AML Compliance Guidelines: Poland

To help firms comply with Poland’s Regulatory Guidelines, AML Watcher offers a comprehensive framework of AML risk assessment, reporting and practical ways to tackle money laundering risks.


    Poland has a stable and steadily growing economy in Central Europe, thanks to its booming industrial base, strong export sector, high foreign direct investment, and growing connectivity with international markets. Though these characteristics drive economic prosperity, they also bring challenges like money laundering and terrorism financing. Drug trafficking, organized crime, and VAT fraud are some of the most common crimes in Poland; the illicit funds they generate create the need for money laundering.

    Act of 2018 on Countering Money Laundering And Terrorism Financing (AML Act)

    The Act of 2018 on Countering Money Laundering And Terrorism Financing, commonly referred to as the AML Act, is the backbone of the Polish legal system for fighting financial crimes and protecting the country's financial system. This Act incorporates the European Union’s Anti Money Laundering Directives (AMLD) into the Polish legal framework. It obligates financial institutions, regulated businesses, and gatekeeper professions (accountants, lawyers, real estate agents, etc.) to identify, mitigate, and report money laundering and terrorism financing concerns to the relevant authorities. The AML Act mandates the building of an AML compliance program by taking a risk-based approach to ML/TF risks. This approach complements international best practices set by the Financial Action Task Force (FATF) and promotes financial inclusion.

    Regulatory Authorities

    General Inspector of Financial Information (GIFI)

    The General Inspector of Financial Information (GIFI) is the Polish AML regulatory framework’s primary body to prevent money laundering and terrorism financing in the country. The GIFI is part of the Polish Government’s Ministry of Finance. GIFI is responsible for monitoring and examining all AML-obligated institutions, including banks, fintechs, credit institutions, accountants, lawyers, and virtual asset service providers. In practice, GIFI is assisted in performing its functions by other cooperating units of the government, such as law enforcement, tax authorities, the PFSA, or any other state or local government authority.

    Polish Financial Intelligence Unit (PFIU)

    The Department of Financial Information of the Ministry of Finance undertakes the role of the Polish Financial Intelligence Unit (PFIU). After collecting and verifying the suspected reports of money laundering and terrorism financing from the obligated institutions, cooperating units and other foreign FIUs, significant concerns of money laundering and terrorism financing are forwarded to the Prosecutor’s Office. The aim is to indict the identified suspects with the cooperation of the law enforcement authorities.

    Polish Financial Supervision Authority (PFSA)

    PFSA, known as Komisja Nadzoru Finansowego (KNF) in Polish, is a supervisory authority for the banking sector, capital markets, insurance sector, open pension funds, payment service providers, and electronic money institutions. PFSA is the primary authority regulating the financial sector; with the help of the GIFI, it ensures that the Polish financial system is protected from money laundering and terrorism financing threats.

    Regulated Entities

    As per Article 2 of the Act of 2018 on countering money laundering and terrorism financing, the following is a list of AML-obligated institutions in Poland along with their supervisory authorities:

    Entities Regulated in the Financial Sector

    • Banks, Credit Institutions, Financial Institutions (Supervised by PFSA)
    • Payment Institutions, Fintechs, and E-money Institutions (Supervised by PFSA)
    • Investment Firms and Custodian Banks (Supervised by PFSA)
    • Insurance Companies and Intermediaries (Supervised by PFSA)
    • Currency Exchange Operators (Supervised by NBP)
    • Cooperative Savings and Credit Unions (Supervised by National Cooperative Savings and Credit Union)

    Entities Regulated in the Non-Financial Sector

    • Notaries (Supervised by Presidents of courts of appeal)
    • Lawyers, legal Professionals, and Tax Advisors (Respective professional chambers)
    • Real Estate Intermediaries (Local trade organizations or chambers)
    • Accountants (Supervised by Local trade organizations or chambers)
    • Associations (Supervised by governors of provinces or districts)
    • Foundations (Supervised by competent ministers or governors of districts)
    • Postal Operators (Supervised by Office of Electronic Communications (UKE))
    • Entrepreneurs Accepting Large Cash Payments (Supervised by Ministry of Finance)
    • Gambling and Betting Sector (Supervised by Ministry of Finance)
    • Virtual Asset Service Providers (VASPs) (Tax Administration Chamber in Katowice)
    • Trust and Company Service Providers (TCSPs) (Tax Administration Chamber in Katowice)

    Sector Specific AML Regulations

    Insurance Sector

    Insurance companies operating in Poland are required to implement robust AML/CFT measures as an integral part of their operations. Insurance and reinsurance companies must take appropriate steps to identify whether the beneficiaries of an insurance agreement or their ultimate owners are politically exposed persons. This verification process should occur before transferring the rights under the insurance agreement or paying any benefit.

    If an insurance company identifies a heightened risk of money laundering or terrorism financing before transferring rights or paying benefits under an insurance agreement, it must implement customer due diligence and take further steps to:

    • Conduct a thorough review of the business relationship with the customer.
    • Notify senior management and obtain their approval before proceeding with the payment of benefits.

    Non Profit Organizations (NPOs)

    Associations and foundations in Poland can operate after registering with the National Court Register (KRS). These organizations closely resemble the NPO definition of the FATF. Under the AML Law, associations and foundations must comply with measures to prevent money laundering and terrorism financing. These organizations are regulated under AML law when they handle cash payments of €10,000 or more. Associations and foundations are also required to keep beneficial owner information updated with the Central Register of Beneficial Owners.

    Gambling Sector

    A company operating in games of chance, mutual betting, card games, and slot machine games is an obligated institution under the AML Act. Such operators must be licensed by the Ministry of Finance and implement measures relevant to AML/CFT requirements.

    Virtual Asset Service Providers (VASPs)

    Currently, cryptocurrency service providers in Poland operate by registering with the VASP Register, managed by the Tax Administration Chamber in Katowice. This registration process is valid until December 31, 2025. From January 1, 2026, VASPs must secure a full license from the Polish Financial Supervision Authority (PFSA) to continue their operations. Following the EU's adoption of the Markets in Crypto-Assets Regulation (MiCA), which mandates uniform EU market rules for crypto-assets, reforms in the regulatory framework for VASPs are expected in Poland.

    VASPs must adhere to Poland’s AML regulations, including implementing due diligence measures, record-keeping, and suspicious activity reporting to prevent money laundering and terrorist financing. Moreover, VASPs are obligated to apply financial security measures (i.e., assessment of business relationships and, as applicable, obtaining information concerning their objective and intended nature) in relation to occasional transactions with a value equal to or exceeding EUR 1,000.

    The GIFI oversees compliance with these AML and CFT obligations. Non-compliance may result in significant civil penalties or legal actions.

    Crypto Travel Rule Compliance Requirements in Poland
    Starting December 30, 2024, VASPs and intermediary VASPs in Poland will be required to implement the measures set out in Regulation (EU) 2023/1113, commonly called the “Travel Rule”. Under these new rules, VASPs will be required to hold and transmit certain information about the originator and beneficiary along with the transfer of crypto assets. Additionally, VASPs must identify ownership and control of unhosted wallets when such a wallet is involved in any transaction.

    Trust and Company Service Providers (TCSPs)

    Any natural or legal person performing activities such as company formation, providing business or registered office address, acting or enabling a person to act as nominee director, etc., must make entry into the TCSP register maintained by the Tax Administration Chamber in Katowice. These entities must adhere to CDD obligations mentioned in AML Law, which are examined and enforced by the GIFI.

    Key Requirements of AML Act in Poland

    Risk Assessment (Article 33)

    Risk assessment is the foundation of an AML compliance program; all subsequent measures depend on the accuracy of this first step. Obligated institutions must identify and assess the risk of money laundering and terrorism financing linked to a business relationship or occasional transaction. The risk assessment process involves the identification, assessment, and documentation of the risks of a particular business, considering factors such as:

    • Type of client (individual, business, etc.)
    • Geographical area (connected countries or territories)
    • Purpose of the account
    • Types of products, services, and their delivery methods (online or in-person, etc.)
    • Amount of assets or transaction values
    • Business relationship objectives, regularity, or duration

    Obligated entities must apply customer due diligence measures proportionate to the level of risk identified and their assessment.

    Customer Due Diligence (Article 34)

    Obligated institutions must apply the following customer due diligence measures to their customers:

    • Identify the customer and verify their identity
    • Verify the identity and authorization of individuals acting on behalf of the customer during the CDD process.
    • Identify the beneficial owner and take justified measures to:
      • a) Verify their identity.
      • b) Determine the ownership and control structure for legal entities, organizational units without legal personality, or trusts.
    • Evaluate the business relationship and gather information on its purpose and intended nature.

    Ongoing monitoring

    • Monitor transactions to ensure they align with the institution’s understanding of the customer and their potential money laundering or terrorism financing risks.
    • Verify the source of customer assets when required.
    • Keep all documents, data, and information about the business relationship updated regularly.

    When should you apply CDD measures (Article 35)

    • Establishing a business relationship
    • Performing occasional transactions up to certain limits
    • Suspected money laundering or terrorism financing
    • Doubts about previously obtained identification documents
    • Changes in the nature or circumstances of the business relationship.
    • Updates to the customer or beneficial owner data.
    • Before providing access to safe deposit boxes
    • Required under any other legal provision

    Simplified Due Diligence (Article 42)

    Obligated institutions can apply simplified due diligence for entities assessed as low risk, including entities such as public finance companies, low-value transactions, regulated market-listed companies, EU residents, and state-owned enterprises.

    Enhanced Due Diligence (Article 43)

    Obligated Institutions must apply enhanced due diligence (EDD) measures when they assess the risks of money laundering or terrorism financing are higher, including in the following situations:

    • Customers who are
      • Companies whose bearer shares are not traded on regulated markets.
      • Residents of high-risk third countries (FATF’s Grey List).
      • Companies with complex ownership structures
    • Significant cash transactions
    • Non-associated third parties ordering transactions for the customer
    • Private banking products or services that promote anonymity.
    • Transactions without customer presence or electronic identification.
    • Links to countries deemed to have elevated risk of crimes
    • Links to countries with EU or UN-imposed sanctions
    • Transactions involving high-risk goods (e.g., arms, precious metals, oil, or cultural artifacts).
    • Transactions linked to foreign nationals applying for citizenship through investments.

    Institutions must clarify the circumstances in which an occasional transaction is conducted or apply EDD measures to customers if such a transaction was conducted as part of a regular business relationship.

    Politically Exposed Persons – PEPs (Article 46)

    Who is a PEP in Poland?

    A PEP is defined in Poland as persons holding significant public positions or fulfilling significant public functions, including their close associates and family members, not covering middle-ranking and more junior officials.

    This definition doesn’t differentiate between domestic and foreign PEPs, nor does it define what constitutes a prominent position or function; rather, it provides a list of example positions. In line with the FATF definition, it also extends to family members and close associates but clearly excludes middle-ranking or more junior-level officials.

    Identification of PEP

    AML-obligated entities should have management systems to identify PEPs based on the risk assessment. As per communication no. 42 of GIFI regarding PEPs, the obligated institutions always bear the liability to identify a PEP, so relying merely on the customer’s declaration may not be enough. For PEP identification, regulated entities should take into account any lists published by authorities, external databases, as well as information from other reliable sources.

    Due Diligence measures for PEPs

    Before establishing a business relationship with politically exposed persons (PEPs), obligated institutions must:

    • Obtain Senior Management Approval: For establishing or continuing a relationship with a PEP.
    • Verify Wealth Sources: Establish the origin of the PEP’s wealth and assets.
    • Enhanced Due Diligence: Apply intensified customer due diligence measures.

    Institutions must apply measures reflecting the associated risk for at least 12 months after someone ceases to be a PEP (or longer if deemed high-risk). These rules also apply to PEP family members and close associates.

    Reporting (Articles 72 and 74)

    Suspicious Transactions: The obligated institutions must report a transaction to GIFI for which they have reasonable grounds to suspect that it involves money laundering or terrorism financing.

    Threshold Transactions: The obligated institutions must notify the GIFI of threshold transactions – transactions whose value exceeds EUR 15,000 and which are:

    • cash payments or withdrawals (cash transactions),
    • transfers of funds initiated outside the territory of Poland
    • purchase or sale of foreign currency,
    • notarial acts specified in the AML/CFT law.

    Record-Keeping (Article 49)

    Reporting entities must document and maintain records of all due diligence and risk assessment activities, including details of customers and transactions, for at least five years after ceasing a business relationship with a client.

    Administrative Penalties (Article 150)

    This article sets out the different types of administrative penalties that can result from a violation of any provision of the AML Act. These penalties include banning or restricting certain activities, canceling a license or registration, prohibition on holding a managerial position, and imposition of fines. Depending upon the context and scope of the violation committed, a fine of up to EUR 1,000,000 can be imposed by the authorities.

    Challenges in AML Compliance in Poland

    Compliance with AML regulations is challenging for businesses in Poland. In particular, applying a risk-based approach (RBA) is a strenuous task that requires maintaining accurate risk profiles, determining an appropriate level of due diligence measures, and allocating the right amount of resources. It is also important to comply with the changing and sometimes unclear expectations of the regulators. Moreover, the requirement to incorporate EU AML directives (AMLD) into the national regulatory framework of the EU member countries adds to the regulatory burden. False positives, resource-intensive investigations, and evolving criminal tactics make it even more challenging to maintain compliance.

    AML Compliance Solution for Obliged Sectors in Poland

    The basic building block of a risk-based approach is accurate risk assessment. The goal of a better risk assessment can be achieved with a screening solution utilizing better data that enables businesses to identify potential risks in advance.

    AML Watcher is a modern AML solution powered by a proprietary, real-time global database covering virtually every jurisdiction. Its extensive scope includes government watchlists, law enforcement records, wanted lists, PEP lists, court filings, news, and press releases providing actionable risk-intelligence for risk management.

    AML Watcher enables businesses in Poland to conduct accurate risk assessments, apply proportionate CDD measures, customize controls for transaction monitoring, and free up resources by automation. This effective approach not only helps meet regulatory requirements but also avoids reputational and financial losses.

    Sanctions Compliance in Poland

    United Nations and European Union Sanctions

    Being a member of the European Union and United Nations, Poland implements UN and EU sanctions. UN measures (UN Security Council resolutions) shall be applied by countries – UN Member States. UN Sanctions are implemented at the European Union level in a unified manner through the EU Council, and the EU Member States undertake actions under national law complementary to the measures provided by EU regulations. Since EU regulations are directly applicable in the EU Member States, the obligation to apply them has not been referred to in the provisions of the AML Act.

    Restrictive measures to Combat Terrorism

    Additionally, under Article 117(1) of the AML Act, obligated institutions must apply restrictive measures such as asset freezing against the entities on the GIFI list maintained under Article 118. This list explicitly implements the United Nations Security Council Resolution under Chapter 7 concerning terrorist acts that target the Taliban, ISIL (Da’esh), and Al-Qaeda. Violations of these provisions may result in specific penalties, including revocation of license or registration and a fine of up to EUR 1,000,000.

    Polish Autonomous Sanctions Regime

    Poland also implements an autonomous sanctions regime, introduced through the Act On Counteracting Support For Aggression Against Ukraine (Polish Sanctions Act) in April 2022. These sanctions primarily target entities and individuals seeking to benefit the Belarusian or Russian governments. Any individual or entity that fails to implement restrictive measures or any provision of the Polish Sanctions Act could be liable to an administrative fine of up to PLN 20,000,000, imposed by the Head of the National Revenue Administration.

    International Sanctions

    In addition to the above sanctions regimes, Polish individuals and entities are advised to consider the implications of other international sanctions, especially sanctions implemented by the OFAC of the US Department of Treasury and the OFSI of the UK HM Treasury, depending upon the links established through their cross-border operations.

    Challenges in Sanction Compliance in Poland

    Complexity is a significant challenge in sanctions compliance, particularly in a country like Poland, where multiple sanctions regimes are applicable. Keeping track of frequently changing sanctions lists is another challenge. Furthermore, the severe penalties for violations intensify the pressure on sanctions compliance. Staying compliant with this constantly changing sanctions regime is an ongoing and demanding task.

    Sanctions Compliance Solution in Poland

    Using the right tools can simplify sanctions compliance. In particular, screening software with a global database of sanctions lists that are updated in real-time can be a reliable partner in sanctions compliance.

    1. AML Act
    2. Regulation (EU) 2023/1113
    3. Communication 42
    4. Polish Sanctions Act