AML and CTF law and regulation in Poland

The AML/CTF measures are regulated in the Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing as amended (the “Polish AML Act”).

Currently, the Polish AML Act implements the 4^th AML Directive. However, the 5th AML Directive was scheduled to be implemented in Q2 of this year, but it seems that it will be delayed to the second half of the year due to the COVID-19 pandemic.

The main AML/CTF supervisory authority is the General Inspector for Financial Information (the “GIFI”), but there are also other authorities supervising compliance with the Polish AML Act, e.g. the Polish Financial Supervision Authority regarding regulated entities.

Furthermore, in the AML/CTF matters GIFI cooperates with other institutions, e.g. government administrative bodies, the bodies of local governmental units, other state organisational units, and the National Bank of Poland (NBP).

The Polish AML Act generally follows the 4^th AML Directive, except that it extends the scope in some cases, e.g. to virtual currency entities. These entities are considered to be obliged entities under the Polish AML Act:

1. domestic banks, branches of foreign banks, branches of credit institutions, financial institutions with their registered office in Poland, and branches of financial institutions that do not have their registered office in Poland;
2. savings and credit unions;
3. domestic payment institutions, domestic electronic money institutions, branches of EU payment institutions, branches of EU and foreign electronic money institutions, small payment institutions, payment service offices, and paying agents;
4. investment firms, custodian banks, and branches of foreign investment firms within the meaning of that Act, conducting activity in Poland;
5. foreign legal entities conducting brokerage activity in Poland, including those conducting such activity in the form of a branch, and commodity brokerage houses;
6. companies operating a regulated market (in some cases);
7. investment funds, alternative investment companies, investment fund corporations, AIC managers, branches of management companies, and branches of managers from the EU located in Poland;
8. insurance undertakings (in some cases);
9. insurance intermediaries (in some cases);
10. Krajowy Depozyt Papierów Wartościowych S.A. (the national depository);
11. entrepreneurs conducting exchange office activity, other entrepreneurs providing a foreign exchange service or a foreign exchange intermediation service, which are not other obliged institutions, and branches of foreign entrepreneurs conducting such activity in Poland;
12. entities conducting economic activity consisting in providing services in the area of: (a) exchange between virtual currencies and means of payment; (b)exchanges of virtual currencies; (c) intermediation in these exchanges; (d) the operation of certain accounts;
13. notaries within the scope of acts performed in the form of a notarial deed;
14. attorneys, legal counsels, foreign lawyers, and tax advisors (in some cases);
15. entrepreneurs which are not other obliged institutions, providing trust and related services;
16. entities conducting activity in the provision of bookkeeping services;
17. real estate agents;
18. postal operators;
19. entities conducting gambling activity;
20. foundations, associations and entrepreneurs which receive or make cash payments having a value equal to or exceeding the equivalent of EUR 10,000;
21. entrepreneurs which conduct activity consisting in providing safe deposit boxes, and branches of foreign entrepreneurs conducting such activity in Poland; and
22. lending institutions.

The Polish AML Act closely follows the 4^th AML Directive regarding the KYC and the UBO register. Polish entities such as general partnerships, limited partnerships, limited joint-stock partnerships, limited liability companies, and joint-stock companies except public companies are obliged to report relevant information of their UBOs to the Central Register of Beneficial Owners. The deadline for initial reports for existing companies was 13 July 2020.

There is no specific legislation, but online onboarding is generally possible.

The Polish AML Act generally closely follows the 4^th AML Directive. We have not identified any     major discrepancies or obligations going beyond what is required by the Directive.

Yes, the National Risk Assessment considers the following areas to be the most exposed to AML/CTF risks:

1. cash operations and physical transfers through borders;
2. virtual currencies;
3. cashless money exchange;
4. fiscal frauds;
5. crowdfunding.

The main CTF measures are implemented in the Polish AML Act and include transaction suspensions and account holds, specific restrictive measures such as freezing assets without prior notice, keeping a list of persons and entities against whom restrictive measures are applied, the obligation of no criminal record for UBOs and representatives in the companies’ structures, and administrative penalties for obliged institutions which fail to fulfil AML/CTF obligations (the main obligation is to notify the GIFI immediately of all reasonable suspicions that a transaction or assets may be linked to money laundering or terrorist financing).

Legal entities and obliged institutions may be subject to both criminal and regulatory liability while their representatives may be individually subject to criminal liability.

Pursuant to the Polish Criminal Code, any individual person who receives, possesses, uses, conveys or transports abroad, conceals, transfers or converts legal tenders, financial instruments, securities, foreign exchange, property rights or other movable or immovable property, which are connected to criminal offence, is liable to imprisonment of between six months to ten years. This sanction also applies to an employee or anyone acting in the name of or for the benefit of a bank, financial or credit institution, or another entity legally obliged to register transactions who receives legal tenders, financial instruments, securities, foreign exchange, transfers or converts them, or receives them in circumstances raising a reasonable suspicion that they have been the object of money laundering.

A representative acting in the name of an obliged institution who fails to comply with the obligation of reporting to the GIFI or who provides the GIFI with false data or fails to disclose true data concerning transactions, accounts or persons, may be subject to imprisonment for from three months to five years. The same penalty applies to unauthorised disclosing or using information gathered in accordance with the Polish AML Act. Additionally, whoever prevents or inhibits the performance of inspection or controlling the institutions may be subject to a fine.

Representatives of legal entities may also potentially face criminal liability based on AML-specific provisions for inflicting substantial material damage (more than PLN 200,000) by abusing granted authority or failing to fulfil duties, subject to imprisonment between three months and five years. For example, this may apply if the representative fails to comply with AML/CTF regulations and then the authorities freeze funds, which cause damage to the entity.

The quasi-criminal liability of legal entities is regulated by the act of criminal liability of collective entities for punishable offences. The collective entity may be responsible, provided other prerequisites are met, for offences related to economic activity, penal and fiscal offences, public corruption and corruption of business, including crimes of money laundering. The act provides a range of sanctions such as a monetary penalty ranging from PLN 1,000 to PLN 5,000,000 (which however cannot exceed 3% of the revenue earned in the business year in which the offence was committed), or the forfeiture of proceeds of the crime.

An obliged institution that fails to fulfil its obligations under the Polish AML Act may be subject to an administrative penalty, which may take various forms, including the publication of information about the breach in the public information bulletin, an order to stop undertaking certain activities, the withdrawal of a licence or permit, deletion from a regulated activity register, a prohibition on performing duties in a managerial position by a person responsible for the breach, or a financial penalty. The financial penalty may be imposed up to twice the amount of the benefit achieved or the loss avoided by the obliged institution as a result of a breach or where it is impossible to determine this amount, up to EUR 1m. For financial institutions the limits are higher, and the penalty is up to EUR 5m or 10% of the turnover reported in the preceding financial statement.