AML & CFT in Poland – Introduction
Poland is located in Central Europe and classified as a high-income economy by the World Bank1, with the sixth-largest economy in the EU2. It shares borders with Lithuania, Belarus, Ukraine, Slovakia, Czech Republic, Germany and Russia's Kaliningrad enclave and, as such, it is exposed to medium money laundering (ML) and terrorism financing (TF) risks, which emanate from tax offences, corruption, illicit trafficking of narcotic drugs and psychotropic substances, human trafficking and immigrant smuggling, offences against property and economic transactions, offences related to the infringement of copyright, financial crime, offences related to illegal gambling and document forgery.
The latest evaluation, conducted by MONEYVAL on May 21, 2021, deemed Poland Compliant for 2 and Largely Compliant for 21 of the FATF 40 Recommendations (the full report can be found at: https://www.fatf-gafi.org/media/fatf/documents/reports/mer-fsrb/MONEYVAL-MER-Poland-2022.pdf).
Since 2018 Poland has introduced a significant number of reforms to strengthen its AML/CFT regime. The legal framework has been enhanced in several aspects, such as the customer due diligence requirements, the Financial Intelligence Units, and TF-related targeted financial sanctions. Nevertheless, several issues remain to be improved, including criminalisation of TF, new technologies, and early detection of suspicious business relationships and transactions.
The following report focuses on the responsibilities of obliged institutions operating in Poland, in the hope that it helps the reader decide whether to invest or operate in Poland.
AML legal system in Poland
The Polish AML/CFT system is based mainly on the Combating Money Laundering and the Financing of Terrorism Act of March 1, 2018 (latest amendment implemented on February 24, 2022; hereinafter: "AML Act"). The most relevant institutions in the practical application of AML/CFT are:
- General Inspector of Financial Information (GIFI) responsible for preparing a national risk assessment of money laundering and terrorist financing and strategies to counter these crimes; conducting the analysis of financial information provided by the obliged institutions; exchanging information, and cooperating with units and foreign FIUs; supervising and controlling the fulfilment of AML/CFT obligations stemming from the AML Act,
- Polish Financial Supervisory Authority (Komisja Nadzoru Finansowego; abbr.: KNF) which supervises the financial market in Poland, including AML/CFT area. It exercises oversight of the banking sector, the capital, insurance, pension market, supervision over payment institutions and payment service offices, electronic money institutions and the savings and credit union sector,
- Public Prosecutor's Office (PPO) responsible for investigating and prosecuting ML, TF and other predicate offences,
- National Revenue Administration (KAS) responsible for the collection, control and enforcement of taxes, customs duties, and other revenues of the state budget from public levies, as well as combating tax and customs crime.
Obliged institutions in Poland
The list of obliged institutions set out in the AML Act includes, among others, domestic banks, branches of foreign banks, branches of credit institutions, financial institutions having their registered office in the territory of the Republic of Poland, and branches of financial institutions not having their registered office in the territory of the Republic of Poland, cooperative savings and credit funds and the National Cooperative Savings and Credit Fund (Krajowa Spółdzielcza Kasa Oszczędnościowo-Kredytowa), domestic payment institutions, domestic electronic money institutions, branches of EU payment institutions, branches of EU and foreign electronic money institutions, small payment institutions, payment services bureaus and settlement agents, investment firms, custodian banks, branches of foreign investment firms, foreign legal persons conducting brokerage activities in the territory of the Republic of Poland, investment funds, alternative investment companies, investment fund companies, ASI managers, branches of management companies and branches of EU managers located in the territory of the Republic of Poland, insurance companies, entrepreneurs conducting currency exchange (kantor) activities, entities conducting business activity consisting in rendering services within the scope of: (a) exchange between virtual currencies and means of payment, (b) exchange between virtual currencies, (c) intermediation in the exchange referred to in points (a) or (b), as well as lending institutions.
Obliged institutions statutory tasks
Under the AML Act, each obliged institution (hereinafter: "OI") must inter alia:
- designate senior executives responsible for carrying out the duties set forth in the AML Act,
- if the OI has a management body, appoint from among its members a person responsible for implementing the duties specified in the AML Act,
- designate an employee in a managerial position responsible for ensuring compliance of the activities of the OI and its employees and other persons performing activities on behalf of the obligated institution with the provisions on anti-money laundering and terrorist financing,
- assess 2 types of risks - (i) a "general risk assessment" of money laundering and terrorist financing relating to the obliged institution's general activities, and (ii) a "case-by-case risk assessment" which relates to the identification, and assessment of money laundering and terrorist financing risks relating to the obliged institution's specific and individual business relationship with a customer or to a specific and individual occasional transaction,
- implement an internal procedure within the scope of anti-money laundering and financing of terrorism that specifies:
  - the activities or actions taken with the aim of mitigating the risk of money laundering and terrorist financing as well as appropriate management of the identified risk of money laundering and terrorist financing,
  - the rules for recognising and assessing the risk of money laundering and terrorist financing associated with the given business relationships or an occasional transaction, including the rules for verifying and updating a previously made assessment of the risk of money laundering and terrorist financing,
  - the measures applied for the purpose of appropriate management of the recognised risk of money laundering or terrorist financing associated with the given business relationships or an occasional transaction,
  - the rules for the application of financial security measures,
  - the rules for storing documents and information,
  - the rules for fulfilling the obligations, including providing the GIFI with information on transactions and notifications,
  - the rules for disseminating among employees of an obliged institution knowledge in the field of the provisions on combating money laundering and terrorist financing,
  - the rules for reporting by employees of actual or potential breaches of the provisions on combating money laundering and terrorist financing,
  - the rules for internal control or supervision of compliance of the activity of an obliged institution with the provisions on combating money laundering and terrorist financing as well as the rules of conduct determined in the internal procedure,
  - the rules for noting discrepancies between the information gathered in the Central Register of Beneficial Owners and the information on beneficial owners of the customer in connection with the application of the AML Act,
  - the rules for documenting impediments determined in connection with verification of the identity of the beneficial owner as well as activities undertaken in connection with the identification, as the beneficial owner, of a natural person occupying a post in senior management,
- apply financial security measures,
- file SARs and notify relevant authorities, including prosecutors, of suspicious transactions and potential crime.
AML officer duties and responsibilities in Poland (AMLO and MLRO)
As outlined above, under the AML Act it is mandatory to appoint an AML and terrorist financing officer. Such a person should have a managerial status and will be responsible for ensuring compliance of the entire institution with the provisions of the Polish AML Act and, in addition, for reporting the notifications referred to in the aforementioned Act to the Financial Intelligence Units.
The scope of AMLO (MLRO) responsibilities can be divided into three groups:
- (statutory obligation) ensuring compliance of the activities of the obliged institution and its employees and other persons performing activities for the benefit of this obliged institution with the provisions on anti-money laundering and terrorist financing (performance of tasks of a security guarantor),
- (statutory obligation) submitting on behalf of the obliged institution the notifications referred to in Article 74(1) (notifying the GIFI of circumstances that may indicate a suspicion of money laundering or terrorist financing), Article 86(1) (notifying the GIFI in the event of a justified suspicion that a specific transaction or specific assets may be related to money laundering or terrorist financing), Article 89(1) (notification to the competent prosecutor in the case of a justified suspicion that property values being the subject of a transaction or accumulated on the account come from an offence other than money laundering or terrorist financing or a fiscal offence, or are connected with an offence other than money laundering or terrorist financing or a fiscal offence), and Article 90 of the AML Act (notification to the GIFI of a suspicious transaction in the situation where the obliged institution had no possibility of prior notification of the transaction before its execution),
- performing other tasks related to AML/CFT, e.g. supervising and verifying risk-based AML/CFT assessment, preparing internal AML procedure, organising external trainings for designated employees, self-education, participation in courses, trainings, symposia meetings etc. related to AML/CFT, cooperation with prosecutor's office and services which are cooperating units (Police, ABW, CBA, KAS) - the above in accordance with the internal system of the obliged institution.
Depending on the internal structure of the obliged institution, the three groups of duties set out above may be organised under a single position or may be performed by different individuals.
For the purposes of this compilation, a person performing all of the above functions will be referred to as the AMLO for short.
Violation of AMLO's obligations is punishable by a fine of up to PLN 1,000,000 (administrative liability).
The AMLO is liable to a penalty of imprisonment from 3 months to 5 years for (i) failure to notify the General Inspector of circumstances that may indicate a suspicion that money laundering or terrorist financing has been committed, or failure to notify the GIFI of a reasonable suspicion that a specific transaction or assets subject to such transaction may be related to money laundering or terrorist financing, or (ii) provision to the GIFI of false or concealed data on transactions, accounts or persons. In the case of an unintentional act, he/she shall be liable to a fine.
Identifying UBO in Poland
Under the Polish AML Act, a beneficial owner (UBO) is any natural person who directly or indirectly exercises control over an entity (client of the obliged institution) through the powers he or she holds, which arise from legal or factual circumstances, enabling him or her to exert a decisive influence on actions or activities undertaken by the entity (client), or any natural person on whose behalf economic relations are established or an occasional transaction is carried out. For companies, this includes:
- an individual who is a shareholder with ownership rights to more than 25% of the total number of shares of that legal entity,
- a natural person holding more than 25% of the total number of votes in the governing body of such a legal person, also as a pledgee or usufructuary or under agreements with other persons entitled to vote,
- a natural person exercising control over a legal person or legal persons which together hold more than 25% of the total number of shares or which together hold more than 25% of the total number of votes in the constituting body of such legal person, also as a pledgee or usufructuary or under agreements with other persons entitled to vote,
- a natural person controlling a legal person through holding special powers referred to in Article 3(1)(37) of the Accounting Act of 29 September 1994 (e.g. power to govern the financial and operating policies of a subsidiary, either alone or through persons designated by it; power to appoint and dismiss the majority of the members of a subsidiary's management, supervisory or administrative bodies),
- a natural person holding a senior management position, in the case of a documented impossibility of establishing, or doubts about, the identity of the natural persons referred to in the first to fourth indents, and where no suspicion of money laundering or terrorist financing is established.
In order to identify the ultimate beneficial owner of a company, it is necessary to delve into the ownership structure and to be able to analyse many different sources. For Polish entities, the KRS register (https://ekrs.ms.gov.pl/web/wyszukiwarka-krs/strona-glowna/index.html) and the CEIDG register (https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/Search.aspx) might come in handy.
Apart from identifying the UBO, an obliged institution must include in its internal AML and terrorist financing procedure rules for noting discrepancies between the information collected in the Central Register of Beneficial Owners and the information on the customer's beneficial owners determined in connection with the application of the Act. This obligation is imposed on the entity by Article 50(1)(10) of the AML Act. The procedure must be approved by the management board (senior management) of the obliged institution before coming into force. Failure to have a complete AML procedure exposes the obliged institution to an administrative penalty.
Central Register for the Beneficial Owners - UBO Register
The Central Register of Beneficial Owners (CRBR) has been operating in Poland since 2019. This register is an open and publicly accessible ICT system that has the following functionalities:
- allows the notification of beneficiaries and representatives of entities (e.g. companies),
- enables searching for a beneficial owner or company (on the basis of the NIP tax identification number or PESEL number, and for persons who do not have a PESEL number, on the basis of first name, surname and date of birth),
- allows you to report corrections of data and information about beneficiaries, as well as report discrepancies between the actual state and the information appearing in the register.
The CRBR is available exclusively in Polish at https://crbr.podatki.gov.pl/adcrbr/#/ and is maintained by the Minister of Public Finance.
All the entities listed below that are entered in the Polish company register, the National Court Register (KRS), or whose information has changed, are obliged to report to the CRBR (or update their entry) within 7 days of the entry or change in the KRS:
- general partnerships, partnerships, limited partnerships, limited joint-stock partnerships,
- limited liability companies, simple joint stock companies, and joint stock companies (except public companies),
- trusts whose trustees or persons in equivalent positions (i) are domiciled or established in the Republic of Poland or (ii) enter into a business relationship or acquire real property in the Republic of Poland on behalf of or for the benefit of the trust,
- European economic interest groupings,
- European companies,
- cooperatives, including European cooperatives,
- associations subject to registration in the National Court Register.
Foreign companies operating in Poland in the form of a branch registered with the National Court Register are not subject to the obligation to notify the CRBR.
Obliged institutions that (i) failed to comply with the obligation to report or update information to the CRBR by the statutory deadline or (ii) provided information that is inconsistent with the facts are subject to a monetary penalty of up to PLN 1,000,000.
Outsourcing security measures under Polish AML Act
As part of business strategy, obliged institutions may decide to outsource the application of financial security measures as well as conducting and documenting the results of the ongoing analysis of transactions to other entities. It should be stressed, however, that outsourcing does not release the obliged institution from responsibility for the application of financial security measures. Therefore, any mistakes made by the third party will burden the obliged institution with administrative penalties (contractual liability between the institution and the third party is obviously a separate issue).
Application of security measures may be entrusted to: (i) a natural person, (ii) a legal person, or (iii) an organisational unit without legal personality. The necessary condition of the entrustment is to regulate mutual relations in such a way that the entity a) acts in the name and on behalf of the obliged institution, and b) is treated as a part of the obliged institution (this obligation must result from an agreement binding the parties). There must be a genuine organisational relationship between the obligated institution and the third party that makes it clear that the third party is considered part of the obligated institution. The third party does not have to be the obligated institution or another entity obligated by its own regulations to perform AML/CFT duties.
An agreement binding the parties must be in writing. Most often it will be an agency agreement or an outsourcing agreement. It is worth noting that an outsourcing (agency) agreement also does not exempt AMLO from liability if the scope of tasks performed by him includes activities undertaken with respect to the outsourcing entity.
Financial institutions supervised by the Polish Financial Supervisory Authority (KNF) should additionally consider applying the rules outlined in the KNF's Position Paper on selected issues related to the entry into force of the EBA Outsourcing Guidelines and their consideration in banks' activities, dated 16 September 2019.
The most significant issues raised in the above position of the KNF include:
- indicating that the outsourcing contract should contain a closed catalog of processes, services and activities to be outsourced together with an unambiguous indication of the decision-making entity responsible for all stages of their performance. Appendices to the outsourcing contract should include graphic representations of the individual processes to be outsourced together with an indication of the individual activities/steps in the process and identification of the decision-making entity,
- recommendation that (obliged) financial institutions identify, assess and monitor any risks arising from outsourcing arrangements to which they are or may be exposed, and manage those risks,
- information that, when entering into outsourcing agreements, obliged institutions outsourcing activities should take into account the consequences, including those of an organizational and legal nature, resulting from the location of the service provider,
- information that the EBA guidelines provide for the need to notify or enter into a dialogue with the supervisory authority with regard to the planned outsourcing of critical or important functions, or where the function to be outsourced acquires such a character,
- indication that the contract under which the activity is entrusted should include an undertaking that the service provider will ensure the protection of confidential, personal or other sensitive information and comply with all legal data protection requirements that apply to obliged institutions (e.g. protection of personal data, and where applicable, compliance with confidentiality obligations in relation to customer information),
- recommendation that the outsourcing obligated institution have sufficient resources and capacity to control the outsourced activities and ensure their compliance with applicable laws, supervisory standards and obligations under the outsourcing agreement.
Violation of the AML Act in Poland
If an obliged institution fails to comply with its obligations outlined in the AML Act, it may be subject to an administrative penalty. It should be noted that a penalty may be imposed not only on the obliged institution itself, but also on members of its management board, senior management, as well as employees in a managerial position whose responsibilities include ensuring that the activities of the obliged institution and its employees and other persons performing activities for the obliged institution comply with the provisions of the Act.
The grounds for imposing an administrative penalty are detailed in Articles 147 - 149 of the AML Act, and the most common include:
- failure to prepare a risk assessment on money laundering and terrorist financing relating to the activities of the obliged institution and failure to update it, which should be prepared at least every 2 years,
- failure to apply financial security measures, including, but not limited to, recognizing the risk of money laundering and terrorist financing by the obligated institution with respect to business relationships, the obligated institution, or occasional transactions,
- failure to implement an internal procedure for anonymous reporting of anti-money laundering and counter-terrorist financing violations,
- failure to provide notices of suspected money laundering or terrorist financing (SAR filings),
- failure to comply with disclosure obligations.
Administrative penalties are imposed by decision of the General Inspector for Financial Information, the President of the National Bank of Poland and the Polish Financial Supervision Authority. When imposing a penalty, the competent authority takes into account factors that influence the penalty, including the gravity and duration of the breach, the financial capacity of the obligated institution, the scale of profits gained by the entity, losses incurred by third parties in connection with the breach, the degree of cooperation of the obligated institution with the competent authorities in anti-money laundering matters, as well as whether the entity has previously committed a breach of the AML Act provisions.
The catalogue of administrative penalties is closed and comprises:
- publication of information on the obliged institution and the scope of the violation of the AML Act by the institution in the Public Information Bulletin on the website of the office that serves the minister in charge of public finance (which involves the risk of a loss of reputation by the obliged institution, which in turn may adversely affect its position in the market),
- an order to stop the obligated institution from taking certain actions,
- withdrawal of a concession or permit or striking off the register of regulated activities,
- prohibiting a person responsible for a violation of the Act by an obligated institution from performing duties in a managerial position for a period not exceeding one year,
- a pecuniary penalty (up to twice the amount of the benefit gained or loss avoided, with the maximum pecuniary penalty being EUR 1,000,000). In the case of obliged institutions that are banks, credit institutions, cooperative savings and credit unions, domestic payment institutions, small payment institutions, investment firms and other entities referred to in Article 2(1)(1)-(5), (7)-(11), (24) and (25) of the AML Act, the fine is higher and amounts to, respectively, up to EUR 5,000,000 (or up to 10% of the turnover shown in the last approved financial statement) for legal persons and up to PLN 20,868,500 for natural persons.
In justified cases where (i) the gravity of the breach is negligible and the obliged institution has ceased the breach, or (ii) another authorised public administration body has already imposed a penalty on the obliged institution for the same behaviour or the obliged institution has been validly punished for a misdemeanour or fiscal misdemeanour or validly convicted of a crime or fiscal offence and the previous penalty meets the objectives for which the administrative penalty was to be imposed, the above-mentioned bodies may refrain from imposing such an administrative penalty. This occurs by decision and is a power, not an obligation of the authority.
Particular attention should be paid to the obligation of commercial companies to report information on beneficial owners and to update such information within 7 days from the date of entry in the National Court Register or change in the data. The financial penalty in this case is up to PLN 1,000,000.
Under the Polish AML Act, a beneficial owner who fails to provide an obligated institution with all the information and documents necessary for notification/updating to the CRBR is subject to a fine of up to PLN 50,000. The new provisions of the AML Act also provide for a pecuniary penalty of up to PLN 100,000 for entities (i) conducting activities for companies or trusts without obtaining an appropriate entry in the register of such activities and (ii) conducting virtual currency activities without first obtaining an entry in the relevant register.
Polish law permits imposition of penalties on persons who perform management functions in obliged institutions, i.e. members of senior management, the person responsible for implementing the obligations set forth in the act, and the employee responsible for supervising compliance of the obliged institution with the regulations. The above-mentioned individuals may be fined up to PLN 1,000,000 if an obliged institution they manage is found to have violated the obligations set forth in Art. 147 and 148 of the AML Act.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.