Banking & Fintech /

New GIIF guidelines: Financial security measures for mobile payments and prepaid cards

On January 30, 2025, the General Inspector of Financial Information (GIFI) published Announcement No. 91, which provides important guidance on the application of financial security measures and notification procedures under the Anti-Money Laundering and Counter-Terrorist Financing Law (“AML Law”). Particular attention is paid to payment systems such as BLIK, Google Pay, Apple Pay and prepaid cards.

Scope and purpose of the communication

The communication is primarily addressed to banks, payment institutions and prepaid card providers. The purpose of the communication is to indicate the elements of notifications submitted under Articles 74, 86 and 90 of the AML Law.

Scope and purpose of the communication The communication is primarily addressed to banks, payment institutions and prepaid card providers. The purpose of the communication is to indicate the elements of notifications submitted under Articles 74, 86 and 90 of the AML Law.

Procedures for submitting notifications and their essential elements

The announcement emphasizes the important elements of notifications submitted to the GIFI in the cases specified in Art. 74, Art. 86 and Art. 90 of the AML Law, which consist of:

  • identification data of the client of the obligated institution, in accordance with Art. 36 of the AML Law,
  • identification data of other persons and entities related to the suspicious transaction or assets (according to Article 36 of the AML Law),
  • information on the type and size of assets and their location,
  • client account number (IBAN or other identifier, including country code),
  • the information referred to in Article 72(6) of the AML Law relating to transactions or attempted transactions,
  • information on the European Economic Area country with which the transaction may be associated (in the case of cross-border activity),
  • information about the recognized risk of money laundering or terrorist financing and about the prohibited act (predicate offense) from which the assets may originate,
    • justification for submitting the notification (Article 74(3)(8) of the Law and in connection with Article 86(2) and Article 90 of the AML Law), including, among others:a description of the financial security measures applied (Article 34 et seq. of the AML Law), including an assessment of the business relationships, information about their purpose and intended nature,information about the source of the assets at the client’s disposal,
    • a description of the analysis of transactions within the framework of economic relations, enabling a determination of whether they are consistent with the knowledge of the client, the nature and scope of their activities and the recognized risks,
    • a detailed description of the circumstances indicating suspicion of money laundering or terrorist financing,
    • information about the place and method of opening the account (including accounts opened online),
    • data obtained from other organizational units of the obligated institution (e.g. anti-money laundering unit, fraud and extortion unit, or unit dealing with the settlement house’s ICT system) and any documents from external sources (e.g. requests from law enforcement agencies, SWIFT communications, OGNIVO), justifying the suspicions,
    • copies of relevant contracts, identification documents, notifications to the prosecutor’s office, decisions of the prosecutor’s office, etc.

Procedures for submitting notifications and their essential elements The announcement emphasizes the important elements of notifications submitted to the GIFI in the cases specified in Art. 74, Art. 86 and Art. 90 of the AML Law, which consist of: identification data of the client of the obligated institution, in accordance with Art. 36 of the AML Law, identification data of other persons and entities related to the suspicious transaction or assets (according to Article 36 of the AML Law), information on the type and size of assets and their location, client account number (IBAN or other identifier, including country code), the information referred to in Article 72(6) of the AML Law relating to transactions or attempted transactions, information on the European Economic Area country with which the transaction may be associated (in the case of cross-border activity), information about the recognized risk of money laundering or terrorist financing and about the prohibited act (predicate offense) from which the assets may originate, justification for submitting the notification (Article 74(3)(8) of the Law and in connection with Article 86(2) and Article 90 of the AML Law), including, among others:

In the case of transactions made using BLIK, Google Pay, Apple Pay and GIIF Prepaid Cards, the communication specified the data that should be additionally provided in the notification, in the following cases:

  • payment transactions for goods in online/brick-and-mortar stores (debit transaction),
  • transactions for accepting payments for goods in online/brick-and-mortar stores (merchant’s account),
  • ATM withdrawals and phone transactions (P2P) carried out using BLIK and other mobile services.

What steps should be taken after sending the notification?

Submitting a notification to the General Inspector of Financial Information (GIIF) does not release the obliged institution from the obligation to apply financial security measures, nor does it reduce the level of risk assigned to a given client. It is still necessary to monitor the client relationship and individually analyze situations where certain security measures cannot be applied.

In such cases, it is worth considering refusing to enter into business relationships, not carrying out transactions or even terminating cooperation. Repeated cases of suspected money laundering or terrorist financing should be noted in internal procedures and risk analyses, providing a basis for further improvement of AML systems.

The full text of Announcement no. 91 is available here, on the website of the Ministry of Finance.

Do you have questions about AML?

If your company handles mobile payments, BLIK, Google Pay, Apple Pay or prepaid cards, you must adapt your AML procedures to the latest GIIF requirements.

Contact us to discuss the details and adapt your AML policy to legal requirements.

Author team leader DKP Legal
Contact our expert
Write an inquiry: [email protected]
check full info of team member: Aleksandra Walas

Contact us

Flaga Polski.POZNANPOLAND
Młyńska 16
61-730 Poznań
+48 61 853 56 48[email protected]
Flaga Polski.WARSAWPOLAND
Rondo ONZ 1
00-124 Warsaw
+48 22 300 16 74[email protected]
Flaga Polski.KRAKOWPOLAND
Opolska 110
31-355 Kraków
+48 61 853 56 48[email protected]
Flaga Polski.ZIELONA GÓRAPOLAND
Jana Sobieskiego 2/3
65-071 Zielona Góra
+48 61 853 56 48[email protected]
Flaga Włoch.MILANITALY
Via F. Sforza 15
20122 Milan
+48 61 853 56 48[email protected]
See all local services