• Post comments:0 Comments

AML audit in Poland – no findings

AML Audit in Poland, Law Firm in Poland

Public discussion around crypto in Poland has recently been dominated by negative narratives and regulatory concerns. This creates the impression that the sector lacks structure or operates outside of a clear compliance framework.

In practice, however, this picture is incomplete. There are market participants that operate in a structured, compliant and transparent manner, fully aligned with Polish AML requirements as obliged entities.

One such example is a Polish VASP I represented in a over year-long AML audit in Poland. I have been involved with this client since its early stage in 2017, including its initial structuring and company formation. As a result, I have had direct insight into how its operational model and AML framework have been implemented in practice over time.

This article presents a practical case study of an AML audit in Poland and highlights what regulators actually focus on in practice.

Although this audit concerned a VASP under the current Polish AML framework, the same practical expectations will apply to CASPs under the MiCA regime. This case provides a forward-looking view of how AML audits in Poland of crypto-asset service providers are likely to be conducted.

AML Audit in Poland, no findings, Law Firm in Poland
Official notice issued by the Head of the Customs and Tax Office in Łódź confirming the completion AML audit, with no irregularities found in the scope of AML/CFT compliance.

The Company’s business model

The client, SMARTECH SOLUTIONS Sp. z o.o., is a Polish virtual asset service provider operating in the crypto exchange sector. The business has been active since 2017 and has conducted activities in the field of virtual currencies since it was established, including a period before registration as a VASP was formally required under Polish law.

On 2 December 2021, the Company was entered into the Polish register of activities in the field of virtual currencies under number RDWW-8.

The client transferred its business model developed in Greece to the Polish market. The activity focuses on the exchange of crypto-assets for fiat currency through crypto ATM infrastructure. This type of activity is considered high-risk from an AML perspective, as it involves direct interaction between cash-based transactions and crypto-assets.

As a side note, one of the crypto ATMs is located at my law firm’s office, making it one of the first law firms in Poland to host a crypto ATM.

In addition, the Company operates a B2B segment involving the exchange of crypto-assets for funds with business counterparties.

In light of the current classification under the MiCA Regulation, the Company’s activity can be qualified as the provision of services consisting of the exchange of crypto-assets for funds.

Scope of audit

The AML audit was conducted by the Polish customs and tax authority and covered a period of two full years, from 1 January 2023 to 31 December 2024. The audit lasted over a year, from 25 March 2025 to 13 April 2026.

As part of the audit, the authority issued a detailed request for information and documentation covering both the Company’s AML framework and its practical application.

In particular, the authority required the Company to provide:

  1. a complete list of all clients with whom business relationships were established or maintained during the audit period, including identification data, wallet addresses, risk assessments and total transaction volumes,
  2. a list of all occasional transactions exceeding EUR 1,000, including detailed transactional and identification data,
  3. information on whether business relationships and transactions were conducted without the physical presence of the client, together with corresponding client and transaction data,
  4. copies of agreements, accounting records (including JPK data), and internal regulations governing the Company’s services,
  5. documentation confirming the implementation of AML governance requirements, including the designation of responsible persons and internal procedures,
  6. information on employees involved in AML processes and evidence of AML training,
  7. the Company’s risk assessment (Article 27 Polish AML Act), including updates and any correspondence with the financial intelligence unit (GIIF),
  8. internal AML procedures and documentation confirming their implementation and application in practice,
  9. a detailed description of how customer due diligence measures were applied, including risk assessment methodology and frequency of reviews,
  10. information on the application of enhanced and simplified due diligence measures,
  11. evidence of ongoing transaction monitoring and identification of unusual or suspicious transactions,
  12. information and documentation relating to PEP identification and monitoring,
  13. information on reporting obligations towards GIIF, including transaction reports and suspicious activity notifications,
  14. all correspondence with GIIF and information on persons responsible for regulatory reporting.

The above list reflects the starting point of the AML audit in Poland. It does not capture the full extent of the authority’s requests. As the audit progressed, the authority issued multiple follow-up requests focused on specific aspects of the Company’s operations. These became increasingly detailed and required clear explanations of how the business functioned in practice.

A practical challenge

One of the practical challenges during the audit was linking specific crypto-asset purchases executed on the Kraken exchange to individual sales transactions carried out for business clients.

The authority expected a clear presentation of the full transaction flow, including fiat inflows, crypto-asset purchases and subsequent transfers to specific counterparties.

In practice, it was not possible to directly match a specific purchase on the exchange to a specific sale to the final client.

This was due to the nature of the business model. Funds were used across multiple transactions, involving different crypto-assets, and operations were not linear. There was no simple structure such as one deposit, one purchase and one transfer to the final client.

The data was available in separate datasets, including deposits, trades and withdrawals. However, linking them directly to specific business relationships required additional explanation.

In response, a sample set of transactions for a selected period was provided, together with an explanation of how the transactions were executed in practice.

This illustrates a broader point. In crypto-asset businesses, the key is not the ability to produce perfectly linked reports, but the ability to clearly explain the logic of transactions and the flow of funds.

The key elements of a clean audit outcome

The audit did not focus on a single element of the AML framework. It assessed the overall consistency between documentation, risk assessment and actual operations.

In practice, the key question was simple. The Company had to clearly explain its clients, their activity and the flow of transactions. This understanding also had to be properly documented and supported by internal procedures.

The no-findings outcome was not the result of a single factor. It reflected the consistency of the entire AML framework.

This included, in particular:

  • maintaining complete and well-organised AML documentation,
  • ensuring that internal documentation was compliant with legal requirements and kept up to date,
  • applying a customer due diligence framework adapted to the scale and nature of the business,
  • maintaining a documented overall risk assessment and assigning individual risk levels to clients, based on their activity, transaction patterns and geographic exposure,
  • ensuring that personnel involved in AML processes were properly trained,
  • applying clear rules for documenting client activity and transaction flows.

Equally important was the ability to demonstrate all of the above during the audit. Having procedures on paper was not enough. The Company was able to show how they worked in practice.

This level of consistency across documentation, operations and transaction analysis ultimately determined the outcome of the audit.

Conclusion

This case shows how an AML audit in Poland is conducted in practice and what is expected from VASPs and CASPs.

In practice, everything related to AML should be approached from the very beginning with a potential audit in mind. This is something I see both as an AML Officer at a Polish VASP and as an Attorney-at-Law with over 10 years of experience in this sector.

This applies not only to documentation, but also to how the business operates on a daily basis. If something cannot be clearly explained and demonstrated to a regulator, it is likely to become a problem during an audit.

This case shows that a clean audit outcome is achievable. It requires consistency across documentation, risk assessment and day-to-day operations. Most importantly, it requires the ability to answer questions from a regulator with clear and consistent explanations.

Leave a Reply