How to Build an AML/CFT Compliance Programme for Crypto Exchanges in Poland (2026): Step‑by‑Step Checklist for VASPs

By Global Law Experts
– posted 1 hour ago

Understanding how to build an AML compliance programme for crypto exchanges in Poland is now a threshold requirement for any virtual‑asset service provider (VASP) that wants to operate, bank and scale in the Polish market. Poland’s anti‑money‑laundering framework rests on the Ustawa of 1 March 2018 on Counteracting Money Laundering and the Financing of Terrorism (the “AML Act”), which classifies entities dealing in virtual currencies as obliged institutions and subjects them to the full range of customer due diligence, transaction monitoring, record‑keeping and suspicious‑activity‑reporting obligations.

Compliance leads must now design programmes that satisfy both the domestic AML Act regime, overseen by the Generalny Inspektor Informacji Finansowej (GIIF), and the incoming MiCA/CASP supervisory expectations of the Komisja Nadzoru Finansowego (KNF), while also absorbing the practical impact of Poland’s 2026 Payment Systems Amendment on reporting and direct‑access licensing. This guide delivers the operational playbook the market has lacked: a single, step‑by‑step procedure covering eligibility, required documents, realistic timelines, costs and the most common pitfalls that delay go‑live.

Overview of the AML Compliance Process and Who It Applies To

Polish law draws a clear line between two regulatory labels that crypto operators will encounter. A VASP (Virtual Asset Service Provider) is the legacy designation under the AML Act; a CASP (Crypto‑Asset Service Provider) is the EU‑level classification introduced by the Markets in Crypto‑Assets Regulation (MiCA). During the current transition period, operators must hold a valid domestic VASP registration while simultaneously preparing the documentation needed for a future CASP authorisation under KNF supervision.

The AML requirements in Poland 2026 apply to every entity that, on behalf of third parties, provides exchange services between virtual currencies and fiat, exchange services between virtual currencies, custodial wallet services, or brokerage and transfer facilitation. The legal basis is set out in the consolidated text of the AML Act, which added dedicated provisions on virtual‑currency activities. GIIF, operating under the Ministry of Finance, serves as the national Financial Intelligence Unit (FIU) and the primary AML registration authority. KNF takes on the supervisory role for MiCA/CASP licensing and prudential reporting, including the new quarterly obligations introduced by the 2026 Payment Systems Amendment.

The practical effect of this dual‑track regime is that founders, general counsel and compliance officers must design a single AML/CFT programme capable of satisfying both the legacy GIIF registration requirements and the enhanced documentation and governance expectations that KNF will impose when CASP applications open.

Eligibility and Prerequisites for VASP Compliance in Poland

Before any AML compliance steps can begin, an exchange operator must confirm that the foundational prerequisites are in place. The following requirements apply to every entity offering exchange, custody or brokerage services for virtual currencies to third parties in Poland.

  • Corporate presence. The entity must be registered in Poland (or operate through a branch of an EU‑registered company) and appear in the National Court Register (KRS). A bare shelf company is insufficient; the KRS entry must reflect the actual business activity code covering virtual‑currency services.
  • Senior management fit‑and‑proper checks. Members of the management board and beneficial owners are subject to criminal‑record verification. The AML Act requires that no person convicted of certain categories of financial crime may serve in a senior management or compliance role at an obliged institution.
  • Appointment of an AML/CFT Officer (AMLRO). The entity must appoint a dedicated officer responsible for ensuring compliance with the AML Act. This person must have the seniority, resources and direct reporting line to the board necessary to carry out the role effectively. A formal board resolution appointing the AMLRO, together with a written job description, forms part of the evidence pack submitted to regulators and banking partners.
  • Compliance governance structure. An internal compliance function, or a clearly documented outsourcing arrangement, must be in place before registration. The function is responsible for risk assessment, policy drafting, training, monitoring and reporting.
  • Technical prerequisites. The entity must demonstrate, at a minimum, the capacity to perform automated transaction monitoring, sanctions and PEP screening, identity verification consistent with KYC requirements for crypto in Poland, and Travel Rule data exchange with counterparty VASPs. Wallet controls (cold‑hot separation, multi‑signature arrangements and withdrawal limits) must also be documented.

Collectively, these prerequisites answer the frequently asked question: What AML/KYC requirements must crypto exchanges meet in Poland? The answer is that every obliged institution must satisfy corporate, governance, personnel and technical thresholds before it may lawfully onboard its first customer.

Step‑by‑Step AML Compliance Procedure for Crypto Exchanges in Poland

The following seven‑step procedure translates the AML Act’s requirements into an operational sequence. Each step identifies the responsible owner, the key deliverables and a realistic duration. The summary table below the steps consolidates the AML timeline for onboarding in Poland at a glance.

Step 1: Conduct an AML/CFT Gap Analysis and Risk Assessment

Owner: Compliance / external AML consultant.

The starting point for any AML risk assessment checklist is a thorough mapping of the exchange’s business model against the risk factors specified in the AML Act. This exercise covers:

  • Customer type mapping: retail versus institutional, resident versus non‑resident, PEP exposure.
  • Channel risk: web, mobile, API‑only, peer‑to‑peer features.
  • Geographic risk: jurisdictions of customers, counterparty VASPs and fiat on/off‑ramp banks.
  • Product and token risk: privacy coins, decentralised finance (DeFi) integration, non‑fungible tokens (NFTs).

The output is a formal, written AML Risk Assessment document, signed by the AMLRO and countersigned by the CEO or a board member. This document must be treated as a living instrument and reviewed at least annually, or whenever the business model, product mix or regulatory environment changes materially.

Step 2: Draft Core AML/CFT Policies and Governance Documents

Owner: Legal + Compliance.

With the risk assessment complete, the next AML compliance step is to translate identified risks into enforceable internal policies. The minimum policy suite for a Polish crypto exchange includes:

  • AML/KYC/CFT Policy (master document).
  • Transaction Monitoring Policy and Rulebook.
  • Politically Exposed Persons (PEP) Policy.
  • Sanctions Screening Policy.
  • Travel Rule / VASP Data Sharing Policy.
  • Internal Reporting and SAR Policy (governing escalation to GIIF).
  • Record‑Keeping and Data Retention Policy.

Each policy must reference the specific provisions of the AML Act on which it is based, name the responsible officer, and set out the escalation and approval workflow. Industry observers expect that the policy drafting phase typically runs concurrently with the risk assessment and takes 3–6 weeks for a moderately complex exchange.

Step 3: Build Technical Controls and Onboarding Flows

Owner: CTO + Compliance.

Policies have no enforcement value without supporting technology. This step covers the integration and configuration of the systems that operationalise KYC requirements for crypto in Poland:

  • KYC provider integration. Select and integrate an identity‑verification vendor capable of handling Polish ID documents (dowód osobisty, passport), liveness checks and, for corporate clients (KYB), automated extraction of KRS and beneficial‑ownership data.
  • Sanctions and PEP screening. Configure real‑time screening against EU, UN and OFAC sanctions lists, plus national PEP lists. Set alert thresholds and false‑positive triage SOPs.
  • Transaction monitoring engine. Implement rule‑based and/or behaviour‑based monitoring. Typical rules cover unusually large transactions, rapid sequence patterns, structuring below reporting thresholds, and cross‑chain transfers involving high‑risk protocols.
  • Wallet controls. Document cold‑hot wallet separation, multi‑signature schedules, and withdrawal limits. Produce an IT security policy that covers key management, disaster recovery and penetration testing.
  • Travel Rule readiness. Implement a protocol or vendor solution for VASP‑to‑VASP data exchange, ensuring that originator and beneficiary information accompanies virtual‑asset transfers as required.

The technical build phase is typically the longest single step, ranging from 4 to 12 weeks depending on the complexity of the exchange’s product offering and the maturity of its existing technology stack.

Step 4: Prepare Regulator Filings and Register as a VASP

Owner: Legal.

Under the AML Act, entities dealing in virtual currencies must be entered on the register maintained by GIIF (or the relevant tax administration body for legacy registrations). The registration filing must include evidence of the AMLRO appointment, criminal‑record checks for senior management, the AML Risk Assessment, core policies, and proof of the entity’s KRS registration.

Document preparation typically takes 1–3 weeks; regulator processing times vary. Legacy VASP registrations remain relevant during the MiCA transition period; early indications suggest that holding a valid domestic registration will be a prerequisite for any future CASP application to KNF.

Even where KNF has not yet opened the national CASP application pathway, prudent operators should maintain a complete MiCA/CASP readiness pack (governance documents, capital adequacy evidence, complaints‑handling procedures and business continuity plans) so that the application can be submitted promptly once the process opens.

Step 5: Test Controls Through Pilot Onboarding and Independent Review

Owner: Compliance + Internal Audit / external reviewer.

Before going live, the exchange must validate that its controls work as designed. This step involves:

  • Conducting sample onboarding of test customers across all risk tiers (low, medium, high, PEP, corporate).
  • Running a SAR simulation: generating a synthetic suspicious‑transaction scenario, escalating it through the internal reporting chain, and producing a draft SAR for GIIF review.
  • Commissioning an independent review or audit of the AML programme. The AML Act mandates independent testing; this can be performed by an external compliance firm or, in larger organisations, by a separate internal audit function.

Allow 2–4 weeks for this phase, including remediation of any gaps identified during testing.

Step 6: Secure Bank Relationships and Complete Third‑Party Due Diligence

Owner: CEO / Legal.

Banking access remains one of the most significant practical bottlenecks for crypto exchanges in Poland. Polish banks routinely request a comprehensive evidence pack before opening accounts for VASP clients. The pack should include:

  • The signed AML Risk Assessment and master AML/KYC/CFT Policy.
  • Screenshots and documentation of the KYC onboarding flow.
  • Transaction monitoring rule documentation and sample alert‑triage outputs.
  • SAR escalation procedure and evidence of GIIF registration.
  • A business model and operations plan, including projected volumes and jurisdictional footprint.

Bank risk‑review timelines vary widely; 2 to 8 weeks is common, though some institutions take considerably longer. Beginning the bank relationship process in parallel with technical build (Step 3) can reduce total elapsed time.

Step 7: Go Live and Establish Ongoing Monitoring

Owner: Compliance / AMLRO.

Once the exchange is operational, the AML programme shifts to continuous execution. Ongoing obligations include:

  • Real‑time transaction monitoring and alert triage.
  • Periodic (at minimum quarterly) reviews of the AML Risk Assessment.
  • Annual independent testing of the entire AML programme, as required under the AML Act.
  • Regular AML training for all staff, with enhanced training for customer‑facing and compliance personnel.
  • Timely filing of SARs/STRs with GIIF whenever suspicious activity is detected.

AML Programme Implementation Timeline

| Step | Who Does It | Typical Duration |
|---|---|---|
| 1. AML gap analysis & risk assessment | Compliance / external AML consultant | 2–4 weeks |
| 2. Draft policies & governance (AML/KYC/CFT, SAR, Travel Rule) | Legal + Compliance | 3–6 weeks (concurrent with Step 1) |
| 3. Technical build: KYC integration + transaction monitoring | CTO + vendors | 4–12 weeks (complexity dependent) |
| 4. Prepare regulator filings / VASP register entry | Legal | 1–3 weeks document prep; regulator processing varies |
| 5. Pilot onboarding & independent review | Compliance + external auditor | 2–4 weeks |
| 6. Bank onboarding & operational go‑live | CEO / Legal / Compliance | 2–8 weeks (may be longer due to bank risk appetite) |
| 7. Ongoing monitoring & reporting | Compliance / AMLRO | Continuous; quarterly reviews and annual independent testing |

Required Documents Needed for AML VASP Compliance in Poland

The following table consolidates every document that a crypto exchange must prepare and maintain to demonstrate a defensible AML programme under the Polish AML Act. This checklist also serves as the evidence pack for GIIF registration, bank onboarding and future MiCA/CASP applications to KNF. Operators should treat it as a living inventory and review completeness at every programme milestone.

| Document | Notes |
|---|---|
| AML Risk Assessment (written) | Prepared by Compliance; signed by AMLRO and CEO. Living document; mandatory annual review at minimum. |
| AML/KYC/CFT Policy | Master internal policy signed by the board or CEO. Must include SAR procedures, enhanced due diligence triggers and record‑retention rules. |
| Customer Identification & KYC Procedures (individual + corporate KYB) | Screenshots of onboarding flows, ID‑verification provider reports, corporate extracts (KRS), and beneficial‑owner statements. |
| Transaction Monitoring Policy & Rulebook | Technical documentation of thresholds, risk‑scoring models, vendor rule descriptions, and alert‑triage SOPs. |
| SAR / STR Reporting Procedure and Forms | GIIF reporting template or internal SAR form; escalation matrix with named decision‑makers; retention schedule. |
| Travel Rule / VASP Data Sharing Policy | Process for VASP‑to‑VASP originator/beneficiary data exchange; encrypted transmission SOPs; vendor integration details. |
| Sanctions and PEP Screening Logs | Provider reports, screening policy document, false‑positive remediation logs, and list‑update schedule. |
| Independent Audit / Test Report | External AML audit results or independent internal‑audit report; penetration test results; annual testing schedule. |
| Governance Documents (org chart, AMLRO appointment) | Signed board minutes appointing the AMLRO; CVs; fit‑and‑proper declarations; compliance reporting lines. |
| Business Model & Operations Plan | Product‑flow diagrams, projected volumes, jurisdictional footprint, 3‑year forecasts. Used in bank and regulator reviews. |
| Bank Account Proof & Banking Onboarding Evidence | Bank letters of acceptance or account confirmation; AML due‑diligence response pack provided to the banking partner. |
| Data Retention & Record‑Keeping SOPs | Documented retention periods (minimum five years under the AML Act); secure‑storage proof; destruction schedules. |
| IT & Wallet Controls Documentation | Cold‑storage policies, multi‑signature schedules, transaction withdrawal limits, key‑management procedures, disaster recovery plan. |

Taken together, these documents form the core evidence pack that answers the question: What documents and policies are required to prove AML compliance? Operators who maintain every item on this list in an up‑to‑date, version‑controlled repository will be substantially better positioned for regulatory inspections, banking reviews and the eventual CASP application.

AML Timeline and Key Deadlines for Onboarding in Poland

Realistic planning requires operators to distinguish between internal build timelines (largely within the operator’s control) and external regulatory and banking timelines (which introduce variability). The implementation timeline table in the procedure section above shows that the internal build, from gap analysis through pilot testing, can typically be compressed to 10–16 weeks for a focused team, but external dependencies extend the overall elapsed time significantly.

| Filing / Milestone | To Whom | Typical Regulatory Timeline |
|---|---|---|
| Entry onto the Polish VASP register (legacy AML regime) | GIIF / relevant tax administration | Registration acknowledgement within weeks; substantive checks take longer. Legacy registrations remain relevant during MiCA transition. |
| MiCA / CASP readiness pack submission | KNF (when national enabling legislation and KNF process open) | Timing dependent on KNF; prepare complete CASP pack in advance (3–6 months preparation recommended). |
| Quarterly reports (if direct access to clearing systems required under the 2026 Payment Systems Amendment) | KNF / NBP | Quarterly; specific templates expected per the 2026 amendment. |
| Independent AML testing | Internal Audit / external provider | Annual; mandated by the AML Act. |

The most common sources of delay are bank risk reviews (which can extend well beyond 8 weeks for first‑time VASP applicants), independent audit scheduling (particularly during peak filing seasons), and regulator processing backlogs during transition periods. Operators should begin bank relationship discussions and independent‑audit procurement no later than the start of the technical‑build phase.

Costs, Fees and Tax Considerations for AML Compliance in Poland

Budgeting for an AML programme involves both one‑off implementation costs and recurring operational expenses. The table below provides indicative ranges based on practitioner estimates; actual costs vary with the complexity of the exchange’s product offering and transaction volumes.

| Item | Typical Amount (PLN / EUR) | Notes |
|---|---|---|
| AML programme drafting (legal + compliance templates) | PLN 20,000–80,000 (≈ EUR 4,200–17,000) | Depends on complexity and degree of bespoke policy work. |
| Transaction monitoring system (vendor + integration) | PLN 100,000–600,000+ (≈ EUR 21,000–125,000) | One‑off integration plus annual licence; costs scale by volume and rules complexity. |
| KYC/KYB onboarding provider (per user) | EUR 0.50–8.00 per check | Varies by depth: basic ID verification versus enhanced due diligence with liveness and KYB. |
| Independent AML audit / testing | PLN 15,000–60,000 (≈ EUR 3,200–12,500) | Annual engagement; scope‑dependent. |
| Legal / filing fees (regulatory pack) | PLN 5,000–40,000 | Covers legal advisory on filings and liaison with GIIF, KNF and banking partners. |
| Bank onboarding compliance evidence | Opportunity cost; legal assistance variable | Banks may require bespoke documentation, raising advisory costs further. |

Beyond programme costs, operators should account for standard Polish corporate tax and financial‑reporting obligations, including annual KRS filings, CIT returns and any VAT or withholding‑tax obligations arising from fee income. These are separate from AML programme costs but must be budgeted in parallel.

What Changes in 2026: the Payment Systems Amendment and MiCA Context

Poland’s 2026 Payment Systems Amendment introduces direct‑access rights that allow qualifying non‑bank fintech operators, including crypto exchanges that process fiat settlement, to access payment and clearing infrastructure previously reserved for banks. The amendment also imposes new prudential reporting obligations on entities exercising these access rights, including quarterly statistical reports to KNF and, where applicable, the National Bank of Poland (NBP).

For AML programme design, the 2026 amendment has several practical consequences. First, exchanges seeking direct clearing access must integrate quarterly AML‑related statistical reporting into their compliance calendars, using templates expected from KNF. Second, the evidence standards for demonstrating operational resilience and AML programme adequacy have been raised: non‑bank applicants must produce documentation at a level historically required only of licensed payment institutions. Third, the amendment interacts with the MiCA/CASP transition by creating an additional regulatory touchpoint that will likely overlap with KNF’s eventual CASP authorisation review.

The likely practical effect is that exchanges planning to operate fiat on‑ramps or payment‑processing flows in Poland should treat the 2026 amendment’s documentation requirements as an addendum to their existing AML programme. Operators who have already built the full document suite described in this guide will be well positioned; those who have not will face a compressed timeline to close gaps before the amendment’s reporting obligations take effect.

Common Pitfalls in Building an AML Programme and How to Avoid Them

  • Under‑documented customer onboarding. Retain screenshots, verification reports and rejection logs for every onboarding decision, not only approvals.
  • Insufficient corporate and PEP due diligence. Many exchanges apply retail‑grade KYC to corporate clients. Implement dedicated KYB procedures with UBO verification and PEP/sanctions checks on all beneficial owners.
  • Weak transaction monitoring rules. Generic vendor defaults are not sufficient. Calibrate rules to the exchange’s specific risk profile, token mix and customer base; document every calibration decision.
  • Lack of Travel Rule readiness. Failure to transmit originator and beneficiary data on qualifying transfers is a compliance gap that regulators and banking partners increasingly flag.
  • Missing SAR escalation evidence. Maintain a complete audit trail for every suspicious‑activity assessment, including decisions not to file, with named reviewers and time stamps.
  • Poor bank evidence packs. Present the AML programme to banking partners proactively, in an organised format. Incomplete or disorganised packs are the leading cause of delayed or refused bank accounts.
  • Absence of independent testing. The AML Act requires independent testing. Scheduling this as an afterthought leads to delays; build it into the project plan from the outset.
  • Poor record retention. The AML Act mandates retention of transaction and CDD records for a minimum of five years. Confirm that your data‑retention SOPs comply, including secure‑destruction schedules.
  • Inadequate AML training. All staff, not just compliance personnel, must receive role‑appropriate AML training on a regular schedule. Document attendance and content.
  • Gaps in sanctions screening. Ensure screening runs against current EU, UN and OFAC lists, with automated list updates. Test screening accuracy quarterly and log all results.

Conclusion

Building an AML compliance programme for crypto exchanges in Poland requires a disciplined, seven‑step process that moves from risk assessment through policy drafting, technical build, regulator filings, independent testing, bank onboarding and continuous monitoring. The AML requirements in Poland 2026 have been raised by both the Payment Systems Amendment and the approach of MiCA/CASP supervision under KNF, making a comprehensive and well‑documented programme more important than at any previous point. Operators who follow the procedure, maintain every document on the checklist and build 2026‑specific reporting into their compliance calendars will be positioned to register, bank and scale with confidence.

Those who have not yet begun the process should treat the steps in this guide as an immediate priority and seek qualified legal and compliance advice without delay.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Aaron Glauberman at LegalBison, a member of the Global Law Experts network.

FAQs

What AML/KYC requirements must crypto exchanges meet in Poland?

Under the AML Act, crypto exchanges must perform customer due diligence, appoint an AMLRO, conduct ongoing transaction monitoring, file SARs with GIIF, maintain records for at least five years and submit to annual independent testing. The full obligations are set out in the consolidated text of the Ustawa of 1 March 2018.

Entities must apply for entry onto the VASP register maintained by GIIF (or the relevant tax administration body for legacy registrations). The filing must include AML policies, the risk assessment, AMLRO appointment evidence and fit‑and‑proper declarations. A parallel CASP readiness pack should be maintained for KNF once the MiCA authorisation pathway opens.

The minimum document suite includes the AML Risk Assessment, AML/KYC/CFT Policy, transaction monitoring rulebook, SAR procedures, Travel Rule policy, sanctions and PEP screening logs, independent audit report, AMLRO appointment, business plan and record‑keeping SOPs. The full checklist is set out in the required‑documents table above.

The internal build, from gap analysis through pilot testing, typically takes 10–16 weeks. Regulator processing and bank onboarding can add a further 4–12 weeks. The most common delays arise from bank risk reviews and independent‑audit scheduling.

Operating without a Polish or EU corporate presence is impractical. Registration on the VASP register, AML obligations and banking access all require a locally registered entity or a branch of an EU‑registered company. Establishing the correct corporate structure before commencing operations is strongly recommended.

Late or missing suspicious‑activity reports expose the entity to regulatory fines, supervisory escalation by GIIF and, in serious cases, criminal liability for responsible officers. If a filing is overdue, the recommended course is to file immediately, disclose the delay to GIIF and document the remediation steps taken.

Engage a lawyer experienced in VASP compliance in Poland before drafting AML policies and before any regulator filing. Early legal input reduces the risk of structural errors that are costly to remediate once the programme is operational.