A Zurich-based holding company acquires a mid-sized Polish distributor. Within six months, the subsidiary faces a whistleblower report, a Polish Financial Supervision Authority (KNF) query, and a CSRD gap identified by group auditors. None of these were anticipated at closing. Each could have been managed – or prevented – with a properly structured compliance programme built before operations began.
Designing a compliance programme for a Swiss-owned subsidiary in Poland requires mapping three overlapping frameworks: Polish statutory obligations, Swiss group standards, and European Union directives transposed into Polish law. The programme must address whistleblower protection, anti-money laundering (AML), ESG reporting, and internal control architecture within a single coherent structure. A well-designed programme typically takes between 10 and 16 weeks to implement from initial gap assessment to first operational review.
This guide walks through the step-by-step design process, identifies the most common mistakes Swiss parent companies make when entering Poland, and provides three concrete business scenarios drawn from manufacturing, IT services, and financial distribution. The goal is a programme that satisfies both Polish regulators and Swiss group governance requirements – without duplicating effort or creating conflicting obligations.
What legal framework applies to Swiss subsidiaries operating in Poland?
Swiss subsidiaries incorporated in Poland are Polish legal entities. They are subject to Polish law in full – including the Kodeks spółek handlowych (Commercial Companies Code, KSH), the Act on Counteracting Money Laundering and Financing of Terrorism (AML Act), and the whistleblower protection law that transposed the EU Whistleblowing Directive. Swiss law governs the parent company. It does not override Polish obligations at the subsidiary level. This distinction matters enormously in compliance design.
Three Polish institutions have direct supervisory relevance. The National Court Register (KRS) handles corporate filings and transparency obligations. The General Inspector of Financial Information (GIIF) oversees AML compliance for obligated entities. The National Labour Inspectorate (PIP) enforces employment-related compliance, including whistleblower channel requirements. Swiss subsidiaries with more than 50 employees must operate a certified internal reporting channel under Polish law – a deadline that passed in September 2024 for most entities.
EU directives add a further layer. The Corporate Sustainability Reporting Directive (CSRD) will require Polish subsidiaries of large Swiss groups to produce ESG reporting aligned with European Sustainability Reporting Standards (ESRS) from the 2025 financial year onward (reports due in 2026). Swiss parent companies subject to their own Swiss sustainability disclosure rules face a dual reporting obligation. Aligning both frameworks early reduces duplication and avoids conflicting disclosures.
The compliance programme must therefore be built on three pillars: Polish statutory obligations, group-level Swiss standards, and EU directive requirements. Treating these as separate workstreams creates gaps. Treating them as a single integrated structure is the correct approach.
How should the compliance programme be designed step by step?
The design process begins with a gap assessment. This involves mapping current controls against required obligations under Polish law, identifying missing policies, and flagging areas where Swiss group standards conflict with or exceed Polish requirements. A gap assessment for a mid-sized Polish subsidiary typically takes three to four weeks. It produces a prioritised remediation list – not a generic compliance manual.
Step two is policy architecture. The programme needs at minimum: an AML policy (mandatory for obligated entities under the AML Act), a whistleblower reporting procedure, a conflicts-of-interest policy, a data protection framework under GDPR, and an ESG disclosure procedure where CSRD applies. Each policy must be adopted by the management board and recorded in the KRS-accessible corporate documentation. Swiss group templates can be adapted – but must be reviewed against Polish law before adoption. We secured a full policy architecture alignment for a Zurich-based financial distribution group's Polish subsidiary in Mazowieckie (autumn 2025), avoiding a GIIF remediation request.
- Gap assessment against Polish statutory obligations (weeks 1–4)
- Policy drafting and board adoption (weeks 5–8)
- Whistleblower channel setup and staff training (weeks 7–10)
- AML risk assessment and customer due diligence procedures (weeks 8–12)
- ESG baseline data collection and CSRD readiness review (weeks 10–16)
Step three is implementation. Policies on paper do not constitute a compliance programme. Implementation requires staff training, the appointment of a designated compliance officer, and a testing cycle. The compliance officer role can be filled internally or outsourced. For subsidiaries with fewer than 100 employees, an outsourced compliance function is often more cost-effective – typically PLN 3,000 to PLN 8,000 per month depending on scope.
Step four is the first operational review, conducted at the 12-month mark. This review tests whether controls are functioning, whether the whistleblower channel has been used correctly, and whether ESG data collection is on track for the first CSRD reporting cycle.
What are the most common mistakes Swiss companies make when designing compliance for their Polish subsidiaries?
The most frequent error is assuming Swiss group compliance covers Polish obligations. It does not. A Swiss parent may operate under FINMA supervision and have a mature internal audit function. None of that substitutes for the Polish AML Act registration, the whistleblower channel under Polish law, or the CSRD reporting chain in Poland. Relying on group-level coverage without local adaptation is the single fastest route to regulatory exposure.
The second mistake is delaying AML registration. Polish law requires entities qualifying as obligated institutions – including certain financial intermediaries, tax advisors, and auditors – to register with the GIIF within 14 days of commencing relevant activity. Missing this deadline triggers administrative sanctions and, in serious cases, personal liability for board members. Swiss subsidiaries providing financial services or acting as payment agents frequently fall into the obligated category without realising it.
The third mistake is treating whistleblower compliance as an HR matter. The Polish whistleblower law imposes specific procedural requirements: a written internal reporting procedure, a register of reports, a 7-day acknowledgement deadline, and a 3-month response deadline. Failure to implement these correctly precludes the subsidiary from invoking procedural defences if a report is mishandled – forfeiting legal protection at exactly the moment it is most needed.
(A related issue: Swiss group whistleblower hotlines do not satisfy Polish law requirements unless the channel is specifically adapted for Polish jurisdiction and operated under Polish procedural rules.)
The fourth mistake is underestimating CSRD timelines. ESG reporting requires baseline data collection starting from the first day of the reporting year. Subsidiaries that begin CSRD preparation in the second half of the year lose data points that cannot be reconstructed. For Swiss groups where the Polish subsidiary contributes to the consolidated sustainability report, this gap affects the entire group disclosure.
How do compliance requirements differ across three business scenarios?
Compliance programme design is not one-size-fits-all. The obligations, costs, and timelines differ materially depending on the subsidiary's sector and size. Three scenarios illustrate the range.
Manufacturing subsidiary (150 employees, Silesia). Primary obligations: whistleblower channel (mandatory above 50 employees), CSRD readiness (likely in scope from the 2025 financial year if part of a large group), employment compliance, and environmental permitting documentation. AML obligations are minimal unless the entity processes financial instruments. Programme design cost: PLN 35,000 to PLN 60,000 for initial setup. Timeline: 12 to 14 weeks. The main challenge is integrating Swiss group ESG KPIs with the ESRS requirements that apply under CSRD in Poland – they often use different metrics and base years.
IT services subsidiary (40 employees, Warsaw). Primary obligations: GDPR data protection programme, whistleblower channel (mandatory above 50 employees, but good practice below that threshold), IP protection policies, and AI Act readiness if the entity develops or deploys high-risk AI systems. AML obligations depend on whether the entity handles payments. Programme design cost: PLN 20,000 to PLN 40,000. Timeline: 8 to 10 weeks. The key risk is GDPR cross-border data transfers between the Polish entity and Swiss parent – Switzerland is an adequate country under GDPR, but transfer mechanisms must still be documented. For a comparison with how Luxembourg structures these obligations, see our guide on compliance programme design for Luxembourg subsidiaries in Poland.
Financial distribution subsidiary (25 employees, Kraków). Primary obligations: AML Act registration, customer due diligence (CDD) procedures, beneficial ownership reporting to the Central Register of Beneficial Owners (CRBR), and KNF notification if distributing financial products. Programme design cost: PLN 50,000 to PLN 90,000 due to AML complexity. Timeline: 14 to 16 weeks. This scenario carries the highest regulatory risk. GIIF can impose fines of up to EUR 1 million for AML non-compliance. Our team obtained a clean GIIF compliance confirmation for a Swiss-owned distribution entity in Małopolska (spring 2025), following a full AML programme rebuild.
Understanding your scenario determines your budget, timeline, and risk prioritisation. A manufacturing subsidiary and a financial distributor need fundamentally different programmes – even if both are wholly owned by the same Swiss parent.
What should a compliance programme checklist include?
A practical compliance programme for a Swiss subsidiary in Poland should be assessed against a minimum checklist before sign-off. Missing items are not minor gaps – they are open regulatory exposure points. For more detail on AML-specific obligations, see our article on AML compliance obligations for Polish companies. For KSeF implications for Swiss-group entities, see what KSeF means for your business in Switzerland.
- Board-adopted AML policy and GIIF registration (where obligated entity status applies)
- Whistleblower reporting procedure with 7-day acknowledgement and 3-month response cycle
- CRBR beneficial ownership filing current and accurate
- CSRD baseline data collection initiated for current financial year
- Compliance officer appointed or outsourced function contracted
Each item on this checklist corresponds to a specific Polish legal obligation with a defined sanction for non-compliance. The checklist is not aspirational – it is the minimum threshold for a defensible compliance position. Swiss parent companies should request confirmation of each item from subsidiary management on at least an annual basis.
A compliance programme that passes this checklist is not automatically excellent. But a programme that fails it is demonstrably deficient – and that distinction matters when regulators or counterparties conduct due diligence.
Designing compliance as a one-time exercise is also a mistake. Polish law changes. The CSRD reporting scope expands. AML guidance is updated by GIIF. A programme designed in 2024 may require material updates by 2026. Build the review cycle into the programme from day one.
Frequently asked questions
Q: How long does it take to build a compliant whistleblower channel for a Swiss subsidiary in Poland?
A: Setting up a legally compliant internal reporting channel typically takes four to six weeks from instruction. This includes drafting the written procedure, configuring the reporting tool, training designated handlers, and establishing the report register. The acknowledgement deadline under Polish law is seven days from receipt of a report, so the channel must be operational – not just documented – before it receives its first submission.
Q: Does our Swiss group's AML policy satisfy Polish AML Act requirements?
A: Not automatically. The Polish AML Act requires a specific risk assessment and written internal procedure tailored to the Polish entity's activities, customer base, and geographic exposure. Swiss group AML policies can serve as a starting point, but they must be adapted to Polish regulatory requirements and adopted by the Polish management board. Using the group policy verbatim without adaptation is one of the most common compliance gaps identified in Polish subsidiary reviews.
Q: What does CSRD compliance cost for a Polish subsidiary of a Swiss group?
A: Costs vary significantly by scope. An initial CSRD gap assessment for a mid-sized Polish subsidiary typically costs PLN 15,000 to PLN 30,000. Full programme implementation – including data collection systems, disclosure procedures, and first-year reporting support – ranges from PLN 40,000 to PLN 120,000 depending on company size and reporting complexity. Subsidiaries that form part of a large Swiss group's consolidated sustainability report should begin preparation at least 18 months before the first report is due.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, AML programme design, and whistleblower compliance for foreign-owned subsidiaries. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.