LAW Insights 26.02.2026
AML/KYC Anti-Money Laundering and Counter-Terrorist Financing
A Guide for Entrepreneurs and Foreign Investors | ATL Law 2026
The Strategic Importance of AML/KYC Compliance for Business in Poland
Anti-money laundering and counter-terrorist financing regulations represent one of the most critical compliance areas for businesses operating in Poland. The obligations arising from the AML (Anti-Money Laundering) and KYC (Know Your Customer) framework apply to a broad range of entities – from financial institutions, through law firms and advisory companies, to real estate agents and providers of crypto-asset services. Non-compliance exposes businesses to severe administrative and criminal penalties and, for regulated entities, the risk of losing operating licences.
Poland’s AML framework is primarily based on the Act of 1 March 2018 on Counteracting Money Laundering and the Financing of Terrorism (hereinafter: the AML Act), which implemented the requirements of the Fourth AML Directive (Directive 2015/849/EU) and its amendments under the Fifth AML Directive (Directive 2018/843/EU). The Act has been amended on multiple occasions, with particularly significant changes taking effect between 2021 and 2024 to align Polish law with the evolving standards of the Financial Action Task Force (FATF) and the requirements of the EU AML/CFT legislative package.
For foreign investors entering the Polish market – and in particular for entities planning to operate in AML-regulated sectors – a thorough understanding of Polish KYC/AML requirements is an essential prerequisite for lawful and compliant business operations. This article provides a comprehensive overview of the key obligations, procedures and legal risks associated with the AML/KYC regime in Poland, with particular emphasis on the perspective of foreign entities.
Legal Framework of AML/KYC Regulation in Poland
The AML Act and Its Key Principles
The AML Act of 2018, as repeatedly amended, provides the comprehensive legal basis for the system of counteracting money laundering and terrorist financing in Poland. Its architecture rests on several fundamental pillars: defining the catalogue of obliged entities, imposing on them extensive customer due diligence obligations, introducing requirements for the identification of beneficial owners, establishing the obligation to report suspicious transactions, and designating specialised supervisory authorities responsible for oversight and enforcement.
The Act is built around a risk-based approach, meaning that the intensity of the customer due diligence measures applied should be proportionate to the identified level of money laundering and terrorist financing risk associated with a specific customer, type of business relationship or transaction. This approach, which represents the standard developed by the FATF and adopted in EU AML directives, places significant responsibility on obliged entities to correctly identify, assess and manage risk.
The Role of Supervisory Authorities – GIIF and Sectoral Supervisors
The central institution of the Polish AML system is the General Inspector of Financial Information (Generalny Inspektor Informacji Finansowej – GIIF), functioning as Poland’s national Financial Intelligence Unit (FIU). The GIIF operates within the structure of the Ministry of Finance and is responsible for receiving and analysing reports of suspicious transactions and cash transfers, cooperating with foreign financial intelligence units, maintaining registers required under the AML Act, and issuing interpretations and guidance on the application of AML provisions.
Alongside the GIIF, sectoral supervisory authorities play a key role in monitoring compliance with AML obligations. The Polish Financial Supervision Authority (Komisja Nadzoru Finansowego – KNF) supervises financial institutions, banks, insurance companies, investment fund management companies and other capital market participants. The National Bar Council (Krajowa Izba Radców Prawnych), the Polish Bar Council (Naczelna Rada Adwokacka) and the National Council of Notaries (Krajowa Rada Notarialna) supervise the respective legal professions. The GIIF directly supervises entities including currency exchange operators and crypto-asset service providers that are not subject to other sectoral supervisors.
The EU AML Package – An Outlook for 2025–2026
Polish AML law is undergoing significant changes in connection with the adoption of the EU’s new AML/CFT legislative package, comprising the AML Regulation (AMLR), the Sixth AML Directive (AMLD6) and the regulation establishing the Anti-Money Laundering Authority (AMLA) with its seat in Frankfurt. The AMLR, which will apply directly in member states without the need for national implementation, will harmonise the catalogue of obliged entities, tighten customer due diligence requirements and expand beneficial ownership identification obligations. Businesses operating in Poland should monitor legislative developments and prepare to align their internal procedures with the new requirements, which will gradually take effect from 2027 onwards.
The Catalogue of Obliged Entities
Entities Subject to the AML Regime in Poland
The AML Act specifies a closed catalogue of obliged entities, imposing on them extensive procedural and documentary requirements. However, this catalogue is broad enough to cover a very diverse range of entities, including financial institutions such as banks, national payment institutions, insurance undertakings and investment fund management companies, as well as other financial market participants. AML obligations also apply to real estate sector entities, that is, real estate agents and entities accepting cash payments of at least EUR 10,000. Obliged entities further include tax advisers, statutory auditors and accounting firms providing certain services to clients, as well as notaries and lawyers carrying out activities covered by the Act.
The catalogue additionally includes entities engaged in currency exchange services, including physical exchange offices and online currency exchange platforms. The AML Act covers entrepreneurs accepting or making cash payments equal to or exceeding EUR 10,000, irrespective of the nature of their business. An important expansion of the catalogue was the inclusion of crypto-asset service providers – entities providing virtual currency exchange services and cryptocurrency custody services.
Assessing Obliged Entity Status for Foreign Entities
Foreign investors conducting business in Poland through capital companies, branches or representative offices must carry out a careful assessment of whether their activities qualify them as obliged entities under the Polish AML Act. The status of an obliged entity gives rise to very specific procedural and documentary obligations, and failure to fulfil them creates a risk of administrative sanctions. The assessment should take into account the nature of the services provided, the legal form of the business, the geographical scope of the clients served and the type of transactions conducted.
Customer Due Diligence Measures and KYC Procedures
The Scope and Nature of Customer Due Diligence Measures
Customer due diligence (CDD) measures constitute the primary mechanism for verifying client identity and assessing AML risk. The AML Act distinguishes three levels of CDD, the application of which depends on the identified level of risk: simplified due diligence (SDD), standard due diligence and enhanced due diligence (EDD). The selection of the appropriate level of CDD must be justified by a risk assessment and properly documented in each case.
Standard customer due diligence comprises four key components. First, identifying the customer and verifying their identity on the basis of documents or information obtained from credible and independent sources. Second, identifying the beneficial owner and taking reasonable measures to verify their identity. Third, assessing the business relationship and, where necessary, obtaining information on the purpose and intended nature of that relationship. Fourth, ongoing monitoring of the client’s business relationship, including scrutinising transactions conducted within that relationship.
Customer Identification and Identity Verification
The KYC procedure – Know Your Customer – is the practical implementation of the obligation to identify and verify the identity of customers. For natural persons, identity verification involves obtaining identifying data (name, nationality, date and place of birth, PESEL number or date of birth, series and number of the identity document) and verifying this data on the basis of an identity document or data from credible, independent sources. The AML Act permits identity verification to be carried out remotely, using a qualified electronic signature certificate, a trusted profile, or through video identification – which is particularly significant for institutions serving foreign clients.
The identification of legal persons – companies, foundations, associations and other organisational units – requires establishing, among other things, the entity’s name, organisational form, registered office and address, tax identification number (NIP) or equivalent number assigned in the country of registration, and the details of the beneficial owner. For foreign entities, it is necessary to obtain registration documents from the country of incorporation, which often requires engaging foreign correspondents or accessing online registries available in other EU member states.
Enhanced Due Diligence
Enhanced due diligence (EDD) applies where a higher level of risk has been identified. The AML Act specifically enumerates situations in which the application of EDD is mandatory: establishing a business relationship or conducting a transaction with a customer who is a politically exposed person (PEP) or their close associate; transactions involving third countries identified by the European Commission as high-risk; transactions whose purpose or effect is to conceal the identity of the customer or beneficial owner; and any case in which the obliged entity identifies a higher risk level in its own internal assessment.
Under EDD, the obliged entity should obtain additional information about the customer and beneficial owner, including information on the source of wealth and the source of funds used in the transaction, conduct enhanced ongoing monitoring of the business relationship, and – in the case of a PEP – obtain the approval of senior management for establishing or continuing the business relationship. These requirements are particularly significant for financial institutions serving clients with a political profile or connected to higher-risk jurisdictions.
Simplified Due Diligence
Simplified due diligence measures may only be applied when the obliged entity has identified a lower level of money laundering and terrorist financing risk in relation to specific customers, products, services or distribution channels. The AML Act contains an indicative list of lower-risk factors that may justify the application of SDD; however, the decision must always be based on the entity’s own risk assessment and properly documented. The application of SDD does not mean a complete waiver of CDD – the obliged entity remains required to identify the customer and beneficial owner, but the scope and intensity of the measures taken may be reduced.
Beneficial Ownership – Identification and the Central Register
The Concept of Beneficial Ownership
The correct identification of the beneficial owner (Ultimate Beneficial Owner – UBO) is one of the most important and practically challenging obligations arising from the AML regime. The AML Act defines a beneficial owner as any natural person who exercises direct or indirect control over a customer through rights arising from legal or factual circumstances that enable them to exert a decisive influence on the actions or activities undertaken by the customer.
In the case of legal persons, a beneficial owner is any natural person who directly or indirectly holds more than 25% of the total votes in the governing body of the customer, or more than 25% of the shares, stocks or profit interests. Where identification of the beneficial owner on the basis of ownership or voting criteria is not possible or does not yield definitive results, it is necessary to identify persons who exercise control through other factual or legal rights. As a last resort, where no natural person can be identified as a beneficial owner, the natural person holding the most senior management position is treated as the beneficial owner.
The Central Register of Beneficial Owners (CRBR)
Poland has established the Central Register of Beneficial Owners (Centralny Rejestr Beneficjentów Rzeczywistych – CRBR), a public register maintained by the Ministry of Finance, to which information on the beneficial owners of entities registered in the National Court Register (KRS) must be entered. The obligation to register in the CRBR applies to general partnerships, limited partnerships, limited joint-stock partnerships, limited liability companies, joint-stock companies (except listed companies), simple joint-stock companies, professional partnerships, foundations and associations registered in the KRS.
Entries in the CRBR are made free of charge through the Ministry of Finance’s IT system. The deadline for making the initial entry following registration in the KRS is 14 days, and any changes must be updated within 14 days of the change occurring. Responsibility for the accuracy of the data entered in the CRBR lies with the entity obliged to make the submission, and failure to comply carries a financial penalty of up to PLN 1,000,000. For foreign investors creating corporate structures in Poland, updating CRBR data with every group restructuring is an obligation of fundamental practical importance.
Verification of Beneficial Ownership by Obliged Entities
Obliged entities are required to verify information on the beneficial owners of their customers, including by reference to data contained in the CRBR. At the same time, the regulations do not exempt obliged entities from conducting their own assessment and verification – CRBR data constitutes one source of information, but is not the sole basis for identifying a beneficial owner. Where there are discrepancies between the data declared by the customer and the data disclosed in the CRBR, the obliged entity is required to document those discrepancies and, in justified cases, to notify the Ministry of Finance.
Risk Assessment – Institutional and Client Level
Institutional Risk Assessment
Every obliged entity is required to develop, implement and regularly update an assessment of the money laundering and terrorist financing risks associated with its business activities. This assessment – sometimes referred to as an institutional or sectoral assessment – should take into account the types of customers with whom the entity establishes business relationships, the products and services offered and their distribution channels, as well as the geographical areas of operation. The risk assessment should be prepared in documentary form, taking into account the findings of the national risk assessment prepared by the GIIF and the supranational risk assessment prepared by the European Commission.
Client and Transaction Risk Assessment
At the level of the relationship with a specific customer, the obliged entity is required to carry out a risk assessment in relation to that customer and the business relationship being established. This assessment should take into account risk factors relating to the customer, such as their PEP status, country of origin, nature of their business, ownership structure and history of the relationship with the institution. The client risk assessment should be documented and updated throughout the duration of the business relationship, particularly when circumstances arise that suggest a change in the risk profile.
The catalogue of risk factors includes both lower-risk and higher-risk factors. Higher-risk factors listed in the AML Act include, among others: customers who are PEPs or their close associates, business relationships or transactions connected with third countries identified as high-risk, transactions of an unjustified or unusually complex nature, entities operating in sectors historically associated with higher AML risk (arms trading, art dealing, real estate transactions given their scale), and customers who cannot be present in person when establishing a business relationship.
Reporting Obligations and Disclosures to the GIIF
Suspicious Transaction Reports
The fundamental reporting obligation of obliged entities is to promptly notify the GIIF of circumstances that may indicate a suspicion of money laundering or terrorist financing. The notification should be prepared in the form prescribed by implementing regulations and submitted via the GIIF’s IT system. Importantly, the reporting obligation is independent of the customer’s intent – the obliged entity is required to report whenever justified grounds arise, without needing to hold evidence of an actual crime being committed.
The AML Act contains a prohibition on disclosing to the customer or third parties information about a suspicious transaction report submitted to the GIIF. This prohibition, known as the tipping-off ban, is designed to preserve operational confidentiality and protect the integrity of any investigative proceedings. Violation of the tipping-off ban constitutes a criminal offence. Obliged entities should therefore implement internal procedures for handling information about submitted reports, restricting access to such information to only those individuals who strictly need it.
Reporting Threshold Transactions
Obliged entities are required to register threshold transactions, meaning cash transactions with a value equal to or exceeding EUR 15,000, or several cash transactions that appear to be linked and collectively reach the EUR 15,000 threshold. The registration obligation applies to all such transactions, regardless of any risk assessment related to the customer or transaction. Data on threshold transactions must be retained by the obliged entity for five years and made available on request to the GIIF or other authorised authorities.
Transaction Suspension and Account Blocking
An obliged entity has both the right and the obligation to suspend a transaction or block an account where it has formed a reasonable suspicion that the transaction being carried out or the funds held are connected with money laundering or terrorist financing. Suspension of a transaction takes effect for the period necessary to obtain a resolution from the GIIF, which may issue an order to suspend the transaction or block the account for up to 96 hours. In cases where there is a reasonable suspicion of a money laundering offence, the GIIF may apply to the prosecutor for a longer precautionary measure.
Internal AML Procedure – Obligation to Develop and Implement
Mandatory Elements of the Internal AML Procedure
Every obliged entity is required to develop and implement an internal anti-money laundering and counter-terrorist financing procedure. This procedure should reflect the specific nature of the entity’s business and the identified level of risk. Its minimum content includes: the actions and measures taken to mitigate money laundering and terrorist financing risk, the rules for applying customer due diligence measures, the rules for documenting risk assessments and the CDD measures applied, and the rules for retaining documents and information.
The procedure must also regulate the rules for employees to report actual or potential violations of AML regulations to a designated senior officer, the rules for protecting employees making such reports, and the rules for fulfilling GIIF notification obligations. The obliged entity must designate a senior officer responsible for implementing the AML procedure – typically referred to as a Compliance Officer or AML Officer – and information on their appointment should be communicated to the relevant supervisory authority.
Employee AML Training
The AML Act imposes on obliged entities an obligation to ensure that employees receive regular training on anti-money laundering and counter-terrorist financing legislation. Training should cover applicable regulations, identification of suspicious transactions, reporting procedures and the consequences of non-compliance. The frequency and content of training should be tailored to the employee’s role and responsibilities. Documentation of training completed forms part of the records required by law and may be inspected in the course of regulatory reviews.
Anonymous Whistleblowing Channel
Obliged entities meeting the employment thresholds specified in the regulations are required to implement an anonymous channel for reporting AML violations by employees and other persons who interact with the entity in a professional capacity. This channel should guarantee the confidentiality of the reporting person’s identity and provide protection against retaliation by the employer. The provisions in this area correspond to the whistleblower protection regulations arising from the implementation of the EU Whistleblower Protection Directive (2019/1937).
Sanctions for Violation of AML Provisions – Administrative and Criminal Liability
Administrative Sanctions
The AML Act provides for an extensive catalogue of administrative sanctions, imposed by the relevant supervisory authorities for violations of anti-money laundering and counter-terrorist financing regulations. The most serious sanctions include: a financial penalty of up to twice the benefit obtained by the obliged entity as a result of the violation or – where it is not possible to determine that amount – up to EUR 1,000,000; for financial and credit institutions, the financial penalty may amount to up to 10% of annual turnover as shown in the last approved financial statements, or the equivalent of EUR 5,000,000, whichever is higher.
In addition to financial penalties, supervisory authorities have other enforcement tools at their disposal, including: withdrawal of licences to conduct regulated activities, banning individuals responsible for violations from holding management positions, public disclosure of information about the entity and the nature of the violation, and ordering the cessation of certain activities. Supervisory practice – in particular that of the KNF in relation to financial institutions – indicates growing enforcement activity in the AML area and a readiness to impose substantial penalties for identified irregularities.
Criminal Liability
The AML Act, in conjunction with the provisions of the Polish Penal Code, establishes a system of criminal liability for offences related to money laundering and terrorist financing. The offence of money laundering carries a custodial sentence of between 6 months and 8 years, and where committed as part of an organised criminal group or involving property of significant value, a custodial sentence of between 1 and 10 years. Criminal liability applies not only to the perpetrators of the predicate offence, but also to persons who violate AML regulations – for example by facilitating a suspicious transaction or breaching the tipping-off prohibition.
AML/KYC Specifics for Foreign Investors in Poland
Requirements When Incorporating and Opening Bank Accounts
Foreign investors establishing companies in Poland must account for the KYC requirements imposed by banks and other financial institutions both at the time of opening accounts and throughout the ongoing business relationship. KYC procedures applied by Polish banks to newly established entities with foreign ownership are generally more extensive than those applied to domestic entities. Banking institutions typically require the presentation of full corporate documentation, identity documents of beneficial owners, information on the sources of business financing and descriptions of the planned business operations.
Particular scrutiny is applied to structures involving entities registered in jurisdictions listed as non-cooperative territories or as high-risk third countries under AML regulations. The presence of entities registered in such jurisdictions within the ownership structure of a Polish company may result in a refusal to open an account or the imposition of enhanced due diligence measures by the bank. It is therefore advisable for foreign investors planning to enter the Polish market to consult with a legal adviser on their planned ownership structure prior to its implementation.
Corporate Groups – Group Standards vs. Polish Requirements
For multinational corporate groups, a particular challenge is harmonising internal AML/KYC standards applicable across the group with the requirements arising from the Polish AML Act. Requirements applicable to obliged entities belonging to corporate groups include the obligation to apply group-wide policies and procedures, provided they are at least as stringent as Polish AML regulations. Where group standards are less restrictive than Polish requirements, the Polish entity is required to comply with Polish law.
The issue of intra-group information flows for AML purposes is particularly significant. The Polish AML Act permits the exchange of information on customers, transactions and suspicious transaction reports between entities belonging to the same corporate group, subject to certain conditions. At the same time, data protection regulations (GDPR) impose additional requirements on the cross-border transfer of data within a group, necessitating the development of appropriate legal frameworks for such transfers.
Virtual Asset Service Providers (VASPs)
A specific area in which foreign investors should pay particular attention to Polish AML regulations is the crypto-asset sector. Polish law has imposed registration requirements and a full AML regime on virtual asset service providers (VASPs), equivalent to the obligations applicable to financial institutions. The VASP register is maintained by the Director of the Regional Tax Administration Chamber in Katowice, and providing services in Poland without being registered constitutes a criminal offence. For foreign entities planning to provide crypto-asset services to Polish clients, it is essential to analyse whether their activities qualify for the Polish registration requirement.
Conclusions and Practical Recommendations
The AML/KYC regime in Poland creates a complex and dynamically evolving set of regulatory obligations, non-compliance with which exposes businesses to serious legal and reputational consequences. Effective compliance requires a systemic approach based on a thorough risk assessment, the implementation of appropriate internal procedures and the provision of regular employee training.
For foreign investors entering the Polish market, the primary step should be a careful analysis of whether the planned activity qualifies them as an obliged entity under the Polish AML Act. If so, it is necessary to develop comprehensive AML documentation – including an institutional risk assessment, KYC procedures and internal guidelines on handling suspicious transactions – as well as to complete any registrations and notifications required by law. Equally important is ensuring that CRBR data is kept up to date with every change in ownership structure.
From a strategic perspective, building a culture of AML compliance within the organisation – through regular employee training, the implementation of technology tools supporting transaction monitoring and client verification (RegTech), and maintaining an ongoing dialogue with supervisory authorities – is an investment that protects businesses from the risk of sanctions and builds trust with both clients and business partners. Professional legal advice on AML/KYC matters, reflecting the current state of regulations and the practice of supervisory authorities, is an indispensable element for any organisation operating on the Polish market as an obliged entity.
ABOUT ATL LAW
ATL Law is a law firm specialising in comprehensive legal services for foreign investors on the Polish market. We offer multilingual advisory services (Polish, English, German) in the areas of tax law, corporate law, transfer pricing and employment law. We support our clients at every stage of their entry into the Polish market – from selecting the optimal legal structure, through ongoing compliance services, to representation in tax and court proceedings. We have extensive experience in implementing comprehensive AML/KYC procedures, including the preparation of risk assessments, internal procedures and representation before the GIIF and sectoral supervisory authorities.
www.atl-law.pl | office@atl-law.pl