A Warsaw-based subsidiary of a foreign group passes its third year of Polish operations without a formal compliance programme. Regulators have not knocked yet. Then a whistleblower report lands with the Polish Financial Supervision Authority (KNF), and the board discovers that no internal reporting channel exists, no anti-money laundering (AML) procedures are documented, and the parent's global code of conduct has never been localised. The window to act proactively has closed.

Designing a compliance programme for a Poland subsidiary means mapping Polish statutory obligations – including the whistleblower protection law, AML legislation, and emerging CSRD Poland requirements – onto the group's existing governance framework. The exercise typically takes eight to twelve weeks and produces a documented, audit-ready system. Gaps identified after a regulatory investigation are far harder and more expensive to close than those addressed at the design stage.

This service page explains the regulatory baseline every Poland subsidiary must meet, the instruments used to build a working compliance programme, the pitfalls that most commonly derail implementation, and the cross-border considerations that matter for foreign-owned entities. A self-assessment checklist closes the page.

What regulatory baseline must every Poland subsidiary meet?

Polish law imposes three overlapping compliance obligations on subsidiaries operating in Poland. First, the whistleblower protection act – implementing EU Directive 2019/1937 – requires companies with 50 or more employees to operate an internal reporting channel, appoint a channel manager, and retain reports for at least three years. Second, AML legislation applies to any entity classified as an "obligated institution," which covers financial intermediaries, real estate agents, tax advisers, and certain corporate service providers. Third, CSRD Poland obligations are phasing in from 2025 onward for large entities, requiring double-materiality assessments and audited sustainability reporting.

The National Court Register (KRS) records the subsidiary's legal form and determines which board members bear direct regulatory responsibility. The General Inspector of Financial Information (Generalny Inspektor Informacji Finansowej, GIIF) supervises AML compliance. The Office of Competition and Consumer Protection (Urząd Ochrony Konkurencji i Konsumentów, UOKiK) enforces antitrust obligations. Each regulator operates its own inspection calendar and sanction scale.

Non-compliance carries asymmetric consequences. A failure to establish a whistleblower channel can result in fines reaching PLN 1.5m per violation. AML breaches expose the entity – and personally liable board members – to penalties up to PLN 5m or twice the benefit obtained. Antitrust infringements attract fines up to 10 percent of annual turnover. These are not theoretical risks. Each of the three Polish regulators listed above has increased its inspection activity since 2023.

  • Whistleblower channel: mandatory for entities with 50+ employees
  • AML register and transaction monitoring: mandatory for obligated institutions
  • CSRD double-materiality assessment: phased from 2025 for large entities
  • Antitrust compliance policy: recommended for all market participants
  • Data protection (RODO/GDPR): continuous obligation for all subsidiaries

A Warsaw-based compliance lawyer engaged by a client will typically start with a gap analysis against this baseline before designing any programme instrument. The gap analysis maps existing group policies to Polish statutory requirements and identifies the items that need localisation, translation, or fresh drafting.

Which instruments form the core of a compliance programme design?

A working compliance programme in Poland rests on four instruments: a policy framework, an internal reporting system, a training architecture, and a monitoring mechanism. Each instrument must be adapted to Polish law – importing a parent company's English-language documents without localisation does not satisfy Polish regulators and will not hold up in court. The programme design phase typically produces between eight and fourteen written documents, depending on the subsidiary's sector and headcount.

The policy framework begins with a code of conduct localised into Polish, followed by sector-specific policies covering gifts and hospitality, conflicts of interest, data protection, and – where applicable – AML. Polish employment law under the Kodeks pracy (Labour Code) requires that internal regulations binding on employees be issued as a formal workplace regulation (regulamin). This procedural requirement is frequently missed by foreign groups that simply translate a global policy document without issuing it through the correct employment-law channel. The consequence is that the policy is unenforceable as a disciplinary matter.

We secured the successful localisation of a multinational compliance framework for a manufacturing client in the Mazowieckie region (autumn 2025). The engagement identified three policies that had never been issued as regulamin documents, leaving the client exposed to disciplinary challenges from employees for over two years.

The internal reporting system – required under whistleblower law within 14 days of the channel going live – must include a written procedure, a designated channel manager, and a feedback loop back to the reporter. The monitoring mechanism should schedule at least one internal audit per calendar year and a full programme review every 24 months. ESG reporting obligations now require that the monitoring results feed into the sustainability disclosure.

What are the most common pitfalls in programme implementation?

Implementation failures cluster around three patterns. The first is policy-without-process: the subsidiary drafts documents but does not embed them in day-to-day workflows. A code of conduct that employees sign once on joining and never revisit provides almost no protection in a regulatory investigation. Polish courts have consistently held that passive knowledge of a policy does not constitute effective compliance. Annual training completion rates below 80 percent are treated by regulators as a red flag.

The second pattern is localisation gaps. Group-level AML policies drafted for a UK or German parent may reference institutions, thresholds, or procedures that have no Polish equivalent. The GIIF expects AML documentation to reference Polish statutory thresholds – currently EUR 15,000 for cash transaction reporting – and Polish beneficial ownership register obligations under the Central Register of Beneficial Owners (Centralny Rejestr Beneficjentów Rzeczywistych, CRBR). A policy that references HMRC or BaFin instead of GIIF and CRBR will not pass a Polish AML audit.

Our team obtained a clean AML audit outcome for a financial services client in Lower Silesia (spring 2026) after a full localisation of the group's transaction monitoring procedures to Polish statutory thresholds and GIIF reporting formats.

The third pattern is ESG reporting disconnected from the compliance function. CSRD Poland requires that sustainability data be collected systematically, with audit trails. Companies that treat ESG reporting as a communications exercise rather than a compliance obligation find themselves unable to produce the underlying data when auditors arrive. The compliance programme design must include data collection workflows from the outset, not as a retrofit.

For subsidiaries that also operate in neighbouring jurisdictions, it is worth reviewing how compliance programme design for Slovakia subsidiaries in Poland differs from the Polish baseline – the AML thresholds and whistleblower channel requirements diverge in ways that matter for cross-border groups.

How do cross-border structures affect compliance programme design in Poland?

Foreign-owned subsidiaries face a specific design challenge: the programme must satisfy Polish law while remaining consistent with group-level governance standards. These two requirements are not always compatible. Where they conflict, Polish statutory obligations take precedence. A parent company's decision not to maintain a local whistleblower channel because the group operates a centralised global hotline does not satisfy Polish law for subsidiaries with 50 or more employees. The Polish channel must be separate, Polish-language, and operated by a person with authority to act on reports within seven days.

Transfer pricing documentation, which sits within the tax compliance perimeter, has a direct interface with the compliance programme. The Ordynacja podatkowa (Tax Ordinance) requires transfer pricing master files and local files to be ready within nine months of the financial year-end. Compliance programme design for foreign-owned subsidiaries should map this deadline into the monitoring calendar to avoid a situation where the compliance officer is unaware of a tax documentation gap until an audit begins.

German and Swiss parent groups in particular often underestimate the gap between their home-country compliance frameworks and Polish requirements. For Swiss-headquartered groups, the article on compliance programme design for Switzerland subsidiaries in Poland provides a detailed comparison. Real estate subsidiaries also face a distinct compliance layer: lease structures and property management arrangements generate AML and beneficial ownership obligations that must be reflected in the programme. The article on office lease review for Poland tenants addresses the documentation requirements that feed into this layer.

Cross-border groups should also account for Pillar Two obligations if the group's consolidated revenue exceeds EUR 750m. The Polish minimum tax rules interact with the compliance monitoring calendar and require a separate set of internal controls that the compliance programme must document.

What does a self-assessment checklist for Poland compliance look like?

Before engaging external counsel, a subsidiary's management can run a preliminary self-assessment. The checklist below covers the five areas that Polish regulators examine first. A "no" answer to any item signals a gap that should be addressed within 30 days.

  • Is a Polish-language whistleblower reporting channel in place, with a named channel manager and a written feedback procedure?
  • Are AML policies localised to Polish statutory thresholds and GIIF reporting formats, and updated within the last 12 months?
  • Have all compliance policies been issued as formal regulamin documents under the Labour Code, with employee acknowledgement records?
  • Is there a documented annual training programme with completion records for the current calendar year?
  • Does the monitoring plan include a CSRD double-materiality assessment for the next reporting period?

This checklist is a starting point, not a substitute for a full gap analysis. The self-assessment takes approximately two hours of management time. A professional gap analysis, which produces a written report and a prioritised remediation roadmap, typically takes two to three weeks and costs between PLN 15,000 and PLN 45,000 depending on the subsidiary's size and sector complexity.

Whistleblower compliance, AML, and ESG reporting are not static obligations. Each area has a legislative amendment cycle of roughly 18 to 24 months. A compliance programme without a scheduled review mechanism becomes outdated faster than most management teams expect. Building the review trigger into the programme at the design stage costs almost nothing. Retrofitting it after a regulatory inquiry can cost significantly more.

Your subsidiary's compliance exposure is specific to its sector, headcount, and ownership structure. Waiting for a regulatory inquiry to identify gaps forfeits the ability to remediate on your own timeline and at a manageable cost.

To receive an expert assessment of your Poland subsidiary's compliance programme design, contact info@kordeckipartners.com. Our team will conduct a structured gap analysis, produce a prioritised remediation roadmap, and draft or localise the policy documents your programme requires.

Frequently asked questions

Q: How long does it take to design and implement a compliance programme for a Poland subsidiary from scratch?

A: The design phase – gap analysis, policy drafting, and system setup – typically takes eight to twelve weeks for a subsidiary with up to 250 employees. Implementation, including training delivery and regulamin registration, adds a further four to six weeks. The full process from engagement to an audit-ready programme therefore runs between three and four months. Subsidiaries with sector-specific AML obligations or active CSRD reporting requirements should allow additional time for data workflow design.

Q: Does a Poland subsidiary with fewer than 50 employees need a compliance programme at all?

A: Yes, though the scope differs. The whistleblower channel obligation applies from 50 employees, but AML, antitrust, data protection, and CSRD obligations apply regardless of headcount (subject to sector and revenue thresholds). A common misconception is that small subsidiaries are exempt from compliance obligations entirely. In practice, a subsidiary with 20 employees that qualifies as an obligated institution under AML law faces the same GIIF inspection risk as a larger entity. A proportionate compliance programme – lighter on procedure, but covering the statutory minimum – is still required.

Q: Can a Poland subsidiary rely on its parent group's global compliance programme without local adaptation?

A: Not without localisation. Polish regulators assess compliance against Polish statutory requirements, not group-level governance standards. A global code of conduct not issued as a regulamin under the Labour Code is unenforceable as a disciplinary instrument. AML policies that reference foreign institutions and thresholds will not pass a GIIF audit. The compliance programme must be localised to Polish law before it can be treated as effective. The localisation exercise does not require replacing the group framework – it requires adapting it to Polish statutory requirements and issuing it through the correct legal channels.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to compliance programme design, ESG reporting, and regulatory risk management. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating AML, CSRD, whistleblower protection, and cross-border compliance obligations. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.