Fintech 2022 Comparisons

Fintech Market Development in 2021

Despite the ongoing COVID-19 pandemic, the fintech market saw growth in Poland in 2021. The number of entities operating in the industry increased, especially in the field of crowdfunding platforms, financial comparison sites, and artificial intelligence. In contrast, there was a decline in lending companies, which was thought to be related to the weak economy and newly emerging regulations.

According to data published by the National Bank of Poland (NBP), in 2021 an increase in the number of payment card transactions was observed in Poland. The latest data relates to the third quarter of 2021 and the recorded growth is 14.9% compared to the previous year. The value of payment card transactions made in this period was also higher – an increase of 14% compared to the data from 2020.

Activity of the Polish Authorities and Planned Changes of Law

In 2021, the Polish Financial Supervision Authority, known in Poland as the "KNF", introduced a number of measures aimed at improving the operation of the fintech sector in Poland. For instance, the KNF adopted a position as providers of crowdfunding services to secure ongoing functioning of that market irrespective of the lack of adaptation of the Polish legal system in due time to the rules of the Regulation (EU) 2020/1503 of the EP and of the Council of 7 October 2020 on European crowdfunding service providers for business. In addition, the KNF activated a website dedicated to the fintech industry (www.fintech.gov.pl) to communicate with the sector and provide information on news and trends in the development, as well as the positions and communications, of the KNF that are particularly relevant for innovative entities. The KNF has also published further responses to questions from financial institutions regarding the use of cloud computing to address the concerns of supervised entities.

A number of pieces of legislation are currently under development, an example of which is the draft act on amending certain laws in connection with ensuring the development of the financial market and the protection of investors in this market. The purpose of the planned regulations is, inter alia, to facilitate outsourcing of activities by banks and to extend and strengthen the supervisory powers of the KNF.

Barriers and Challenges

One of the biggest barriers to growth for the fintech market in Poland is the legal uncertainty in relation to that sector. Although countermeasures are being taken by the Polish regulator, it is believed that these should be further intensified. A further challenge is the need for electronification of selected aspects of conducting business by financial market entities. In order to enable broader development of the fintech sector, it is necessary to eliminate handwritten signatures on selected documents and replace them with electronic signatures. The excessive duration of license proceedings conducted by the KNF should also be pointed out.

Due to the expected adoption of a Regulation of the European Parliament and of the Council on digital operational resilience in the financial sector ("DORA"), the next significant challenge, due to the wide scope of the act and the numerous obligations it introduces, will be the adjustment of the entities present on the Polish market to its regulations. It is also necessary to adopt an act enabling the application of Regulation (EU) 2020/1503 on crowdfunding.

In Poland, fintech business activities are conducted mainly on the payment market. Some payment-related services (see Article 3 of Payment Services Directive 2 or PSD2) may be provided solely on the basis of general freedom of entrepreneurship. However, providing payment and e-money services typically requires proper authorisation from the KNF. Payment market participants may choose from several types of authorisations depending on the type of services they intend to provide.

Small Payment Institutions

Currently, the most common way to start a business pertaining to traditional payment services is to obtain the status of a "small payment institution". This status allows a business to provide a wide range of such services, it can be obtained relatively quickly, and it ensures a clear path for becoming a fully regulated payment institution without the risk of constraining a flourishing business in the process. The small payment institution was introduced in June 2018 when the Polish legislator decided to broaden the use of the exemption specified in Article 32 of PSD2. Before then, most payment service providers (PSPs) in Poland would start by obtaining authorisation as a payment institution.

Small payment institutions are not allowed to provide account information services (AIS), payment imitation services (PIS) or e-money services. Under the legislative proposal of 11 January 2021 for an amendment to the Act on Payment Services, entities applying to the KNF, to be registered as small payment institutions, will be subject to the requirement to submit information regarding the anti-money laundering (AML) compliance procedures and information concerning any other activity (in the case of conducting activity as hybrid small payment institutions).

AIS Providers and Payment Institutions

All major legacy players on the payment market conduct business as a payment institution. Businesses seeking to provide AIS typically register as an AISP (an institution provided for under Article 33 of PSD2) or as a fully regulated payment institution. A payment institution is additionally entitled to provide PIS and e-money services (although only on a small scale with respect to the latter). In order to provide unlimited e-money services, it is necessary to acquire the status of an electronic money institution. Polish payment services law also provides for a separate, simple form of registration for small money remittance providers.

Payment Regulations

Payment and e-money services in Poland are regulated primarily by the Act on Payment Services and its implementing regulations. This act transposes both PSD2 and the EU’s second E-Money Directive (EMD2) into the national legal system. Commission Delegated Regulation (EU) 2018/389 also applies fully in Poland regarding the strong customer authentication (SCA) measures and the communication framework between account servicing payment service providers (ASPSPs) and third-party providers (TPPs). 

General Financial Regulations

Furthermore, Polish payment and e-money service providers are subject to general financial regulations, such as the Act on Counteracting Money Laundering and Terrorist Financing, the GDPR, the Act on the Protection of Personal Data, and the Act on the Handling of Complaints by Financial Market Organisations and the Financial Ombudsman. Where credit transactions are offered to consumers in relation to the payment services provided, the requirements set out in the Act on Consumer Credit have to be fulfilled.

.

Per-transaction and Periodic Fees

PSPs are allowed to charge users primarily as agreed in their mutual contract. Depending on the type of payment services, the most common models are per-transaction fees (either a fixed amount per transaction or a percentage of the transaction’s amount) and periodic fees (eg, a fixed monthly fee, irrespective of frequency of service usage).

Payment Service Providers

Restrictions on charging consumers

PSPs are, however, subject to some restrictions on charging users that are consumers, for example:

• the obligation to provide users that are consumers with information on all payable charges and a breakdown of the amounts of such charges (if applicable); and
• the prohibition to charge such users for fulfilment of disclosure obligations or performing corrective and preventative measures required under Polish payment services law, as well as for users' termination of the framework contract (there are some detailed exceptions to these general prohibitions).

These restrictions may not apply in whole or in part to payment service users (PSUs) that are not consumers, if so agreed with their PSPs. Such agreements between professional business parties are common practice in Poland.

The EU Payment Account Directive (PAD) is also implemented in the Polish legal system. Thus, account servicing PSPs are subject to additional disclosure obligations towards consumers (eg, providing them with a fee information document before entering into a contract for a payment account and periodic statements of fees while the contract is in force). 

Restrictions on Charging Merchants

PSPs that are acquirers must comply with specific restrictions on charging merchants (eg, maximum limits on interchange fees) as Regulation (EU) 2015/751 on interchange fees for card-based payment transactions ("IF Reg") is fully applicable in Poland.

Payment Industry Participants Other than PSPs

Restrictions on charging customers

Payment industry participants other than PSPs (eg, merchants) are also subject to some restrictions on charging their customers. These restrictions relate mainly to charges for using certain payment methods. As a general rule, business professionals may not charge fees beyond the cost of enabling consumers to use a given payment method. Charging a fee for the use of payment instruments (surcharging) for which interchange fees are regulated under the IF Reg is, however, not possible in any case. The surcharge ban is not applicable to other payment methods, as the Polish legislator decided not to introduce any local regulations under Article 62(5) of PSD2.

Fintech industry participants are not subject to separate regulation in Poland. They have to comply with the same regulations as all other financial service providers, including legacy players. However, there are some legal frameworks designed specifically for fintech players (especially for fintech start-ups), the small payment institution being a prime example (with time, legacy players tend to evolve into fully regulated payment institutions or credit institutions). Another example is the possibility to apply for an individual ruling from the KNF pertaining to the legal framework for providing innovative products or services on the Polish financial market.

The Innovation Hub Programme

The KNF is in the process of developing a regulatory sandbox in Poland. The process was initiated in 2018. To date, the KNF has successfully introduced the Innovation Hub Programme for supporting the development of financial innovation (fintech) as part of the regulatory sandbox. The programme is intended first and foremost for start-ups in the financial market, with innovative products or services based on modern information technology. Established entities supervised by the KNF which plan to implement such innovative products or services may also participate in the programme. 

Participation in the programme

Fintech entities wishing to participate in the programme have to complete a dedicated contact form and submit it via the KNF’s webpage. The contact form is then assessed by the KNF based on the eligibility criteria for participation in the programme, which primarily include the innovative nature of the solution and a preliminary analysis of the legal and regulatory environment and the real need for support (lack of legal certainty as to whether the solution is compatible with the existing legal framework). The main benefits of participating in the programme include assistance from the KNF in:

• identifying the optimal regulatory framework for the planned innovative solution;
• testing the chosen regulatory framework via the Virtual Sandbox; and
• obtaining appropriate authorisation for the purpose of legally conducting business (if necessary).

The Special Task Force for Financial Innovation in Poland

Another project within the regulatory sandbox initiative was the creation of the Special Task Force for Financial Innovation in Poland (fintech). The task force brought together representatives of the KNF, the Polish legislator, and various institutions supervised by the KNF, in order to identify the legal barriers preventing further development of the fintech sector in Poland and to propose solutions aimed at eliminating them. A list of those barriers was published in a special report and the proposed solutions are currently being implemented.

Further Projects

Further projects under the KNF’s regulatory sandbox were expected but were suspended in 2020. The regulatory sandbox is being developed using EU funds from the 2017–2020 Structural Reform Support Programme with the support of the European Bank for Reconstruction and Development.

The main regulator in the fintech sector in Poland is the KNF. Supervision of payment schemes and payment organisations (three and four-party payment card and non-payment card schemes), and settlement system operators, is exercised by the NBP. Acquirers are subject to joint oversight by the NBP and the KNF. In the area of AML regulation, oversight is also conducted by the General Inspector for Financial Information.

Outsourcing operational activities may not lead to the cessation of the actual provision of payment services or involve the transfer of the right to represent the PSP. In the case of a bank and a co-operative savings and credit union, an internal audit may not be outsourced.

Where operators of key services or critical infrastructure operators (eg, designated banks) use cloud computing services, the KNF recommends that data processing centres located in Poland be used first.

Currently, work is pending on the amendment to the act on the national cybersecurity system (including, among others, the addition of the KNF to the national cybersecurity system), in which Poland participates.

Obligations of PSPs

PSPs are subject to the obligations set down in the Polish Act on Payment Services, in the Banking Law and in the Act on Co-operative Savings and Credit Unions. The KNF guidelines on cloud computing had to be implemented by 1 November 2020. In each case, a written outsourcing contract is required. Furthermore, work is currently underway to amend certain acts in respect of ensuring the development of the financial market and the protection of investors in this market, in which Poland participates on the side of the chambers of commerce. The aim is to adjust Polish regulations on outsourcing to the EBA guidelines. Unfortunately, no major exemptions apply in the case of outsourcing to a regulated financial entity, ie, another payment institution or bank. However, the aforementioned amendment is planning to liberalise the regulations in this respect. In order to facilitate the application and understanding of the KNF Cloud Communication and to remove any potential ambiguity in this regard, the KNF published a Q&A on 17 December 2020, which was subsequently updated sequentially on 25 March 2021 and 18 October 2021.

Regulated Fintech Providers

Regulatory liability for uncovering and reporting suspicious or unlawful behaviour lies first and foremost with market participants that are subject to the Polish AML Act (obliged institutions). Most regulated fintech providers fall under these regulations and are therefore deemed as “gatekeepers” in Poland. On top of that, payment service providers must report operational or security incidents and fraud to the KNF (and the customers involved, in some cases) in line with Article 96 of PSD2.

Non-regulated Fintech Providers

On the other hand, there are no regulations forcing non-regulated fintech providers to actively look for suspicious or unlawful behaviour while providing services or to report such behaviour to the relevant supervisory authorities. However, due to the nature of fintech services, financial institutions often expect non-regulated fintech providers to perform anti-fraud checks and report any irregularities back to them. The scope and severity of such assistance are primarily left to the discretion of the parties, which derives from contractual freedom. At the same time, there are certain regulations which directly require financial institutions to stipulate subcontractors’ assistance in contractual terms (eg, the GDPR).       

In 2021 the KNF did not impose sanctions on market participants that were directly related to the fintech area. 

The main penalties imposed by the KNF on entities providing financial services in Poland were:

• breach of information obligations towards supervisory authorities;
• violation of duties of an investment fund depositary (penalties imposed on banks);
• improper supervision of entities entrusted with the management of an investment portfolio (penalties imposed on investment fund companies); and
• delays in the consideration and payment of compensation (penalties imposed on insurance companies).

In one case, the KNF limited the scope of the brokerage house authorisation due to the infringements identified.

In a few cases where an entity was judged by the KNF to have provided services without appropriate authorisation, the KNF notified the applicable prosecutor’s office of a suspected criminal offence. When such notification is submitted by the KNF, the entity concerned is placed on the list of entities that have had public warnings published on the KNF website. 

The use of social media and similar tools within the fintech sector is subject to general regulations on advertising, personal data protection, and telecommunications law, as well as to regulations on providing electronic services. In response to the growing popularity of the use of social media by supervised entities and the legal and reputational risks associated with this phenomenon, the KNF has published a draft of its position in this regard. The purpose of the publication is to provide uniform rules for the use of social media by financial institutions. The document applies to all supervised entities and contains a number of recommendations concerning their and their employees' conduct on social media. It includes risk assessment, establishing internal procedures regarding supervision of the published content, archiving of the activity, cybersecurity, and issues of co-operation with influencers. The authority indicates in its draft position that the supervised entity should develop and implement a policy on the use of social media, specifying the minimum scope of issues that should be regulated. The policy of the entity should determine, for instance, the catalogue of social media used and the accounts that can be used in a given medium for communication, the people authorised to use the social media accounts of the supervised entity and their roles, the groups of people authorised to create social media accounts, the rules for creating accounts and possible restrictions on the scope of information that can be published. The draft position of the KNF will be subject to further market consultations, after which the final content on its position will be published.

Independent Auditors

Most entities that conduct regulated or large-scale operations are required to have their financial statements audited by an independent auditor. Depending on the particular nature of the activity of a given fintech entity, it may also be subject to specific external audits, eg, acquirers who process card payments are subject to audits with respect to compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Trade Organisations

Additionally, several trade organisations operate in the financial market, representing the interests of their members by participating in the legislative process, issuing joint positions or opinions, etc. Trade organisations in the fintech sector include the Foundation for the Development of Cashless Payments and the Polish Chamber of Information Technology and Telecommunications.

Entities that conduct regulated activities in Poland may – as a rule – also offer unregulated services or products. In some cases (eg, banks), there are restrictions on the types of unregulated activities that an entity may undertake. In other cases (eg, payment institutions), no such restrictions are in place. Entities operating in the fintech sector, in particular payment institutions, relatively often engage in such hybrid activities.

In exceptional cases, if an institution’s activities violate or could possibly compromise its financial stability or limit the ability of the KNF to exercise supervision over the institution, the KNF may order the legal and organisational separation of unregulated activities.

See 2.8 Gatekeeper Liability.

EBA Definition

Robo-advisers are a relatively new type of service on the financial market and have many applications. The EBA Glossary for Financial Innovation defines robo-advisers as: “Applications that combine digital interfaces and algorithms, and can also include machine learning, in order to provide services ranging from automated financial recommendations to contract brokering to portfolio management to their clients. Such advisers may be standalone firms and platforms, or can be in-house applications of incumbent financial institutions.”

Legal Qualification of Robo-Advisers in Poland

The regulations of Polish law which govern the provision of investment advisory do not distinguish between "traditional" advisory and that based on technical solutions. For this reason, the provision of services using technology in that process does not change the legal qualification of robo-advisers.

The use of robo-advisory may therefore be considered as investment advisory, and consequently, as brokerage activity referred to in Article 69 of the Act on Trading in Financial Instruments (TFI). The KNF has said that robo-advisory may consist of preparing recommendations based on the client’s situation and needs in terms of sale, subscription, exchange, purchase or redemption of certain financial instruments, or refraining from entering into transactions in those instruments.

The KNF issued its Position on Robo-Advisory Services on 4 November 2020. This comprehensively addresses the most important issues related to robotic advisory, which should be considered by supervised entities in their operations. The document covers the whole process, starting from the design phase of such a service, to its practical implementation and monitoring of already functioning solutions. The KNF emphasises that a robo-advisory service can be outsourced, which means that it may be performed as part of cloud computing.

The introduction of robo-advisers in Poland is a slow process, and thus the number of such services is still low. Robo-advisers are found mainly on trading platforms, such as the EXERIA platform. The process of implementation of the working advisers also applies to legacy players. PZU, one of the largest insurance companies in Poland, has launched the inPZU platform, where investment strategies can be constructed with the assistance of a "helper".

Robo-advisory services are also offered by Aion Bank, which debuted in Poland in August 2021. The introduction of the "Aion Global Investments" service to the bank's offering was made possible by the earlier acquisition of ETFmatic. It enables passive investment in exchange-traded funds (ETFs). Investment decisions are made by robo-advisers based on a completed questionnaire that determines the level of risk acceptable to the user.

As indicated in 3.1 Requirement for Different Business Models, the regulations which govern the provision of investment advisory do not distinguish between "traditional" advisory and that based on technical solutions. For this reason, the services provided by robo-advisers should be executed in accordance with the Markets in Financial Instruments Directive 2 (MiFID II) and the Act on TFI. This means that orders must be discharged on the terms most favourable to clients.

The key difference in the business or regulation of loans is related to whether loans are provided to consumers or to business entities.

Loans to Consumers

Lending to consumers is a strictly regulated business activity. It is regulated primarily by the Consumer Credit Act of 12 May 2011 (CCA), which sets out rules for such areas of the lending business as advertising, pre-contractual information and contract content, maximum costs, the right of early repayment, and the right of withdrawal. Moreover, lending to consumers requires proper prior authorisation from the KNF, as such activity may only be performed by lending institutions (the simplest form), credit unions, credit institutions or banks. Consumer loan intermediaries are also subject to authorisation by the KNF. Currently, there is a strong legislative initiative in Poland to counter usury in non-banking lending business. This initiative aims to amend the CCA and, among other things, tighten KNF’s supervision of lending institutions.

Providing mortgage loans to consumers is separately regulated by the Mortgage Loans Act of 23 March 2017 (MLA). The act sets out the rules for such activity in similar areas to the CCA. Lending institutions are not allowed to provide mortgage loans to consumers.

Loans to Businesses

On the other hand, professionals that provide loans to other business entities are not subject to detailed regulations in Poland. This area is regulated primarily by the general principle of freedom of establishment and by the rules laid down in the Polish Civil Code. Under new legislation from January 2021, there are some differences depending on whether a client is a sole proprietor that enters into an agreement in a relationship not relating to their profession, or a different form of enterprise, as some consumer laws are now applicable to the former (eg, regulations concerning unfair terms in consumer contracts).

Furthermore, the provision of credit is also regulated by the Banking Act of 29 August 1997 and the Act of 29 September 1997 on Mortgage Bonds and Mortgage Banks. Credit related to payment services offered by payment institutions and e-money institutions is also subject to the Act on Payment Services. These acts establish additional, subsidiary requirements which are, however, generally very similar when it comes to providing such loans to consumers and to business entities.

Crowdfunding and Crowdlending

The main regulation regarding crowdfunding and crowdlending in Poland is the Regulation (EU) 2020/1503 on European crowdfunding service providers for business which has applied in Poland since 10 November 2021. The Regulation constitutes legal requirements regarding providing services as a European crowdfunding service provider, including matching investors and project owners within the functionalities of online platforms. The Regulation distinguishes between two general forms of crowdfunding: crowdinvesting (facilitation of acquisition of a share of ownership interests in the entity-project owner) and crowdlending (the facilitation of granting loans).

However, there is still no specific Polish legal act covering the aforementioned Regulation, as the transposition of the Regulation into Polish law is at the preliminary stages.

Client Creditworthiness

Most regulations on lending (providing credit) require lenders to assess the creditworthiness of their clients (eg, the CCA, the MLA, the Banking Act). Those regulations are, however, general in nature and do not dictate specific, obligatory measures to be used in the process. They also do not specify criteria that lenders ought to apply to decide whether a prospective borrower is creditworthy. Rules for assessing creditworthiness by banks, credit institutions and credit unions are detailed in soft law instruments. In particular, the KNF has issued an array of recommendations applicable to such assessments (eg, Recommendation T concerning best practices in the management of the risk of retail credit exposures). In general, the legal frameworks are very similar, whether the process is performed online or face to face. 

In business practice, however, distinct measures are used to assess creditworthiness online and face to face. Lenders employ various solutions ranging from external databases (eg, the Credit Information Bureau, business information bureaus) and information and documents received from clients, to automated profiling and decision-making, including behavioural models and AI tools. The choice depends mainly on the type of loan and client.

Polish AML Law

Additionally, all lenders are subject to the Polish AML law, and typical AML obligations are applicable in underwriting processes. These obligations include identification and verification of the customer (borrower) and their beneficial owner, conducting a risk-based assessment of the business relationship and monitoring it on an ongoing basis, including analysing transactions. Performing AML obligations in the online environment differs vastly from doing so face to face, as under AML regulations such circumstances qualify as a factor potentially increasing the risk. In order to mitigate that risk, lenders mainly apply technological solutions such as electronic signatures, trusted profiles (eg, the e-government website ePUAP), document scans, verification of payments or video-conference tools.

Lenders raise funds for providing loans from various sources, such as taking deposits, own funds, securitisations and peer to peer. The range of sources allowed depends mainly on the nature of the lender. 

For example, only banks, credit institutions and credit unions are entitled to provide loans from received deposits. There are several safeguarding regulations pertaining to the amount in deposits that can be involved. Safeguarding measures are also established for the possible involvement of own funds to provide loans.

Crowdfunding and Crowdlending

On the other hand, raising funds for loans via peer-to-peer (crowdfunding and crowdlending) platforms is now regulated under Regulation (EU) 2020/1503 on European crowdfunding service providers for business that is applicable across the EU from 10 November 2021. In Poland, however, work is still underway on the national law which will enable the adaption of the Polish legal order to the provisions of the Regulation (EU) 2020/1503.

There are no specific regulations pertaining to syndication of loans in Poland.

Payment Systems

Payment processors operating in Poland can use the existing payment systems such as SORBNET2 and TARGET2 for large-value payments; and Elixir, Euro Elixir, BlueCash or the BLIK Payment System for retail payments. New payment systems may be created, but the permission of the NBP must be obtained beforehand.

The Polish Act on Payment Services

Apart from the payment systems listed above, which essentially define the rules for clearing and settlement of payment transactions between banks and credit institutions, the functioning of payment schemes is also regulated by the Polish Act on Payment Services. A payment scheme (including a payment card system) is a set of rules for conducting payment transactions, issuing payment instruments, accepting payment instruments and processing payment transactions, carried out using payment instruments. Some of the solutions based on virtual wallets or mobile applications may fall within the scope of payment scheme regulation.

Further Payment Scheme Regulation

Each payment scheme is subject to the supervision of the president of the NBP, and operating four-party schemes also requires the president's authorisation. The applicable payment scheme regulation is specific to the Polish market and has no source in PSD2.

As a rule, the provisions of the Act on Payment Services governing the execution of payment transactions by payment service providers operating in Poland, apply to both domestic and cross-border transactions carried out in the EEA. In the case of payment transactions where one of the payment service providers is located outside the EEA, those provisions have limited application (generally, they apply to those parts of a transaction that are carried out within the EEA). 

In addition to the above regulation, there is Regulation (EC) No 924/2009 regarding certain fees for cross-border payments in the EU and currency conversion fees. This regulation sets out, for instance, the rules for charging fees for making cross-border payments within the European Union. According to this regulation, Polish payment service providers processing cross-border payments of up to EUR50,000 must levy the same charges for their execution as for corresponding national payments of the same value and in the same currency.

"Fund administrators" are not defined under Polish law. Polish law provides definitions of "investment funds" or "investment firms", and these forms of activity are regulated and require the appropriate licence issued by the KNF.

Outsourcing and Insourcing

If an investment fund company intends to outsource certain activities, such as keeping a register of funds, accounting activities or management of an investment portfolio to a third party, the provisions on outsourcing apply. In relation to investment funds, such provisions are set out in the Act of 27 May 2004 on Investment Funds and Management of Alternative Investment Funds.

Depositary Agreement

Each investment fund company is also required to conclude an agreement with a depositary, which is usually the bank where the fund’s assets are stored. The activities of fund depositaries are regulated by law and include keeping a record of the fund's assets and ensuring that the value of fund assets is calculated in accordance with the regulations and the fund’s statute.

General Requirements Related to Outsourcing of Specific Activities by Investment Fund Companies

Requirements for contracts concluded between investment fund companies and third parties to which specific tasks are outsourced, are specified primarily in provisions on regulated outsourcing and provisions on requirements for entrusting the processing of personal data to a third party. If a third party performs, on behalf of the fund, certain activities related to the execution of obligations in the field of counteracting money laundering and terrorist financing, the provisions on outsourcing of AML activities specified in the Act on Counteracting Money Laundering and Terrorist Financing, will apply. 

Statutory Requirements for Outsourcing

The Act on Investment Funds and Management of Alternative Investment Funds imposes on supervised entities a number of obligations related to the outsourcing of specific activities to third parties. The third party (insourcer) should have appropriate knowledge and experience in performing the entrusted tasks. Outsourcing activities to a third party may not adversely affect the ability of the KNF to exercise supervision. The option of terminating the contract cannot be excluded if it is in the interest of the investment fund participants. These and other statutory requirements for outsourcing have a direct impact on the terms and conditions of outsourcing agreements concluded by investment fund companies. Relevant provisions in relation to investment firms are included in the Act on TFI.

Outsourcing of Cloud-Computing Services

In the event that a third party’s services involve the processing of data in the cloud, specific guidelines on the use of cloud-computing services by supervised entities will apply (ie, the KNF’s 2020 Cloud Communication).

The regulations in force in Poland which govern trading in financial instruments derive primarily from the MiFID II regulation. The principles, procedures and conditions for trading in financial instruments, the rights and obligations of the entities involved in trading in financial instruments, as well as the exercise of supervision in this field are regulated by the Act on TFI.

The catalogue of financial instruments includes securities, investment fund shares, money market instruments, options, futures, forward contracts, swaps, other derivatives, and emission allowances. 

There are three basic platforms for secondary trading in financial instruments referred to in the Act of 29 July 2005: 

• trading on a regulated market; 
• trading in the alternative trading system (MTF); and 
• trading within organised trading facilities (OTF). 

Regulated market operators require the prior permission of the KNF to trade. Only certain categories of supervised entities (including brokerage houses) may run an MTF or OTF upon first meeting the conditions set out in the act. As a rule, a multilateral trading system (the activity of matching offers to buy and sell financial instruments) can only be operated by organising a regulated market or running an MTF or OTF. Trading in treasury securities and instruments that have treasury security as an underlying asset is an exception.

As a rule, individual classes of financial instruments operate in the same regulatory regime. An example of a regulation that deals with trading in financial instruments regardless of their type is the Market Abuse Regulation (EU Regulation No 596/2014). This regulation defines, for instance, the requirements to prevent capital market manipulation, including the related duties of market participants. 

At the level of specific regulations on trading in financial instruments, there are some differences with respect to individual categories of instruments. For example, only bonds, structured finance products, emission allowances, derivatives, or specific energy products can be traded on the OTF market. A company operating a regulated market may also organise separate markets according to the type of securities or other financial instruments, as well as according to the type of issuer.

AML Obligations

Under the Act on AML , entities which provide the following services are obliged institutions: 

• exchange between virtual currencies and legal tender; 
• exchange between virtual currencies; 
• brokering this type of exchange; and 
• maintaining virtual currency accounts. 

Such entities are therefore obliged to apply the financial security measures set out in the Act, which include identification of the client, its beneficial owner, verification of its identity, transaction analysis and reporting suspicious transactions. 

Payment Services

In some cases, running a cryptocurrency exchange platform can coincide with maintaining a payment account in which the user’s funds (fiat currency) are kept. This type of activity requires an appropriate licence (payment institution or small payment institution licence). Some cryptocurrency trading platforms operating on the Polish market have either already obtained the required licence or have applied for it.

MiCA Regulation

Cryptocurrency exchange services are likely to fall within the scope of the proposed Regulation on Markets in Crypto Assets (MiCA), which is now going through legislative procedure in the Council and the EP. When this regulation comes into force, the provision of crypto-asset services, such as the operation of a trading platform for crypto-assets (including cryptocurrencies), will be highly regulated and will require authorisation from the regulatory authority.

Pursuant to the Act on TFI , access to financial instrument trading systems should be granted according to transparent and non-discriminatory rules based on objective criteria and subject to publication. The rules of the regulated market and any changes thereto require the approval of the KNF. Compared to regulated trading, trading on the MTF or OTF market is less stringently regulated, but with the obligation to observe the same general standards.

The rules for handling orders for the purchase or sale of financial instruments by investment firms are laid down in the Act on TFI and originate from MiFID II. As a general rule, an investment firm is required to implement appropriate solutions and procedures to guarantee immediate, fair and proper execution of clients’ orders in relation to other clients’ orders and to the firm’s own orders, ensuring that orders are executed in order of receipt.

The activity of peer-to-peer trading platforms in Poland is currently not very widespread, but there has been an increase in the number of such projects. First of all, platforms that enable cryptocurrency trading are becoming more popular (see 7.3 Impact of the Emergence of Cryptocurrency Exchanges). Trading in financial instruments generally takes place in a regulated environment.

Under the Act on TFI , investment firms are required to take all reasonable steps to ensure the best possible conditions for the execution of orders placed by their clients. To this end, the following parameters should, in particular, be taken into account: 

• the price of the financial instrument; 
• costs associated with the execution of the order; 
• the time of the transaction; 
• the probability of the transaction and its settlement; and 
• the size of the order and its nature. 

These requirements do not apply if the customer specifies in detail the conditions under which the order is to be carried out. On the Polish market, the practical significance of the best execution principle seems to be limited. This is due to the fact that most shares are listed on only one stock exchange. In addition, only a few brokerage houses in Poland execute orders on foreign markets, where shares of some of the companies listed on the Polish stock exchange are listed simultaneously.

The Act on TFI prohibits investment firms which place orders in order execution systems from accepting monetary or non-monetary benefits that would unduly influence their obligations related to the management of conflicts of interest, and to the acceptance of benefits in cash or in kind. Generally speaking, the rules of payment for order flow ought to be assessed in the context of the inducements rule.

Basic principles of market integrity and market abuse have their source in Regulation (EU) No 596/2014 of the EP and of the Council of 16 April 2014 on market abuse (the "MAR"), which aims to increase market integrity and investor protection. This regulation prohibits insider dealing, unlawful disclosure of inside information and market manipulation, and contains provisions to prevent and detect these. 

The creation and use of high-frequency and algorithmic trading is regulated under the Act on TFI and originates from MiFID II. An investment firm that engages in algorithmic trading must have effective systems in place, as well as risk controls suitable to the business it operates, to ensure that its trading systems are resilient and have sufficient capacity. An algorithmic trading system must be subject to appropriate trading thresholds and limits, and prevent the sending of erroneous orders or the system otherwise functioning in a way that may create or contribute to a disorderly market. An investment firm also has to have in place an effective risk control system and business continuity arrangements to deal with any failure of its trading systems. It is required that its systems are fully tested and properly monitored. An investment firm must also document the acts related to the use of algorithmic trading in its operations in a manner that demonstrates that the conditions set out in the applicable law are met. There are no specific distinctions or different regulatory regimes between asset classes.

An investment firm is obliged to inform the KNF of the use of algorithmic trading in its activity and when it ceases to use algorithmic trading. 

An investment firm that engages in algorithmic trading to pursue a market-making strategy must ensure compliance with the following and other requirements under MiFID II:

• this market-making strategy must be performed continuously during a specified proportion of the trading venue’s trading hours, except under exceptional circumstances, with the result of providing liquidity on a regular and predictable basis to the trading venue;
• a binding written agreement must be concluded with the trading venue, specifying as a minimum the obligations of the investment firm in accordance with the point above; and
• effective systems and controls must be in place to ensure that the investment firm fulfils its obligations under the agreement referred to above.

With regard to high-frequency and algorithmic trading, there is no regulatory distinction between funds and dealers in Poland.

The regulatory technical standards specifying the organisational requirements of investment firms engaged in algorithmic trading are set out in Commission Delegated Regulation (EU) 2017/589. According to this regulation, an investment firm must employ sufficient staff with the necessary skills and technical knowledge to manage:

• the relevant trading systems and algorithms;
• the monitoring and testing of such systems and algorithms;
• the trading strategies that the investment firm deploys through its algorithmic trading systems and algorithms; and
• the investment firm's legal obligations. 

An investment firm remains fully responsible for its obligations under the regulation when it outsources or procures software or hardware used in algorithmic trading activities. However, the regulations do not apply directly to programmers who actually develop and create trading algorithms or other electronic trading tools.

Platforms which provide investment analyses, financial analyses and other general recommendations regarding transactions in financial instruments are not subject to any registration, as a rule, unless they also provide other investment services, as set out in Article 69(2) of the Act on TFI. 

However, websites comparing fees charged by payment service providers may register with the KNF upon fulfilling requirements in line with the PAD. This is entirely voluntary. For now, most of these comparison websites have skipped registration, and only one has decided to register.

Requirements on counteracting unlawful behaviour in the financial markets (such as insider dealing, unlawful disclosure of inside information and market manipulation) are set out in the MAR. Disseminating false or misleading information may qualify as a manipulative activity.

According to current knowledge, there are no financial research platforms in Poland that allow users to post any information on the platform that qualifies as "financial research". The only persons authorised to share any kind of financial content are the employees of the platforms.

The GDPR Ban on Automated Decisions

Players in the underwriting industry use advanced personal data processing operations, including profiling. Generally, both profiling and automated decision-making through profiling in the underwriting industry may involve clients, potential clients, or – in some cases – former clients. The GDPR introduced a general ban on automated decisions, due to the danger posed to the rights and freedoms of a natural person, but specified an exhaustive list of cases in which such decisions are allowed.

The Polish Act on Insurance and Reinsurance Activity

The Polish Act on Insurance and Reinsurance Activity (PAIRA) does however allow, in accordance with Article 22(2)(b) of the GDPR, automated decision-making, including profiling, in specific cases.

Such processing of personal data, on the one hand, is permitted for purposes related to:

• assessment of insurance risk – with respect to the personal data of insured persons; and
• insurance activities referred to in the Act – with respect to the personal data of insured persons, policyholders and persons entitled under insurance contracts. 

On the other hand, there are doubts whether the PAIRA has identified a closed catalogue of data that may form the basis for decisions made solely as a result of automated processing.

Case-by-Case Assessment

Accordingly, whether an insurance company is allowed to use automated decision-making must be assessed case by case, taking into consideration the criteria stipulated in Article 22(2)(a) of the GDPR (the requirement that the decision be necessary for the conclusion or performance of a contract between the data subject and the administrator) or in Article 22(2)(c) of the GDPR (explicit consent of the data subject). 

Processing of Personal Data Using Cloud Computing

Some processes related to the processing of personal data, including automated decision-making, may also take place using cloud computing. In this case, not only the provisions of the GDPR regarding entrusting the processing of personal data will apply, but also the Cloud Communication from the KNF.

Assisted by external advisers, the Polish Chamber of Insurance (PCI), together with insurance companies, has developed the standard for the implementation of information processing in cloud computing for the insurance industry. This document analyses the requirements of the communication from the KNF, and thus presents the requirements of the KNF to supervised entities in the insurance sector that use public or hybrid cloud-computing information processing services.

In the context of using external service providers (including cloud-computing providers), it is also worth paying attention to the ongoing work on the draft act amending certain acts in connection with ensuring the development of the financial market and protection of investors on this market (UD235). It is proposed, among other things, to extend the definition of outsourcing to ensure consistency with EU regulations (eg, Solvency II).

Two types of insurance which receive significantly different legal treatment are life and property insurance. Companies which provide life insurance services are treated as "obligated institutions" within the meaning of the Act on AML. They are consequently subject to a wider range of obligations relating to the verification of clients (eg, for the purpose of screening through international sanction lists).

The implementation of AML Directive 5 (AMLD5) in Poland was carried out by the Act amending the Act on counteracting money laundering and terrorist financing and certain other acts (JL 2021.815). As part of the amendment to the national law on counteracting money laundering and terrorist financing, a number of changes were also introduced to supplement the incomplete implementation of AMLD4 in 2018.

Different types of insurance are also treated differently depending on the object and scope of the insurance, including with respect to the scope of personal data collected for the purposes of concluding or implementing the insurance contract. For example, under PAIRA, life insurance companies are permitted to lawfully process personal data concerning health, which is a special category of personal data within the meaning of Article 9(1) of the GDPR, on the basis of Article 9(2)(g) of the GDPR.

Regtech as Supporting Technical Services

There is no separate legislation on regtech providers in Poland. Regtech services are mainly used by financial institutions to assist with compliance with applicable regulations, primarily safeguarding measures, risk management, internal control, supervisory reporting and AML obligations. Thus, regtech services are generally treated as supporting technical services rather than as independent financial services. 

Legal Compliance

Providing supporting technical services to financial institutions often constitutes regulated outsourcing and requires compliance with a specific legal framework. That framework applies primarily to the civil relationship with the financial institution rather than the KNF. In general, regulated outsourcers do not need to seek their own authorisation and are subject only to indirect supervision from the KNF. However, there are differences in the legal framework of regulated outsourcing, depending on the nature of the financial market. In addition to this, some supporting technical services may be provided only by outsourcers that are regulated entities themselves. For example, some activities pertaining to AML obligations may be outsourced only to other institutions subject to the Act on AML ("obligated institutions" in Poland).

Regtech as Independent Financial Services

In cases where regtech services constitute independent financial services (eg, for the verification of payments for AML purposes), the provider of such services is required to comply with all relevant regulations, which typically include seeking the appropriate authorisation.

Regtech Services as Regulated Outsourcing

Regtech services often constitute regulated outsourcing on the Polish financial market. Contractual terms to assure proper performance and accuracy on the part of regtech providers are therefore primarily dictated by the applicable regulations and soft law. Specific requirements differ depending on the nature of the financial institution which outsources its activities (eg, whether it is a bank or payment institution). There are also separate, extensive requirements for providing outsourced activities via a cloud. The KNF has adopted its own guidelines for outsourced cloud-based activities (irrespective of the EBA guidelines on outsourcing arrangements). 

On a general level, safeguarding measures pertaining to regulated outsourcers usually include: 

• high qualifications and expertise in the outsourced activities; 
• implementation of a proper business continuity plan; and 
• the right to monitor the outsourcer’s activities (which may include the right to perform on-site audits) or additional grounds for terminating an outsourcing contract if it is not performed, or if it is improperly performed. 

In practice, financial institutions often seek to reflect applicable regulations and soft law very closely in outsourcing contracts.

Regtech Services as Non-regulated Outsourcing

In cases where regtech services do not constitute regulated outsourcing, contracts between financial institutions and regtech providers can be shaped more freely. In practice, such contracts still tend to contain provisions to assure performance and accuracy on the part of the provider, though these are far less strict than those found in regulated outsourcing contracts.

Legacy Players

Legacy players across all financial markets in Poland are becoming increasingly interested in blockchain and related technology. The first initiatives are already underway. In 2018, the Polish Bank Association (an autonomous organisation of banks) put forward three alternative proposals for developing a new technology for the whole banking sector, which would be compliant with the durable medium requirements defined in PSD2. Two of the proposals were based on blockchain technology. In 2020, the first blockchain-based documentary letter of credit was opened by a Polish bank.

Wider Uses of Blockchain

Furthermore, there are initiatives to harness blockchain technology to enhance the performance of AML measures. On the one hand, those initiatives focus on employing blockchain (in particular, on account of its high resistance to counterfeiting) in transaction-tracking technologies in order to tackle so-called "layering operations" more effectively. On the other hand, the potential for using blockchain as part of customer due diligence measures has also been recognised. In particular, distributed database solutions are being explored to accelerate the customer verification process. 

Blockchain is also the base technology for many virtual currencies exchanged via online trading platforms in Poland, as well as the foundation of the first Polish e-money issued via a non-bank entity. Solutions based on blockchain technology are also developed in Poland by one of the AIS providers.

Working Groups Proposals

There are no regulations in Poland regarding blockchain, but a working group on distributed ledgers and blockchain is now attached to the Ministry of Development, Labour and Technology. Among the proposals put forward by this group is the possible statutory restriction of certain rights granted to data subjects under the GDPR in the case of personal data processing using blockchain technology. Such a limitation is possible only as long as it does not violate fundamental rights and freedoms, and as long as it is a necessary and proportionate measure in a democratic society serving the purposes specified in Article 23(1)(a)–(j) of the GDPR. Similar postulations were formulated by the working group on development of financial innovations (fintech) operating under the auspices of the KNF as part of the report published in April 2021.

Applications and Advantages of Blockchain

Owing to its wide range of applications in both the private (including the financial sector) and public sectors, as well as numerous advantages (including resistance to IT system failures, resistance to cyber-attacks, transparency, low cost, high efficiency, etc), the use of blockchain technology can reasonably be assumed to be substantially in the public interest, ie, in the economic or financial interest of Poland as an EU member state. It seems that Poland may also have an important economic interest in enabling the legal development of innovative and secure digital services – in particular, by creating an appropriate legal framework.

Off-Chain Storage as a Solution

One reasonable solution could be storing personal data off-chain. The blockchain may contain links (hash-pointers) to verify that such data is accurate. If all personal data was processed off-chain, difficulties in using distributed databases in accordance with the GDPR would be avoided. 

All solutions that effectively prevent access from a blockchain to personal data by people who do not know the appropriate password will be sufficient from the point of view of the GDPR. If the personal data processed off-chain is in a centralised database, it is easy to identify the controller responsible for compliance with all the obligations imposed by the GDPR. A change to personal data may cause a mismatch between the link stored in the blockchain and the data processed off-chain. Storing personal data off-chain and leaving only links to this data in the blockchain-based registry, eg, in the form of hash-pointers, should be considered compliant with the GDPR once the pseudonymisation requirements are satisfied. Such solutions will probably be attractive mainly for private networks or permissioned networks, though not for public (permissionless) networks, because they involve limiting the decentralisation of the blockchain-based registry and introducing a kind of trusted third party that maintains personal data stored off the register (off-chain).

Blockchain as a "Durable Medium"

In a decision issued on 30 May 2018, the president of UOKiK (the Office of Competition and Consumer Protection) favoured the use of blockchain technology in the context of a "durable medium" from the point of view of the recipients of banking services, ie, consumers, in connection with a bank's need to provide specific electronic banking functionality (primarily in terms of the consistency, including durability, of the information provided). The position of the consumer protection authority does not take into account the possible consequences related to the legal and technological risks of a bank implementing and using blockchain technology.

It is still unclear how to classify blockchain assets in terms of their legal status. However, cryptocurrency is not legal tender in Poland. 

There is currently no Polish regulation that expressly classifies blockchain assets or cryptocurrencies. Depending on the specifics, blockchain assets might be qualified as a financial instrument under MiFID II, which has been implemented into Polish law. According to the EBA’s report, blockchain assets might also be qualified as electronic money under the Electronic Money Directive 2 (EMD 2) on the taking up, pursuit and prudential supervision of the business of electronic money institutions, subject to certain conditions.

The KNF seems to have a similar point of view – according to the KNF’s position on the issuance and trading of crypto-assets, the tokens may be divided into three types: exchange tokens, utility tokens and investment tokens (however, such division is not complete as it was stipulated by the KNF). In the light of the KNF’s position, payment tokens may sometimes meet the conditions justifying their qualifications as electronic money, while investment tokens may, under certain conditions, be considered as financial instruments.

If the issued blockchain assets are qualified as financial instruments under MiFID II and the Act on TFI, the regulation applicable to the issuance of these instruments would apply. 

If the issued blockchain assets are qualified as electronic money under the EMD and the Act on Payment Services, the regulation applicable to the issuance of electronic money would apply. 

The issuance of blockchain assets itself is not regulated under Polish law. However, during the work on the amendment to the Act on Counteracting Money Laundering and Terrorist Financing it was considered whether the registration obligation should apply to issuers of virtual currencies.

In accordance with the Act on Counteracting Money Laundering and Terrorist Financing, virtual currency account providers, virtual currency exchange intermediaries and exchange platform providers have the status of "obliged entities". Such entities are therefore required to apply the financial security measures set out in the Act, which include identification of the client and the beneficial owner, transaction analysis, and reporting of suspicious transactions. Furthermore, from 31 October 2021, virtual currency account providers, virtual currency exchange intermediaries and exchange platform providers providing their services in Poland were required to register their business activity (although no licence is needed) under the Act on Counteracting Money Laundering and Terrorist Financing. Besides these regulations, blockchain asset trading platforms or secondary market trading of blockchain assets remain unregulated under Polish law.

The activity of investment funds in Poland is strictly regulated under the Act on Investment Funds and the Management of Alternative Investment Funds. With regard to these regulations, there are no provisions that would apply strictly to investments in blockchain assets.

Virtual currencies, in contrast to other blockchain assets, are covered by Polish law. Under the Act on Counteracting Money Laundering and Terrorist Financing, the virtual currency is understood as a digital representation of a value which is not:

• a legal tender issued by the NBP, foreign central banks or other public administration authorities;
• an international clearing unit established by an international organisation and accepted by individual countries belonging to or co-operating with such organisation;
• electronic money within the meaning of the Polish Payment Services Act;
• a financial instrument within the meaning of the Polish TFI Act; or
• a bill of exchange, a promissory note or a cheque,

and is convertible in business dealings for legal tender and accepted as a means of exchange, and may also be electronically stored or transferred, or the object of electronic trade.

Virtual currencies started to be covered by Polish law as a result of Poland’s independent legislation initiative taken before the completion of AMLD5. During the implementation of AMLD5 into the Polish legal order, the legislator, however, did not change the legal definition of "virtual currency". Nevertheless, after transposition of the directive, virtual currency account providers, virtual currency exchange intermediaries and exchange platform providers are required to be entered in the relevant register.

The term "DeFi" (decentralised finance) is not defined in the provisions of generally applicable law. However, this concept can be found in soft law acts. In this context, the KNF issued an important position on 10 December 2020 concerning the issuance and trading of crypto-assets. In that document, DeFi is defined as an ecosystem of applications for the provision of financial services, based on distributed ledger technology (DLT).

DeFi platforms may provide various types of financial services, such as lending and trading in crypto-assets. The detailed scope of the legislation that will be relevant to the development and use of DeFi platforms will depend on the types of financial products offered on them. Nevertheless, the regulations concerning customer protection, dispute resolution, data protection and anti-money laundering/combating the financing of terrorism (AML/CFT) may apply. 

Also important are recent legislative initiatives at EU level that have been taken as part of the Digital Finance Package. A proposal for a regulation on MiCA and for a regulation on a pilot regime for market infrastructures based on DLT may have a significant impact on the functioning of DeFi platforms in the future.

There are no specific regulations in Poland regarding the issuance or trading of NFTs or the operation of NFT platforms. So far, the Polish legislator – with the exception of the provisions on virtual currencies (see 12.7 Virtual Currencies) – has decided not to introduce regulations relating to what are broadly understood as crypto-assets, including NFTs. This approach probably results from the ongoing work on the MiCA regulation at the EU level and the desire to avoid introducing national legislation that could be incompatible with MiCA.

In Poland, PSD2 was implemented on 20 June 2018, and the transitional period expired on 20 December 2018. On 14 September 2019, when the SCA and CSC regulatory technical standards took effect, the PolishAPI standard came into force (https://polishapi.org). On 12 December 2019, version 3.0 of the PolishAPI standard was published. The new version supports split payments and an automatic registration service for TPP client applications on the side of ASPSPs. At the beginning of 2020, some TPPs were already operating both as payment institutions and banks, providing PIS and AIS, while several proceedings for authorisation before the KNF are pending.

According to the data from the register kept by the KNF, by the beginning of 2022, 11 entities were authorised to provide AIS only. This register also shows that 11 payment institutions are entitled to provide both AIS and PIS, and four such entities are authorised to provide PIS.

The PolishAPI standard allows the use of the ASPSP authentication mechanism, which redirects to the ASPSP website during the performance of AIS, PIS and Confirmation of Availability of Funds (CAF) services, which means that the payment services user (PSU) authentication and authorisation data are provided only on the ASPSP website. PSU authentication is carried out in the ASPSP interface. The PolishAPI standard allows the use of an authentication mechanism in an external authorisation tool when providing AIS and PIS (decoupled). A communication sequence that leads to the establishment of a session with the XS2A (which is a tool for accessing payment account information) interface is also permitted, taking into account PSU authentication, using the redirection method and using the "refresh token".

In most cases, AIS is approved based on additional consent given by the PSU, on the grounds of which, account information will be provided to the account information service provider's (AISP’s) partner. The information obtained in this way is then used by the AISP’s partner to offer relevant products and services to the PSU. 

The KNF takes the view that the information provided by the AISP should always be made available to the PSU, but it is also permissible for the PSU to grant authorisation for the AISP’s partner to obtain such information.

Unfortunately, one of the main Polish banks does not provide name information under open banking.