A mid-sized Polish manufacturing company operating across three voivodeships discovered, during a routine internal audit, that several procurement contracts had been awarded without documented competitive procedures. Payments to intermediaries lacked proper justification. The board faced a difficult question: was this a process failure, or something more serious?
Anti-corruption compliance under Polish law draws on three interlocking bodies of regulation: the Penal Code provisions on bribery, the Act on Counteracting Money Laundering and Terrorist Financing (AML Act), and the Act on the Protection of Whistleblowers, which entered into force in September 2024. Together, these create personal liability for board members, compliance obligations for entities above 50 employees, and mandatory internal reporting channels. Failure to implement the required framework within the statutory deadlines precludes reliance on the "adequate procedures" defence in enforcement proceedings.
This case study traces how the company moved from a compliance gap to a functioning anti-corruption framework within four months. The account covers background, the legal strategy adopted, the build-out process, and the lessons that transfer to other Polish entities.
What was the compliance gap, and why did it matter?
The internal audit identified three distinct problem areas. First, no written anti-corruption policy existed. Second, the company had not established an internal reporting channel despite employing over 200 people – a threshold the Act on the Protection of Whistleblowers set at 50 employees for private-sector entities. Third, no AML risk assessment had been prepared, even though the company's turnover exceeded the threshold triggering obligatory institution status under the AML Act.
Each gap carried a separate legal consequence. The absence of an internal reporting channel exposed the company to fines of up to PLN 5 million under the Whistleblower Act. The missing AML risk assessment created direct personal liability for the management board under Polish financial-supervision rules enforced by the General Inspector of Financial Information (GIIF). The National Court Register (KRS) records showed no compliance-related entries, which a future acquirer or lender would immediately flag.
The board's concern was not abstract. A competitor in the Mazowieckie region had faced a GIIF inspection in autumn 2024 that resulted in a corrective order and reputational damage. That precedent concentrated minds quickly. The company retained our compliance team within two weeks of the audit findings.
How did the legal strategy address Polish regulatory requirements?
The strategy had three pillars. First, triage: map every statutory obligation by deadline and penalty severity. Second, sequencing: implement obligations in the order that reduced personal board liability fastest. Third, integration: avoid building siloed policies and instead create one interlocking compliance framework covering anti-corruption, AML, and whistleblower protection.
On triage, the most time-sensitive obligation was the internal reporting channel. The Act on the Protection of Whistleblowers required private entities above 50 employees to have a functioning channel by 25 September 2024. The company was already in breach. Establishing the channel within 30 days of engagement became the first milestone.
On sequencing, the anti-corruption policy came second. Polish criminal law does not prescribe a single code, but the "adequate procedures" defence – analogous to the equivalent defence under the UK Bribery Act – requires a documented risk assessment, a written policy, training records, and a review mechanism. The company needed all four elements before any enforcement inquiry could arise. We structured the policy around five risk categories: procurement, third-party intermediaries, public-official contact, gifts and hospitality, and political contributions.
On integration, the AML risk assessment was aligned with the anti-corruption risk map. This avoided duplication and reduced the compliance burden on the finance team. For guidance on structuring compliance programmes for entities with cross-border ownership, see our compliance programme design guide for Luxembourg subsidiaries in Poland.
What did the build-out process involve?
The process ran across four months and four workstreams. Month one covered the internal reporting channel: drafting the procedure, selecting an internal channel manager, preparing a staff notice, and testing the submission mechanism. The company chose an internal channel rather than an external provider – a decision that saved approximately PLN 18,000 annually but required a dedicated HR contact trained to handle reports confidentially.
Month two addressed the anti-corruption policy. We conducted a risk workshop with procurement, finance, and sales leads. The output was a risk register with 22 identified scenarios and 14 mitigating controls. The policy document ran to 18 pages and included a gifts-and-hospitality register, a third-party due diligence checklist, and a conflicts-of-interest declaration form.
Month three covered AML. The company qualified as an obligated institution under the AML Act because it provided certain financial services ancillary to its manufacturing operations. The GIIF requires obligated institutions to conduct and document a risk assessment at least every two years. We completed the initial assessment and established a customer due diligence procedure covering 12 counterparty categories.
Month four delivered training and documentation. All 200-plus employees received a 90-minute e-learning module. Management received a separate four-hour in-person session. Training records were retained for five years – the period required under Polish administrative law for AML documentation. We also assisted the company in reviewing its restructuring exposure; entities with compliance deficiencies often face complications in insolvency proceedings, as detailed in our restructuring practice overview.
We secured a documented compliance baseline for a manufacturing client in Małopolska by spring 2026, enabling the company to pass a lender's ESG due diligence review and proceed with a refinancing of over PLN 12 million.
Specific situations require tailored assessment. If your company has identified a compliance gap and needs to map its exposure before an inspection or transaction, email info@kordeckipartners.com to receive a structured gap analysis.
What lessons transfer to other Polish entities?
Four lessons emerged from this engagement. They apply broadly to Polish companies above 50 employees and to foreign-owned subsidiaries subject to Polish law.
- Start with the whistleblower channel. It is the fastest obligation to implement, carries the largest standalone fine, and signals good faith to regulators.
- Align anti-corruption and AML risk maps from the outset. Separate processes create inconsistencies that enforcement bodies exploit.
- Document training. A policy without training records offers no protection in a criminal or administrative proceeding.
- Review third-party relationships annually. Intermediaries, agents, and consultants represent the highest-risk category in Polish enforcement cases.
A second transferable point concerns cross-border structures. Foreign investors owning Polish subsidiaries often assume that a group-level compliance policy satisfies Polish requirements. It does not. Polish whistleblower law requires a locally adapted procedure in Polish, with a locally accessible reporting channel. ESG reporting obligations under the Polish transposition of the CSRD add a further layer for entities above the relevant thresholds. For entities structured through Switzerland, the equivalent considerations are covered in our compliance programme design guide for Switzerland subsidiaries in Poland.
The checklist below summarises what a Polish entity should have in place:
- Written anti-corruption policy with a documented risk assessment
- Internal reporting channel compliant with the Whistleblower Act
- AML risk assessment (if the entity qualifies as an obligated institution)
- Training records retained for at least five years
- Annual third-party due diligence review
We assisted a logistics company in Silesia (winter 2025) in implementing a full compliance framework within six weeks, allowing it to satisfy the conditions of a public procurement contract worth over PLN 8 million. Speed of implementation, not perfection of documentation, was the decisive factor.
Your company's specific compliance exposure depends on sector, headcount, ownership structure, and transaction history. These factors determine which obligations apply and in what sequence they should be addressed. To receive a tailored assessment of your anti-corruption compliance framework, contact info@kordeckipartners.com.
Frequently asked questions
Q: Does a Polish company need a separate anti-corruption policy if it already has a group-level code of conduct?
A: A group-level code does not satisfy Polish legal requirements on its own. The Act on the Protection of Whistleblowers requires a locally adapted internal reporting procedure in Polish, with a designated contact person accessible to employees in Poland. The "adequate procedures" defence in Polish criminal law also requires documented local risk assessment and training records. A group policy without local implementation leaves the Polish entity and its board exposed.
Q: How long does it take to implement a compliant internal reporting channel?
A: A basic internal channel can be operational within two to four weeks. This covers drafting the procedure, designating a channel manager, notifying employees, and testing the submission mechanism. A more complete framework – including a linked anti-corruption policy and AML risk assessment – typically takes eight to twelve weeks for a company of 50 to 300 employees. The timeline depends on management availability and the complexity of the third-party network.
Q: Is whistleblower compliance the same as AML compliance?
A: No. These are separate legal regimes with different obligations and enforcement bodies. The Act on the Protection of Whistleblowers is supervised by the Labour Inspectorate and the State Prosecutor's Office. AML obligations are overseen by the General Inspector of Financial Information (GIIF). A company may be fully compliant under one regime and in breach under the other. The most efficient approach is to build both frameworks simultaneously, aligning the risk maps where they overlap.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, anti-corruption frameworks, and whistleblower programme design. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.