AML Compliance in Poland: For Obligated Institutions
AML compliance in Poland for obligated institutions, covering who is in the scope, the Article 50 procedure, CDD, GIIF reporting, penalties and the 2027 EU rules.
LEGAL & REGULATORY BLOGS
In This Blog:
The sector by sector rules
AML compliance in Poland rests on one statute: the Act of 1 March 2018 on counteracting money laundering and terrorist financing. The myth worth dispelling early is that the Act speaks only to banks. In practice its reach is far wider, and the first place many firms discover this is a supervisory letter. A bookkeeping office in Kraków, an estate agency in Gdańsk and a trader who accepts large cash payments can each be an obligated institution in Poland, carrying the same core duties as a bank, scaled to size. This guide sets out those duties, the articles that impose them, what they cost when ignored, and what the European Union's single rulebook changes from July 2027. By the end you will be able to judge whether your firm is in scope and what a working system looks like.
Who in an obligated institution
The decisive factor is the nature of your business activity. Article 2(1) lists the entities that the Act binds, and the list is long: banks and payment institutions, certainly, but also investment firms, insurers, accountants and bookkeepers, tax advisers, legal advisers acting in defined situations, notaries, estate agents, company and trust service providers, dealers in goods who take cash of EUR 10,000 or more, providers of services in virtual currencies, and dealers in art, collectibles and antiques above the same cash figure.
Consider Office B, a bookkeeping practice in Kraków with a staff of four. Nothing about it resembles a bank, yet the moment it provides bookkeeping services for reward, it sits inside Article 2 and inherits the full set of obligations, proportioned to its scale. Proportionality matters here since a four-person office is not asked to build a bank's compliance function, only to do the same things, sensibly sized. Firms that misread their status tend to do so in one direction, assuming they fall outside the Act because they are small, then learning otherwise during an inspection. A short, documented assessment of your own status is the cheapest insurance available, and the starting point of who is an obligated institution in Poland.
The ten duties at a glance
Each duty traces to a specific article, which is precisely what your internal procedure should replicate as best practices.
The internal procedure
Article 50 requires every obligated institution to adopt a written internal AML/CFT procedure and to keep it under review. This is the document that turns scattered good intentions into a system someone can follow when a client behaves oddly. The Act specifies what it must address, including the steps taken to manage identified risk, the rules for recognising and assessing risk in business relationships and occasional transactions, the CDD measures applied, the rules on reporting to the GIIF, and the arrangements for retention and internal control.
A common failure is the downloaded generic procedure templates, where the firm's name is pasted in and usually never opened again. It reads well enough yet describes a firm that does not exist, and supervisors notice the inconsistency quickly because they interview staff. The procedure has to describe what your firm actually does, which is why it is written after the risk assessment and not before. Our AML/CFT Procedure Template Set exists precisely to be adapted to a real firm rather than adopted blind, or worse, generic. The companion guide on how to write your first AML procedure walks through the internal AML procedure in Poland clause by clause.
Why the risk assessment comes first
Article 27 obliges the firm to identify and assess the money-laundering and terrorist-financing risk in its own business, weighing factors tied to clients, geographies, products, services, transactions and delivery channels. The assessment is proportionate to the firm's nature and size, must be in paper or electronic form, and is updated as risk factors change and at least once every two years.
A procedure built on an honest risk assessment is short where risk is low and demanding where it is high. Office B in Kraków, for instance, might conclude that its highest exposure sits with newly formed companies whose owners it has never met and whose funds arrive from abroad. That finding shapes everything downstream: when it asks for source-of-funds evidence, which clients trigger enhanced measures, and what staff are trained to spot. Skipping the assessment results in assuming, and a guessed procedure tends to be either generic or needlessly heavy. The guide to the AML risk assessment in Poland sets out a method you can repeat each year.
Customer due diligence and the thresholds that trigger it
Customer due diligence, called financial security measures in the Act, is the heart of the entire practice. Articles 33 to 34 set out what the measures comprise including, identifying the client and verifying identity, identifying the beneficial owner and establishing ownership and control, understanding the purpose of the relationship, and monitoring it on an ongoing basis. Article 35 enunciate as to when these measures apply.
Two points to notice. First, the thresholds capture linked operations, so a client cannot stay below EUR 15,000 by splitting one payment into three. Second, suspicion overrides every threshold, in other words, a EUR 400 transaction that looks wrong still demands due diligence and, where warranted, a report. The standard measures, the lighter regime for lower risk, and the enhanced measures for higher risk are unpacked in the guide to customer due diligence in Poland.
Beneficial ownership and the CRBR
Knowing who ultimately owns or controls a client is half of due diligence, and Poland backs it with a public filing duty. Companies and other entities listed in the Act must identify their beneficial owners and report them to the Central Register of Beneficial Owners (CRBR) within 14 days of entry in the National Court Register, keeping the entry current thereafter (Articles 58 to 60). The figure is 14 days, not seven that older guidance still circulates.
For an obligated institution the register cuts both ways. The firm files its own beneficial owners, and consults the register as one input when verifying a corporate client, while remaining responsible for its own conclusion. The EU package tightens this area. The beneficial-ownership provisions of Directive 2024/1640 are due in national law by 10 July 2026, ahead of the main 2027 date. The detailed discussion, including a client whose ownership chain runs through several countries, sits in the guide to the beneficial owner register in Poland (CRBR).
Reporting to the GIIF
Poland's financial intelligence unit (FIU) is the General Inspector of Financial Information (GIIF), and reporting to it runs on two tracks. The threshold track under Article 72 covers routine cash deposits and withdrawals, as well as transfers above the equivalent of EUR 15,000. However, the suspicion track is the one that requires attention. Under Article 74 a firm notifies the GIIF of circumstances that may indicate money laundering or terrorist financing promptly, and no later than two business days after confirming the suspicion.
A third situation moves faster. Where a firm reasonably suspects that a specific transaction or specific assets relate to ML/TF, Article 86 requires immediate electronic notification, in principle before the transaction is carried out. A related route under Article 89 covers suspicion that assets stem from a predicate offence other than money laundering, with a freeze of up to 96 hours pending the prosecutor's decision. The practical drill on how to avoid tipping off the client is covered in GIIF reporting in Poland.
Sanctions and politically exposed persons (PEPs)
Active screening goes hand in hand with active due diligence. Obligated institutions check clients and transactions against the applicable sanctions lists, both EU and national, and freeze assets where a match is confirmed while reporting the freeze onward. This duty is absolute in a way risk-based measures typically lack, that is, a sanctions hit stays unaffected even to a low-risk client profile.
Politically exposed persons (PEPs) are handled under the enhanced-measures provisions. A PEP, a family member or known close associate is not a criminal by definition, yet the position carries higher bribery and corruption risk, so the firm establishes the source of wealth and funds, obtains senior approval, and monitors the relationship closely. Screening tools, the false-positive problem, and how to document a PEP decision are set out in sanctions and PEP screening in Poland.
The people who carry the duties, and their training
Article 7 requires a member of the management body to be responsible for implementing AML duties, placing accountability in the boardroom. Article 8 requires a senior employee responsible for compliance, the person who files notifications to the GIIF. Article 6 adds general senior-management responsibility. For a one-person business, Article 9 folds all of this into the proprietor.
Hence, the training follows from these roles named by the Act. Article 52 requires the firm to provide training programmes for everyone performing AML duties, covering the obligations themselves and data-protection considerations, and sized to the firm's activity. Training is framed as support for the obligations rather than a box to tick, and a training register is the evidence that it happened. The comprehensive AML/CFT training offered by Salwius & Lazareva educates trainees and institutions beyond the scope of the Polish AML act and addresses the aspects of foreseeable threats to your organisation. The scope, frequency and record-keeping are detailed in AML training in Poland.
Record-keeping
Article 49 sets the retention period at five years, counted from the end of the business relationship or the date of an occasional transaction. The records covered include the documents and information gathered through due diligence and the evidence and registers of transactions. The General Inspector may require retention for a further period of up to five years where it is needed for ongoing proceedings.
Storage format, what counts as a complete file, and how retention interacts with data-protection duties are covered in AML record-keeping in Poland. It is worth understanding that the discipline that matters here is the retrievability of your records and your record hygiene.
What non-compliance may cost
Penalties under Articles 147 to 160 extends further than fines. A supervisor may publish the breach, order the firm to stop specified activities, withdraw a licence or registration, and/or bar the responsible individual from a management position for up to a year.
For most obligated institutions that Salwius & Lazareva typically advises, Article 150(2) sets the pecuniary penalty at up to twice the benefit gained or loss avoided, or, where that cannot be established, up to the equivalent of EUR 1,000,000. For the financial sector listed in Article 150(3), the figures are far larger: up to EUR 5,000,000 or 10% of turnover for a legal person, and up to PLN 20,868,500 for a natural person. Two further numbers reach individuals and are often overlooked. Under Article 154 the responsible board member or officer can be fined up to PLN 1,000,000 personally, and under Article 153 a failure to file beneficial owners to the CRBR draws the same. The headline EUR 5,000,000 figure rarely applies to an accountancy or estate-agency practice; the personal exposure of the people who run it is the part that should focus attention. The full ladder is discussed in AML penalties in Poland.
What the EU AML package changes by 2027
Regulation (EU) 2024/1624, the AML Regulation, replaces much of the national detail with directly applicable rules and applies from 10 July 2027. Directive (EU) 2024/1640, the sixth AML directive, governs what each member state must build, with transposition phased: the beneficial-ownership register provisions by 10 July 2026 and the bulk by 10 July 2027. Regulation (EU) 2024/1620 creates the Authority for Anti-Money Laundering, AMLA, seated in Frankfurt, which begins directly supervising around forty of the highest-risk groups in 2028. A full reading of the EU AML package 2024–2027 tracks each change and its date.
The sector by sector rules
The duties usually remain uniform while the risks varies. An estate agency worries about buyers whose funds appear from nowhere. A bookkeeping firm sees companies formed that never seem to trade. A company service provider is the gatekeeper to structures that can hide ownership. A dealer in high-value goods lives at the cash threshold, and a virtual-asset provider faces a speed and pseudonymity the 2018 Act was amended to reach.
Each sector therefore reads the same articles through a different perspective, which is why the cluster carries dedicated 'walkthroughs' for AML for real estate agents in Poland, AML for accountants and bookkeepers in Poland, AML for company service providers in Poland, AML for dealers in high-value goods, and AML for crypto-asset service providers in Poland.
What to do now
Sources and further reading:
Act of 1 March 2018 on counteracting money laundering and terrorist financing, consolidated text: Internet System of Legal Acts (ISAP), Sejm. https://isap.sejm.gov.pl (Dz.U. 2018 poz. 723; t.j. Dz.U. 2025 poz. 644).
General Inspector of Financial Information (GIIF), Ministry of Finance. https://www.gov.pl/web/finanse/giif
Central Register of Beneficial Owners (CRBR), Ministry of Finance. https://www.podatki.gov.pl/crbr/
Regulation (EU) 2024/1624 (AML Regulation). https://eur-lex.europa.eu/eli/reg/2024/1624/oj/eng
Directive (EU) 2024/1640 (sixth AML Directive). https://eur-lex.europa.eu/eli/dir/2024/1640/oj/eng
Regulation (EU) 2024/1620 (establishing AMLA). https://eur-lex.europa.eu/eli/reg/2024/1620/oj/eng
Related Reads
EXPLORE
LEGAL
© 2026 Salwius & Lazareva Sp. z o.o. All rights reserved.