Crypto Custody in Poland 2026: Custody Models, Bank‑onboarding Playbook & a Mica‑ready Compliance Checklist

Designing compliant crypto custody in Poland has never been more operationally complex, or more commercially urgent. The EU Markets in Crypto-Assets Regulation (MiCA) is directly applicable across Poland, yet the national implementing act needed to stand up the domestic CASP licensing regime has been vetoed multiple times by the President of Poland, leaving firms in a regulatory halfway house. The Polish Financial Supervision Authority (KNF) has responded with transitional statements allowing registered VASPs to continue operating under national law, but banks, payment service providers and institutional counterparties are raising their due-diligence thresholds in parallel.

This article delivers a practical playbook: which crypto custody models meet MiCA expectations today, how to structure AML/KYC controls for the Polish market, and a step-by-step bank-onboarding template that firms can deploy immediately.

Executive Summary: What Crypto Custody Firms Must Do Now

Poland sits in a unique position among EU member states. MiCA is binding EU law, but without a functioning domestic CASP licence route, firms must simultaneously operate under the existing VASP registration while preparing documentation, governance and custody architectures that will satisfy CASP requirements the moment a national act takes effect. Industry observers expect this window to close quickly once legislative gridlock resolves.

The practical consequence is that crypto custody firms in Poland cannot afford to wait. Banks are already tightening onboarding criteria, the KNF is signalling supervisory expectations through public statements, and the General Inspector of Financial Information (GIIF) continues to flag AML risks associated with virtual-currency trading. Firms that invest in MiCA-grade custody and compliance infrastructure today will be better positioned for both bank acceptance and future CASP authorisation.

Five actions to take immediately:

• Formalise your custody model. Document your key-management architecture, segregation policies and reconciliation procedures in a format auditors and banks can review.
• Update AML/KYC manuals. Align customer due diligence, transaction monitoring and SAR/STR procedures with both Polish AML Act obligations and MiCA expectations.
• Commission a third-party security attestation. An independent penetration test and custody-controls review materially improves bank-onboarding outcomes.
• Prepare your bank packet. Use the 14-day bank-onboarding template detailed below to assemble legal opinions, UBO disclosures, proof-of-controls documentation and liability-allocation proposals.
• Monitor legislative developments weekly. The Sejm may reintroduce the Crypto-Assets Market Act at any session; readiness to apply for a CASP licence on day one is a competitive advantage.

Regulatory Status: MiCA vs the National Act and the KNF Position

MiCA Basics

MiCA (Regulation (EU) 2023/1114) is a directly applicable EU regulation. It does not require transposition into national law to be binding, it takes effect across all member states automatically. For crypto custody specifically, MiCA sets requirements around asset segregation, governance, record-keeping and client disclosures that apply regardless of whether a member state has adopted supplementary national legislation. For a comprehensive overview of Poland’s crypto licence requirements under MiCA 2026, see our detailed guide.

Polish Crypto‑Assets Market Act, Timeline and Vetoes

On 26 September 2025, the Sejm of the Republic of Poland adopted the Crypto-Asset Market Act, which was intended to ensure the full application of MiCA domestically and establish the KNF as the competent supervisory authority for CASP licensing. However, the President of Poland vetoed the legislation. A subsequent version was also vetoed on 12 February 2026. These repeated vetoes mean that Poland still lacks the domestic procedural framework, the application forms, fee schedules, supervisory powers and transitional arrangements, necessary for the KNF to accept and process CASP licence applications.

KNF Transitional Statement and Its Practical Effect

The KNF has issued a public statement clarifying that the MiCA transitional regime allows entities lawfully providing crypto-asset services under applicable national law before 30 December 2024 to continue operating until 1 July 2026, or until they receive or are denied a CASP licence, whichever comes first. In practical terms, this means Poland’s VASP register (maintained by the Tax Administration Chamber) remains the operative domestic authorisation mechanism. Firms on the register may continue offering custody, exchange and other services listed in their registration. However, the KNF has also warned that this transitional window is finite, and firms should be preparing for the full MiCA supervisory regime.

Understanding why firms need a crypto licence and how to obtain one remains essential background for this transition.

Crypto Custody Models: Comparison and Recommended Designs for Poland

Choosing the right custody model is the single most consequential operational decision a crypto firm makes in Poland. The model must satisfy MiCA custody requirements, asset segregation, governance controls, reconciliation and client-asset protection, while also being intelligible to Polish banks and auditors who will scrutinise the design during onboarding.

Hot and Custodial Wallets

Hot wallets remain necessary for operational liquidity, processing withdrawals, funding trades and paying fees, but should never hold more than a defined percentage of total client assets. Industry observers expect that MiCA-aligned supervisors will look for policies capping hot-wallet exposure at a maximum of 2–5% of total assets under custody, with automated sweeps transferring excess to cold or MPC-secured reserves.

Cold and Air-Gapped Cold Storage

Air-gapped cold storage, where private keys are generated and stored on hardware that has never been connected to the internet, remains the gold standard for high-value asset protection. For crypto custody in Poland, firms should implement geographically distributed cold-storage facilities, each with dual-control access requirements, tamper-evident seals, and CCTV logging. The operational trade-off is slower withdrawal processing; firms typically mitigate this with pre-signed transaction batches authorised under multi-signature schemes.

Hybrid Models and MPC

Multi-party computation eliminates the single private key as a point of failure. Instead, cryptographic key shares are distributed across multiple independent parties, the firm, a co-signer and optionally a disaster-recovery service. This architecture allows real-time transaction signing without any single party holding a complete key, while maintaining auditability. For CASP Poland applicants, MPC models are increasingly viewed favourably provided the firm can demonstrate key-share governance policies, periodic key-rotation procedures and independent audits of the MPC protocol.

Using Qualified Third-Party Custodians: Local vs EU Passported

Qualified custody providers, whether Polish-domiciled or EU-passported, offer the clearest path to satisfying MiCA custody requirements and gaining bank acceptance. When selecting a provider, firms should verify SOC 2 Type II attestations, insurance coverage, regulatory status in the provider’s home jurisdiction, and the contractual framework for asset segregation and insolvency protection. Early indications suggest that Polish banks are more comfortable with EU-passported providers that hold authorisations in jurisdictions where MiCA implementation is further advanced, such as France, Germany or the Netherlands.

AML/KYC and Custody Operational Controls Mapped to MiCA and Poland

Custody AML KYC in Poland must satisfy two overlapping frameworks: Poland’s existing Anti-Money Laundering Act (which governs VASP-registered entities today) and MiCA’s own requirements for CASPs, which will apply fully once the domestic licensing regime becomes operational. Designing controls that meet both frameworks simultaneously is not optional, it is a prerequisite for bank onboarding and future CASP authorisation.

Customer Due Diligence and Onboarding (KYC)

The Polish AML Act already requires VASPs to perform customer identification and verification before establishing a business relationship. Under MiCA, CASPs must additionally apply enhanced due diligence for higher-risk clients and transactions. Practical implementation should include:

• Identity verification. Government-issued ID, liveness checks and address verification for natural persons; registry extracts, UBO declarations and corporate-structure charts for legal entities.
• Customer risk scoring. Assign each customer a risk rating (low, medium, high) based on jurisdiction, transaction profile, source of funds and political exposure. Automate scoring using configurable rule engines.
• Source-of-funds and source-of-wealth checks. For deposits above defined thresholds, require documentary evidence of the origin of crypto assets (e.g. wallet provenance, exchange withdrawal records, mining-income documentation).
• Sanctions and PEP screening. Screen against EU consolidated sanctions lists, Polish national lists and global watchlists at onboarding and on a continuous basis.

Ongoing Monitoring and Transaction Screening

Transaction monitoring for custodial services must cover both fiat and on-chain movements. The General Inspector of Financial Information has specifically flagged risks associated with trading through entities headquartered outside Poland and the EU, reinforcing the expectation that firms implement robust ongoing monitoring. Key controls include:

• Blockchain analytics. Integrate a chain-analysis tool to flag transactions involving sanctioned addresses, darknet markets, mixers/tumblers, and high-risk exchanges.
• Threshold-based alerts. Configure alerts for single transactions and cumulative daily volumes exceeding defined thresholds (calibrate to the firm’s risk appetite and average client profile).
• Behavioural-pattern detection. Flag rapid movement of assets through custody accounts, unusual withdrawal patterns, and transactions inconsistent with the customer’s declared profile.
• SAR/STR filing. Establish a documented procedure for filing Suspicious Activity Reports with the GIIF within statutory timeframes. Designate a named AML officer responsible for escalation and filing decisions.

Wallet Controls and Treasury Segregation

MiCA requires clear separation between client assets and the firm’s own treasury. In practical custody architecture, this translates to:

• Wallet labelling. Maintain an immutable internal registry that maps every wallet address to either “client omnibus,” “client segregated,” or “firm treasury,” with timestamps and audit trails for any re-designation.
• Automated reconciliation. Run daily automated reconciliation between on-chain balances (hot wallets + cold reserves) and the firm’s internal ledger. Discrepancies above a de minimis threshold should trigger immediate investigation and escalation.
• Segregation of duties. No single individual should have the ability to initiate, approve and execute a withdrawal. Implement at least dual-approval workflows, with higher thresholds requiring additional sign-offs from senior management or compliance.

Bank-Onboarding Playbook: 14-Day Template, Required Documents and Negotiation Tactics

Securing a banking relationship is the most common bottleneck for crypto firms operating in Poland. Bank onboarding for crypto in Poland requires meticulous preparation: banks conduct detailed AML, legal, operational and reputational due diligence, and the absence of any single document can delay the process by weeks or result in outright refusal.

Preparing the Bank Packet

Assemble the following documents before your first bank meeting. Present them in a single, indexed PDF binder with a cover letter summarising your firm, its regulatory status and the specific banking services requested.

• VASP registration certificate issued by the relevant Tax Administration Chamber, confirming current registration status.
• AML/KYC manual. The complete, board-approved anti-money laundering and counter-terrorism financing programme, including customer due diligence procedures, transaction monitoring rules, SAR/STR escalation protocols and training records.
• Custody architecture document. A technical summary of the firm’s custody model, key-management design, hot/cold allocation policies, reconciliation procedures and disaster-recovery plan.
• Third-party security attestation. An independent penetration-test report and custody-controls review conducted within the preceding 12 months.
• UBO disclosure. Ultimate beneficial ownership declarations for all entities in the corporate chain, with supporting identity documents.
• Legal opinion. A memorandum from Polish counsel confirming the firm’s regulatory status, the applicability of the KNF transitional regime, and the legal basis for continued operations.
• Financial statements. Audited (or reviewed) financial statements for the most recent fiscal year, plus interim management accounts.
• Insurance documentation. Details of any professional indemnity, cyber-liability or crime insurance policies held by the firm or its custody provider.
• Liability-allocation proposal. A draft term sheet addressing how liabilities, indemnities and termination rights will be allocated between the firm and the bank.

Typical Bank Due-Diligence Requests and How to Respond

Expect the bank’s compliance and risk team to request the following within the first 5–7 business days after receiving your packet:

• “Describe your customer base.” Respond with anonymised, aggregated data: jurisdictions served, customer types (retail vs institutional), average transaction sizes and volumes.
• “How do you ensure asset segregation?” Provide the custody-architecture document, wallet-labelling registry and a sample reconciliation report. If using a third-party custodian, include the custodian’s SOC 2 report and your contractual segregation provisions.
• “What is your regulatory roadmap?” Present a timeline showing current VASP registration, anticipated CASP application milestones and any legal opinions on the transitional regime.
• “Who are your UBOs and directors?” Provide certified copies of identity documents, proof of address, CVs and criminal-record checks for all UBOs and board members.
• “What happens if you are hacked or face insolvency?” Share your incident-response plan and business-continuity documentation (covered in the next section).

Negotiation Points and Red Flags for Banks

Banks in Poland are not uniformly hostile to crypto firms, but they are cautious. The following tactics improve outcomes:

• Start with smaller, digitally oriented banks. Several mid-tier and neobanks in Poland have dedicated fintech onboarding teams and shorter decision cycles.
• Offer a trial period. Propose a limited initial account with transaction caps, allowing the bank to observe your compliance performance before extending full services.
• Avoid red flags. Banks will typically decline firms that cannot provide a clear UBO structure, have directors with adverse media hits, serve jurisdictions on FATF grey/black lists without enhanced controls, or rely exclusively on hot-wallet custody.
• Demonstrate MiCA readiness. Show that your governance, controls and documentation already meet CASP standards, this signals lower long-term risk to the bank.

Sample 14-day timeline:

• Day 1–2: Submit complete bank packet with cover letter.
• Day 3–5: Bank compliance reviews packet; initial clarification requests received.
• Day 5–7: Respond to all clarification requests with supplementary documentation.
• Day 7–10: Bank conducts internal risk-committee review; may request a call with your AML officer or CTO.
• Day 10–12: Bank issues preliminary decision (approve, approve-with-conditions, or decline).
• Day 12–14: Negotiate account terms, SLA conditions and transaction limits; sign account-opening documentation.

Operational Readiness and Incident Response

Incident Triage and Forensic Steps

Custody failures, whether from theft, smart-contract exploits, insider threats or court-ordered seizures, require a pre-documented response. Poland’s criminal-law framework allows prosecutors to serve formal freeze orders on centralised exchanges and custodial service providers, making incident-response readiness a legal necessity as well as an operational one.

• Immediate containment. Isolate compromised wallets, revoke relevant API keys and suspend withdrawal functionality within the first 30 minutes.
• Forensic preservation. Capture blockchain transaction data, server logs, access logs and key-ceremony records before any remediation. Maintain chain-of-custody documentation for all digital evidence.
• Root-cause analysis. Engage an independent forensic team to determine the attack vector, scope of loss and whether any insider involvement is suspected.
• Regulatory notification. Notify the GIIF if the incident triggers SAR/STR obligations. If a CASP licence is in force, notify the KNF within the timeframe specified under MiCA.

Communication Checklist: Regulators, Banks and Customers

• Regulators (KNF / GIIF): File required notifications; provide a preliminary incident summary within 24 hours; follow up with a detailed report within 72 hours.
• Banks and PSPs: Inform your banking partner’s compliance contact immediately, withholding information risks account termination. Provide a factual incident summary and your remediation plan.
• Customers: Issue a transparent customer notification covering what happened, what assets are affected, what actions the firm is taking, and expected resolution timelines. Avoid speculation; update as facts emerge.

MiCA-Ready Documentation Checklist for Crypto Custody in Poland

Use this custody operational checklist to assess your firm’s readiness across governance, technical, AML, operational and bank-facing dimensions. Each item is labelled by priority level.

• Governance, Required now: Board-approved custody policy; named compliance officer; conflict-of-interest policy; outsourcing register (if using third-party custody).
• Governance, Required for CASP application: Programme of operations; organisational chart mapping custody functions to named individuals; fit-and-proper declarations for all senior managers.
• Technical, Required now: Custody-architecture document; key-management policy; hot/cold allocation thresholds; disaster-recovery and business-continuity plan.
• Technical, Recommended: Independent penetration-test report (≤ 12 months old); SOC 2 Type II attestation (if available); MPC key-share governance documentation.
• AML, Required now: Board-approved AML/CFT manual; customer risk-scoring methodology; SAR/STR procedures; sanctions-screening implementation records; training logs.
• AML, Required for CASP application: Transaction-monitoring rule library with documented calibration rationale; annual AML audit report.
• Operational, Required now: Daily reconciliation procedures and sample reports; wallet-labelling registry; segregation-of-duties matrix; incident-response plan.
• Bank packet, Required now: Indexed binder containing all items listed in the bank-onboarding section above.
• Legal, Required now: Legal opinion on regulatory status and transitional-regime applicability; UBO disclosures; corporate-structure chart.
• Legal, Required for CASP application: Draft CASP application (pre-filled to the extent possible without published forms); evidence of minimum capital requirements compliance.

30/60/90-Day MiCA-Readiness Roadmap

• Days 1–30, Foundations: Complete governance documentation; finalise and board-approve custody policy and AML manual; commission third-party security attestation; begin assembling bank packet.
• Days 31–60, External engagement: Submit bank packet to at least two target banks; schedule meetings with bank compliance teams; conduct internal mock CASP-application review against known MiCA requirements; complete AML officer training refresher.
• Days 61–90, Application readiness: Resolve any bank-onboarding conditions or requests; finalise CASP application draft; ensure all technical documentation is current; establish monitoring cadence for legislative developments (weekly Sejm tracking and KNF announcements).

Conclusion

Crypto custody in Poland in 2026 demands a dual-track approach: operate compliantly under the existing VASP registration and KNF transitional framework while building the documentation, controls and institutional relationships that a full CASP licence will require. The firms that treat MiCA readiness as an operational priority, not a future compliance exercise, will secure banking relationships faster, reduce regulatory friction and position themselves to apply for CASP authorisation on day one. Use the checklists, templates and the 14-day bank-onboarding playbook in this article as a starting point, and seek specialist legal counsel to tailor them to your firm’s specific custody architecture and risk profile.

Sources

1. Polish Financial Supervision Authority (KNF), Transitional Statement
2. Polish FinTech Office, Crypto-Assets Market Act Announcement
3. Gov.pl, GIIF Communication on Virtual Currency Trading Risks
4. Dudkowiak & Putyra, VASP / Crypto Licensing in Poland
5. Dudkowiak & Putyra, Crypto-Assets Market Act Vetoed Again
6. CMS Law, Expert Guide to Crypto Regulation in Poland
7. CGO Legal, Crypto License in Poland 2026
8. Hacken, MiCA Regulation Explainer
9. BitGo, Qualified Custody Solutions
10. Chambers Practice Guides, Blockchain & Crypto-Assets 2026 (Poland)