A Warsaw-based technology company expands its client base into new markets, onboards several high-value corporate clients, and begins processing payments across multiple jurisdictions. Six months later, a routine inspection by the Generalny Inspektor Informacji Finansowej (General Inspector of Financial Information, GIIF) reveals that the firm never established a formal anti-money laundering programme. The consequences are immediate: administrative fines, a suspension of business relationships, and – in serious cases – personal liability for board members who failed to act.

Polish AML law, rooted in the Ustawa o przeciwdziałaniu praniu pieniędzy oraz finansowaniu terroryzmu (Act on Counteracting Money Laundering and Terrorism Financing, AML Act), imposes binding compliance obligations on a broad category of "obligated institutions." These entities must implement internal procedures, conduct customer due diligence, appoint a compliance officer, and submit suspicious transaction reports to the GIIF. Administrative penalties for non-compliance reach PLN 1,000,000 for natural persons and up to PLN 5,000,000 – or 10% of annual turnover – for legal entities.

This service page explains who qualifies as an obligated institution, what specific measures Polish law requires, where companies most commonly fail, and how foreign-owned subsidiaries should approach cross-border AML alignment. A practical self-assessment checklist closes the guide.

Who qualifies as an obligated institution under Polish AML law?

The AML Act casts a wide net. The definition of "obligated institution" extends well beyond banks and payment processors. Any company that falls within a listed category must build a full compliance programme – regardless of size or ownership structure.

The categories most relevant to commercial operators include: financial institutions supervised by the Komisja Nadzoru Finansowego (Polish Financial Supervision Authority, KNF); virtual asset service providers registered with the Departament Informacji Finansowej (Financial Information Department); notaries, lawyers, and tax advisors when providing specific services; real estate agents and developers; and accounting firms handling client funds. The list has expanded significantly since Poland implemented the EU's Fourth and Fifth AML Directives.

One misconception deserves attention. Many mid-size Polish companies assume that AML obligations apply only to regulated financial entities. In practice, a management consulting firm that assists clients in structuring transactions, or a law firm advising on corporate acquisitions, may qualify. The trigger is the nature of the service rendered – not the sector in which the company formally operates.

The Krajowa Administracja Skarbowa (National Revenue Administration, KAS) conducts on-site inspections and has the power to impose sanctions without prior warning. A company that incorrectly concludes it falls outside the AML Act's scope forfeits the opportunity to implement a compliant programme before enforcement begins. That window, once closed, does not reopen.

  • Banks, credit unions, and payment institutions supervised by KNF
  • Virtual asset service providers (crypto exchanges, custodians)
  • Real estate agents and property developers handling cash
  • Lawyers, notaries, and tax advisors on qualifying transactions
  • Accounting firms and company formation agents

For foreign investors establishing Polish subsidiaries, the question of obligated-institution status must be resolved at the incorporation stage – not after the first client contract is signed. Misclassification is one of the most common and most costly errors we encounter.

What internal procedures does the AML Act require?

Once an entity qualifies as an obligated institution, Polish AML law prescribes a specific set of internal measures. These are not optional best-practice recommendations. They are statutory requirements, each with its own timeline and documentation standard.

The core obligation is a written internal procedure document (procedura wewnętrzna). This document must describe the company's risk assessment methodology, customer due diligence (CDD) steps, enhanced due diligence (EDD) triggers, transaction monitoring rules, suspicious activity reporting channels, and employee training schedule. The procedure must be updated whenever the regulatory framework changes – and it must be approved by senior management, not delegated entirely to a compliance function.

Customer due diligence sits at the heart of day-to-day AML compliance. For every new business relationship, the obligated institution must verify the client's identity, identify beneficial owners holding 25% or more of shares or voting rights, and assess the purpose of the relationship. Enhanced due diligence applies automatically to politically exposed persons (PEPs), clients from high-risk third countries, and any transaction with an unusual pattern relative to the client's profile.

We secured a full compliance programme review and remediation plan for a fintech client in the Mazowieckie region (spring 2025), after a KAS inspection identified gaps in their beneficial ownership verification process. The remediation was completed within 60 days and no administrative penalty was imposed.

The AML Act also requires obligated institutions to appoint a senior compliance officer (kierownik jednostki odpowiedzialny za wdrożenie obowiązków) at board level. This person carries personal liability for systemic compliance failures. That liability is not transferred by delegation – it follows the office.

How does suspicious transaction reporting work in Poland?

Suspicious transaction reporting is the operational centrepiece of any AML programme. Polish law sets a 24-hour deadline for submitting a suspicious transaction report (STR) to the GIIF once the institution identifies grounds for suspicion. Missing this deadline triggers penalties independently of whether the underlying transaction was actually criminal.

The GIIF operates an electronic reporting platform (System Informacji Finansowej, SIF). All obligated institutions must register on SIF and submit STRs electronically. The report must describe the transaction, the basis for suspicion, and the client's identity data. Institutions are prohibited from tipping off the client that a report has been filed – a "tipping-off" breach carries criminal consequences for the compliance officer and board members involved.

Beyond STRs, the AML Act requires the filing of cash transaction reports (CTRs) for transactions exceeding PLN 15,000 – whether conducted in a single operation or as linked transactions that together cross the threshold. Many companies underestimate the linked-transaction rule. Two payments of PLN 8,000 from the same client within 24 hours must be aggregated and reported.

A practical question arises frequently: what constitutes "grounds for suspicion"? Polish law does not provide an exhaustive list. Institutions must assess context – inconsistency between the client's declared business and transaction volume, unusual geographic routing, rapid movement of funds through multiple accounts, or reluctance to provide beneficial ownership information. These red flags must be documented and reviewed at least quarterly.

For a tailored strategy on building a defensible STR workflow, reach out to info@kordeckipartners.com.

Where do Polish companies most commonly fail AML audits?

Enforcement patterns from GIIF and KAS inspections reveal recurring weaknesses. Identifying them in advance is the most direct route to a defensible compliance posture. The pitfalls cluster around four areas.

First, beneficial ownership identification. Many companies conduct identity checks on their direct contractual counterpart but fail to trace the ownership chain to the ultimate beneficial owner. Under Polish corporate legislation, beneficial ownership must be disclosed in the Centralny Rejestr Beneficjentów Rzeczywistych (Central Register of Beneficial Owners, CRBR). Relying solely on CRBR data without independent verification is insufficient – the register may be outdated or deliberately inaccurate.

Second, risk assessment methodology. The AML Act requires a documented, risk-based approach. Inspectors consistently find that companies produce a risk matrix at the time of initial programme design and then never update it. A risk assessment that does not reflect changes in the client portfolio, service offering, or geographic exposure fails the statutory standard.

Third, training records. The obligation to train all relevant employees is clear. What is less clear to many companies is that training must be role-specific, documented, and repeated when procedures change. A single all-staff briefing from three years ago does not satisfy the requirement.

Fourth, transaction monitoring. Automated monitoring tools must be calibrated to the institution's actual risk profile. Generic rule-sets purchased from a software vendor and applied without customisation are a common source of both false positives (operational burden) and false negatives (missed STRs). Either failure attracts regulatory scrutiny.

  • Incomplete beneficial ownership chains – stopping at the first legal entity
  • Static risk assessments never updated after initial programme launch
  • Training records that are incomplete or not role-specific
  • Transaction monitoring thresholds not calibrated to client risk profile

We obtained a favourable outcome in an administrative review for a real estate developer in Lower Silesia (autumn 2024), where the GIIF had initially proposed a penalty of PLN 400,000 for inadequate CDD documentation. The penalty was reduced to a formal warning after we demonstrated that the procedural gaps had been remediated before the inspection concluded.

How should foreign-owned subsidiaries approach cross-border AML alignment?

For foreign investors operating Polish subsidiaries, AML compliance presents a layered challenge. The Polish subsidiary is subject to Polish law. Its parent is subject to the law of its home jurisdiction. Where those frameworks differ, the subsidiary must meet both – and document how it does so.

The EU's Sixth AML Directive (6AMLD), implemented in Poland, introduced harmonised predicate offences and extended criminal liability to legal persons. A German or Czech parent whose Polish subsidiary commits an AML violation may face reputational and regulatory consequences in its home jurisdiction as well. Group-wide compliance programmes that do not account for Polish-specific requirements – such as the CRBR filing obligation, the 24-hour STR window, or the SIF registration requirement – create gaps that local inspectors will find.

Polish law also requires that group compliance policies be translated into Polish and adapted to local procedures. A parent-company policy written in English and circulated to the Warsaw office does not satisfy the statutory documentation requirement. This point is frequently overlooked by multinationals entering the Polish market for the first time.

For subsidiaries of Romanian-registered companies operating in Poland, our team has developed a cross-border alignment methodology. An overview of that approach is available on our page "Compliance programme design for Romania subsidiaries in Poland". For Czech Republic-based groups, a comparable framework is described on the page "Compliance programme design for Czech Republic subsidiaries in Poland".

One further cross-border issue deserves attention: real estate transactions. Foreign nationals and foreign-owned entities purchasing Polish property are subject to AML obligations at the transactional level, independent of whether they operate an obligated institution in Poland. The relevant procedural background is covered in our guide on buying property in Poland.

To receive an expert assessment of your group's cross-border AML exposure in Poland, contact info@kordeckipartners.com.

AML compliance self-assessment checklist

Before engaging external counsel, many companies benefit from a structured internal review. The checklist below identifies the minimum documentation and process requirements under the AML Act. Each item corresponds to a statutory obligation that inspectors will examine.

  • Obligated institution status confirmed – written legal analysis on file, reviewed within the past 12 months
  • Internal procedure document approved by senior management – version-controlled, updated after each regulatory change
  • Risk assessment conducted and documented – covers client portfolio, geographic exposure, and service-specific risk factors; updated at least annually
  • Beneficial ownership verification process in place – goes beyond CRBR cross-check to independent source verification
  • SIF registration completed and STR/CTR workflow tested – 24-hour reporting deadline built into escalation protocol

Companies that can answer "yes" to all five points have a defensible baseline. Those with gaps should prioritise remediation before the next scheduled inspection cycle – GIIF has indicated that inspection frequency for mid-size obligated institutions will increase through 2026.

Specific situations require tailored analysis. A company processing cross-border payments in multiple currencies faces different calibration challenges than a domestic real estate agent. The checklist above identifies the floor, not the ceiling, of what a sound programme requires.

Frequently asked questions

Q: How long does it take to build a compliant AML programme from scratch?

A: For a mid-size company with a defined client base and straightforward service offering, the core documentation – internal procedure, risk assessment, and training materials – can typically be completed within 60 to 90 days. SIF registration and staff training add approximately two to four weeks. Companies with complex group structures or multi-jurisdictional client portfolios should budget four to six months for a fully integrated programme.

Q: Is it a common misconception that small companies are exempt from AML obligations?

A: Yes. The AML Act does not contain a general small-business exemption. An obligated institution is defined by the nature of its activities, not its size or annual revenue. A sole-practitioner tax advisor who assists clients with corporate restructuring qualifies as an obligated institution and must implement the full statutory programme. The only sector-specific thresholds relate to transaction value – for example, the PLN 15,000 cash transaction reporting trigger – not to company size.

Q: What is the penalty for failing to register on the SIF platform?

A: Failure to register on the SIF platform is treated as a systemic compliance failure rather than a single procedural lapse. Under Polish AML legislation, administrative penalties for legal entities in this category can reach PLN 5,000,000 or 10% of annual turnover, whichever is higher. For natural persons – including board members with designated AML responsibility – the personal penalty ceiling is PLN 1,000,000. Penalties are published in the GIIF's public register, creating reputational consequences that extend beyond the financial sanction.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AML compliance, ESG reporting, whistleblower compliance, and CSRD Poland implementation. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.