A Warsaw-based fintech startup receives its first institutional client. The onboarding team asks whether a formal AML programme is in place. There is no programme. The client walks. That moment – preventable, irreversible – is where AML compliance stops being paperwork and starts being a business condition.

Polish anti-money laundering law, built on the ustawa o przeciwdziałaniu praniu pieniędzy oraz finansowaniu terroryzmu (Act on Counteracting Money Laundering and Terrorist Financing, the AML Act), requires designated entities – including financial institutions, lawyers, accountants, real estate agents, and certain trading companies – to implement internal control procedures, conduct customer due diligence, and report suspicious transactions to the General Inspector of Financial Information (GIIF). Failure to implement a compliant programme exposes the company and its management to administrative fines reaching PLN 5 million or 10% of annual turnover, whichever is higher. The obligation is not optional, and non-compliance forfeits the ability to work with regulated counterparties.

This guide walks through the step-by-step process of building an AML compliance programme in Poland: who is covered, what the programme must contain, how long implementation takes, what it costs, and where companies most commonly go wrong. Three business scenarios – manufacturing, IT, and a foreign investor – illustrate how the rules apply in practice.

Which Polish companies are obliged to implement AML procedures?

The AML Act defines a closed list of "obligated institutions" (instytucje obowiązane). If your company falls within that list, the obligations apply in full – regardless of size, turnover, or whether you have ever encountered a suspicious transaction. The National Court Register (KRS) entry does not itself trigger coverage; the nature of the business activity does.

The list is broader than most managers expect. Banks and payment institutions are obvious examples. Less obvious are: tax advisory firms, auditors, notaries, lawyers and legal counsels when they participate in real estate or corporate transactions, virtual asset service providers, and dealers in high-value goods (goods exceeding EUR 10,000 in a single cash transaction). An IT company building payment infrastructure may qualify as a payment service provider. A manufacturing company accepting large cash payments from distributors may qualify as a high-value goods dealer.

The Polish Financial Supervision Authority (KNF) supervises financial sector entities. The Ministry of Finance supervises accountants and tax advisors. Regional bar councils supervise lawyers. The General Inspector of Financial Information (GIIF) sits at the centre, receiving suspicious transaction reports (STRs) from all obligated institutions. Understanding which supervisor oversees your sector matters – inspection approaches differ, and the KNF is considerably more active than some sectoral bodies.

Three questions help determine coverage quickly:

  • Does the company conduct transactions that could involve proceeds of crime?
  • Does the company handle cash payments above EUR 10,000?
  • Does the company provide financial, legal, or advisory services to third parties?

If the answer to any of these is yes, a formal legal review is warranted before assuming no obligation exists.

What must an AML compliance programme contain?

The AML Act sets out minimum content requirements for internal procedures. A compliant programme is not a single document – it is a system of interlocking components. Implementation typically takes between 4 and 12 weeks depending on company size and sector. Missing even one mandatory element exposes the company to supervisory findings.

The core components are: a risk assessment of customers, products, and geographies; customer due diligence (CDD) procedures tailored to risk level; a suspicious transaction reporting procedure; a training programme for employees; record-keeping rules covering at least 5 years; and a designated AML compliance officer (pracownik odpowiedzialny za AML). For larger entities, an internal audit function must also review AML compliance annually.

Risk assessment is the foundation. The company must assess its exposure to money laundering risk across four dimensions: customer risk, product/service risk, geographic risk, and transaction channel risk. The assessment must be documented, reviewed periodically (at minimum every two years), and updated whenever the business model changes. A generic "low risk" self-assessment without supporting analysis will not survive supervisory scrutiny.

We secured a favourable supervisory outcome for a payment technology client in the Mazowieckie region (spring 2025) after their initial risk assessment was challenged during a GIIF inspection. The key issue was that the assessment had not been updated following a product launch eighteen months earlier. A revised, product-specific assessment resolved the finding within six weeks.

CDD procedures must distinguish between simplified, standard, and enhanced due diligence. Enhanced due diligence applies automatically to politically exposed persons (PEPs), customers from high-risk third countries, and complex or unusually large transactions. The company must also screen customers against sanctions lists maintained by the Office of Foreign Assets Control (OFAC) and EU consolidated lists – an obligation that intersects directly with compliance programme design for Luxembourg subsidiaries in Poland.

How does the step-by-step implementation process work?

Implementation follows a defined sequence. Skipping steps – particularly risk assessment before drafting procedures – produces a programme that looks complete on paper but fails under inspection. The timeline below reflects a medium-complexity obligated institution with 20–100 employees.

Step 1 – Scoping (weeks 1–2). Confirm whether the company is an obligated institution. Identify the applicable supervisor. Map all products, services, customer segments, and transaction channels. Appoint the AML compliance officer. This step costs between PLN 5,000 and PLN 15,000 in external advisory fees.

Step 2 – Risk assessment (weeks 2–4). Conduct the formal risk assessment across all four dimensions. Document findings. Identify high-risk customer segments and geographies. The output is a written risk assessment report, which becomes the backbone of the entire programme.

Step 3 – Procedure drafting (weeks 3–6). Draft internal AML procedures tailored to the risk assessment findings. Generic templates purchased online fail this requirement. Procedures must reflect the company's actual products and customer base. Total external cost for a medium-sized entity: PLN 15,000–40,000.

Step 4 – Training (weeks 6–8). Train all relevant employees. The AML Act requires documented, periodic training. First-time implementation training should cover risk indicators, CDD requirements, STR obligations, and record-keeping. Training records must be retained.

Step 5 – Go-live and monitoring (week 8 onward). Implement CDD procedures for new customers. Begin periodic review of existing customer relationships. Establish an STR submission process to the GIIF. Schedule the first annual review of the programme for 12 months after go-live.

For a foreign investor entering Poland, implementation overlaps with entity setup. Coordinating AML onboarding with corporate registration at the KRS reduces duplication. This intersection is covered in detail in our guide on compliance programme design for UAE subsidiaries in Poland.

What are the most common AML compliance mistakes?

Supervisory inspections reveal the same failures repeatedly. Knowing them in advance is cheaper than discovering them during an audit. The most expensive mistake – a programme that exists on paper but has never been operationalised – triggers personal liability for the management board, not merely a corporate fine.

The first common mistake is treating AML as a one-time exercise. The risk assessment must be reviewed at least every two years and after any material change in business activity. A company that drafted its programme in 2021 and has not revisited it since is almost certainly non-compliant today, particularly given amendments to the AML Act that entered into force in subsequent years.

The second mistake is failing to identify beneficial owners (UBOs). Polish law requires obligated institutions to verify the ultimate beneficial owner of every corporate customer. Accepting a company extract from the KRS without tracing ownership to the natural person level is insufficient. Where UBO verification is impossible, the institution must apply enhanced due diligence and may need to decline the business relationship – a decision that forfeits revenue but avoids regulatory sanction.

The third mistake is inadequate STR discipline. Many companies confuse internal "red flag" processes with actual STR submission. A suspicious transaction report must be submitted to the GIIF within a defined timeframe after the suspicion arises – not after internal approval committees have deliberated for weeks. Delayed STR submission is itself a violation, even if the underlying transaction was not ultimately linked to money laundering.

We obtained a reversal of an administrative penalty exceeding PLN 800,000 for a real estate intermediary in Małopolska (autumn 2024) where the original finding had cited both inadequate risk assessment and delayed STR submissions. The reversal was based on demonstrating that the STR delays resulted from a documented system failure rather than deliberate non-compliance.

Whistleblower compliance intersects here. Under the ustawa o ochronie sygnalistów (Whistleblower Protection Act), obligated institutions must also operate internal reporting channels. An employee who identifies an AML risk but finds no internal channel to report it may escalate directly to regulators – creating supervisory exposure that could have been avoided. This overlap between AML obligations and ESG reporting frameworks is increasingly relevant for companies subject to Polish CSRD requirements.

How do AML obligations apply across three business scenarios?

Abstract rules become clear when applied to specific business models. The three scenarios below cover the most common fact patterns we encounter: a manufacturing company, a Polish IT firm, and an incoming foreign investor. Each faces a different entry point into AML compliance.

Scenario 1 – Manufacturing company. A Silesian manufacturer sells industrial equipment to distributors, occasionally accepting cash payments above EUR 10,000. This triggers the high-value goods dealer classification. The company must implement CDD for any transaction meeting the cash threshold, retain records for 5 years, and submit STRs where suspicion arises. The programme can be relatively lean – risk assessment, a single CDD procedure, an STR template, and annual training. Total implementation cost: PLN 8,000–18,000.

Scenario 2 – IT company. A Warsaw-based software house builds payment processing infrastructure for e-commerce clients. If it qualifies as a payment service provider under Polish payment law, it becomes a fully obligated institution subject to KNF supervision. The programme must be materially more detailed: enhanced CDD for corporate clients, sanctions screening, transaction monitoring procedures, and a dedicated compliance officer with documented authority. Implementation timeline: 10–14 weeks. Budget: PLN 40,000–80,000 for initial build-out, plus ongoing advisory. For companies with cross-border operations, the guide on hiring foreign nationals in Poland addresses how employment structure affects compliance officer appointment.

Scenario 3 – Foreign investor. A German investor acquires a Polish financial advisory firm. From day one, the acquired entity's AML programme is the acquirer's liability. Pre-acquisition AML due diligence must assess: whether the existing programme is compliant, whether the risk assessment is current, whether STR records are complete, and whether any open supervisory proceedings exist. Gaps found post-closing are inherited. Warsaw-based acquisition teams should engage an AML compliance lawyer at the letter of intent stage, not at closing.

Frequently asked questions

Q: Does a small company with fewer than 10 employees need a full AML programme?

A: Size does not determine the obligation – business activity does. A two-person virtual asset exchange is fully obligated under the AML Act and must implement all mandatory programme components. The programme can be proportionate in scope (a lean risk assessment, a short procedure document, basic training), but it cannot be absent. Supervisors have fined sole-trader obligated institutions as well as large corporations.

Q: How long does it take to become compliant, and what does it cost?

A: For a straightforward obligated institution – such as a high-value goods dealer or a small accounting firm – a compliant programme can be implemented in 4–6 weeks at a cost of PLN 8,000–20,000 in external advisory and training fees. A payment institution or virtual asset service provider should budget 10–14 weeks and PLN 40,000–80,000 for initial implementation. Ongoing annual review and training typically adds PLN 5,000–15,000 per year. These figures assume no prior programme exists.

Q: Is it a misconception that AML compliance only matters for banks?

A: Yes – and it is the most expensive misconception in this area. The AML Act covers over 25 categories of obligated institution, including lawyers, notaries, accountants, real estate agents, dealers in high-value goods, virtual asset service providers, and certain corporate service providers. Non-bank entities have been fined by Polish supervisors for non-compliance, and the fines can reach PLN 5 million. The General Inspector of Financial Information has intensified inspections of non-financial sector obligated institutions since 2023.

The specific structure of your company's AML exposure depends on business model, customer base, and supervisory jurisdiction. Without a tailored assessment, generic programme templates create the appearance of compliance while leaving material gaps – gaps that become irreversible findings once a supervisory inspection begins.

To receive an expert assessment of your AML compliance obligations and programme design, contact info@kordeckipartners.com. Our team will review your business model, identify your supervisory category, and deliver a programme implementation roadmap within two weeks.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AML compliance, ESG reporting, and internal investigations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.