,000 or more. Getting this threshold question right is the first step.
The main categories include: banks and payment institutions supervised by the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF); notaries, lawyers, and legal counsel providing specific transactional services; accountants and tax advisors; real estate agents; dealers in high-value goods (art, luxury vehicles, precious metals); and virtual currency service providers, which must be entered in the register of virtual currency activities kept by the Minister of Finance before commencing that activity (entry in the National Court Register, Krajowy Rejestr Sądowy, KRS, as a company is not the AML-relevant registration). Each category carries its own scope of obligation.
The cash threshold deserves special attention. Any entrepreneur that accepts or makes a cash payment of EUR 10,000 or more, regardless of its primary business and regardless of whether the payment is made as a single operation or as several operations that appear to be linked, is an obligated institution in respect of that transaction. Splitting a payment into several cash instalments therefore does not take it out of scope. This catches many retail and wholesale businesses off guard. We have seen manufacturers in the Silesia region discover their AML exposure only during a General Inspector of Financial Information (Generalny Inspektor Informacji Finansowej, GIIF) audit in autumn 2025, at which point the absence of any documented procedures became an immediate enforcement issue.
- Banks, credit unions, and payment institutions (KNF-supervised)
- Notaries, attorneys, and legal advisors in transactional roles
- Certified accountants, tax advisors, and audit firms
- Real estate agents and property developers accepting cash
- Entrepreneurs accepting or making cash payments of EUR 10,000 or more (in one operation or in several linked operations)
If your company falls into any of these categories, the obligations described below apply in full. If you are uncertain whether your activity triggers the threshold, a brief legal review is the lowest-cost way to resolve the question before a regulator resolves it for you.
What internal structures does the AML Act require?
Once an entity is confirmed as an obligated institution, the AML Act requires four core structural elements: a designated AML officer (or compliance function), a written internal procedure document, a business-wide risk assessment, and a staff training programme. All four must be in place before the institution begins the relevant activity – not retrospectively.
The AML Act in fact distinguishes two designations. A member of senior management (in a company, a management board member) must be designated as responsible for implementing the institution's AML obligations, and a managerial-level employee must be designated as responsible for ensuring that the institution and its staff comply with the procedures and for submitting notifications to the GIIF. The second role is what this guide calls the AML officer: the person who implements the procedures, reports suspicious transactions to the GIIF, and maintains the records. Smaller firms often designate an existing manager for this role, which is permitted, provided the designation is formally documented and the person has received adequate training. The five-year record-keeping requirement is non-negotiable and applies to customer due diligence files, transaction records, and training logs.
The internal procedure document must address customer due diligence (CDD) steps, enhanced due diligence triggers, transaction monitoring methodology, suspicious activity reporting, and sanctions screening. It cannot be a generic template downloaded from the internet. Polish supervisory practice – reflected in GIIF guidance – expects the document to reflect the specific risk profile of the institution. A law firm handling real estate transactions faces different risks than a currency exchange operator, and the procedures must show that the institution understands the difference.
The business risk assessment is a written document evaluating the institution's exposure to money laundering and terrorist financing risk. It must be updated at least every two years, and sooner whenever the business model changes significantly. The assessment feeds directly into the CDD approach: higher-risk clients require enhanced due diligence, including source-of-funds verification. This is where many companies fail: they produce the assessment document but do not connect it operationally to their client onboarding process.
How does the step-by-step implementation timeline work?
A realistic AML implementation for a mid-sized obligated institution takes between eight and twelve weeks from project launch to a defensible compliance position. The timeline breaks into four phases, each with a concrete deliverable. Rushing the process produces documentation that looks complete on paper but fails under regulatory scrutiny – a result that is worse than starting late, because it creates a false sense of security.
Phase 1 – Scoping (weeks 1–2): Confirm whether the entity qualifies as an obligated institution. Map the business activities, client types, transaction volumes, and cash payment exposure. Identify the AML officer candidate. This phase costs relatively little but is the most important: an incorrect scoping decision propagates errors through every subsequent step.
Phase 2 – Risk assessment and procedure drafting (weeks 3–6): Produce the written business risk assessment. Draft the internal AML procedure document tailored to the risk profile identified in Phase 1. At this stage, the institution should also review its sanctions screening process against EU and Polish national sanctions lists – a requirement that sits alongside, but is legally distinct from, AML obligations.
Phase 3 – Implementation and training (weeks 7–10): Adopt the procedures at management level. Train all relevant staff. Document the training with attendance records and content summaries. Integrate the CDD workflow into the client onboarding process. If the institution uses third-party software for transaction monitoring, verify that it is calibrated to the institution's specific risk thresholds.
Phase 4 – Testing and review (weeks 11–12): Conduct a walkthrough of the CDD process using sample client files. Check that the suspicious activity reporting chain is functional. Confirm that the five-year retention schedule is operational. Assign a date for the first annual review. The output of this phase is a compliance memo confirming readiness – a document that carries real value if a GIIF inspection or bank due diligence request arrives shortly afterwards.
For a practical comparison with the compliance programme requirements that apply to Ukrainian subsidiaries operating in Poland, see our guide on compliance programme design for Ukraine subsidiaries in Poland.
What are the three most common implementation mistakes?
Polish AML enforcement has become noticeably more active since 2023. The GIIF has increased inspection frequency, and KNF has issued a series of post-inspection recommendations to supervised entities. Three mistakes account for the majority of deficiencies identified in those inspections – and all three are avoidable with proper preparation.
Mistake 1 – Generic documentation. The most frequent finding is an internal procedure document that does not reflect the institution's actual business. Supervisors look for evidence that the document was written for this specific entity. A firm that copied a template without adaptation will struggle to explain, during an inspection, why the document references product lines or client types that the firm does not have. We obtained a full remediation outcome for an accounting firm in the Małopolska region (spring 2026) after demonstrating to the GIIF that the firm's revised procedures accurately reflected its client base – avoiding a fine that had been provisionally assessed at PLN 150,000.
Mistake 2 – Disconnected risk assessment. Institutions produce the risk assessment as a standalone document but never use it. The CDD questionnaire asks the same questions of every client regardless of risk level. Enhanced due diligence is never triggered. This defeats the purpose of the risk-based approach and is easily identified during an inspection by comparing the risk assessment categories with the actual client files.
Mistake 3 – Absent or undocumented training. The AML Act requires training for all staff involved in AML-relevant activities. "We told them in a meeting" does not satisfy this requirement. The institution needs dated records showing who was trained, on what content, and when the next training session is scheduled. This is one of the lowest-cost elements of an AML programme – and one of the most consistently missing.
Whistleblower compliance intersects with AML at this point. Polish law implementing the EU Whistleblowing Directive requires companies with at least 50 persons performing work to maintain internal reporting channels, and the headcount threshold does not apply to entities operating in financial services or in countering money laundering, so many obligated institutions must maintain a channel regardless of size. The AML Act separately requires obligated institutions to provide an internal, anonymous channel through which employees can report breaches of AML obligations; this is distinct from suspicious transaction reports to the GIIF. That internal AML channel can be designed to share intake, record-keeping, and escalation with the whistleblower channel instead of running as a second, unconnected system, reducing administrative duplication. This is a design question that is worth resolving at Phase 2, not after both systems are already live.
How do three business scenarios approach AML compliance differently?
The AML Act's obligations are uniform in their structure but vary significantly in their practical application. A manufacturing company, an IT services firm, and a foreign investor entering Poland through a new entity each face a different risk profile and a different implementation priority.
Manufacturing company (Mazowieckie region): A mid-sized manufacturer selling industrial equipment to domestic and export clients. Its primary AML exposure is the EUR 10,000 cash threshold and any transactions involving high-value goods. The risk assessment will likely show a low-to-medium risk profile. The main implementation task is establishing a clear policy on cash payments, screening counterparties against sanctions lists, and training the finance team. The procedure document can be relatively focused. Total implementation cost for a firm of this type typically falls in the range of PLN 8,000 to PLN 15,000 if handled with external legal support.
IT services firm: A software company providing services to international clients, including clients in higher-risk jurisdictions. This firm may not initially appear to be an obligated institution, but if it provides services that constitute trust or company services, handles client funds in any form, or accepts cash payments at or above the EUR 10,000 threshold, the analysis changes. The risk assessment must address cross-border exposure, beneficial ownership verification for corporate clients, and the use of virtual payment methods. ESG reporting obligations under the Polish implementation of the CSRD may also intersect here, particularly if the firm is preparing sustainability disclosures that include governance and anti-corruption indicators.
Foreign investor (new Polish entity): A German investor establishing a spółka z ograniczoną odpowiedzialnością (private limited liability company, sp. z o.o.) to operate a financial intermediary business in Poland. Where the intended business requires a KNF licence or entry in a KNF-kept register, the entity is supervised from the first day of operation, and AML compliance must be in place before the first client is onboarded. The investor should also plan for the interaction between AML requirements and the liquidation process if the entity is ever wound down: the five-year record retention obligation survives the company's operational phase, so the liquidator must arrange custody of CDD files and transaction records. For a detailed overview of that process, see our guide on the liquidation of sp. z o.o.: process and timeline.
The decision matrix is straightforward: higher regulatory risk profile → more detailed risk assessment → more granular CDD procedures → more frequent internal review cycle. The cost of building a proportionate programme is always lower than the cost of remediation after an inspection finding.
For companies also subject to ESRS sustainability reporting requirements, AML governance documentation can feed directly into anti-corruption and governance disclosures. See our detailed breakdown of ESRS implementation steps for Polish reporting entities for the connection between AML and ESG reporting frameworks.
What to prepare: AML compliance checklist
Before engaging external counsel or beginning the implementation process, a company should assemble the following materials. Having these ready shortens Phase 1 significantly and reduces overall project cost.
- List of all business activities, products, and services offered
- Overview of client types (individuals, corporates, public entities, non-residents)
- Records of cash transactions in the past 12 months, including amounts and counterparties
- Existing internal policies on client onboarding and transaction approval
- Organisational chart showing who currently handles compliance, finance, and client relations
This checklist applies regardless of company size. A sole-practitioner accountant and a 200-person brokerage both need to answer the same scoping questions – the answers will differ, but the questions are the same. Starting with documented answers rather than verbal summaries saves time at every subsequent phase.
Specific situations require tailored analysis. If your company is approaching an AML implementation project – or has received a regulatory inquiry – the specifics of your business model determine which obligations apply and in what sequence. Delayed action forfeits the ability to demonstrate proactive compliance, which supervisors treat as a mitigating factor in enforcement proceedings.
To receive an expert assessment of your company's AML compliance position, contact info@kordeckipartners.com.
Frequently asked questions
Q: Does a small accounting firm with only five employees need to implement the full AML programme?
A: Yes. The AML Act does not provide a size exemption for obligated institutions. A five-person accounting firm providing bookkeeping services to clients is fully subject to the AML Act's requirements, including the written risk assessment, internal procedures, AML officer designation, and staff training. The procedures can be proportionate to the firm's risk profile – shorter and less complex than those of a bank – but they must exist and must be documented. Absence of documentation is the most common enforcement finding against small professional service firms.
Q: How long does it take to complete an AML implementation, and what does it cost?
A: A standard implementation for a non-financial obligated institution takes eight to twelve weeks from project start to a defensible compliance position. External legal support for a firm with a straightforward risk profile typically costs between PLN 8,000 and PLN 20,000, depending on complexity and the number of staff requiring training. Firms with complex client bases, cross-border exposure, or existing compliance gaps should budget toward the higher end. The cost of a GIIF administrative fine – which can reach PLN 1 million or more for serious deficiencies – makes the investment straightforward to justify.
Q: Can the AML officer role be outsourced to an external provider?
A: Polish AML law requires the institution itself to designate a member of senior management responsible for its AML obligations and a managerial-level employee responsible for compliance with the procedures and for reporting to the GIIF. Pure outsourcing of the AML officer function to an external party, where no internal person holds formal responsibility, does not satisfy this requirement. However, external advisors can support the AML officer with documentation, training, and regulatory monitoring. Some smaller firms designate an internal manager as AML officer and use external counsel for ongoing support, which is a compliant and cost-effective structure. The internal designation must be documented in a board resolution or equivalent management decision.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to compliance, ESG reporting, and AML programme design. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating regulatory obligations under Polish and EU law. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.