GIIF Conducting AML Inspection for Polish VASPs, What to Expect and How to Prepare?

Registration in Poland’s virtual currency activity register is not a license, and it does not place a company outside the reach of anti-money laundering oversight. 

We work with crypto businesses navigating the shift from national VASP regimes to MiCA-based CASP authorization, and the question we hear most often from Polish-registered operators is a practical one: if an AML inspector opened a file tomorrow, could the company prove its program works on paper. 

Below, we set out who can inspect a Polish VASP’s AML compliance, what an inspection covers, what penalties apply under the current AML Act, and why the MiCA transition makes readiness a near-term priority.

Received an inspection notice? Our team can help

Why You Shouldn’t Just Wait for a GIIF Inspection

Poland’s General Inspector of Financial Information can open an AML/CFT inspection under Article 130 of the AML Act of 1 March 2018 against any virtual currency register entrant with a registered seat in Poland. Most Polish VASPs have understood GIIF as the body to watch.

That assumption is now incomplete.

Current inspections are being conducted by specialized AML units within customs-tax offices, operating under the separate inspection powers granted by Chapter 12 of the AML Act. This is a new development. Companies that have been monitoring for GIIF activity and seen nothing may still receive a notice, from a different authority, through a different channel.

The practical implication is that a Polish-registered VASP should no longer treat the absence of GIIF contact as a signal that no review is coming. Both GIIF and customs-tax office units have independent authority to inspect, and current evidence suggests it is the latter that is moving first.

One boundary is worth noting. Entities entered in the register without a Polish seat fall outside GIIF’s inspection jurisdiction under Article 130. GIIF treats this as a market risk indicator, not a planning option.

What an Inspection Actually Covers

An AML inspection tests whether a company’s written program matches what it actually does. Inspectors typically request the firm’s AML/CFT procedures, its institutional risk assessment, and evidence that the assessment has been reviewed and updated rather than filed once and left untouched. 

Customer due diligence files come next: identity verification records, beneficial ownership documentation, and proof of sanctions and PEP screening at onboarding and on an ongoing basis.

Transaction monitoring is where smaller VASPs often fall short, not because monitoring is absent but because it is undocumented. Inspectors look for monitoring logs, escalation records, and a clear account of suspicious transaction reports filed with GIIF, including the reasoning behind transactions that were reviewed but not reported. 

Article 49 of the AML Act requires customer identification data and transaction records to be retained for five years from the end of the business relationship. Gaps in that retention are an easy finding for an inspector to make.

Received an inspection notice? Our team can help

What’s at Stake Under the AML Act

The AML Act’s Article 150 states that an obligated institution found in serious breach can face a fine of up to EUR 5,000,000 or 10% of its annual turnover, whichever figure is higher. That threshold applies at the company level.

Individual exposure exists separately. Under Article 154, a person designated as responsible for the company’s AML obligations, typically a board member or the appointed AML officer, can be fined personally, up to PLN 1,000,000, for failures that occurred during their tenure. 

Article 156 adds criminal liability for individuals who fail to pass required reports to GIIF. None of this requires proof of actual money laundering. A documentation gap or an unreported pattern is enough to start the process.

Why the MiCA Transition Raises the Stakes

Poland’s registered VASPs are moving toward CASP authorization under MiCA, supervised by KNF, but the transitional period does not suspend the existing AML Act framework. A registered VASP operating under transitional arrangements remains subject to GIIF inspection and the Article 130(2) authorities in the meantime.

That timing creates a practical problem. An open AML finding, an unresolved fine, or an unanswered information request from GIIF sits on a company’s record at exactly the point it needs a clean compliance history to support a CASP license application. 

Resolving AML documentation gaps after an inspection notice arrives is far harder than addressing them on a normal schedule, and it sends a different signal to KNF later.

How We Approach AML Inspection Readiness

We treat inspection readiness as a documentation exercise first. That means refreshing the institutional risk assessment so it reflects the business as it currently operates, not as it was described at registration. It means sampling a set of customer files to confirm that the policy on paper matches what onboarding actually produced, and checking that sanctions screening tools are configured correctly and that screening results are saved, not just generated and discarded.

We also reconcile the quarterly statistical reports filed with GIIF against internal transaction data, since a mismatch between what a company reports and what its own records show is one of the fastest ways to turn a routine review into a longer one. 

We confirm training records exist for staff and for the designated AML officer too, since training without a record is functionally indistinguishable from no training at all.

Received an inspection notice? Our team can help

FAQ

Who can inspect a Polish VASP’s AML compliance?

GIIF can inspect any virtual currency register entrant with a registered seat in Poland under Article 130 of the AML Act. Other authorities, including heads of customs-tax offices, hold separate inspection powers under Article 130(2) over institutions within their remit.

Does registration in the Polish VASP register mean my company is licensed or supervised?

No. GIIF has stated that virtual currency activity is not licensed and is not supervised in the way KNF supervises banks or payment institutions. Entry in the register is an evidentiary requirement, and representing it otherwise in marketing materials is treated as misleading by the regulator.

What are the maximum penalties for AML non-compliance in Poland?

Under Article 150 of the AML Act, an obligated institution can face a fine of up to EUR 5,000,000 or 10% of annual turnover, whichever is higher. Under Article 154, an individual responsible for AML compliance can be fined personally, up to PLN 1,000,000.

How does this affect my transition to a CASP license under MiCA?

The transitional period does not pause AML inspection authority. Any open finding from a GIIF or customs-tax office inspection becomes part of the compliance history KNF will weigh during CASP authorization, so resolving issues before that point matters.