A mid-sized Warsaw accounting firm receives a new corporate client. The engagement looks routine. Three months later, the General Inspector of Financial Information (Generalny Inspektor Informacji Finansowej, GIIF) issues a notice of inspection. The firm has no internal AML procedures, no risk assessment, and no designated compliance officer. The window for voluntary remediation has closed. Penalties – including personal liability for management – are now in play.
Polish anti-money laundering law, grounded in the Act on Counteracting Money Laundering and Terrorist Financing (ustawa o przeciwdziałaniu praniu pieniędzy oraz finansowaniu terroryzmu, AML Act), imposes detailed obligations on a wide category of "obligated institutions" (instytucje obowiązane). These include financial institutions, legal and accounting professionals, real estate agents, and certain other businesses. Obligated institutions must maintain a written internal AML procedure, conduct customer due diligence, and report suspicious transactions to the GIIF. Failure to comply carries administrative fines of up to EUR 1,000,000 – or up to twice the benefit gained – and personal liability for board members.
This guide walks through the full compliance cycle: who is covered, what the procedure must contain, how to conduct risk assessments, and where companies most often go wrong. Three business scenarios illustrate the rules in practice. A checklist and FAQ close the guide.
Which Polish companies are "obligated institutions" under the AML Act?
The starting point is always scope. The AML Act defines obligated institutions by category, not by size or turnover. Getting this wrong – assuming you fall outside the regime – is the single most expensive mistake a Polish company can make. The consequences are not reversible once an inspection begins.
The categories most relevant to business clients include: banks and payment institutions supervised by the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF); notaries, attorneys, tax advisors, and accountants performing specified activities; real estate agents; virtual asset service providers; and companies providing trust and company services. Importantly, the category of "tax advisors and accountants" covers not only licensed professionals but also entities providing bookkeeping services commercially. A Warsaw IT company that invoices for payroll processing may qualify.
The National Court Register (Krajowy Rejestr Sądowy, KRS) entry does not determine scope. An entity must assess its actual activities against the statutory list each time it expands its service offering. We assisted a technology client in the Mazowieckie region (spring 2025) in identifying that its new payment-facilitation module brought it within the AML Act's perimeter – a classification that had been overlooked during product launch.
Three threshold tests matter in practice. First, does the company perform activities listed in the AML Act? Second, does it do so as a regular business activity (not incidentally)? Third, are the transactions involved above the de minimis thresholds? For example, cash transactions above EUR 10,000 trigger specific due diligence obligations regardless of client type. If all three tests are met, the full compliance framework applies.
- Banks, credit institutions, and payment service providers supervised by KNF
- Notaries, attorneys, legal counsels, and tax advisors performing AML-covered activities
- Accountants and bookkeeping firms providing services commercially
- Real estate agents and property managers
- Virtual asset service providers entered in the relevant register
For foreign investors, the analysis extends one step further. A subsidiary registered in Poland is a Polish legal entity and subject to Polish AML law in full – regardless of its parent company's home jurisdiction. The parent's own AML programme does not substitute for a Polish-law-compliant procedure. This point is addressed in more detail in our guide on compliance programme design for United Kingdom subsidiaries in Poland.
What must an AML internal procedure contain?
Once an entity confirms it is an obligated institution, the AML Act requires it to adopt a written internal procedure (procedura wewnętrzna). This is not a policy statement. It is a binding operational document, and the GIIF will read it against a detailed statutory checklist during any inspection. Missing elements result in findings of non-compliance even where the entity has in practice applied sound controls.
The procedure must address: (1) the entity's risk assessment methodology; (2) customer due diligence (CDD) steps, including enhanced due diligence for high-risk clients; (3) the process for identifying beneficial owners (beneficjent rzeczywisty) and verifying their identity against the Central Register of Beneficial Owners (Centralny Rejestr Beneficjentów Rzeczywistych, CRBR); (4) the process for reporting suspicious transactions to the GIIF; and (5) employee training obligations, with a minimum frequency of once per year.
A common mistake is treating the procedure as a static document. The AML Act requires it to be reviewed and updated whenever the entity's risk profile changes – for example, when a new product line is launched, a new market is entered, or the ownership structure changes. In practice, a 12-month review cycle should be the default, with ad hoc updates triggered by material changes.
The procedure must also designate a senior manager as AML compliance officer (osoba odpowiedzialna za wdrożenie obowiązków). In smaller entities, this is often the management board member responsible for operations. The designation must be documented. Where the entity has 50 or more employees, the AML Act requires a dedicated AML officer role – separate from the general counsel function.
One practical note: the procedure must be written in Polish, even where the company operates primarily in English or another language. A translation for group purposes is acceptable, but the Polish version governs. This catches out several foreign-owned subsidiaries every year.
How does customer due diligence work in practice?
Customer due diligence (CDD) is the operational core of any AML programme. It determines who the entity does business with and at what level of scrutiny. The AML Act sets out three tiers: simplified, standard, and enhanced. Choosing the wrong tier – or applying no tier at all – is a direct compliance failure.
Standard CDD applies to all new clients and requires: identification of the client (name, address, registration number for legal entities); verification of identity against reliable documents or databases; identification of the beneficial owner and verification of their identity in the CRBR; and assessment of the purpose and nature of the business relationship. For legal entities, this means obtaining a current KRS extract – typically no older than three months – alongside constitutional documents.
Enhanced due diligence (EDD) applies in three mandatory situations: politically exposed persons (PEPs) and their family members or close associates; clients from high-risk third countries on the EU list; and any situation where the entity's own risk assessment identifies elevated risk. EDD requires additional steps – source-of-funds analysis, senior management approval for the relationship, and more frequent ongoing monitoring. The timeline for completing EDD before entering the relationship is strict: it must be done before the first transaction, not concurrently.
Ongoing monitoring is the element most often neglected. The AML Act requires obligated institutions to monitor existing client relationships continuously – reviewing transactions against the client's expected profile, updating CDD data when material changes occur, and re-screening clients against sanctions lists. The GIIF has flagged inadequate ongoing monitoring as one of the top three deficiencies found during inspections.
A manufacturing client in Silesia (autumn 2024) discovered during our compliance review that it had not updated CDD records for 40% of its long-standing clients in over three years. Several beneficial ownership structures had changed. Remediation required six weeks of intensive data collection and CRBR cross-referencing before the file was clean.
What are the penalties for AML non-compliance in Poland?
The penalty framework is serious enough to warrant its own section. Many Polish companies – particularly those entering the obligated institution perimeter for the first time – underestimate the exposure. The AML Act implements the EU's Fourth and Fifth Anti-Money Laundering Directives, and the Polish legislature has transposed the penalty provisions in full.
Administrative penalties imposed by the GIIF can reach EUR 1,000,000 for natural persons and EUR 5,000,000 (or up to 10% of annual turnover, whichever is higher) for legal entities. These are not theoretical maximums. The GIIF has issued public decisions in the PLN 500,000–2,000,000 range for systemic procedural failures. Publication of the decision on the GIIF's official website – a name-and-shame outcome – is a standard element of significant enforcement actions.
Personal liability is the dimension that focuses management attention most sharply. Board members and senior managers can be held personally liable for AML failures where the failure results from their decision or inaction. The AML Act does not require proof of intent – negligence is sufficient. This means that a board member who approved a budget that excluded AML compliance resourcing may face a personal fine of up to EUR 1,000,000. The corporate veil offers no protection against that liability.
There is also an indirect cost that the penalty figures do not capture. An AML enforcement action triggers automatic notification to the KNF where the entity holds a licence. It may also affect the entity's ability to maintain banking relationships, as banks conduct their own AML due diligence on clients. A single enforcement action can therefore produce cascading consequences across the entity's operating infrastructure.
The window for voluntary remediation closes the moment the GIIF issues a formal inspection notice. Acting before that point – identifying gaps, documenting corrective measures, and briefing the compliance officer – is the only way to preserve the opportunity to present a credible defence.
Three business scenarios: manufacturing, IT, and foreign investor
Abstract rules become clearer through concrete situations. The three scenarios below illustrate how AML obligations differ depending on the business model – and where the compliance pressure points arise.
Scenario 1 – Manufacturing company. A Poznań-based manufacturer sells industrial equipment to clients across Central and Eastern Europe. It does not provide financial services. At first review, it appears to fall outside the AML Act. However, the company recently added a leasing-facilitation service – helping clients arrange financing through third-party lenders. This activity may constitute a "credit intermediary" function under Polish financial law, pulling the company into the obligated institution perimeter. The risk assessment must be conducted before the service goes live, not after the first transaction closes.
Scenario 2 – IT company. A Kraków-based software firm develops a platform that processes payments between merchants and consumers. It holds a registration as a small payment institution (mała instytucja płatnicza) with the KNF. It is unambiguously an obligated institution. Its CDD challenge is scale: the platform processes thousands of onboarding events per month. The internal procedure must include automated screening tools, with human review reserved for flagged cases. A manual-only process is operationally unworkable and creates documentation gaps that will surface in any inspection. Our work on corporate governance in Poland addresses the structural questions that arise when compliance functions are embedded in technology platforms.
Scenario 3 – Foreign investor. A German private equity fund acquires a majority stake in a Polish factoring company. The Polish subsidiary is an obligated institution. The fund's German AML programme does not satisfy Polish law. The subsidiary must have its own Polish-language internal procedure, its own designated AML officer, and its own CRBR verification workflow. The fund's legal counsel should review the subsidiary's compliance posture as part of pre-acquisition due diligence – AML gaps discovered post-closing become the buyer's problem immediately. The whistleblower channel requirements that often accompany AML frameworks are covered in our separate guide on whistleblower channel design and technical requirements.
What to prepare before your AML compliance review:
- Current list of all business activities and a preliminary assessment of whether each falls within the AML Act's category list
- Existing internal procedures, policies, and any prior GIIF correspondence
- CDD files for the last 12 months, including beneficial ownership verification records
- Training records for all employees involved in client onboarding or transaction monitoring
- Board or management resolutions designating the AML compliance officer
Your company's specific AML exposure depends on facts that a general guide cannot fully resolve. Gaps identified after an inspection notice is issued cannot be remediated retroactively – the procedural record is fixed at that point. To receive an expert assessment of your AML compliance posture before any regulatory contact occurs, contact info@kordeckipartners.com.
If your company operates in an AML-sensitive sector – financial services, real estate, professional services, or payment technology – and has not conducted a formal compliance gap analysis in the past 12 months, the exposure is live. We will review your existing procedures, map them against current GIIF guidance, and produce a prioritised remediation plan: info@kordeckipartners.com.
Frequently asked questions
Q: Does the AML Act apply to small companies, or only to large financial institutions?
A: Size is not the determining factor. The AML Act applies to any entity that performs activities listed in the statute as an obligated institution, regardless of headcount or turnover. A two-person accounting firm providing bookkeeping services commercially is fully subject to the regime. The compliance obligations scale with complexity – a small firm may have simpler CDD workflows – but the requirement to have a written internal procedure, a designated AML officer, and a documented risk assessment applies equally.
Q: How long does it take to build a compliant AML programme from scratch?
A: For a mid-sized obligated institution with no prior programme, the process typically takes between six and twelve weeks from initial gap analysis to a fully documented, board-approved procedure. The timeline depends on the number of product lines, the complexity of the client base, and the availability of internal resources for data collection. Training all relevant employees – a statutory requirement – adds two to four weeks. Starting the process before any regulatory contact is the only way to control that timeline.
Q: Is it a misconception that a parent company's AML programme covers a Polish subsidiary?
A: Yes – this is one of the most common and costly misconceptions. A Polish subsidiary is a separate legal entity subject to Polish law. Even where the parent operates a group-wide AML framework that meets the standards of its home jurisdiction, the Polish subsidiary must maintain its own Polish-language internal procedure, conduct CDD under Polish law standards, verify beneficial owners in the CRBR, and report suspicious transactions to the GIIF. The parent's programme can inform the subsidiary's approach, but it cannot substitute for it.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AML compliance, ESG reporting, and internal investigations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.