AML Regulation in Poland

Updated: 29.01.2024

1. AML Policy in Poland

Every obligated institution in Poland must have and comply with an internal anti-money laundering and counter-terrorist financing procedure.

A detailed catalog of obliged institutions is indicated in Article 2 (1) of the AML/CFT Act. The minimum provisions of the internal AML/CFT procedure (AML policy) shall include a determination of:

• the activities or actions taken with the aim of mitigating the risk of money laundering and terrorist financing as well as appropriate management of the identified risk of money laundering and terrorist financing;
• the rules for recognizing and assessment of the risk of money laundering and terrorist financing associated with the given business relationships or an occasional transaction, including the rules for verification and updating of the assessment of the risk of money laundering and terrorist financing made previously;
• the measures applied for the purpose of appropriate management of the recognized risk of money laundering or terrorist financing associated with the given business relationships or an occasional transaction;
• the rules for the application of financial security measures; the rules for storing documents and information;
• the rules for the fulfillment of the obligations including providing to the General Inspector of information on transactions and notifications;
• the rules for disseminating among employees of an obliged institution knowledge in the field of the provisions on combating money laundering and terrorist financing;
• the rules for reporting by employees of actual or potential breaches of the provisions on combating money laundering and terrorist financing;
• the rules for internal control or supervision of compliance of activity of an obliged institution with the provisions on combating money laundering and terrorist financing as well as the rules of conduct determined in the internal procedure;
• the rules for noting discrepancies between the information gathered in the Central Register of Beneficial Owners and the information on beneficial owners of the customer in connection with the application of the Act;
• the rules for documenting impediments determined in connection with verification of the identity of the beneficial owner as well as activities undertaken in connection with identification, as the beneficial owner, a natural person occupying a post in senior management.

2. The risk-based approach in Anti Money Laundering

A risk-based approach means that countries, supervisory authorities and, most importantly, obliged institutions assess and understand the money laundering and terrorist financing risks they face and take appropriate risk mitigation measures appropriate (commensurate) with the level of those risks.

The risk-based approach is a fundamental principle to be followed by the obligated institutions in their operational activities and comes down to the fact that it is the obligated institution that decides how it should apply financial security measures. At the same time, the assessment and measures adopted must be explainable by the obligated institution in accordance with the principle of accountability.

In practice, a risk-based approach will consist of:

• preparing risk assessments both at the level of individual obligated institutions, at the national level and at the European level,
• deciding, on the basis of a prepared and ongoing risk assessment, about the scope and intensity of the financial security measures applied. Each obliged institution independently decides which financial security measures and at what intensity it will apply to a given client, which means that it bears full responsibility for selecting these measures in a manner commensurate with the situation. In the case of control or supervision, the obliged institution will have to prove that in the light of the circumstances surrounding the given client the financial security measures applied were adequate to the diagnosed risk,
• the possibility of using enhanced or simplified financial security measures, depending on the circumstances.

It should be borne in mind that the risk-based approach is not a zero-one approach, meaning “zero failure”. Indeed, there may be situations where an obliged institution has taken reasonable AML/CFT measures to identify and mitigate risks, but has nonetheless been used for purposes contrary to the Act (FATF Guidelines on a risk-based approach to money or value transfer services – https://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-RBA-money-value-transfer-services.pdf).

Nor should obligated institutions try to avoid risk altogether by massively severing relationships with clients in certain sectors. Indiscriminate denial of services or discontinuation of services to a particular group of customers may result in the risk of financial exclusion, and may also result in reputational risk.

The Financial Action Task Force (FATF – the intergovernmental organization established to combat money laundering and terrorist financing) recommends that obligated institutions consider the level of risk for each individual customer and any applicable risk mitigation measures. The EBA assumes that the risk associated with each type of customer group is not static and it is expected that within a given customer group, based on various factors, individual customers can also be classified into risk categories such as low, medium or high risk, as appropriate. Risk mitigation measures should be applied accordingly.

3. Risk assessment – AML requirements

Risk assessment is the most important part of an obligated institution’s efforts to prevent money laundering and terrorist financing. This is because it is the starting point for building internal procedures, creating business relationships with clients and administrative responsibility of the obliged institution. Issues concerning risk assessment have been shaped both by Polish law, as well as by supervisory authorities, such as the Polish Financial Supervision Authority (UKNF position on risk assessment of an obliged institution of April 15, 2020 ) and the General Inspector of Financial Information (Notification no. 36 on risk assessment of an obliged institution ).

According to the GIIF release, the following points should be noted:

• the obliged institution assesses 2 types of risks
  • (i) a “general risk assessment” of money laundering and terrorist financing relating to the obliged institution’s general activities, and
  • (ii) a “case-by-case risk assessment” which relates to the identification and assessment of money laundering and terrorist financing risks relating to the obliged institution’s specific and individual business relationship with a customer or to a specific and individual occasional transaction,
• conclusions resulting from individual risk assessments should influence ongoing updates to the overall risk assessment,
  the overall risk assessment must necessarily be tailored to the nature and scope of the activities carried out by the obligated institution,
  using generic templates without carefully tailoring them to the specific and individual nature and scope of the business exposes the obligated institution
• to charges of failing to comply with a statutory obligation.

3.1 Scope of risk assessment

The minimum scope concerning the risk assessment of obliged institutions is regulated in Article 27 of the AML Act of Poland and includes the following factors:

• customers,
• countries or geographic areas,
• products,
• services,
• transactions or their delivery channels.

The above factors should be subject to analysis, the scope and complexity of which should depend on the nature of the activities of the obligated institution and the scale of those activities.

As the catalog of factors subject to risk assessment is open, UKNF states in its position quoted above that obliged institutions may extend this minimum scope and undertake additional analysis including, for example:

• IT tools and systems used by the obligated institution (e.g., systems supporting the transaction analysis process, systems for verifying customers against sanction lists, etc.),
• the degree of dependence of the obligated institution in the area related to AML on external suppliers,
  outsourcing of AML-related processes,
• the adequacy of the organizational structure and number of staff responsible for performing AML/CFT duties in relation to the identified risk,
• scale of turnover of employees and management of units responsible for AML processes,
• the effectiveness of the internal control system and its adequacy in relation to the size of the obligated institution,
• the effectiveness of the AML training system,
• changes in business operations planned by the obligated institution,
• expected changes in the structure and number of customers, revenues, transaction volumes, etc. ,
• planned changes in the organizational structure of the obligated institution,
• planned activities resulting from the strategy of the obligated institution, in particular planned mergers and acquisitions or changes in the ownership
• structure of the obligated institution,
• the ability to ensure continuity of AML processes in the event of crisis situations beyond the control of the obligated institution,
• significant changes in the legal environment related to anti-money laundering and terrorist financing.

Moreover, the analysis should also take into account elements indicating a higher risk of money laundering and terrorist financing, an open catalog of which was included by the legislator in Article 43 (2) of the AML Act.

While analyzing risk, obligated institutions may be guided by:

• national risk assessment,
• European Commission’s report on risk assessment on money laundering and terrorist financing,
• results of audits, both internal and external,
• internal documents of the obliged institution,
• procedures and documents developed by other institutions within the same group,
• expertise,
• positions or announcements of relevant authorities, such as the Polish Financial Supervision Authority (UKNF), the General Inspector of Financial
• Information (GIIF), the National Bank of Poland,
• studies by the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), the European Securities and Markets Authority (ESMA),
• studies of industry institutions operating within the areas supervised by UKNF,
• studies of international institutions dealing with money laundering, in particular Financial Action Task Force (FATF), Moneyval, United Nations.

3.2 Risk assessment methodology

The Polish legislator does not indicate a specific methodology to be applied in the course of preparing a risk assessment. Among others, obliged institutions may use

• (i) quantitative methods, consisting in determining the value of effect and probability of materialization of a given risk,
• (ii) qualitative risk assessment, which is an individual assessment based, inter alia, on good practices and experience, as well as
• (iii) mixed methods, using elements of qualitative and quantitative method.

Description of methodology should be one of the elements of risk assessment. However UKNF expects that the minimum standard of the methodology will include 4 elements:

• an assessment of the inherent risk, i.e. the risk that exists in the absence of actions taken to reduce the likelihood of the risk occurring and/or to reduce its effects, for each risk factor listed in Article 27(1) of the AML Act,
• identification of risk mitigants and evaluation of their effectiveness,
• assessment of residual risk, i.e., the risk remaining after risk control procedures, mitigants, and their effectiveness have been implemented,
• actions planned by the obligated institution to manage residual risk (if planned).

After assessing the inherent and residual risks associated with each risk factor, the obligated institution should determine the entity’s final vulnerability to money laundering and terrorist financing risks.

When the outcome of the risk assessment results in the identification of areas requiring correction, or the level of residual risk exceeds the entity’s risk appetite, the obligated institution should indicate the actions it will take to address the identified deficiencies or to reduce the risk to an acceptable level. In addition, the obligated institution should develop a schedule and an indication of the entity responsible for implementing the planned actions and include this in the risk assessment.

3.3 Documenting the risk analysis

According to Article 27(3) of the AML Act, the risk assessment should be prepared in paper or electronic form.

The risk analysis should be updated:

• (i) not less frequently than every 2 years,
• (ii) in the event of changes in risk factors relating to customers, countries or geographical areas, products, services, transactions or their delivery channels or documents,
• (iii) the UKNF suggests that an update of the risk assessment should be carried out in the event of significant and long-lasting changes in the economic environment that may have a significant impact on the operational activities of the obliged institution and the manner in which its products and services are used.

Whenever the risk analysis is updated, the institution should simultaneously assess the timeliness and appropriateness of the methodology used to develop the risk assessment and the implementation of the actions that have been taken by the obligated institution to manage the residual risk identified in the risk assessment.

3.4 Validation of risk assessment

Pursuant to Article 7 of Polish AML Act, within an obliged institution, a person shall be designated from among the members of the management board to be responsible for the implementation of the obligations set forth in the Act. Accordingly, the person designated on this basis should approve the risk assessment and its update each time.

The risk assessment should be presented to the management and supervisory board of the obliged institution, if any, as it is a document containing up-to-date information about the institution’s risk exposure, identified threats and gaps in the AML process and planned actions to manage the residual risk. UKNF pays particular attention to the fact that the risk assessment and its updates were approved by the management board and the supervisory board when:

• the risk level of the obligated institution will be determined to be high,
• the level of risk deviates from the institution’s risk appetite,
• large-scale actions are planned to effectively manage residual risk.

3.5 Most common errors

The experience of the inspections conducted by the UKNF indicates that among the most common mistakes made by obliged institutions were:

• omission of certain risk factors,
• failure to indicate the final conclusions of the risk assessment,
• lack of a schedule of planned activities of the obligated institution to mitigate the risk or unreasonable deadlines included in the schedule of activities,
• misunderstanding the difference between inherent and residual risk,
• inappropriate selection of methodologies that do not take into account risk factors that are important from the point of view of the obliged institution or that
• define vulnerability to risk in a way that is inadequate for the scale and type of activity.

3.6 Consequences of not producing a risk assessment or updating it

Failure by an obligated institution to prepare a risk assessment and its update is subject to administrative and legal liability and is punishable by an administrative penalty, including a fine.

4. AML officer in Poland (AMLO and MLRO)

The Polish AML Law introduces an obligation for an obligated institution to appoint an AML and terrorist financing officer. Such a person should have a managerial status and will be responsible for ensuring compliance of the entire institution with the provisions of the Polish AML Law and, in addition, for reporting the notifications referred to in the aforementioned Act to the Financial Intelligence Units.

Violation of the obligation to appoint an AML officer is subject to administrative penalties for the obligated institution.

4.1 AMLO Officer (MLRO) – Responsibilities

The scope of AMLO (MLRO) activities can be divided into three groups:

• (statutory obligation) ensuring compliance of the activities of the obliged institution and its employees and other persons performing activities for the benefit of this obliged institution with the provisions on anti-money laundering and terrorist financing (performance of tasks of a security guarantor),
• (statutory obligation) submitting on behalf of the obliged institution the notifications referred to in Article 74(1) AML Act (notifying the GIIF of circumstances that may indicate a suspicion of money laundering or terrorist financing), Article 86(1) AML Act (notifying the GIIF in the event of a justified suspicion that a specific transaction or specific assets may be related to money laundering or terrorist financing), Article 89 (1) AML Act (notification to the competent prosecutor in the case of a justified suspicion that property values being the subject of a transaction or accumulated on the account come from an offence other than money laundering or terrorist financing or a fiscal offence, or are connected with an offence other than money laundering or terrorist financing or a fiscal offence), and Article 90 AML Act (notification to the GIIF of a suspicious transaction in the situation where the obliged institution had no possibility of prior notification of the transaction before its execution),
• performing other tasks related to AML/CFT, e.g. supervising and verifying risk-based ZML/CFT assessment, preparing internal AML procedure, organizing external trainings for designated employees, self-education, participation in courses, trainings, symposia meetings etc. related to AML/CFT, cooperation with prosecutor’s office and services which are cooperating units (Police, ABW, CBA, KAS) – the above in accordance with the internal system of the obliged institution.

Depending on the internal structure of the obligated institution, the duties set forth in 1 – 3 above may be organized under a single position or may be performed by different individuals.

For the purposes of this compilation, a person performing all of the above functions will be considered an AMLO as a shortcut.

In the case of division of duties to different managerial staff, we can speak of the position of AML Compliance Officer (AMLO) and Money Laundering Reporting Officer (MLRO) respectively. The nomenclature is, of course, of little relevance to the functioning of the AML system in obliged institutions. However, it is important to clearly define the duties of such a person in the entity’s internal AML procedure and to regulate in detail the relationship between the obliged institution and the employee (the scope of duties should be indicated in the employment contract/civil law agreement).

4.2 Is holding an executive position the same as being a board member?

No. A clear distinction should be made between the concept of a management position and a member of the management board, which is a qualified concept in relation to an AML officer. The AML legislation imposes the obligation to appoint, on the one hand, an AMLO (a management position – under Article 8 of the AML Act) and, on the other hand, a member of the management board responsible for implementing the statutory obligations in the obliged institution (a person elected from the governing body – under Article 7 of the AML Act). The purpose of such an arrangement is to cause the AML officer to have an adequate reporting channel to the persons responsible for the management of the obliged institution, as well as adequate independence in performing the tasks entrusted to him. It is good practice for the AML risk management system of an obliged institution to have a triple line of defence.

• AML’s first line of defense: operational employees,
• the second line of AML defense: an AML officer functioning within the chief compliance officer (CCO) or within a division reporting directly to the CCO,
• AML’s third line of defense: internal audit.

4.3 Criminal and administrative liability of AML Officer

Violation of AML Officers’s obligations (as indicated in Articles 147 and 148 of the Polish UAML) is punishable by a fine of up to PLN 1,000,000 (administrative liability).

AML Officer is liable to a fine from 3 months to 5 years of imprisonment for:

• (i) failure to notify the General Inspector on circumstances that may indicate a suspicion that money laundering or terrorist financing has been committed, or failure to notify the General Inspector on a reasonable suspicion that a specific transaction or assets subject to such transaction may be related to money laundering or terrorist financing, or
• (ii) provision to the General Inspector of false or concealed data on transactions, accounts or persons. In the case of an unintentional act, he shall be liable to a fine.

4.4 Is the appointment of an AML officer mandatory under Polish law?

Yes. Pursuant to the Polish AML Law (Art. 147), an obliged institution that fails to appoint an AML and terrorist financing officer commits an administrative tort and is subject to an administrative penalty, i.e.:

• publication of information on the obliged institution and the scope of violation of the Act by this institution in the Public Information Bulletin on the website of the office serving the minister responsible for public finance,
• an order to stop the obligated institution from taking certain actions,
• withdrawal of a concession or permit or removal from the register of regulated activities,
• prohibiting a person responsible for a violation of the Act by an obligated institution from performing duties in a managerial position for a period not exceeding one year,
• fine.

5. Who is Politically Exposed Person (PEP) in Poland?

Pursuant to the Polish AML Law, Politically Exposed Persons (PEP) are defined as natural persons who perform significant public functions or occupy significant public positions. The circle of PEP does not include persons holding middle and lower level positions. A detailed catalog of PEPs is provided in Article 2.2.11 of the AML Law. It should be noted that this is an open catalog.

If an obliged institution determines that its customer or the customer’s beneficial owner is a PEP, additional obligations arise on its side in respect of the applied financial security measures. Importantly, Polish law does not prohibit the provision of services to clients with PEP status.

5.1 AML Procedures for PEP

The definition of PEP should apply both to a person who currently holds a prominent public position and to a person who has held that position in the past. During the period from the date on which a person ceases to hold a politically exposed position until the date on which it is determined that no higher risk is associated with that person, but for no less than 12 months, the obligated institution shall apply measures to such person that take into account that risk.

The primary responsibility of any obligated institution in its relationship with a PEP is to determine whether the customer or beneficial owner is a PEP. The primary method used by most obligated institutions is to collect statements from clients as to their status. It is recommended that the statements include a provision confirming awareness of the client’s criminal liability for making a false statement. Other ways of verifying clients/real beneficiaries in the context of their status include analysis of databases provided by commercial entities, examination of publicly available records and information.

It should be noted that for obliged institutions whose business profile does not pose a higher risk of money laundering or terrorist financing related to the handling of PEPs, it should be sufficient to collect the statement instead of verifying all customers in commercial databases.

Second, obligated institutions, must obtain senior management approval to enter into or continue a business relationship with a politically exposed person. Care must be taken to document such approval.

The next action is to determine (i) the source of the client’s assets and (ii) the source of the assets at the client’s disposal in the course of a business relationship or transaction.

As regards the sources of a client’s assets, an obliged institution should rely on publicly available sources of information (asset declarations submitted by PEPs), information from commercial databases and other sources (if it has access to them and the scale of operations of the obliged institution allows it) or information obtained from the client itself.

In relation to PEP, it is also necessary to intensify the ongoing monitoring of economic relations consisting of:

• analyze transactions conducted in the course of a business relationship to ensure that the transactions are consistent with the obligated institution’s knowledge of the customer, the nature and scope of the customer’s business, and consistent with the money laundering and terrorist financing risks associated with that customer,
• examination of the source of origin of property values being at the disposal of the client – in cases justified by the circumstances,
• ensuring that documents, data or information held about the business relationship are kept up to date.

5.2 Family members and persons known to be close associates of PEP

An obligated institution shall also apply the aforementioned obligations to persons who are family members of a person with PEP status or persons known to be close associates of a person with PEP status.

PEP family member means:

• spouse or person cohabiting with a politically exposed person,
• a child of a politically exposed person and his or her spouse or cohabitant,
• parents of a politically exposed person.

In contrast, individuals known to be close associates of PEP are:

• natural persons who are the beneficial owners of legal persons, unincorporated organizational units or trusts jointly with a politically exposed person or who have other close business relations with such person,
• individuals who are the sole beneficial owner of a corporation, unincorporated business entity, or trust known to have been created for the purpose of obtaining an actual benefit from a politically exposed person.

5. UBO Verification in Poland

As a result of the amendment to the AML and CFT Act introduced in Poland in 2021, obliged institutions (such as banks, financial institutions, small payment institutions, domestic payment institutions, entrepreneurs offering currency exchange services, lending institutions or entities operating with virtual currencies) are obliged to both identify and verify the beneficial owners of their clients.

In addition, starting in 2021, obligated institutions must put in place procedures for noting discrepancies between information collected in the Central Register of Beneficial Owners and established information about a customer’s beneficial owner and plan a system for taking action to resolve the reasons for these discrepancies.

6.1 Process for full verification of the beneficial owner

According to Article 61a (1) of the Polish AML Law, an obliged institution is obliged to take the following steps to properly verify the beneficial owner (hereinafter also: “UBO” of its customer:

• identify the beneficial owner (by name and surname; nationality; Personal Identification Number (PESEL) – or if none has been issued, date and country of birth; series and number of the identity document; address of residence; and if that person also conducts business activity – then the name (business name) of such activity, its Tax Identification Number (NIP) and the address of its main place of activity),
• take steps to establish the structure of ownership and control – in the case of a client who is a legal person, an organizational unit without legal personality or a trust (in particular, ask the client to describe such structure in detail; and to provide the obliged institution with documentation from company registration process – for example, a memorandum of association or an agreement on the transfer of shares of the company),
• identify and record discrepancies between the information collected in the CRBR and the established information about the customer’s beneficial owner (the obligated institution’s internal procedure should include rules for recording discrepancies),
• take actions to clarify the reasons for discrepancies – in accordance with the latest recommendations of the GIIF, it is recommended to contact the customer in order to (i) clarify the way the customer determined the beneficial owner, (ii) clarify the way the customer determined the ownership and control structure, clarify whether the way the obliged institution determined the beneficial owner and the ownership and control structure of the customer was correct, (iii) clarify the reason why the customer considered the person to be the beneficial owner, (iv) collect new information and documents,
• confirm the discrepancies noted – i.e., for example, (i) confirm that the obligated institution did not make an error in determining the beneficial owner and the customer’s ownership and control structure, (ii) confirm, to the extent possible, that the CRBR’s beneficial owner information is not correct, (iii) confirm the reasons for the discrepancy, (iv) determine whether the discrepancy is apparent or actual,
• prepare a justification of discrepancies –  – in this respect the General Inspector of Financial Information points out that the Polish obliged institution should: (i) indicate and document what actions it took to identify and verify the beneficial owner and the ownership and control structure of the customer, (ii) what information and documents were the basis for the institution’s determination of the beneficial owner of the customer and the ownership and control structure of the customer, (iii) what information or documents were the basis for the discrepancies, (iv) what actions the institution took to confirm the noted discrepancies, (v) what information the institution received in the course of confirming the noted discrepancies, (vi) what conclusions were drawn from the analysis of the information and documents collected, (vii) the reasons the obligated institution concluded that the discrepancy was factual in nature,
• transmit to the competent authority verified information on these discrepancies together with justification and documentation on recorded discrepancies together with justification (communication with GIIF is done in electronic form).

6.2 Practical remarks of the GIIF on verification of the UBO

The GIIF notes the following:

• failure to report beneficial owner information in CRBR is a discrepancy,
• recording discrepancies cannot consist only in a simple and mechanical comparison of information gathered in the CRBR with the client’s KRS excerpt – an obliged institution should verify other documents – for example, the company’s agreement or the agreement on the transfer of company shares,
• obliged institutions are not obliged to compare the information on persons authorized by law who have made a notification to the CRBR with the data of persons comprising the body authorized to represent the entity (indicated in the extract from the National Court Register),
• obligated institutions should not transmit to the competent authority:
  • unverified discrepancy information,
  • information without justification or with a perfunctory explanation,
  • information about possible minor typing errors in the CRBR (for example, an obvious typo in the beneficiary’s name),
  • information about possible inaccuracies in the client’s KRS transcript (for example, an immaterial error in the value of the client’s shares),
  • information about failure to report information in CRBR by entities not required to make such reports (for example, an ordinary association),
  • information about inaccuracies that do not affect the determination of the actual beneficiary (for example, failure to include the beneficiary’s middle name).

6.3 Lack of adequate internal policies for UBO verification – implications

From 2021, each obliged institution must introduce in its internal AML and terrorist financing procedure rules for noting discrepancies between the information collected in the Central Register of Beneficial Owners and the information on the customer’s beneficial owners determined in connection with the application of the Act. Such obligation is imposed on the entity by Article 50(1)(10) of the AML Law. Such procedure shall be approved by the management board (senior management) of the obliged institution before coming into force.

Penalties for failure to have a complete AML procedure

Fine	a financial penalty (the amount of which varies depending on the obliged institution) of up to EUR 5,000,000 or up to 10% of the turnover shown in the last approved financial statements for the financial year
Ban on managers	ban on the person responsible for the obliged institution’s violation of the Act from performing duties in a managerial position for a period not exceeding one year
License revocation	withdrawal of the license or permit or removal from the register of regulated activities
Public announcement	publication of information on the obliged institution and the scope of the breach of the Act by the institution in the Public Information Bulletin on the website of the office that serves the minister responsible for public finance
Order to limit activity	an order to cease certain activities by the obliged institution

Responsibility of an obliged institution for violation of the AML Law in Poland

If an obligated institution fails to comply with its obligations of AML Law, it may be subject to an administrative penalty. It should be noted that the potential penalty is threatened not only by the obliged institution itself, but also by members of its management board, senior management (as defined in Art. 6 of the AML Law), as well as employees in a managerial position whose responsibilities include ensuring that the activities of the obliged institution and its employees and other persons performing activities for the obliged institution comply with the provisions of the Act (Art. 8 of the UAML).

The grounds for imposing an administrative penalty are detailed in Articles 147 – 149 of the AML Law, and the most common include:

• failure to prepare a risk assessment on money laundering and terrorist financing relating to the activities of the obliged institution and failure to update it, which should be prepared at least every 2 years,
• failure to apply financial security measures, including, but not limited to, recognizing the risk of money laundering and terrorist financing by the obligated institution with respect to business relationships, the obligated institution, or occasional transactions,
• failure to implement an internal procedure for anonymous reporting of anti-money laundering and counter-terrorist financing violations,
• failure to provide notices of suspected money laundering or terrorist financing (SAR filings),
• failure to comply with disclosure obligations.

Administrative penalties are imposed by decision of the General Inspector for Financial Information, the President of the National Bank of Poland and the Polish Financial Supervision Authority. When imposing a penalty, the competent authority takes into account factors that influence the penalty, including the gravity and duration of the breach, the financial capacity of the obligated institution, the scale of profits gained by the entity, losses incurred by third parties in connection with the breach, the degree of cooperation of the obligated institution with the competent authorities in anti-money laundering matters, as well as whether the entity has previously committed a breach of the AML Law provisions.

The catalog of administrative penalties for AML infringements in Poland

Public announcement	publication of information on the obliged institution and the scope of the violation of the Act by the institution in the Public Information Bulletin on the website of the office that serves the minister in charge of public finance (which involves the risk of a loss of reputation by the obliged institution, which in turn may adversely affect its position in the market)
Order to limit activity	an order to stop the obligated institution from taking certain actions
License revocation	withdrawal of a concession or permit or striking off the register of regulated activities
Ban on individuals	prohibiting a person responsible for a violation of the Act by an obligated institution from performing duties in a managerial position for a period not exceeding one year
Pecuniary penalty	(up to twice the amount of the benefit gained or loss avoided, with the maximum pecuniary penalty being EUR 1,000,000). In the case of obliged institutions that are banks, credit institutions, cooperative savings and credit unions, domestic payment institutions, small payment institutions, investment firms and other entities referred to in Art. 2.1.1-5, 7-11, 24 and 25 of the AML Law, the fine is higher and amounts to, respectively, up to EUR 5,000,000 (or up to 10% of the turnover shown in the last approved financial statement) for legal persons and up to PLN 20,868,500 for natural persons.

In justified cases where (i) the gravity of the breach is negligible and the obliged institution has ceased the breach, or (ii) another authorised public administration body has already imposed a penalty on the obliged institution for the same behaviour or the obliged institution has been validly punished for a misdemeanour or fiscal misdemeanour or validly convicted of a crime or fiscal offence and the previous penalty meets the objectives for which the administrative penalty was to be imposed, the above-mentioned bodies may refrain from imposing such an administrative penalty. This occurs by decision and is a power, not an obligation of the authority.

Particular attention should be paid to the obligation of commercial companies to report information on beneficial owners and to update such information within 7 days from the date of entry in the National Court Register or change in the data. The financial penalty in this case is up to PLN 1,000,000.

Under the Polish AML Law, a beneficial owner who fails to provide an obligated institution with all the information and documents necessary for notification/updating to the CRBR is subject to a fine of up to PLN 50,000. The new provisions of the AML Law also provide for a pecuniary penalty of up to PLN 100,000 for entities (i) conducting activities for companies or trusts without obtaining an appropriate entry in the register of such activities and (ii) conducting virtual currency activities without first obtaining an entry in the relevant register.

Polish law permits imposition of penalties on persons who perform management functions in obliged institutions, i.e. members of senior management (Art. 6 of the UAML), the person responsible for implementing the obligations set forth in the act (Art. 7 of the AML Law) and the employee responsible for supervising compliance of the obliged institution with the regulations (Art. 8 of the AML Law). The above-mentioned individuals may be fined up to PLN 1,000,000 if an obliged institution they manage is found to have violated the obligations set forth in Art. 147 and 148 of the AML Law.

8. KYC in Poland – EDD and CDD

As a principle, Poland has introduced an obligation to apply financial security measures to the customers of the institution. The Polish AML Law provides that the scope and intensity of financial security measures should be adjusted by the obliged institution to the identified risk of money laundering or terrorist financing.

This means that obliged institutions always apply all basic financial security measures and, depending on the identified risk, adjust their intensity, i.e. apply simplified or enhanced financial security measures.

8.1 Basic financial security measures

According to Article 33 of the Polish AML Law, basic financial security measures include:

• customer identification and verification of customer identity;
• identification of the beneficial owner and taking reasonable steps to:
  • verification of his identity,
  • determine the structure of ownership and control – in the case of a client who is a legal person, an organizational unit without legal personality or a trust,
• evaluation of the business relationship and, as appropriate, obtain information on its purpose and intended nature,
• ongoing monitoring of client business relationships, including:
  • analysis of transactions conducted in the course of a business relationship to ensure that the transactions are consistent with the obligated institution’s
  • knowledge of the customer, the nature and scope of the customer’s business, and consistent with the money laundering and terrorist financing risks
  • associated with that customer,
  • examination of the source of origin of property values being at the disposal of the client – in cases justified by the circumstances,
  • ensuring that documents, data or information held on business relationships are kept up to date.

An obliged institution, on the basis of a customer risk assessment, may apply simplified or enhanced financial security measures in accordance with the risk-based approach principle.

8.2 Simplified due diligence financial security measures

On the basis of a risk assessment of a given client, obliged institutions may apply simplified due diligence (SDD) measures. It is important to be aware that the application of SDD is the prerogative of the institution, and in no case mandatory. Therefore, even when an obligated institution identifies a lower risk of money laundering or terrorist financing, it may still apply the full range of financial security measures.

At the same time, even if SDD is applied, Polish law does not provide for the possibility of waiving any of the security measures. The exception is Article 38 of the UAML. It follows from the above that lower intensity of the applied financial security measures should be understood in particular as the use of only the customer’s declaration regarding the beneficial owner, reducing the intensity of monitoring business relationships, or updating customer information.

8.3 SDD catalog

There is no SDD catalog in the Polish AML Law or in EU regulations. The primary examples of SDDs are identified by the FATF in Recommendation 10:

• verification of the identity of the customer and the beneficial owner after a business relationship has been established (e.g., if account transactions exceed a certain monetary threshold),
• reduction in the frequency of customer identification updates,
• reduction in the degree of ongoing monitoring and control of transactions, based on a reasonable monetary threshold,
• ommision to collect certain information or take certain actions to understand the nature of the business relationship, and infer the purpose and nature based on the type of transaction or business relationship the customer has established.

Extended examples of SDD can be found in the Joint Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on simplified and enhanced customer due diligence measures and factors to be taken into account by financial institutions when assessing the risk of money laundering or terrorist financing in connection with individual business relationships and occasional transactions of 4 January 2018, published by EBA, ESMA and EIOPA (pp. 18-20), according to which:

Simplified due diligence measures that companies may use include, but are not limited to, those listed below:

• adjusting the timing of customer due diligence measures, for example, if a product or transaction has features that limit its ability to be used for money laundering or terrorist financing purposes, such as by:
  • verifying the identity of the customer or beneficial owner in the course of establishing a business relationship; or
  • verifying the identity of the customer or beneficial owner when the transaction exceeds a specified ceiling or after a reasonable period of time. Institutions must be confident that:
    • this will not de facto lead to an exemption from customer due diligence measures, meaning that firms must ensure that the identity of the customer or beneficial owner of the customer is ultimately verified,
    • the cap or time limit has been set at a reasonably low level (although, when it comes to terrorist financing, companies should keep in mind that a low cap alone may not be enough to mitigate risk),
    • have implemented a system that can detect when a ceiling or time limit has been reached and
    • not defer customer due diligence measures or delay obtaining relevant customer information where applicable law, for example Regulation (EU) 2015/847 or national law, requires such information to be obtained immediately,
• adjusting the amount of information obtained for identification, verification, or monitoring, for example, by:
  • a background check based on information obtained from only one reliable, credible and independent document or data source; or
  • making assumptions about the nature and purpose of the economic relationship because the product is intended for one specific purpose, as in the case of an employee pension scheme or a gift card to a shopping center,
• adjusting the quality or source of information obtained for identification, verification, or monitoring purposes, for example, by:
  • accepting information obtained from the customer instead of from an independent source when verifying the identity of the beneficial owner (note that this is not permitted when verifying the identity of the customer); or
  • if the risks associated with all aspects of the business relationship are very low, relying on the source of the assets to satisfy certain customer due diligence requirements, for example if the funds come from government benefits or if the funds were transferred from an account in the customer’s name to an EEA company,
• adjusting the frequency of updates and reviews of customer due diligence measures in the business relationship, for example, conducting updates and reviews only when triggering events occur, i.e. when a new product or service is intended to be used, or if a certain transaction ceiling is reached; firms need to be sure that this does not actually lead to a waiver of the customer due diligence update obligation,
• adjusting the frequency and intensity of transaction monitoring, for example by monitoring transactions only above a certain threshold. If firms choose to do so, they must ensure that the ceiling is set at a reasonable level and ensure that systems are in place to identify related transactions that, collectively, would exceed the ceiling.

8.4 Enhanced financial security measures – enhanced due diligence

Unlike in the case of simplified financial security measures, the application of which is voluntary, the Polish AML Law provides for the obligation to apply enhanced due diligence (EDD) measures in the case of:

• identification of a higher risk of money laundering or terrorist financing,
• business relationships or transactions involving a high-risk third country,
• as well as directly in the cases indicated in Articles 44-46 of the UAML.

The essence of EDDs is that in addition to standard financial security measures, the obligated institution must also apply EDDs. Thus, EDDs cannot replace standard customer due diligence measures.

8.5 EDD Catalog

The Polish AML Law does not contain a catalog of enhanced financial security measures. The obliged institution decides which EDD, to what extent and with what intensity it will apply, taking into consideration the level of risk specific to the customer.

The final guidelines of EBA, ESMA and EIOPA of 4 January 2018 (indicated in section 8.3 above) prove useful in this respect, which indicate as an illustrative catalog of enhanced financial security measures:

• relative to PEP:
  • take additional measures to establish the source of assets and the source of origin of assets used in business relationships so that the obligated institution can be sure that it is not dealing with funds derived from corruption or other criminal activity. The source of the assets and the source of the assets should be verified on the basis of reliable and independent data, documents or information if the risk associated with the PEP is particularly high,
  • obtain approval from senior management to enter into or maintain a business relationship with a politically exposed person. An appropriate hierarchical level of approvers should be identified for the level of heightened risk associated with the business relationship, and the senior executive approving the business relationship with the politically exposed person should occupy an appropriately high hierarchical level and exercise sufficient control to make informed decisions on matters that directly affect the risk profile of the firm,
  • in deciding whether to approve a business relationship with a politically exposed person, senior management should base its decision on the level of money laundering or terrorist financing risk to which the obligated institution would be exposed if it entered into such a business relationship and the tools that enable it to manage those risks effectively,
  • apply enhanced ongoing monitoring of both transactions and risks associated with the business relationship. Obligated institutions should identify unusual transactions and regularly review the information in their possession to ensure that any new or emerging information that may affect the risk assessment is addressed in a timely manner. The frequency of ongoing monitoring should depend on the level of high risk associated with the business relationship.
• with correspondent relationships (apply correspondent banking guidelines by analogy):
  • establish and verify the identity of the respondent and its beneficial owner. Accordingly, correspondents should obtain sufficient information about the respondent’s business and reputation to determine whether the money laundering risk associated with the respondent has increased. Specifically, correspondents should: (i) obtain information about the respondent’s management and consider the relevance of any possible links of management or owners to politically exposed persons or other high-risk persons, in the context of preventing financial crime; (ii) consider, on a risk-sensitive basis, whether it would be appropriate to obtain information about the respondent’s core business, the types of customers it attracts, and the quality of its anti-money laundering and control system (including publicly available information on recent criminal or regulatory sanctions for money laundering irregularities). If the respondent is a branch, subsidiary or affiliate, correspondents should also consider the parent company’s AML status, reputation and controls,
  • establish and document the nature and purpose of the service to be provided, as well as the responsibilities of each institution. This may include delineating in writing the scope of the relationship, identifying the products and services that will be provided, and how the correspondent’s banking infrastructure and its users will be used (e.g., whether it can be used by other banks as part of the relationship with the respondent).
  • monitor business relationships, including transactions, to identify changes in the respondent’s risk profile and to detect unusual or suspicious behavior, including activities that are inconsistent with the purpose of the service provided or that are contrary to commitments made between the correspondent and the respondent. If the correspondent institution allows the respondent’s customers direct access to accounts (e.g., suspense accounts or nested accounts), the obligated institution should conduct enhanced ongoing monitoring of the business relationship,
  • Provide updates on the performance of customer due diligence measures.
• for unusual transactions:
  • take reasonable and appropriate measures to understand the basis and purpose of these transactions, for example, by determining the source and destination of these monies or obtaining additional information about the customer’s business to be certain that this is a transaction that the customer would engage in; and
  • monitor the business relationship and resulting transactions more frequently and with greater attention to detail. A firm may decide to monitor individual transactions if this is consistent with the risks identified,
• when dealing with natural or legal persons resident or established in a high-risk third country:
  • gather more information obtained for customer due diligence purposes (first, obtaining and evaluating information about the reputation of the customer or beneficial owner and evaluating any negative opinions about the customer or beneficial owner – e.g. (i) information about family members and close business partners, (ii) information about the past and present business activities of the client or beneficial owner, (iii) media searches for negative information; and secondly, gathering information about the purported nature of the business relationship in order to obtain assurance that the nature and purpose of the business relationship is legitimate, and to assist the firm in obtaining a more complete risk profile of the client. This may include obtaining information on (i) the number, size and frequency of transactions that may pass through the account to enable the firm to detect suspicious deviations, (ii) the reason why the customer is seeking a special product or special service, particularly if it is not clear why the customer’s needs cannot be better met in another way or in another jurisdiction, (iii) the destination of the funds, (iv) the nature of the customer’s business or beneficial owner to enable the firm to better discern the likely nature of the business relationship,
  • confirm the identity of the customer or beneficial owner by, among other things: (i) requiring that the first payment be made through an account established in a manner verifiable as to the customer’s name with a bank subject to customer due diligence standards, (ii) determining that the customer’s assets and funds used in the business relationship are not derived from criminal activity and that the source of the assets and funding is consistent with the firm’s knowledge of the customer and the nature of the business relationship. In some cases where the risks associated with the business relationship are particularly high, verifying the source of the assets and the source of the monetary values may be the only adequate way to mitigate the risks. The source of financing or assets can be verified by reference to VAT or income tax returns, copies of audited accounts, salary confirmations, deeds or independent media reports, among others,
  • increase the frequency of reviews to gain assurance that the firm is still able to manage the risks associated with an individual business relationship, or to determine that the relationship no longer meets the firm’s risk appetite, and to help detect any transactions that require further review, including by: (i) increasing the frequency of reviews of the business relationship to verify that the client’s risk profile has not changed and that the risk can still be managed, (ii) obtaining senior management’s approval to initiate or continue the business relationship to gain assurance that senior management is aware of the firm’s risk exposure and can make an informed decision on the tools at the firm’s disposal to manage the risk, (iii) reviewing the business relationship at more regular intervals to ensure that any changes to the client’s risk profile have been detected, assessed and appropriate action taken where necessary, (iv) conducting more frequent and in-depth monitoring of transactions to identify any unusual or unexpected transactions that may raise suspicion of money laundering or terrorist financing. This may include determining the destination of funds or determining the reason for certain transactions.

8. Transactions that raise suspicion of money laundering in Poland

The Polish AML Law, as well as the GIIF and the Prosecutor’s Office draw attention to the following situations, which may be associated by obliged institutions with suspicion of money laundering or terrorist financing:

• the occurrence of a high amount of monthly turnover in the account, in particular when the certificate of entry in the register of economic activity shows that the activity has been conducted for a short time or has just begun,
• high-volume transactions by persons whom the obligated institution’s employees know or suspect do not have the cash to complete the transactions,
• location of the entity’s headquarters in a “virtual office”,
• a high frequency of transfers ordered in a short period of time to the same beneficiary by different principals that is not justified by the beneficiary’s type of business,
• a jump in transactions in relation to the value of transactions previously carried out by a given customer, with no apparent economic justification for such an increase,
• cash deposits if they represent the majority of transactions made on the account, unless justified by the nature of the business,
• absence of encumbrances indicating actual business activity (e.g., absence of remittances to relevant tax offices, Social Security Office, and other payments typical for a given type of activity),
• the business entity transacts only with the same small circle of counterparties (e.g., only a few entities), while there are other circumstances indicating that the entity is not actually conducting business,
• frequent crediting of the bank account with large amounts of money as “return of debt”, “donation”, “loan”,
• frequent cash deposits and withdrawals that are not justified by the type of earning activity,
• executing high-dollar transactions through accounts that were previously “dormant.”
• transactions are related to high-risk third countries Afghanistan, Bahamas, Barbados, Botswana, Cambodia, Ghana, Iraq, Iran, Jamaica, Mauritius, Myanmar/Burma, Nicaragua, Pakistan, Panama, Democratic People’s Republic of Korea (DPRK), Syria, Trinidad and Tobago, Uganda, Vanuatu, Yemen, Zimbabwe or countries identified by FATF as having strategic AML deficiencies: i.e. Albania, Burma Faso, Cayman Islands, Haiti, Turkey and Turkey.Albania, Burkina Faso, Cayman Islands, Haiti and Turkey, among others,
• Customer’s use of services or products that promote anonymity or make it difficult to identify Customer,
• the names of the principals or beneficiaries of the transfers indicate that the entity may actually be engaged in business activities other than those declared,
• numerous transactions with vague, laconic titles (e.g., cash deposits, wire transfers),
• frequent transactions of the same type in a single day, without justification by the type of business conducted,
• the customer’s unreasonable choice of an obligated institution’s facility located far from the customer’s residence/site or place of business,
• Customer’s refusal or apparent unwillingness to produce identification documents,
• a Customer who purports to operate or represent a business entity is unable to answer questions about the nature of the business,
• during the assignment, the client is accompanied by other persons who are not related to him/her personally or socially, in particular when the client shows nervousness due to their presence
• in response to a question from the staff of an obliged institution concerning the presentation of documents justifying the disposal of specific assets – the presentation of documents prepared in a hurry, containing errors, raising doubts as to their authenticity (e.g., antidated),
• exerting pressure on employees of an obligated institution to complete transactions quickly, without applying all required financial security measures,
• making transactions in a way that involves high costs, lack of interest in opportunities to reduce those costs,
• appointment of multiple proxies for the client for persons who are not co-owners or persons who are not part of the company’s governing bodies.

10. Blocking a bank account in Poland

In the case of suspicion that a specific transaction or assets may be related to money laundering or financing of terrorism, the bank (obliged institution) is obliged to notify the General Inspector of Financial Information. Within 24 hours of confirmation of receipt of the notification, the bank shall not carry out the transaction on which a reasonable suspicion has been raised, nor shall it carry out transactions debiting the account on which the assets have been accumulated. The GIFI may submit to the bank a request to block the account for a period not longer than 96 hours, counting from the date and time indicated in the notification acceptance confirmation. The GIFI shall notify a competent prosecutor about a suspicion of money laundering or terrorist financing crime. The public prosecutor may by decision suspend the transaction or block the account for a specified period, not longer than 6 months. The blocking of the account shall expire if, within the aforementioned six-month period, the public prosecutor fails to issue another order – in this case: (i) a decision on securing property or (ii) a decision on material evidence.

As of January 12, 2022, the Prosecutor may by order extend the suspension of transactions or the blockade of an account for a further specified period of time, not exceeding another 6 months. Thus, the total duration of the blockade of a bank account is 12 months, and in the event of an additional extension of the blockade beyond 12 months, the Prosecutor will have to issue an order recognizing the funds accumulated in the accounts as material evidence in the case / issue a freezing order. Such decision is no longer limited in time and it is solely up to the Prosecutor to decide when and if the funds will be released from the blockade.

So far, practice has shown that law enforcement have extended the blocking of accounts beyond the initial 6-month period by issuing a decision on material evidence, which appeared to be inconsistent with both the law and the guidelines of the General Prosecutor’s Office, which led to changes in the law:

• the Supreme Court has held that funds (existing as entries in bank accounts) cannot be considered physical evidence,
• in response to the Supreme Court’s resolution, the Polish legislator introduced Article 236b of the Code of Criminal Procedure, which, contrary to the position of the Supreme Court, explicitly allows for the funds in a bank account to be considered an item,
• the newly introduced Article 86(11a) of the UAML allows the blockade to be extended 1 time for an additional 6 months, i.e. for a total of 12 months,
• the law in this respect is retroactive – i.e. if the prosecutor issued the first decision to block the account before the above provision came into force, e.g. on November 20, 2021, then the prosecutor may extend it for another 6 months. If the Act did not contain Article 18, then the Prosecutor would be obliged to issue an order on property security or an order on material evidence, and otherwise the account blockade would fall.

As a result, it should be assumed that instead of speeding up the proceedings, law enforcement agencies will take even longer to conduct them, which will obviously have a negative impact on the business activities of entities whose accounts have been blocked. All this may take place even without anyone being charged with a crime of money laundering or terrorist financing. In such a situation, the “bank account holder” is not a party to the pre-trial proceedings, and thus does not have the opportunity to actively participate in the proceedings. He does not even have access to the case file. The only way to verify the correctness of the above decisions is to appeal them, and then to have their legality reviewed by the court. This usually takes several months, during which the holder of the funds cannot dispose of them. Usually the courts agree with the prosecutor and allow the blockade to continue.

The aforementioned changes in the law will most likely contribute to more frequent and longer bank account freezes.

11. Remedies against block of Polish bank account

Entities whose bank accounts (payment accounts) have been blocked may use the following measures to protect their rights:

Step 1 – complaint

Within 7 days of receipt of the prosecutor’s decision to block the account, file a complaint against it. Usually the Prosecutor’s Office justifies its decisions in very general terms, therefore polemics with the law enforcement authority is difficult. In order to explain the situation to the prosecutor you should consider providing him with documents and information confirming the legality of the transaction/business activity. In the absence of sufficient explanation, it may be expected that the court will uphold the appealed decision, thus maintaining the blockade,

Step 2 – participate in interrogations

In the course of verification activities, the company managers should, upon the request of the Police, take part in the interrogation in order to clarify the nature of the business activity, the sources of funds on the account and to explain the basis of the transactions conducted,

Step 3 – submit evidence

Those whose funds have been blocked may submit additional evidence and explanations at any stage of the case.

Most of the activity will come down to clarifying the legality of the sources of the transactions and constantly monitoring the progress of law enforcement.

11. UBO register in Poland

As of 2019, the Central Register of Beneficial Owners (CRBR / UBO register) is operational in Poland. This register is an open and publicly accessible ICT system that has the following functionalities:

• allows the notification of beneficiaries and representatives of entities (e.g. companies),
• enables searching for a real beneficiary or company (on the basis of NIP tax identification number or PESEL number, and for persons who do not have PESEL number – on the basis of first name, surname and date of birth),
• allows you to report corrections of data and information about beneficiaries, as well as report discrepancies between the actual state and the information appearing in the register.

Beneficial owner / CRBR / UBO  register in Poland – key facts

UBO Register website	CRBR available at https://crbr.podatki.gov.pl/adcrbr/#/ and is maintained by the Minister of Public Finance
Deadline to report	Within 7 days of the date of entry into the National Court Register (KRS)
Who is obliged to report to UBO register	general partnerships, partnerships, limited partnerships, limited joint-stock partnerships, limited liability companies, simple joint stock companies, and joint stock companies (except public companies), trusts whose trustees or persons in equivalent positions (i) are domiciled or established in the Republic of Poland or (ii) enter into a business relationship or acquire real estate in Poland on behalf of or for the benefit of the trust, European economic interest groupings, European companies, cooperatives, including European cooperatives, associations subject to registration in the National Court Register, foundations.
Who is not obliged to report o UBO register	Foreign companies operating in Poland in the form of a branch registered with the National Court Register are not subject to the obligation to notify the CRBR.
Registration fee and method	The notification shall be made free of charge by means of electronic communication. A qualified electronic signature or a signature confirmed by a trusted profile (ePUAP) is required to complete the application.
Criminal liability UBO	The person making the notification shall at the same time make a statement about the truthfulness of the information reported to the CRBR. The declaration referred to is made under pain of criminal liability for making a false declaration. The person making the statement is obliged to include the following clause: “I am aware of the criminal liability for making a false statement”.
More about UBO in Poland	Detailed information on the obligations to notify the obligated institution to the CRBR can be found on the website of the Ministry of Finance: https://www.gov.pl/web/finanse/zgloszenie-informacji-do-centralnego-rejestru-beneficjentow-rzeczywistych

Penalty for not reporting or improper UBO reporting

Not reporting within the deadline	monetary penalty of up to PLN 1,000,000
Inconsistent reporting	monetary penalty of up to PLN 1,000,000

12.1 Determining beneficial owner in Poland – who is a UBO?

According to the Polish AML Law, any natural person who directly or indirectly exercises control over an entity (client of the obliged institution) through the powers he or she holds, which arise from legal or factual circumstances, enabling him or her to exert a decisive influence on actions or activities undertaken by the entity (client), or any natural person on whose behalf economic relations are established or an occasional transaction is carried out, including:
for companies:

Question 1 – 25 % of shares?

An individual who is a shareholder with ownership rights to more than 25% of the total number of shares of that legal entity

Question 1 – 25 % of votes?

A natural person holding more than 25% of the total number of votes in the governing body of such a legal person, also as a pledgee or usufructuary or under agreements with other persons entitled to vote

Question 3 – control exceeding 25 %?

A natural person exercising control over a legal person or legal persons which together hold more than 25% of the total number of shares or which together hold more than 25% of the total number of votes in the constituting body of such legal person, also as a pledgee or usufructuary or under agreements with other persons entitled to vote

Question 4 – special powers?

A natural person controlling a legal person through holding special powers referred to in Art. 3.1.37 of the Accounting Act of 29 September 1994 (e.g. power to govern the financial and operating policies of a subsidiary, either alone or through persons designated by it; power to appoint and dismiss the majority of the members of a subsidiary’s management, supervisory or administrative bodies)

Question 5 – impossibility to establish UBO – management board?

A natural person holding a senior management position in case of documented impossibility of establishing or doubts about the identity of the natural persons referred to in the first-fourth indent and in case no suspicion of money laundering or terrorist financing is established,

12.2 Notification to UBO register in Poland

A notification to the CRBR may be made in accordance with Article 61(1) of the AML Law only by a person statutorily authorised to represent the obliged institution (e.g. the management board) or a trustee or person holding an equivalent position in the case of trusts. Where in a company a proxy is authorised to represent the company then he may notify the information to the CRBR.

13. Use of security measures and outsourcing – requirements of the Polish AML Law

Pursuant to Article 48 of the UAML, obliged institutions may outsource the application of financial security measures as well as conducting and documenting the results of the ongoing analysis of transactions to other entities. It should be stressed, however, that outsourcing does not release the obliged institution from responsibility for the application of financial security measures. Therefore, any mistakes made by the third party will burden the obliged institution with administrative penalties (contractual liability between the institution and the third party is obviously a separate issue).

13.1 To whom AML responsibilities may be delegated

The Polish AML Law indicates that the application of security measures may be entrusted to: (i) a natural person, (ii) a legal person, or (iii) an organisational unit without legal personality. The necessary condition of the entrustment is to regulate mutual relations in such a way that the entity a) acts in the name and on behalf of the obliged institution, and b) is treated as a part of the obliged institution (this obligation must result from an agreement binding the parties). There must be a genuine organisational relationship between the obligated institution and the third party that makes it clear that the third party is considered part of the obligated institution. The third party does not have to be the obligated institution or another entity obligated by its own regulations to perform AML/CFT duties.

An agreement binding the parties must be in writing. Most often it will be an agency agreement or an outsourcing agreement.

It is worth noting that an outsourcing (agency) agreement also does not exempt AMLO from liability if the scope of tasks performed by him includes activities undertaken with respect to the outsourcing entity.

13.2 The position of the Polish Financial Authority on guidelines for outsourcing

On 16 September 2019, the Polish Financial Supervision Authority issued a Position Paper on selected issues related to the entry into force of the EBA Outsourcing Guidelines and their consideration in banks’ activities. In the text of the position, the UKNF indicated that although it relates directly to banks, it should also be adopted by payment institutions (e.g. national payment institutions or small payment institutions) as part of good practice. This position is a general guideline for the outsourcing of activities by financial institutions, and is therefore also relevant in the case of outsourcing of activities.

The most significant issues raised in the above position of the UKNF include:

• indicating that the outsourcing contract should contain a closed catalog of processes, services and activities to be outsourced together with an unambiguous indication of the decision-making entity responsible for all stages of their performance. Appendices to the outsourcing contract should include graphic representations of the individual processes to be outsourced together with an indication of the individual activities/steps in the process and identification of the decision-making entity,
• recommendation that financial institutions (obligated) identify, assess and monitor any risks arising from outsourcing arrangements to which they are or may be exposed and should manage those risks,
• information that, when entering into outsourcing agreements, obliged institutions outsourcing activities should take into account the consequences, including those of an organizational and legal nature, resulting from the location of the service provider,
• information that, the EBA guidelines provide for the need to notify or enter into a dialogue with the supervisory authority with regard to the planned outsourcing of critical or important functions, or where the function to be outsourced acquires such a character,
• indication that the contract under which the activity is entrusted should include an undertaking that the service provider will ensure the protection of confidential, personal or other sensitive information and comply with all legal data protection requirements that apply to mandatory institutions (e.g. protection of personal data, and where applicable, compliance with confidentiality obligations in relation to customer information),
• recommendation that the outsourcing obligated institution have sufficient resources and capacity to control the outsourced activities and ensure their compliance with applicable laws, supervisory standards and obligations under the outsourcing agreement.

14. General Inspector for Financial Information in Poland

The General Inspector of Financial Information (GIIF) is one of the two administrative authorities (along with the Minister of Finance) tasked with preventing money laundering and terrorist financing in Poland. The GIIF, as the central element of the Polish system, has relatively the greatest impact on the activities of the entire system. From the point of view of the obliged institutions, as well as market participants (e.g. persons holding bank accounts), the GIIF is also the main point of information, as it receives notifications of actual or potential violations of UAML and terrorist financing regulations from employees, former employees of the obliged institutions or other persons, who perform or have performed activities for the benefit of obliged institutions on a basis other than employment.

The GIIF performs such tasks as:

• analyzing the information concerning property values, which the Inspector General suspects to be related to the crime of money laundering or terrorist financing,
• conducting a transaction hold or account blocking procedure ,
• requesting and sharing transaction information,
• providing authorized authorities with information and documents justifying a suspicion that a crime has been committed,
• exchanging information with cooperating entities,
• preparing a national risk assessment of money laundering and terrorist financing and strategies to counter these crimes in cooperation with cooperating units and obliged institutions,
• exercising control over compliance with anti-money laundering and counter-terrorist financing regulations,
• issuing decisions in matters of entry on or removal from the list of persons and entities to which specific restrictive measures referred to in Article 117 of the UAML apply, and maintaining the list,
• cooperation with the competent authorities of other countries, as well as foreign institutions and international organizations dealing with counteracting
• money laundering or terrorist financing,
• exchanging information with foreign financial intelligence units, including maintaining a point of contact for such exchange,
• imposing administrative penalties as referred to in the Act,
• making the knowledge and information on the regulations on counteracting money laundering and terrorist financing available in the Public Information Bulletin at the website of the office that serves the minister in charge of public finance,
• processing of information in the manner prescribed by the Act,
• initiating other activities to prevent money laundering and terrorist financing.

The Inspector General is the administrator of the ICT system for counteracting money laundering and terrorist financing available at the following link: www.giif.mofnet.gov.pl/nowa

News and announcements on the activities of the General Inspector of Financial Information (which relate to the practical application of the provisions of the Polish UAML) can be found on the website of the Ministry of Finance: https://www.gov.pl/web/finanse/komunikaty-giif.

15. Reporting of information to GIIF

Domestic obligated institutions under the UAML are required to:

• report an entity as an obliged institution to the GIFI,
• report on suprathreshold transactions (Article 72 of the UAML),
• notify the GIIF about the possibility of committing a crime (art. 74 of the UAML),
• notify the GIF of a suspicious transaction (Art. 86 of the UAML),
• notify the competent prosecutor in the event of a reasonable suspicion that the assets transacted or accumulated in the account are the proceeds of an offence other than money laundering or terrorist financing or a fiscal offence, or are connected to an offence other than money laundering or terrorist financing or a fiscal offence (Article 89(8) of the UAML).

Re A. Identification form

In order to fulfill the obligations provided for by the UAML and imposed on obliged institutions as regards provision of information to the GIIF concerning transactions and making notifications indicated in items B – D above, an obliged institution is obliged to provide the GIIF with an obliged institution identification form.

The form should include the following:

• the name (business name) together with an indication of the organizational form of the obliged institution,
• TIN of the obligated institution,
• identify the type of activity conducted by the obligated institution,
• registered or business address, with the conjunction “or” indicating that one of these addresses is sufficient,
• the name, position, telephone number and electronic mailbox address of the employee referred to in Article 8 of the UAML, i.e. the so-called AML Officer,
  names, surnames, positions, telephone numbers and electronic mailbox addresses of other employees responsible for the implementation of the provisions of the Act whom the obliged institution wishes to designate for contact with the GIIF,
• the name (business name) and NIP or the name, surname and PESEL of the intermediary entity referred to in Article 73(1) of the UAML, if the intermediary entity is used.

In the case of a change of the above data, with the exception of a change of NIP number of an obliged institution, there is a need to immediately update the data reported to the GIIF.

The form identifying the obliged institution is submitted to the GIIF by means of electronic communication.

The Mandatory Institution Identification Form can be submitted in several ways:

• by SI*GIIF using an e-signature,
• using dedicated software, e.g. SI*GIIF Client application, also using e-signature,
• in the form of a paper copy of the form, signed by the responsible person and delivered by an officer of the company or by mail carrier.
• Detailed instructions can be found on the website: https://www.giif.mofnet.gov.pl/nowa/#/glowna/jak-dodac-io

Re B. Suprathreshold transactions

A supra-threshold transaction is a transaction of the equivalent of EUR 15,000 or more (which is translated at the average exchange rate announced by the National Bank of Poland (NBP) in effect on the day the transaction is effected or the day the transaction is ordered to be effected), regardless of whether the transaction is effected as a single operation or as several operations that appear to be linked.

Obliged institutions (in addition to foreign exchange or exchange businesses, notaries, attorneys and tax advisors, real estate agents) are required to provide the GIIF with information on

• an accepted deposit or made withdrawal of funds with an equivalent value exceeding €15,000 [in accordance with GIIF message number 11 of 11 July 2019, this obligation applies only to transactions of accepted deposit in cash (to the cashier of the reporting obliged institution or to a payment account maintained by the reporting obliged institution) or made withdrawal in cash (from the cashier of the reporting obliged institution or from a payment account maintained by the reporting obliged institution). Specifically: the colloquial understanding of the phrase “deposit to an account” to mean a transfer of funds to an account or to mean a transfer of funds to an account held at an institution other than the one receiving the deposit actually refers to a transfer of funds (which is therefore reported as a transfer by the institution making it. At the same time, it should be pointed out that paying for a transaction using a payment/credit card does not constitute a cash deposit. Also, paying for a transaction partly with cash and partly by other means (e.g., payment card, wire transfer, etc.) necessitates a determination of the reasonableness of reporting the cash deposit. Pursuant to Article 72 (1) para. 1 of the UAML, the obliged institution shall provide information on the (cash) deposit accepted and not on the purchase transaction or conclusion of any other related agreement. For example, when payment for goods worth PLN 80,000 – PLN 20,000 was paid in cash at the seller’s cash desk and PLN 60,000 was transferred to the seller’s payment account. The seller is not obliged to provide information on payment of PLN 80k – the obligation applies to information on accepted cash payment exceeding EUR 15k, and in this case the seller accepted PLN 20k in cash, i.e. an amount below the threshold set forth in the Act].
• an executed transfer of funds with an equivalent value exceeding €15,000, except:
  • transfer funds between a payment account and a term deposit account that belong to the same customer at the same obligated institution,
  • domestic transfer of funds from another obligated institution,
  • a transaction related to the obliged institution’s own economy, which was carried out by the obliged institution in its own name and on its own behalf,
  • including a transaction concluded on the interbank market,
  • transaction conducted on behalf or for the benefit of public finance sector entities, referred to in Art. 9 of the Act of 27 August 2009 on public finance,
    a transaction carried out by a bank associating cooperative banks, if information about the transaction was provided by the associated cooperative bank,
  • transfer for security of assets executed for the duration of the transfer agreement with the obligated institution.

The obligation set out in section 2 above only applies to the provision of information by the institution executing the transfer (executing the customer’s order/disposition in this regard, with the exception of information on transactions referred to in paragraph 2 of Article 72 of the UAML) – thus, it only applies to payment service providers.

It should be noted that the obligation to provide information referred to in point 2 above also applies to the transfer of funds from outside the territory of the Republic of Poland to a payee whose payment service provider is an obliged institution.

Deadline to report suprathreshold transactions 7 days from:

• accepting a deposit or making a withdrawal of funds,
• the execution of a payment transaction to transfer funds,
• making funds available to the payee,
• carrying out or brokering the purchase or sale of foreign exchange.

The notification obligation primarily includes the identification of the underlying subject matter, as well as:

• the unique identifier of the transaction in the records of the obligated institution,
• the date or the date and time of the transaction,
• the identification data referred to in Article 36.1 of the UAML of the client giving the instruction or order to carry out the transaction,
• identification data in its possession, as referred to in Article 36 (1) of the UAML, of the other parties to the transaction,
• the amount and currency of the transaction or the weight and purity of the foreign exchange gold or foreign exchange platinum involved in the transaction,
• type of transaction,
• transaction title,
• the method of issuing an instruction or order to execute a transaction,
• the account numbers of the accounts used to carry out the transaction marked with the International Bank Account Number (IBAN) identifier or an identifier containing the country code and the account number in case of accounts not marked with IBAN.

Sending information about a suprathreshold transaction is done in 3 steps:

• fill out an appropriate form of information on a suprathreshold transaction in SI*GIIF or in dedicated software, e.g. SI*GIIF Client application,
• generate a preview of the document using e-signature,
• save the generated document on your computer disk and send it to GIIF,
• log in to SI*GIIF and check the status of the sent information.

Detailed instructions can be found at: https://www.giif.mofnet.gov.pl/nowa/#/glowna/jak-wyslac-transakcje

Re C. Notifying the General Inspector of Financial Information of a possible crime

In particular, unusual, unclear, doubtful, abnormal, unusual or extraordinary circumstances, which consist of actions inconsistent with the known and documented nature of the customer’s business, or the occurrence of unusual turnover for a particular type of account, agreement or contract, which may be symptoms of a reasonable suspicion of money laundering, are considered circumstances that give rise to a suspicion of money laundering.

KIP is obliged to notify the GIIF within 2 working days of circumstances justifying the commission of a crime. The notification should include information indicated in article 74 section 3 AML. The notification is submitted in an electronic form within the GIIF system in a tab “I want to send an e-notification”: https://www.giif.mofnet.gov.pl/nowa/#/glowna

Re D. Notifying the General Inspectorate of Financial Information of a suspicious transaction

If an obliged institution has a reasonable suspicion that a particular transaction or assets may be related to money laundering or terrorist financing, it is obliged to immediately notify the GIFI. The notification is submitted in the same manner as in point C.

In the content of the notification the Company should include the information indicated in Article 74(3) UAML. Upon receipt of the notification, the GIIF shall confirm its receipt in the form of an official acknowledgement of receipt, containing in particular the date and time of receipt of the notification. Until the receipt of an appropriate request or a waiver from the GIIF, but no longer than for 24 hours, counting from the moment of the acknowledgement of receipt of the notification, the Company shall not carry out transactions or other transactions debiting the account on which the assets have been accumulated.

The notification is submitted in an electronic form within the GIIF system in a bookmark “I want to send an e-notification” https://www.giif.mofnet.gov.pl/nowa/#/glowna

Re E. Notifying the Prosecutor of a Suspicious Transaction

Pursuant to Article 89 of the AML Law of Poland, an obliged institution shall immediately notify the competent prosecutor if it has a reasonable suspicion that the assets transacted or accumulated in the account are derived from, or are connected with, an offence other than money laundering or terrorist financing or a fiscal offence. The obliged institution shall then immediately notify the GIIF of (any) decision of the prosecutor. The Act does not provide for a specific form of communication with the prosecutor, but given the purpose of the notification and the need for prompt action, the literature assumes that the notification may be submitted electronically, e.g. via the ePUAP platform or at least the e-mail address of the relevant prosecutor.

16. Does non-payment activity fall under Polish AML?

Under the Polish AML Law, domestic payment institutions, domestic electronic money institutions, branches of EU payment institutions, branches of EU and foreign electronic money institutions, small payment institutions, payment service bureaus and settlement agents are considered obligated institutions, which means that they should comply with the provisions of the AML Law of Poland, including the obligation to apply financial security measures / KYC to their customers.

An important question arises – should a hybrid payment institution apply financial security / KYC measures to its customers when providing non-payment services?

According to the Financial Information Department of the Ministry of Finance, if an entity provides payment services as a (e.g. domestic/small) payment institution and this part of its activity is formally separated and separate records are kept for it with respect to these services, the UAML does not prohibit such an entity from conducting other business activity, which (other activity) will not be subject to requirements applicable to institutions obliged under the UAML.

It should also be noted that the obliged institutions, in accordance with Article 50 of the AML Act, implement an internal procedure to prevent money laundering and terrorist financing, and in the case described above, should clearly define the rules of conduct applied by the obliged institution with respect to this part (non-payment) of its activities.

17. AML Regulation in Poland – FAQ

Who are the AML obliged institutions in Poland?

List of AML obliged institutions extensive and included in AML Act of Poland. It includes e.g. Domestic banks, Branches of foreign banks, Branches of credit institutions, EU payment institutions, Domestic electronic money institutions, Small payment institutions

Is holding an executive position the same as being a board member?

No. A clear distinction should be made between the concept of a management position and a member of the management board, which is a qualified concept in relation to an AML officer.

Who is Politically Exposed Person (PEP) in Poland?

Pursuant to the Polish AML Law, Politically Exposed Persons (PEP) are defined as natural persons who perform significant public functions or occupy significant public positions.

Is there a UBO register in Poland?

Yes, there is a public UBO register in Poland – https://crbr.podatki.gov.pl/adcrbr/#/

Who is considered as beneficial owner in Poland under AML regulation?

According to the Polish AML Law, any natural person who directly or indirectly exercises control over an entity  through the powers he or she holds, which arise from legal or factual circumstances, enabling him or her to exert a decisive influence on actions or activities undertaken by the entity, or any natural person on whose behalf economic relations are established or an occasional transaction is carried out, including: for companies, e.g. holds 25 % of shares?