A Polish subsidiary of a foreign group receives a dawn-raid notice from the Urząd Ochrony Konkurencji i Konsumentów (Office of Competition and Consumer Protection, UOKiK). The legal team discovers that the local entity has no documented compliance programme, no whistleblower channel, and no anti-money laundering (AML) controls. The parent group faces reputational damage, regulatory fines, and potential personal liability for board members – all of which could have been avoided.

Designing a compliance programme for a Poland-based subsidiary requires aligning Polish statutory obligations with group-level standards across at least four regulatory layers: corporate governance, AML, whistleblower protection, and ESG reporting. Polish law sets a 14-day deadline for appointing an AML compliance officer after the entity crosses the statutory threshold for obligated institutions. Failure to implement mandatory elements exposes the entity to administrative fines under the AML Act (up to the PLN equivalent of EUR 1 million, with higher ceilings for financial institutions) and the responsible management board member to a personal fine of up to PLN 1 million.

This guide walks through the full design process in five stages: risk mapping, structural decisions, implementation timelines, sector-specific scenarios, and the most common mistakes that undermine otherwise well-intentioned programmes. Each section includes at least one concrete figure so you can benchmark your own situation.

What legal framework governs compliance obligations for Polish subsidiaries?

Polish subsidiaries operate under a layered framework. Three primary statutes define the baseline: the Ustawa o przeciwdziałaniu praniu pieniędzy i finansowaniu terroryzmu (Anti-Money Laundering and Counter-Terrorism Financing Act, AML Act), the Ustawa o ochronie osób zgłaszających naruszenia prawa (Whistleblower Protection Act, WPA), and the Kodeks spółek handlowych (Commercial Companies Code, KSH). Obligations flowing from the EU Corporate Sustainability Reporting Directive (CSRD), as transposed into Polish law, add a fourth layer for entities meeting the size thresholds. Each layer carries its own deadline, penalty structure, and documentation standard.

The National Court Register (KRS) records the entity's governance structure, which regulators use as the starting point for any inspection. The Polish Financial Supervision Authority (KNF) supervises financial-sector entities and applies AML Act requirements with particular rigour. The General Inspector of Financial Information (GIIF) receives suspicious-transaction reports and monitors AML programme quality. Understanding which regulator has primary jurisdiction over your subsidiary is the first decision in programme design – and it shapes every subsequent step.

Under Polish corporate legislation, management board members bear personal liability for compliance failures. This is not a theoretical risk. KSH creates a duty of care that courts interpret broadly: a board member who fails to implement a required programme cannot claim ignorance as a defence. The WPA requires entities with 50 or more persons performing paid work for them to establish an internal reporting channel; that obligation took effect when the Act entered into force in September 2024, and entities that missed it remain exposed today.

Two practical points follow from this framework. First, a group-level compliance policy does not automatically satisfy Polish law. Local implementation documents, in Polish, signed by the local board, are required. Second, regulators assess programme quality, not merely existence. A one-page policy uploaded to an intranet does not constitute a programme under the AML Act.

How do you map risks and set programme scope for a Polish subsidiary?

Risk mapping is the foundation. Without it, programme design defaults to copying a template – which rarely fits the subsidiary's actual exposure. The process has three steps: identify the entity's regulatory category, quantify inherent risk by activity, and assess existing controls. The output is a risk register that drives every subsequent design decision, including the budget.

Start with regulatory category. The AML Act defines "obligated institutions" – these include financial entities, accountants, lawyers, real-estate agents, and entrepreneurs that accept or make cash payments of EUR 10,000 or more in a single transaction (or in linked transactions). If your subsidiary falls into this category, AML controls are mandatory, not optional. If it does not, AML best practice is still advisable, but the statutory penalties do not apply directly.

We secured a reversal of an AML supervisory decision for a fintech client in the Mazowieckie region (spring 2025). The regulator had issued a PLN 850,000 preliminary fine for programme deficiencies. Our review showed that the risk register predated the entity's product expansion by 18 months and had never been updated. Updating the register and demonstrating remediation reduced the final sanction to a formal warning.

Quantify inherent risk by mapping four dimensions: customer base (retail versus institutional, domestic versus cross-border), transaction types (cash, crypto, occasional transactions at or above the AML Act's EUR 15,000 threshold), geography (presence in high-risk jurisdictions listed by the Financial Action Task Force), and product complexity. Score each dimension on a three-point scale. The aggregate score determines whether your programme needs a basic, standard, or enhanced structure – each with different cost and staffing implications.

  • Basic programme: suitable for low-risk, single-jurisdiction, non-AML-obligated entities – budget PLN 20,000–40,000 for design and implementation.
  • Standard programme: required for mid-size subsidiaries with mixed customer profiles – budget PLN 60,000–120,000.
  • Enhanced programme: mandatory for AML-obligated or CSRD-in-scope entities – budget PLN 150,000 and above, ongoing.

Assess existing controls honestly. Many subsidiaries inherit group policies that were designed for a different legal system. German or Dutch group standards often omit the GIIF reporting obligation entirely, because that obligation is specific to Polish law. A gap analysis comparing group standards against Polish statutory requirements typically identifies between 8 and 15 gaps in a mid-size subsidiary.

What does the step-by-step implementation process look like?

Implementation follows a six-phase process. Each phase has a defined output, a responsible owner, and a realistic timeline. The full cycle from risk mapping to first audit takes between 90 and 180 days, depending on subsidiary size and complexity. Rushing phases two through four – the documentation, training, and channel setup phases – is the single most common cause of programme failure.

Phase one (days 1–14): governance decision. The management board formally resolves to adopt a compliance programme. This resolution is recorded in the board minutes and filed with the KRS if it involves a structural change. The board appoints a compliance officer – either internal or external. For subsidiaries with fewer than 50 employees, an external compliance lawyer (Warsaw-based or working remotely) can fulfil this role cost-effectively.

Phase two (days 15–45): documentation. Draft the core policy set: AML internal procedure, whistleblower reporting procedure, conflicts-of-interest policy, and a data-protection compliance annex (GDPR intersects with whistleblower channel design in ways that regularly surprise clients). All documents must be in Polish. English summaries are useful for the parent group, but the operative documents must be in the language of the jurisdiction.

Phase three (days 46–75): channel setup. The WPA requires a technically secure, confidential reporting channel. Options include a dedicated email address with encryption, a third-party platform, or a telephone hotline. The channel must be accessible to employees, contractors, and – for entities above 249 employees – external stakeholders. The WPA sets two clocks: receipt of a report must be acknowledged to the whistleblower within 7 days, and substantive feedback must follow within 3 months of that acknowledgement. Build both deadlines into the procedure and log the dates for each report.

Phase four (days 76–105): training. All employees must receive documented training on the programme. Board members require separate, more detailed training on personal liability exposure. Training records are the first document a regulator requests during an inspection. Keep them for at least 5 years.

Phase five (days 106–150): testing and audit. Run a tabletop exercise simulating a regulatory inspection. Identify gaps between the documented programme and actual employee behaviour. Remediate before the programme goes live. An internal audit report at this stage provides evidence of good faith if a regulator later finds residual deficiencies.

Phase six (ongoing): review and update. The programme must be reviewed at least annually and after any material change in the entity's business, ownership, or regulatory environment. ESG reporting obligations under the Polish transposition of CSRD are still evolving – subsidiaries of large groups may be pulled into scope earlier than they expect.

How do three business scenarios shape programme design differently?

Programme design is not one-size-fits-all. Three scenarios illustrate how the same framework produces materially different outputs depending on the subsidiary's profile. Each scenario also highlights a distinct compliance risk that generic templates miss.

Manufacturing subsidiary (Silesia region). A German automotive supplier sets up a production entity in Silesia with 320 employees. The entity is not an AML-obligated institution, but it procures from suppliers in jurisdictions flagged by the EU for forced-labour risk. CSRD Poland obligations apply at group level, and the Polish subsidiary feeds data into the parent's sustainability report. The programme must include a supply-chain due-diligence procedure, an ESG data-collection protocol, and a whistleblower channel accessible to both employees and external supply-chain workers. Budget: PLN 180,000 for year-one design; PLN 60,000 annually thereafter.

For cross-border compliance structures, our guide on compliance programme design for Czech Republic subsidiaries in Poland provides a parallel framework useful for multi-jurisdiction groups managing several Central European entities simultaneously.

IT and technology subsidiary (Mazowieckie region). A US-based SaaS company establishes a Polish subsidiary with 40 employees providing development services to group clients. The entity is below the 50-employee WPA threshold, so an internal whistleblower channel is not yet mandatory – but a voluntary channel is strongly advisable given the parent's US whistleblower obligations under Sarbanes-Oxley. The primary compliance risk is data protection: GDPR intersects with employee monitoring, IP ownership, and client data processing. The programme should prioritise a data-protection management system and an IP-assignment policy. Budget: PLN 35,000 for a basic programme.

Foreign investor entering through acquisition (Małopolska region). A French private equity fund acquires a Polish distribution company with 180 employees and a pre-existing, undocumented compliance culture. The acquisition triggers a 90-day integration window during which the new owner must assess inherited AML exposure, implement a WPA-compliant whistleblower channel, and align the Polish entity with the group's anti-bribery policy. We obtained interim contractual protections for a similar client in Małopolska (autumn 2024), securing representations and warranties covering undisclosed regulatory proceedings worth over PLN 3 million. Post-acquisition compliance integration in this scenario typically costs PLN 90,000–140,000 and takes 120 days.

For subsidiaries with Ukrainian or CIS ownership or operational links, the compliance programme design for Ukraine subsidiaries in Poland guide addresses the additional AML and sanctions-screening obligations that apply in those structures.

What are the most common mistakes that undermine compliance programmes in Poland?

Even well-resourced subsidiaries make predictable mistakes. Identifying them in advance is cheaper than remedying them after a regulatory inspection. The five mistakes below account for the majority of programme failures we encounter in practice.

Mistake 1: treating group policy as local compliance. A group anti-bribery policy governed by English law does not satisfy the AML Act's requirement for a Polish-language internal procedure adopted by the local board. Regulators reject the argument that group-level compliance substitutes for local implementation. Personal liability for the local board crystallises regardless of what the parent group has documented.

Mistake 2: static risk registers. The AML Act requires the institutional risk assessment to be updated at least every two years and whenever the entity's business model, customer base, or product portfolio changes materially. Many subsidiaries update the register once – at programme launch – and then leave it unchanged for years. A risk register more than 12 months old without a documented review is a red flag in any regulatory inspection, even where the two-year statutory ceiling has not yet been reached.

Mistake 3: inadequate whistleblower channel design. The WPA prohibits retaliation against whistleblowers and requires procedural confidentiality. Entities that route reports through HR managers who also manage the reported individuals create a structural conflict of interest. The channel must be independent. For smaller subsidiaries, an external provider or external counsel is the most practical solution.

Mistake 4: skipping AML training records. Training occurred but no attendance list was signed, no training materials were archived, and no completion certificates were issued. In a subsequent inspection, the entity cannot prove that training took place. Regulators treat undocumented training as no training. Keep records for 5 years minimum.

Mistake 5: ignoring CSRD timelines in Poland. Subsidiaries of large groups are being pulled into CSRD reporting scope on a rolling basis. An entity that assumes it has until 2027 may discover it is already in scope for the 2025 financial year. ESG reporting failures are not yet subject to the same immediate fines as AML failures, but they create board liability and parent-group reputational risk that is increasingly material.

Labour law intersects with compliance programme design more often than clients expect. Whistleblower procedures, employee monitoring policies, and AML training obligations all interact with the Kodeks pracy (Labour Code). Our guide on severance pay calculation under the Polish Labour Code illustrates how employment law obligations can compound compliance costs when programme design fails to account for workforce changes.

What should you prepare before engaging a compliance lawyer?

Engaging external counsel without preparation wastes budget and extends timelines. The checklist below reflects the documents and decisions that allow a compliance lawyer to begin substantive work on day one rather than spending the first two weeks gathering basic information.

  • Current KRS extract showing ownership structure, board composition, and registered business activities.
  • Employee headcount and any planned changes in the next 12 months (relevant to WPA thresholds).
  • List of jurisdictions in which the subsidiary transacts, procures, or has counterparties.
  • Existing group compliance policies, even if unadopted locally – these accelerate gap analysis.
  • Any prior regulatory correspondence, inspection reports, or informal inquiries from UOKiK, KNF, GIIF, or the State Labour Inspectorate (PIP).

With these materials in hand, an experienced compliance lawyer can deliver a gap analysis within 10 business days and a full programme design proposal within 30 days. Without them, the timeline extends by 3–6 weeks and costs increase proportionally.

Your subsidiary's specific risk profile – its regulatory category, employee count, transaction volumes, and cross-border exposure – determines whether a basic, standard, or enhanced programme is appropriate. The difference in cost between getting this classification right at the outset and having to rebuild a programme after a regulatory inspection is typically a factor of four to six. Personal liability for board members, once crystallised, cannot be undone by retroactive programme implementation.

To receive an expert assessment of your subsidiary's compliance programme gaps and a tailored design proposal, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does a Polish subsidiary of a foreign group need its own compliance programme, or does the group programme suffice?

A: Polish law requires local implementation documents adopted by the Polish board. A group programme governed by foreign law does not satisfy the AML Act or the Whistleblower Protection Act. The local board bears personal liability for the absence of a compliant local programme, regardless of what the parent group has documented. In practice, the most efficient approach is to adapt group standards into Polish-law-compliant documents rather than drafting from scratch.

Q: How long does it take to implement a compliant programme from scratch?

A: For a mid-size subsidiary with 50–200 employees, the full cycle from risk mapping to first internal audit takes 90 to 150 days. Smaller entities with a basic-programme profile can complete implementation in 60 days. The timeline depends heavily on how quickly the local board approves documents and whether existing group policies can be adapted. Entities with prior regulatory correspondence should allow additional time for gap remediation before programme launch.

Q: Is the whistleblower channel mandatory even if the subsidiary has fewer than 50 employees?

A: The Whistleblower Protection Act sets a mandatory threshold of 50 for the internal reporting channel obligation. Note that the threshold counts persons performing paid work for the entity, not only those on employment contracts, and is measured as at 1 January or 1 July of a given year. Subsidiaries below this threshold are not legally required to maintain an internal channel. However, if the parent group is subject to equivalent obligations in another jurisdiction – such as the EU Whistleblowing Directive as transposed in France, Germany, or the Netherlands – the group may require a channel at the Polish entity level as a matter of group policy. Additionally, entities that expect to cross the threshold within 12 months should implement the channel proactively to avoid a compliance gap at the measurement date.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to compliance programme design, ESG reporting, and internal investigations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating AML, whistleblower protection, and CSRD obligations. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.