
Poland's #FATF#Anti-Money Laundering Report (2021)


The Council of Europe’s MONEYVAL Committee calls on Polish authorities to improve the regulatory framework and to strengthen the practical application of measures meant to stop money laundering and financing of terrorism.


Most legal requirements and practical actions put in place by the authorities ensure a satisfactory level of transparency of legal persons, arrangements, and their beneficial owners ("BO").


The report acknowledges that the private sector demonstrated a substantial level of effectiveness in applying the money laundering (ML) and terrorist financing (TF) preventive measures, including customer due diligence and internal controls. Positive conclusions have been drawn on Poland’s capacity to co-operate internationally.


However, further improvements are needed to enhance the country’s capacity to understand ML threats emanating from certain types of predicate offences, given that authorities did not display a comprehensive view of the factual and potential amounts of criminal proceeds. More efforts are needed to ensure a uniform and comprehensive understanding of ML/TF vulnerabilities and appropriate identification and reliable assessment of TF risks.


While the Polish Financial Intelligence Unit is a key source of financial intelligence, with full access to a wide variety of information from the private and public sectors, the results of their analysis are not sufficiently exploited at the investigative stage. MONEYVAL encourages Poland to take procedural and institutional measures to ensure that ML is detected and investigated efficiently, including by adopting a coherent practice in tasking law enforcement agencies with ML investigations, and detailed guidelines on effective parallel financial investigations. Fundamental improvements are needed regarding the seizure and confiscation of proceeds of crime from ML and associated predicate offences.


Moreover, the authorities should take measures to clarify that terrorism financing is a stand-alone crime and not a by-product of terrorism in terms of risk and criminalization. The cash control mechanisms at the border should be strengthened by providing a legal basis to stop and restrain suspicious assets. A specific risk assessment on the NPO sector’s exposure to TF risks should be conducted, and targeted measures should be applied for those entities which are more vulnerable to TF abuse.


Poland should address the existing gaps in relation to preventing criminal control of obliged institutions and provide resources to allow for the comprehensive exercise of those controls and supervision. This should include additional domestic coordination to ensure that supervision by each individual authority is risk-based and effective.


Finally, the report states that a supervisory system, including a sanctioning regime, on proliferation financing must be urgently put in place.


Regulatory Body?


The Polish Financial Supervisory Authority (Komisja Nadzoru Finansowego; abbr.: KNF), which supervises the financial market in Poland, including the AML/CFT area.


Who regulates banks in Poland?


The Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) is the financial regulatory authority in Poland, responsible for supervision of the financial market, which includes oversight over banking, capital markets, insurance, pension schemes, and electronic money institutions.


The basics: CFT / UBO / KYC


1. AML Policy in Poland

Every obligated institution in Poland must have and comply with an internal anti-money laundering and counter-terrorist financing procedure.


AML obliged institutions cover:

*Domestic banks

*Branches of foreign banks

*Branches of credit institutions

*Financial institutions having their registered office in Poland

*Branches of financial institutions not having their registered office in Poland

*Cooperative savings and credit funds and the National Cooperative Savings and Credit Fund

*Domestic payment institutions

*Branches of EU payment institutions

*Domestic electronic money institutions

*Small payment institutions

*Branches of EU and foreign electronic money institutions

*Payment services bureaus and settlement agents

*Investment firms

*Custodian banks

*Branches of foreign investment firms

*Foreign entities conducting brokerage activities

*Investment funds

*Alternative investment companies

*Investment fund companies

*ASI managers

*Intermediaries to crypto exchange

*Branches of management companies and branches of EU managers located in Poland

*Insurance companies

*Providers of exchange between virtual currencies and means of payment

*Entrepreneurs conducting currency exchange (kantor) activities


A detailed catalog of obliged institutions is indicated in Article 2 (1) of the AML/CFT Act. 


The minimum provisions of the internal AML/CFT procedure (AML policy) shall include a determination of:


*the activities or actions taken with the aim of mitigating the risk of money laundering and terrorist financing as well as appropriate management of the identified risk of money laundering and terrorist financing;


*the rules for recognizing and assessing the risk of money laundering and terrorist financing associated with the given business relationships or an occasional transaction, including the rules for verifying and updating previously made assessments of the risk of money laundering and terrorist financing;


*the measures applied for the purpose of appropriate management of the recognized risk of money laundering or terrorist financing associated with the given business relationships or an occasional transaction;


*the rules for the application of financial security measures;


*the rules for storing documents and information;


*the rules for the fulfillment of the obligations, including providing the General Inspector with information on transactions and notifications;


*the rules for disseminating among employees of an obliged institution knowledge in the field of the provisions on combating money laundering and terrorist financing;


*the rules for reporting by employees of actual or potential breaches of the provisions on combating money laundering and terrorist financing;


*the rules for internal control or supervision of compliance of activity of an obliged institution with the provisions on combating money laundering and terrorist financing as well as the rules of conduct determined in the internal procedure;


The UBO 


*the rules for noting discrepancies between the information gathered in the Central Register of Beneficial Owners and the information on beneficial owners of the customer in connection with the application of the Act;


*the rules for documenting impediments determined in connection with verification of the identity of the beneficial owner, as well as activities undertaken in connection with the identification, as the beneficial owner, of a natural person holding a senior management position.


The RBA 


A risk-based approach means that countries, supervisory authorities and, most importantly, obliged institutions assess and understand the money laundering and terrorist financing risks they face and take risk mitigation measures commensurate with the level of those risks.


The risk-based approach is a fundamental principle to be followed by the obligated institutions in their operational activities and comes down to the fact that it is the obligated institution that decides how it should apply financial security measures. At the same time, the assessment and measures adopted must be explainable by the obligated institution in accordance with the principle of accountability.


In practice, the Polish RBA consists of:


*preparing risk assessments at the level of individual obligated institutions, at the national level and at the European level,

*deciding, on the basis of a prepared and ongoing risk assessment, about the scope and intensity of the financial security measures applied. Each obliged institution independently decides which financial security measures and at what intensity it will apply to a given client, which means that it bears full responsibility for selecting these measures in a manner commensurate with the situation. In the case of control or supervision, the obliged institution will have to prove that, in the light of the circumstances surrounding the given client, the financial security measures applied were adequate to the diagnosed risk,

*the possibility of using enhanced or simplified financial security measures, depending on the circumstances.

It should be borne in mind that the risk-based approach is not a zero-one approach, meaning “zero failure”. Indeed, there may be situations where an obliged institution has taken reasonable AML/CFT measures to identify and mitigate risks, but has nonetheless been used for purposes contrary to the Act (FATF Guidelines on a risk-based approach to money or value transfer services – https://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-RBA-money-value-transfer-services.pdf).


Nor should obligated institutions try to avoid risk altogether by massively severing relationships with clients in certain sectors. Indiscriminate denial of services or discontinuation of services to a particular group of customers may result in the risk of financial exclusion, and may also result in reputational risk.


The Financial Action Task Force (FATF – the intergovernmental organization established to combat money laundering and terrorist financing) recommends that obligated institutions consider the level of risk for each individual customer and any applicable risk mitigation measures. 

The EBA assumes that the risk associated with each type of customer group is not static and it is expected that within a given customer group, based on various factors, individual customers can also be classified into risk categories such as low, medium or high risk, as appropriate. Risk mitigation measures should be applied accordingly.


3. Risk assessment of an obliged institution in Poland – AML requirements


Risk assessment is the most important part of an obligated institution’s efforts to prevent money laundering and terrorist financing. This is because it is the starting point for building internal procedures, creating business relationships with clients and administrative responsibility of the obliged institution. Issues concerning risk assessment have been shaped both by Polish law, as well as by supervisory authorities, such as the Polish Financial Supervision Authority (UKNF position on risk assessment of an obliged institution of April 15, 2020) and the General Inspector of Financial Information (Notification no. 36 on risk assessment of an obliged institution).


According to the GIIF release, the following points should be noted:


*the obliged institution assesses 2 types of risks:


(i) a “general risk assessment” of money laundering and terrorist financing relating to the obliged institution’s general activities, and


(ii) a “case-by-case risk assessment” which relates to the identification and assessment of money laundering and terrorist financing risks relating to the obliged institution’s specific and individual business relationship with a customer or to a specific and individual occasional transaction,

*conclusions resulting from individual risk assessments should influence ongoing updates to the overall risk assessment,

*the overall risk assessment must necessarily be tailored to the nature and scope of the activities carried out by the obligated institution,

*using generic templates without carefully tailoring them to the specific and individual nature and scope of the business exposes the obligated institution to charges of failing to comply with a statutory obligation.

3.1 Scope of risk assessment

The minimum scope of the risk assessment of obliged institutions is regulated in Article 27 of the AML Act of Poland and includes the following factors:


-customers,

-countries or geographic areas,

-products,

-services,

-transactions or their delivery channels.


The above factors should be subject to analysis, the scope and complexity of which should depend on the nature of the activities of the obligated institution and the scale of those activities.


As the catalog of factors subject to risk assessment is open, UKNF states in its position quoted above that obliged institutions may extend this minimum scope and undertake additional analysis including, for example:


IT tools and systems used by the obligated institution (e.g., systems supporting the transaction analysis process, systems for verifying customers against sanction lists, etc.),


the degree of dependence of the obligated institution in the area related to AML on external suppliers,


outsourcing of AML-related processes,


the adequacy of the organizational structure and number of staff responsible for performing AML/CFT duties in relation to the identified risk,


scale of turnover of employees and management of units responsible for AML processes,

the effectiveness of the internal control system and its adequacy in relation to the size of the obligated institution,


the effectiveness of the AML training system,


changes in business operations planned by the obligated institution,


expected changes in the structure and number of customers, revenues, transaction volumes, etc.,


planned changes in the organizational structure of the obligated institution,


planned activities resulting from the strategy of the obligated institution, in particular planned mergers and acquisitions or changes in the ownership structure of the obligated institution,


the ability to ensure continuity of AML processes in the event of crisis situations beyond the control of the obligated institution,


significant changes in the legal environment related to anti-money laundering and terrorist financing.


Moreover, the analysis should also take into account elements indicating a higher risk of money laundering and terrorist financing, an open catalog of which was included by the legislator in Article 43 (2) of the AML Act.


While analyzing risk, obligated institutions may be guided by:


National Risk Assessment,


European Commission’s report on risk assessment on money laundering and terrorist financing,

Results of audits, both internal and external,

Internal documents of the obliged institution,

Procedures and documents developed by other institutions within the same group,

Expertise,

Positions or announcements of relevant authorities, such as the Polish Financial Supervision Authority (UKNF), the General Inspector of Financial Information (GIIF), the National Bank of Poland,

Studies by the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), the European Securities and Markets Authority (ESMA),

Studies of industry institutions operating within the areas supervised by UKNF,

Studies of international institutions dealing with money laundering, in particular Financial Action Task Force (FATF), Moneyval, United Nations.


3.2 Risk assessment methodology


The Polish legislator does not indicate a specific methodology to be applied in the course of preparing a risk assessment. Among others, obliged institutions may use:


(i) quantitative methods, consisting in determining the value of effect and probability of materialization of a given risk,

(ii) qualitative risk assessment, which is an individual assessment based, inter alia, on good practices and experience, as well as

(iii) mixed methods, using elements of qualitative and quantitative methods.

A description of the methodology should be one of the elements of the risk assessment. However, UKNF expects that the minimum standard of the methodology will include 4 elements:


an assessment of the inherent risk, i.e. the risk that exists in the absence of actions taken to reduce the likelihood of the risk occurring and/or to reduce its effects, for each risk factor listed in Article 27(1) of the AML Act,

identification of risk mitigants and evaluation of their effectiveness,

assessment of residual risk, i.e., the risk remaining after risk control procedures, mitigants, and their effectiveness have been implemented,

actions planned by the obligated institution to manage residual risk (if planned).

After assessing the inherent and residual risks associated with each risk factor, the obligated institution should determine the entity’s final vulnerability to money laundering and terrorist financing risks.


When the outcome of the risk assessment results in the identification of areas requiring correction, or the level of residual risk exceeds the entity’s risk appetite, the obligated institution should indicate the actions it will take to address the identified deficiencies or to reduce the risk to an acceptable level. In addition, the obligated institution should develop a schedule and an indication of the entity responsible for implementing the planned actions and include this in the risk assessment.


3.3 Documenting the risk analysis

According to Article 27(3) of the AML Act, the risk assessment should be prepared in paper or electronic form.


The risk analysis should be updated:


(i) not less frequently than every 2 years,

(ii) in the event of changes in risk factors relating to customers, countries or geographical areas, products, services, transactions or their delivery channels or documents,

(iii) as suggested by the UKNF, in the event of significant and long-lasting changes in the economic environment that may have a significant impact on the operational activities of the obliged institution and the manner in which its products and services are used.

Whenever the risk analysis is updated, the institution should simultaneously assess the timeliness and appropriateness of the methodology used to develop the risk assessment and the implementation of the actions that have been taken by the obligated institution to manage the residual risk identified in the risk assessment.


3.4 Validation of risk assessment

Pursuant to Article 7 of the Polish AML Act, within an obliged institution, a person shall be designated from among the members of the management board to be responsible for the implementation of the obligations set forth in the Act. Accordingly, the person designated on this basis should approve the risk assessment and its update each time.


The risk assessment should be presented to the management and supervisory board of the obliged institution, if any, as it is a document containing up-to-date information about the institution’s risk exposure, identified threats and gaps in the AML process and planned actions to manage the residual risk. UKNF pays particular attention to the risk assessment and its updates being approved by the management board and the supervisory board when:


the risk level of the obligated institution is determined to be high,

the level of risk deviates from the institution’s risk appetite,

large-scale actions are planned to effectively manage residual risk.


3.5 Most common errors

The experience of the inspections conducted by the UKNF indicates that among the most common mistakes made by obliged institutions were:


omission of certain risk factors,

failure to indicate the final conclusions of the risk assessment,

lack of a schedule of planned activities of the obligated institution to mitigate the risk or unreasonable deadlines included in the schedule of activities,

misunderstanding the difference between inherent and residual risk,

inappropriate selection of methodologies that do not take into account risk factors that are important from the point of view of the obliged institution or that define vulnerability to risk in a way that is inadequate for the scale and type of activity.


3.6 Consequences of not producing a risk assessment or updating it

Failure by an obligated institution to prepare a risk assessment and its update is subject to administrative and legal liability and is punishable by an administrative penalty, including a fine.


4. AML officer duties and responsibilities in Poland (AMLO and MLRO)

The Polish AML Law introduces an obligation for an obligated institution to appoint an AML and terrorist financing officer. Such a person should have a managerial status and will be responsible for ensuring compliance of the entire institution with the provisions of the Polish AML Law and, in addition, for reporting the notifications referred to in the aforementioned Act to the Financial Intelligence Units.


Violation of the obligation to appoint an AML officer is subject to administrative penalties for the obligated institution.


4.1 AMLO Officer (MLRO) Responsibilities

The scope of AMLO (MLRO) activities can be divided into three groups:


1. (statutory obligation) ensuring compliance of the activities of the obliged institution and its employees and other persons performing activities for the benefit of this obliged institution with the provisions on anti-money laundering and terrorist financing (performance of tasks of a security guarantor),

2. (statutory obligation) submitting on behalf of the obliged institution the notifications referred to in Article 74(1) AML Act (notifying the GIIF of circumstances that may indicate a suspicion of money laundering or terrorist financing), Article 86(1) AML Act (notifying the GIIF in the event of a justified suspicion that a specific transaction or specific assets may be related to money laundering or terrorist financing), Article 89(1) AML Act (notification to the competent prosecutor in the case of a justified suspicion that property values being the subject of a transaction or accumulated on the account come from an offence other than money laundering or terrorist financing or a fiscal offence, or are connected with an offence other than money laundering or terrorist financing or a fiscal offence), and Article 90 AML Act (notification to the GIIF of a suspicious transaction in the situation where the obliged institution had no possibility of prior notification of the transaction before its execution),

3. performing other tasks related to AML/CFT, e.g. supervising and verifying the risk-based AML/CFT assessment, preparing the internal AML procedure, organizing external trainings for designated employees, self-education, participation in courses, trainings, symposia, meetings etc. related to AML/CFT, cooperation with the prosecutor’s office and services which are cooperating units (Police, ABW, CBA, KAS) – the above in accordance with the internal system of the obliged institution.

Depending on the internal structure of the obligated institution, the duties set forth in 1 – 3 above may be organized under a single position or may be performed by different individuals.


For the purposes of this compilation, a person performing all of the above functions will be referred to as an AMLO for short.


In the case of division of duties to different managerial staff, we can speak of the position of AML Compliance Officer (AMLO) and Money Laundering Reporting Officer (MLRO) respectively. The nomenclature is, of course, of little relevance to the functioning of the AML system in obliged institutions. However, it is important to clearly define the duties of such a person in the entity’s internal AML procedure and to regulate in detail the relationship between the obliged institution and the employee (the scope of duties should be indicated in the employment contract/civil law agreement).


4.2 Is holding an executive position the same as being a board member?

No. A clear distinction should be made between the concept of a management position and a member of the management board, which is a qualified concept in relation to an AML officer. The AML legislation imposes the obligation to appoint, on the one hand, an AMLO (a management position – under Article 8 of the AML Act) and, on the other hand, a member of the management board responsible for implementing the statutory obligations in the obliged institution (a person elected from the governing body – under Article 7 of the AML Act). The purpose of such an arrangement is to cause the AML officer to have an adequate reporting channel to the persons responsible for the management of the obliged institution, as well as adequate independence in performing the tasks entrusted to him. It is good practice for the AML risk management system of an obliged institution to have a triple line of defence.


AML’s first line of defense: operational employees,

the second line of AML defense: an AML officer functioning within the chief compliance officer (CCO) or within a division reporting directly to the CCO,

AML’s third line of defense: internal audit.

4.3 Criminal and administrative liability of AML Officer

Violation of the AML Officer’s obligations (as indicated in Articles 147 and 148 of the Polish UAML) is punishable by a fine of up to PLN 1,000,000 (administrative liability).


An AML Officer is liable to a penalty of imprisonment from 3 months to 5 years for:


(i) failure to notify the General Inspector of circumstances that may indicate a suspicion that money laundering or terrorist financing has been committed, or failure to notify the General Inspector of a reasonable suspicion that a specific transaction or assets subject to such transaction may be related to money laundering or terrorist financing, or

(ii) provision to the General Inspector of false or concealed data on transactions, accounts or persons.

In the case of an unintentional act, he shall be liable to a fine.

4.4 Is the appointment of an AML officer mandatory under Polish law?

Yes. Pursuant to the Polish AML Law (Art. 147), an obliged institution that fails to appoint an AML and terrorist financing officer commits an administrative tort and is subject to an administrative penalty, i.e.:


publication of information on the obliged institution and the scope of violation of the Act by this institution in the Public Information Bulletin on the website of the office serving the minister responsible for public finance,

an order to stop the obligated institution from taking certain actions,

withdrawal of a concession or permit or removal from the register of regulated activities,

prohibiting a person responsible for a violation of the Act by an obligated institution from performing duties in a managerial position for a period not exceeding one year,

fine.

5. Who according to the Polish AML Law is a Politically Exposed Person (PEP)?

Pursuant to the Polish AML Law, Politically Exposed Persons (PEP) are defined as natural persons who perform significant public functions or occupy significant public positions. The circle of PEP does not include persons holding middle and lower level positions. A detailed catalog of PEPs is provided in Article 2.2.11 of the AML Law. It should be noted that this is an open catalog.


If an obliged institution determines that its customer or the customer’s beneficial owner is a PEP, additional obligations arise on its side in respect of the applied financial security measures. Importantly, Polish law does not prohibit the provision of services to clients with PEP status.


5.1 AML Procedures for PEP

The definition of PEP should apply both to a person who currently holds a prominent public position and to a person who has held that position in the past. During the period from the date on which a person ceases to hold a politically exposed position until the date on which it is determined that no higher risk is associated with that person, but for no less than 12 months, the obligated institution shall apply measures to such person that take into account that risk.


The primary responsibility of any obligated institution in its relationship with a PEP is to determine whether the customer or beneficial owner is a PEP. The primary method used by most obligated institutions is to collect statements from clients as to their status. It is recommended that the statements include a provision confirming awareness of the client’s criminal liability for making a false statement. Other ways of verifying clients/beneficial owners in the context of their status include analysis of databases provided by commercial entities and examination of publicly available records and information.


It should be noted that for obliged institutions whose business profile does not pose a higher risk of money laundering or terrorist financing related to the handling of PEPs, it should be sufficient to collect the statement instead of verifying all customers in commercial databases.


Second, obligated institutions must obtain senior management approval to enter into or continue a business relationship with a politically exposed person. Care must be taken to document such approval.


The next action is to determine (i) the source of the client’s assets and (ii) the source of the assets at the client’s disposal in the course of a business relationship or transaction.


As regards the sources of a client’s assets, an obliged institution should rely on publicly available sources of information (asset declarations submitted by PEPs), information from commercial databases and other sources (if it has access to them and the scale of operations of the obliged institution allows it) or information obtained from the client itself.


In relation to PEP, it is also necessary to intensify the ongoing monitoring of economic relations consisting of:


analysis of transactions conducted in the course of a business relationship to ensure that the transactions are consistent with the obligated institution’s knowledge of the customer, the nature and scope of the customer’s business, and consistent with the money laundering and terrorist financing risks associated with that customer,

examination of the source of origin of property values being at the disposal of the client – in cases justified by the circumstances,

ensuring that documents, data or information held about the business relationship are kept up to date.

5.2 Family members and persons known to be close associates of PEP

An obligated institution shall also apply the aforementioned obligations to persons who are family members of a person with PEP status or persons known to be close associates of a person with PEP status.


PEP family member means:


spouse or person cohabiting with a politically exposed person,

a child of a politically exposed person and his or her spouse or cohabitant,

parents of a politically exposed person.

In contrast, individuals known to be close associates of PEP are:


natural persons who are the beneficial owners of legal persons, unincorporated organizational units or trusts jointly with a politically exposed person or who have other close business relations with such person,

individuals who are the sole beneficial owner of a corporation, unincorporated business entity, or trust known to have been created for the purpose of obtaining an actual benefit from a politically exposed person.

6. Verification of beneficial ownership and AML

As a result of the amendment to the AML and CFT Act introduced in Poland in 2021, obliged institutions (such as banks, financial institutions, small payment institutions, domestic payment institutions, entrepreneurs offering currency exchange services, lending institutions or entities operating with virtual currencies) are obliged to both identify and verify the beneficial owners of their clients.


In addition, starting in 2021, obligated institutions must put in place procedures for noting discrepancies between information collected in the Central Register of Beneficial Owners and established information about a customer’s beneficial owner and plan a system for taking action to resolve the reasons for these discrepancies.


6.1 Process for full verification of the beneficial owner

According to Article 61a (1) of the Polish AML Law, an obliged institution must take the following steps to properly verify the beneficial owner (hereinafter also: “UBO”) of its customer:


identify the beneficial owner (by name and surname; nationality; Personal Identification Number (PESEL) – or if none has been issued, date and country of birth; series and number of the identity document; address of residence; and if that person also conducts business activity – then the name (business name) of such activity, its Tax Identification Number (NIP) and the address of its main place of activity),

take steps to establish the structure of ownership and control – in the case of a client who is a legal person, an organizational unit without legal personality or a trust (in particular, ask the client to describe such structure in detail; and to provide the obliged institution with documentation – for example, a memorandum of association or an agreement on the transfer of shares of the company),

identify and record discrepancies between the information collected in the CRBR and the established information about the customer’s beneficial owner (the obligated institution’s internal procedure should include rules for recording discrepancies),

take actions to clarify the reasons for discrepancies – in accordance with the latest recommendations of the GIIF, it is recommended to contact the customer in order to (i) clarify the way the customer determined the beneficial owner, (ii) clarify the way the customer determined the ownership and control structure, clarify whether the way the obliged institution determined the beneficial owner and the ownership and control structure of the customer was correct, (iii) clarify the reason why the customer considered the person to be the beneficial owner, (iv) collect new information and documents,

confirm the discrepancies noted – i.e., for example, (i) confirm that the obligated institution did not make an error in determining the beneficial owner and the customer’s ownership and control structure, (ii) confirm, to the extent possible, that the CRBR’s beneficial owner information is not correct, (iii) confirm the reasons for the discrepancy, (iv) determine whether the discrepancy is apparent or actual,

prepare a justification of discrepancies – in this respect the General Inspector of Financial Information points out that the Polish obliged institution should: (i) indicate and document what actions it took to identify and verify the beneficial owner and the ownership and control structure of the customer, (ii) what information and documents were the basis for the institution’s determination of the beneficial owner of the customer and the ownership and control structure of the customer, (iii) what information or documents were the basis for the discrepancies, (iv) what actions the institution took to confirm the noted discrepancies, (v) what information the institution received in the course of confirming the noted discrepancies, (vi) what conclusions were drawn from the analysis of the information and documents collected, (vii) the reasons the obligated institution concluded that the discrepancy was factual in nature,

transmit to the competent authority verified information on these discrepancies, together with the justification and the documentation of the recorded discrepancies (communication with GIIF is done in electronic form).

6.2 Practical remarks of the GIIF on verification of the UBO

The GIIF notes the following:


failure to report beneficial owner information in CRBR is a discrepancy,

recording discrepancies cannot consist only in a simple and mechanical comparison of information gathered in the CRBR with the client’s KRS excerpt – an obliged institution should verify other documents – for example, the company’s agreement or the agreement on the transfer of company shares,

obliged institutions are not obliged to compare the information on persons authorized by law who have made a notification to the CRBR with the data of persons comprising the body authorized to represent the entity (indicated in the extract from the National Court Register),

obligated institutions should not transmit to the competent authority:

unverified discrepancy information,

information without justification or with a perfunctory explanation,

information about possible minor typing errors in the CRBR (for example, an obvious typo in the beneficiary’s name),

information about possible inaccuracies in the client’s KRS transcript (for example, an immaterial error in the value of the client’s shares),

information about failure to report information in CRBR by entities not required to make such reports (for example, an ordinary association),

information about inaccuracies that do not affect the determination of the actual beneficiary (for example, failure to include the beneficiary’s middle name).

6.3 Lack of adequate internal policies for UBO verification – implications

From 2021, each obliged institution must introduce in its internal AML and terrorist financing procedure rules for noting discrepancies between the information collected in the Central Register of Beneficial Owners and the information on the customer’s beneficial owners determined in connection with the application of the Act. Such obligation is imposed on the entity by Article 50(1)(10) of the AML Law. Such procedure shall be approved by the management board (senior management) of the obliged institution before coming into force.


Penalties for failure to have a complete AML procedure

Fine: a financial penalty (the amount of which varies depending on the obliged institution) of up to EUR 5,000,000 or up to 10% of the turnover shown in the last approved financial statements for the financial year

Ban on managers: ban on the person responsible for the obliged institution’s violation of the Act from performing duties in a managerial position for a period not exceeding one year

License revocation: withdrawal of the license or permit or removal from the register of regulated activities

Public announcement: publication of information on the obliged institution and the scope of the breach of the Act by the institution in the Public Information Bulletin on the website of the office that serves the minister responsible for public finance

Order to limit activity: an order to cease certain activities by the obliged institution

Responsibility of an obliged institution for violation of the AML Law in Poland

If an obligated institution fails to comply with its obligations under the AML Law, it may be subject to an administrative penalty. It should be noted that the potential penalty threatens not only the obliged institution itself, but also members of its management board, senior management (as defined in Art. 6 of the AML Law), as well as employees in a managerial position whose responsibilities include ensuring that the activities of the obliged institution and its employees and other persons performing activities for the obliged institution comply with the provisions of the Act (Art. 8 of the UAML).


The grounds for imposing an administrative penalty are detailed in Articles 147 – 149 of the AML Law, and the most common include:


failure to prepare a risk assessment on money laundering and terrorist financing relating to the activities of the obliged institution and failure to update it, which should be prepared at least every 2 years,

failure to apply financial security measures, including, but not limited to, recognizing the risk of money laundering and terrorist financing by the obligated institution with respect to business relationships, the obligated institution, or occasional transactions,

failure to implement an internal procedure for anonymous reporting of anti-money laundering and counter-terrorist financing violations,

failure to provide notices of suspected money laundering or terrorist financing (SAR filings),

failure to comply with disclosure obligations.

Administrative penalties are imposed by decision of the General Inspector for Financial Information, the President of the National Bank of Poland and the Polish Financial Supervision Authority. When imposing a penalty, the competent authority takes into account factors that influence the penalty, including the gravity and duration of the breach, the financial capacity of the obligated institution, the scale of profits gained by the entity, losses incurred by third parties in connection with the breach, the degree of cooperation of the obligated institution with the competent authorities in anti-money laundering matters, as well as whether the entity has previously committed a breach of the AML Law provisions.


The catalog of administrative penalties for AML infringements in Poland

Public announcement: publication of information on the obliged institution and the scope of the violation of the Act by the institution in the Public Information Bulletin on the website of the office that serves the minister in charge of public finance (which involves the risk of a loss of reputation by the obliged institution, which in turn may adversely affect its position in the market)

Order to limit activity: an order to stop the obligated institution from taking certain actions

License revocation: withdrawal of a concession or permit or striking off the register of regulated activities

Ban on individuals: prohibiting a person responsible for a violation of the Act by an obligated institution from performing duties in a managerial position for a period not exceeding one year


Pecuniary penalty (up to twice the amount of the benefit gained or loss avoided, with the maximum pecuniary penalty being EUR 1,000,000). In the case of obliged institutions that are banks, credit institutions, cooperative savings and credit unions, domestic payment institutions, small payment institutions, investment firms and other entities referred to in Art. 2.1.1-5, 7-11, 24 and 25 of the AML Law, the fine is higher and amounts to, respectively, up to EUR 5,000,000 (or up to 10% of the turnover shown in the last approved financial statement) for legal persons and up to PLN 20,868,500 for natural persons.

In justified cases where (i) the gravity of the breach is negligible and the obliged institution has ceased the breach, or (ii) another authorised public administration body has already imposed a penalty on the obliged institution for the same behaviour or the obliged institution has been validly punished for a misdemeanour or fiscal misdemeanour or validly convicted of a crime or fiscal offence and the previous penalty meets the objectives for which the administrative penalty was to be imposed, the above-mentioned bodies may refrain from imposing such an administrative penalty. This occurs by decision and is a power, not an obligation of the authority.


Particular attention should be paid to the obligation of commercial companies to report information on beneficial owners and to update such information within 7 days from the date of entry in the National Court Register or change in the data. The financial penalty in this case is up to PLN 1,000,000.


Under the Polish AML Law, a beneficial owner who fails to provide an obligated institution with all the information and documents necessary for notification/updating to the CRBR is subject to a fine of up to PLN 50,000. The new provisions of the AML Law also provide for a pecuniary penalty of up to PLN 100,000 for entities (i) conducting activities for companies or trusts without obtaining an appropriate entry in the register of such activities and (ii) conducting virtual currency activities without first obtaining an entry in the relevant register.


Polish law permits imposition of penalties on persons who perform management functions in obliged institutions, i.e. members of senior management (Art. 6 of the UAML), the person responsible for implementing the obligations set forth in the act (Art. 7 of the AML Law) and the employee responsible for supervising compliance of the obliged institution with the regulations (Art. 8 of the AML Law). The above-mentioned individuals may be fined up to PLN 1,000,000 if an obliged institution they manage is found to have violated the obligations set forth in Art. 147 and 148 of the AML Law.


8. KYC in Poland – practical differences between EDD and CDD


As a principle, Poland has introduced an obligation to apply financial security measures to the customers of the institution. The Polish AML Law provides that the scope and intensity of financial security measures should be adjusted by the obliged institution to the identified risk of money laundering or terrorist financing.


This means that obliged institutions always apply all basic financial security measures and, depending on the identified risk, adjust their intensity, i.e. apply simplified or enhanced financial security measures.


8.1 Catalogue of basic financial security measures

According to Article 33 of the Polish AML Law, basic financial security measures include:


customer identification and verification of customer identity;

identification of the beneficial owner and taking reasonable steps to:

verify his identity,

determine the structure of ownership and control – in the case of a client who is a legal person, an organizational unit without legal personality or a trust,

evaluation of the business relationship and, as appropriate, obtaining information on its purpose and intended nature,

ongoing monitoring of client business relationships, including:

analysis of transactions conducted in the course of a business relationship to ensure that the transactions are consistent with the obligated institution’s knowledge of the customer, the nature and scope of the customer’s business, and consistent with the money laundering and terrorist financing risks associated with that customer,

examination of the source of origin of property values being at the disposal of the client – in cases justified by the circumstances,


ensuring that documents, data or information held on business relationships are kept up to date.

An obliged institution, on the basis of a customer risk assessment, may apply simplified or enhanced financial security measures in accordance with the risk-based approach principle.


8.2 Simplified due diligence financial security measures


On the basis of a risk assessment of a given client, obliged institutions may apply simplified due diligence (SDD) measures. It is important to be aware that the application of SDD is the prerogative of the institution, and in no case mandatory. Therefore, even when an obligated institution identifies a lower risk of money laundering or terrorist financing, it may still apply the full range of financial security measures.


At the same time, even if SDD is applied, Polish law does not provide for the possibility of waiving any of the security measures. The exception is Article 38 of the UAML. It follows from the above that lower intensity of the applied financial security measures should be understood in particular as the use of only the customer’s declaration regarding the beneficial owner, reducing the intensity of monitoring business relationships, or updating customer information.


8.3 SDD catalog

There is no SDD catalog in the Polish AML Law or in EU regulations. The primary examples of SDDs are identified by the FATF in Recommendation 10:


verification of the identity of the customer and the beneficial owner after a business relationship has been established (e.g., if account transactions exceed a certain monetary threshold),

reduction in the frequency of customer identification updates,

reduction in the degree of ongoing monitoring and control of transactions, based on a reasonable monetary threshold,

omitting to collect certain information or take certain actions to understand the nature of the business relationship, and inferring the purpose and nature based on the type of transaction or business relationship the customer has established.

Extended examples of SDD can be found in the Joint Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on simplified and enhanced customer due diligence measures and factors to be taken into account by financial institutions when assessing the risk of money laundering or terrorist financing in connection with individual business relationships and occasional transactions of 4 January 2018, published by EBA, ESMA and EIOPA (pp. 18-20), according to which:


Simplified due diligence measures that companies may use include, but are not limited to, those listed below:


adjusting the timing of customer due diligence measures, for example, if a product or transaction has features that limit its ability to be used for money laundering or terrorist financing purposes, such as by:

verifying the identity of the customer or beneficial owner in the course of establishing a business relationship; or

verifying the identity of the customer or beneficial owner when the transaction exceeds a specified ceiling or after a reasonable period of time. Institutions must be confident that:

this will not de facto lead to an exemption from customer due diligence measures, meaning that firms must ensure that the identity of the customer or beneficial owner of the customer is ultimately verified,

the cap or time limit has been set at a reasonably low level (although, when it comes to terrorist financing, companies should keep in mind that a low cap alone may not be enough to mitigate risk),

they have implemented a system that can detect when a ceiling or time limit has been reached and

they do not defer customer due diligence measures or delay obtaining relevant customer information where applicable law, for example Regulation (EU) 2015/847 or national law, requires such information to be obtained immediately,

adjusting the amount of information obtained for identification, verification, or monitoring.


