A Practical Guide to Annual Obligations for Registered VASPs in Poland (2026 Edition)
Your Polish company holds a VASP registration. You bank with an EMI in another EU country. Your AML and KYC procedures exist mainly because your EMI required them — not because of any meaningful interaction with IAS Katowice or GIIF. That is the operating reality for most international businesses holding a Polish VASP registration, and it is exactly the gap that gets registrations revoked.
A letter arrives from IAS Katowice or GIIF at your company's registered legal address — 7 or 14 days to respond. If that address is a virtual office nobody monitors, the deadline passes in silence. No response is treated as non-compliance. The registration gets revoked, the business becomes illegal overnight, and there are no new VASP registrations being issued in Poland to start over with.
The situation is made more critical by the fact that the Crypto-Assets Market Act has still not been signed into law. There is no CASP licensing framework under the Polish Financial Supervision Authority (KNF), and no clear timeline for one. Every registered VASP is in an extended transition period — still fully governed by IAS Katowice and GIIF under the existing AML Act, with obligations that are more demanding than most operators realize.
Here's a visual map of every annual obligation a registered Polish VASP carries today:
[Figure: Annual obligations for a registered Polish VASP.]
Let's walk through each of these in the detail they deserve.
In This Article
- 01 The regulatory landscape right now
- 02 Obligation 1 — Keep your VASP data accurate
- 03 Obligation 2 — Quarterly statistical reporting to GIIF
- 04 Obligation 3 — AML/CFT compliance framework
- 05 Obligation 4 — Travel Rule compliance
- 06 Obligation 5 — Reporting suspicious transactions
- 07 Obligation 6 — Annual AML/CFT staff training
- 08 Obligation 7 — Data retention
- 09 When GIIF or IAS Katowice contacts you
- 10 Penalties for non-compliance
- 11 A final word — compliance during transition
The Regulatory Landscape Right Now — Understanding Your Status
Before diving into obligations, a quick orientation.
Your VASP registration sits in the Rejestr Działalności w Zakresie Walut Wirtualnych (RDWW), maintained by the Director of the Tax Administration Chamber in Katowice (Dyrektor IAS w Katowicach). This is the competent authority for the registry under the Polish AML Act (Ustawa z dnia 1 marca 2018 r. o przeciwdziałaniu praniu pieniędzy oraz finansowaniu terroryzmu, referred to throughout this article as "the AML Act").
Your compliance obligations, however, are overseen primarily by the General Inspector of Financial Information (Generalny Inspektor Informacji Finansowej — GIIF), which sits within the Ministry of Finance. These are two separate entities, and confusing their roles is one of the most common mistakes we see.
Under MiCA's transitional rules, Polish entities registered before 30 December 2024 may continue providing services until 1 July 2026, or until they obtain CASP authorization, or until authorization is refused — whichever comes first.
The bottom line: the existing AML Act obligations apply in full and without exception during this transition period. Uncertainty about MiCA is not a reason to slow down on compliance. It's a reason to be more rigorous.
Obligation 1 — Keep Your VASP Data Accurate and Current
Your VASP registration in the Register of Virtual Currency Activity (RDWW) is a snapshot of your business at the time of application. Any subsequent change to your company must be reported to IAS Katowice through an amendment to your registration (wniosek o zmianę wpisu). This includes changes to:
- Company name or registered address
- Scope of virtual currency activities
- Directors, board members, or persons authorized to represent the entity (including UBO changes)
- Contact details used for correspondence with the registry
Where to go
https://www.gov.pl/web/ias-katowice/rejestr-dzialalnosci-w-zakresie-walut-wirtualnych
What happens if you don't update
IAS Katowice can initiate removal proceedings if it becomes aware of material inaccuracies in the registration — for example, if a director listed in the registry no longer appears in KRS. Grounds for removal from the registry include non-fulfilment of the conditions for conducting virtual currency activity, false declarations, and — critically — removal at the request of GIIF following a penalty.
One practical note: if your company suspends operations, you must submit a separate zawiadomienie o zawieszeniu działalności (notice of suspension). Closing your company in CEIDG or KRS does not automatically trigger clean removal from the RDWW — though IAS may remove you after the fact. Filing your own removal request is cleaner and faster.
Obligation 2 — Quarterly Statistical Reporting to GIIF
Who Must File
VASPs — entities conducting business activities in the field of virtual currencies — are covered, as obliged institutions under the AML Act, by the mandatory reporting of quarterly statistical data to the General Inspector of Financial Information (GIIF).
What the Report Covers
The quarterly form collects statistical data on your operations, including transaction volumes, types and numbers of transactions, client categories, and geographic distribution of counterparties. Questions available in the GIIF system that must be answered in quarterly reporting can be reviewed in advance by logging into the system and selecting the "I want to check messages to the obligated institution" tab.
When to Submit
Reports must be submitted on a quarterly basis within 18 days of the end of the quarter to which the data relates.
The deadlines for each quarter in 2026 are:
| Quarter | Covers | Deadline |
|---|---|---|
| Q4 2025 | Oct–Dec 2025 | 18 January 2026 |
| Q1 2026 | Jan–Mar 2026 | 18 April 2026 |
| Q2 2026 | Apr–Jun 2026 | 18 July 2026 |
| Q3 2026 | Jul–Sep 2026 | 18 October 2026 |
Where to Submit
Reporting is done exclusively through the dedicated GIIF IT system at: https://www.giif.mofnet.gov.pl/#/glowna
Before You Can File: Registration in the GIIF System First
Submitting a report requires prior registration of the obliged institution in the GIIF system. You must first complete the institution notification form by selecting "Chcę zgłosić lub zaktualizować dane instytucji obowiązanej" in the "Co chcesz zrobić?" section. After 1-2 business days, you will be able to log into your account and work on the report.
What You Need to Log In and Sign
Quarterly reports may be submitted only by a person who holds a Qualified Electronic Signature (QES). The Polish Trusted Profile, which is commonly used to incorporate a VASP, is not sufficient for this purpose.
You also need to install Java 8, Szafir Host, and Szafir SDK on your computer in order to use the Qualified Electronic Signature (QES) in the GIIF system.
What’s more, the GIIF system operates only on business days between 07:00 and 17:30 Polish time. Access to the system is blocked for IP addresses outside of Poland — a VPN with a Polish exit node is required if you are accessing from abroad.
What You Need to Pay Attention To
On the quarterly report: if you have zero transactions in a quarter, you still file. The obligation is not conditional on activity. A nil return is still a return, and missing it is treated as non-compliance.
Obligation 3 — Maintaining Your AML/CFT Compliance Framework
Your VASP is an "obliged institution" (instytucja obowiązana) under the AML Act. This means you carry a permanent, ongoing set of anti-money laundering obligations that go well beyond filing reports.
Your Internal AML Procedure
You must have a written, implemented internal AML procedure. This document must be comprehensive and tailored to your specific business — not a generic template downloaded from the internet. It must address at minimum:
- Client identification and verification (KYC/CDD/EDD)
- Transaction monitoring rules and alert thresholds
- Procedures for identifying and reporting suspicious transactions
- Risk management, including methodology for assessing customer risk
- Rules for applying enhanced due diligence for high-risk clients
- Travel Rule compliance procedures (since 30 December 2024)
- Internal whistleblowing (sygnalista) mechanisms
- Staff training requirements and schedule
- Data retention rules
Critically, this procedure must be reviewed and updated regularly — at a minimum when there is a material change in your business, regulatory requirements, or risk environment. In practice, an annual review is best practice and the standard we recommend to all clients.
Appointing Your AML Officer and Senior Management Responsible Person
Under the AML Act, you are required to designate:
- A senior management member responsible for AML/CFT (Article 6 AML Act) — this is a director or board member who carries personal accountability for the institution's AML framework. This person cannot simply be named on paper; they must be genuinely involved in oversight.
- A dedicated AML/compliance officer — a person responsible for day-to-day execution of AML obligations: managing the KYC process, handling STR filings, conducting internal audits, and being the point of contact for GIIF in inspections.

In smaller VASPs, one person often fills both roles. This is legally acceptable as long as that person has the knowledge, authority, and dedicated time to perform both functions meaningfully. GIIF has scrutinized VASPs that use virtual offices and nominal compliance officers with no real operational presence — this approach carries significant inspection risk.
Know Your Customer (KYC) and Customer Due Diligence (CDD)
Every client relationship must be subject to CDD, which involves identifying and verifying the client's identity, understanding the nature and purpose of the relationship, and monitoring transactions on an ongoing basis.
Key points from the GIIF training sessions of 2024 and 2025:
- A client's self-declaration is not sufficient evidence of the source of funds. The GIIF was explicit on this point at its August 2025 training. Documentation must be requested and verified.
- Occasional transactions — even one-off exchanges — can give rise to an ongoing business relationship for CDD purposes if a pattern of activity develops. Do not set excessive transaction thresholds that would exclude clients from analysis.
- The primary verification document remains a national ID card or passport. Verify the document; do not rely on client declarations about the document.
- Enhanced Due Diligence (EDD) is required for PEPs (politically exposed persons), high-risk jurisdictions, and any client presenting elevated risk in your internal risk assessment.
Risk Assessment — Your Institution-Level Document
Every VASP must maintain an institution-level risk assessment (ocena ryzyka prania pieniędzy i finansowania terroryzmu). This is a formal analytical document — not a tick-box form — that evaluates the specific money laundering and terrorist financing risks your business faces given your client base, products, geographies, and delivery channels.
This document must be updated at least every two years, or whenever there is a material change in your business, new products or client types, or significant developments in the legal or risk environment. Given the MiCA transition, new regulatory developments in 2026 should trigger a review regardless of when you last updated.
Obligation 4 — Travel Rule Compliance (Mandatory Since 30 December 2024)
What the Travel Rule requires:
When you execute or receive a transfer of crypto-assets, you must collect, verify, and transmit information about:
- The originator (sender): name, crypto-asset account number/address, and — for transfers above €1,000 — residential address, national ID number, or date and place of birth
- The beneficiary (recipient): name and crypto-asset account number/address
This data must "travel" alongside the transfer — passed to the receiving VASP — and must be screened against sanctions lists before transmission.
Unhosted (self-custodied) wallets: For transactions involving unhosted wallets above €1,000, you must take additional steps to assess the ownership and control of the wallet. Methods include having clients sign messages with the private key associated with the address, or transfer a pre-agreed small verification amount — similar to the micro-transfer verification used in traditional banking.
Technical infrastructure: The Travel Rule cannot be implemented manually for any meaningful transaction volume. You need a compatible Travel Rule solution — whether an in-house API or a third-party Travel Rule protocol provider — that can communicate with counterpart VASPs/CASPs across the EU.
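A pre-transmission completeness check for the data points listed above, as an added example that is not part of the original article or of any GIIF or vendor tooling. The field names, the boolean flags for sanctions screening and wallet verification, and the reading of the above-€1,000 originator data as "at least one of the three identifiers" are assumptions for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

THRESHOLD_EUR = Decimal("1000")  # threshold as stated in the article


@dataclass
class Party:
    name: str = ""
    wallet_address: str = ""
    residential_address: str = ""
    national_id: str = ""
    birth_date: str = ""
    birth_place: str = ""


@dataclass
class Transfer:
    amount_eur: Decimal
    originator: Party
    beneficiary: Party
    counterparty_hosted: bool = True         # False = unhosted (self-custodied) wallet
    sanctions_screened: bool = False         # hypothetical flag set by the screening step
    wallet_ownership_verified: bool = False  # signed message or micro-transfer completed


def travel_rule_gaps(t: Transfer) -> list[str]:
    """Return every reason the transfer data must not be transmitted yet."""
    gaps = []
    for role, party in (("originator", t.originator), ("beneficiary", t.beneficiary)):
        if not party.name.strip():
            gaps.append(f"{role}: name missing")
        if not party.wallet_address.strip():
            gaps.append(f"{role}: wallet address missing")
    if t.amount_eur > THRESHOLD_EUR:  # "above" the threshold, so exactly 1,000 is excluded
        o = t.originator
        # Assumption: any one of the three identifiers satisfies the requirement.
        identified = any((
            o.residential_address.strip(),
            o.national_id.strip(),
            o.birth_date.strip() and o.birth_place.strip(),
        ))
        if not identified:
            gaps.append("originator: address, national ID or date+place of birth missing")
        if not t.counterparty_hosted and not t.wallet_ownership_verified:
            gaps.append("unhosted wallet: ownership and control not verified")
    if not t.sanctions_screened:
        gaps.append("sanctions screening not recorded")
    return gaps


# Constructed sample data, not real customers or addresses.
ANNA = Party(name="Anna Example", wallet_address="wallet-A-constructed")
JAN = Party(name="Jan Example", wallet_address="wallet-B-constructed")
SMALL_OK = Transfer(Decimal("250"), ANNA, JAN, sanctions_screened=True)
AT_THRESHOLD = Transfer(Decimal("1000"), ANNA, JAN, sanctions_screened=True)
LARGE_UNHOSTED = Transfer(Decimal("4200"), ANNA, JAN, counterparty_hosted=False)

if __name__ == "__main__":
    for label, tx in (("small", SMALL_OK), ("at threshold", AT_THRESHOLD),
                      ("large unhosted", LARGE_UNHOSTED)):
        print(label, "->", travel_rule_gaps(tx) or "ready to transmit")
```

Running the check as a hard gate before the message leaves your system also produces a per-transfer record of why a transfer was held, which is the kind of evidence an inspection will ask for.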
Failure to implement the Travel Rule is not a minor compliance gap. Administrative penalties for non-compliance can reach up to €1,000,000 (or twice the benefit obtained), with higher limits for certain financial institution categories. Operational consequences include other financial institutions potentially refusing to cooperate with non-compliant CASPs.
Obligation 5 — Reporting Suspicious Transactions (STR) to GIIF
This obligation has a criminal law dimension that many VASPs underestimate.
When your transaction monitoring identifies a suspicious transaction — or where you have reasonable grounds to suspect money laundering or terrorist financing — you must report it to GIIF without delay via the GIIF IT system. The reporting obligation arises regardless of the transaction amount. There is no minimum threshold.
GIIF's statistics for Q3 2024 showed that not a single VASP filed an STR during that period. GIIF expressed serious concern about this and reminded obliged institutions that failure to report when required carries criminal liability under Article 156 of the AML Act — imprisonment from 3 months to 5 years.
This is not regulatory box-ticking. GIIF has made clear that it views the near-zero STR rate from the VASP sector as a systemic failure, and inspections are being used, in part, to assess whether VASPs are genuinely monitoring transactions and acting on alerts.
Obligation 6 — Annual AML/CFT Staff Training
All persons who carry out AML/CFT obligations in your organisation must receive regular AML training. This includes not only dedicated compliance staff but also customer-facing staff who conduct KYC, analysts who monitor transactions, and anyone else involved in implementing your AML procedures.
Training must be:
- Documented — certificates, attendance records, and the content of training must be retained
- Tailored — generic online courses may supplement, but the training must address your specific risk profile and the specific roles of participants
- Current — when significant regulatory changes occur (as has happened repeatedly in recent years), training must reflect those changes
In practice, annual in-person or recorded training sessions with external AML specialists, combined with periodic internal refreshers when new guidance is issued, represent the standard that will satisfy GIIF during an inspection.
Obligation 7 — Data Retention
Transaction data and documentation must be retained for 5 years from the end of the business relationship — or from the date of an occasional transaction. This applies to:
- KYC/CDD documentation for all clients
- Transaction records
- STRs and supporting documentation
- Correspondence with GIIF and other authorities
- Internal AML assessments and training records

This data must be stored in a form that allows prompt retrieval during an inspection. Files scattered across personal email accounts are not an acceptable system. A structured document management system — even a simple shared drive with a clear folder structure — is the minimum.
What Happens When GIIF or IAS Katowice Contacts You — The Most Dangerous Gap
Here is the scenario that has ended several of our clients' registrations.
GIIF or IAS Katowice sends a letter to the contact address registered in the RDWW. It might be a request for information, a notice of inspection (kontrola), or a request to produce documentation within a specified deadline — often 7 or 14 days. The letter goes to an email address that nobody checks, or to a registered office provided by a virtual office service where mail piles up uncollected.
The deadline passes. A reminder may or may not follow. Eventually, the authority issues a decision to initiate removal proceedings. By the time the company's directors become aware, the window to respond has often closed.
How to protect yourself:
Keep your contact details in the RDWW scrupulously up to date. Monitor the email address used for official correspondence daily. If you use a virtual office, ensure there is a clear protocol for forwarding official correspondence immediately. Consider designating an external AML compliance advisor who is connected to this monitoring.
When a letter arrives from GIIF or IAS Katowice, treat it as urgent. Even if you believe you cannot meet the deadline, contact the authority promptly, acknowledge receipt, and request an extension if needed. Silence is treated as non-compliance. A polite, documented response — even without all the information requested — demonstrates good faith and almost always results in a more measured response from the authority.
Penalties for Non-Compliance — The Full Picture
[Figure: Consequences of non-compliance for Polish VASPs.]
The financial penalties are serious. The criminal liability for failing to report suspicious transactions is genuinely alarming. But in practice, the consequence that causes the most immediate business damage is de-banking. Polish banks and financial institutions, under pressure from KNF and GIIF, are extremely cautious about maintaining relationships with firms that do not meet regulatory requirements. Non-compliant entities can find it practically impossible to open or maintain bank accounts, which makes fiat-crypto operations unworkable.
The MiCA Transition — What It Actually Means for You Right Now
Let us be direct about the current situation, because there is a lot of noise and not much clarity in the market.
As of 12 February 2026, President Nawrocki's second veto of the Crypto-Assets Market Act means Poland has no national framework for CASP licensing, leaving around 1,300 registered entities operating in uncertainty ahead of the 1 July 2026 deadline.
Poland is the sole remaining EU country that has not passed the necessary legislation to align with MiCA. If no law is passed by 1 July 2026, there will be no authority in Poland capable of issuing CASP licences, and Polish firms that want to operate under MiCA will need to register in another EU member state.
What does this mean for you as a currently registered VASP?
- You can continue operating under your RDWW registration until 1 July 2026 — provided you comply with all existing AML Act obligations. Your registration remains legally valid for this purpose.
- You cannot obtain a CASP licence in Poland at this time, because there is no enabling law and no procedure. The KNF cannot accept applications.
- Your Travel Rule obligations are already live, regardless of MiCA's national implementation status. EU Regulation 2023/1113 is directly applicable.
- GIIF and IAS Katowice remain active supervisors. The legislative deadlock does not reduce supervisory activity; if anything, the public and political scrutiny on the VASP sector has increased.
- You should be MiCA-ready in operational terms — even before you can formally apply. Firms that are already operating at MiCA-standard compliance (robust AML, proper governance, Travel Rule implemented, adequate capital planning) will be first through the door when a law is eventually passed.
A Final Word — Compliance Is Not Optional During Transition
The political turbulence around the MiCA implementation bill has led some operators to adopt a "wait and see" approach to compliance. That is a misreading of the situation.
The AML Act obligations that govern registered VASPs have not been suspended, modified, or relaxed. GIIF is actively training VASPs — most recently in August 2025 — and actively inspecting them. IAS Katowice continues to remove registrations for non-compliance. The Travel Rule has been live since the end of 2024. Every quarterly deadline has the same force it always has.
If your licence was the finish line, you've been standing on the starting blocks.
The good news: the obligations, while numerous, are manageable with a proper compliance programme and the right support. The VASPs that will be best placed when Poland finally resolves its legislative situation — and eventually a law will pass — are the ones operating at a genuine compliance standard today.
If you have any doubt about whether your current compliance programme meets the standards described in this article, treat that doubt as your signal to act.
About the Author
Terra Xu is Head of Structuring and Solutions at Oruga Group, a Warsaw-based corporate law and investment advisory firm. She advises international businesses on Polish corporate law, regulatory compliance, and cross-border market entry.
This article reflects the legal and regulatory position as of April 2026. It is intended for general information purposes and does not constitute legal advice. The regulatory landscape around crypto-assets in Poland is evolving rapidly. We recommend seeking specialist legal advice before making compliance decisions for your specific circumstances. If any part of this article raises questions specific to your situation, we are happy to talk it through.