Given Poland’s EU membership, the legal framework applicable to financial institutions (including banks) is largely influenced by EU legislation – in particular, Directive 2013/36/EU (the “Capital Requirements Directive”, or CRD) and Regulation (EU) 575/2013 (the “Capital Requirements Regulation”, or CRR). The latter is directly applicable to banks in Poland.

The primary source of regulations governing the banking sector in Poland is the Act of 29 August 1997 (the “Banking Law”, or BL). In particular, the BL sets out licensing conditions, principles applicable to conducting banking activity, the terms of providing key banking products (deposits, loans, bank guarantees, etc), bank-specific principles for bankruptcy proceedings, and principles of exercising banking supervision.

Other important legal acts governing the banking sector include:

• the Act of 19 August 2011 on payment services, which sets the regulatory framework of payment services and implements Directive (EU) 2015/2366 (the “Payment Services Directive”, or PSD2);
• the Act of 15 September 2000 (the “Commercial Companies Code”), which sets out the general framework for joint stock companies (ie, the form in which banks are usually established);
• the Act of 23 April 1964 (the “Civil Code”), which regulates the private law aspect of crucial banking agreements – eg, the bank account agreement and regular loan agreement (umowa pożyczki);
• the Act of 12 May 2011 on consumer credit, which sets the rules for providing consumer credit under Directive 2008/48/EEC (the “Consumer Credit Directive”);
• the Act of 23 March 2017 on mortgage credit and the supervision of mortgage brokers and agents, which sets the rules for providing consumer credit under Directive 2014/17/EU (the “Mortgage Credit Directive”);
• the Act of 29 July 2005 on trading financial instruments (ATFI), which regulates the rules of public trade in financial instruments and implements Directive 2014/06/EU (the revised “Markets in Financial Instruments Directive”, or MiFID II);
• the Act of 1 March 2018 on countering money laundering and terrorism financing, which regulates the obligations of banks as “obliged entities” and implements Directive (EU) 2015/849 (the “Anti-Money Laundering Directive IV”, or AMLD IV); and
• the Act of 10 June 2016 on the Bank Guarantee Fund, deposit protection scheme and mandatory restructuring, which implements Directive 2014/59/EU (the “Bank Recovery and Resolution Directive”, or BRRD).

Banks should also be aware of soft law instruments, positions, recommendations and guidelines issued by the relevant regulatory authorities. Although formally non-binding, these soft law sources usually provide a supervisor’s approach to, or interpretation of, binding legal acts.

Regulatory Authorities

The Polish Financial Supervision Authority (PFSA) (Komisja Nadzoru Finansowego) is the regulator responsible for the microprudential supervision of banks in Poland. Poland is not part of the eurozone and does not participate in the Banking Union or the Single Supervisory Mechanism. As such, the supervisory powers and duties lie with the national regulator.

The Financial Stability Committee (Komitet Stabilności Finansowej) is the primary regulator responsible for the macroprudential supervision of the banking sector. It issues recommendations and positions on macroprudential matters, and co-ordinates the work of its members regarding macroprudential oversight.

The Bank Guarantee Fund (Bankowy Fundusz Gwarancyjny) is the regulator responsible for running the mandatory deposit protection scheme. It is also the local bank resolution authority.

The General Inspector of Financial Information (Generalny Inspektor Informacji Finansowej) is the regulator responsible for supervision in the AML/CFT field.

Authorisation

There is only one type of banking licence available. However, the scope of a bank’s permitted activities is determined by the scope of the application for the authorisation to set up the given bank and the decision issued by the PFSA.

Commercial banks are usually formed as joint stock companies. In such cases, the number of founders (initial shareholders) cannot be fewer than three, unless the founder is another bank (from within Poland or from another country).

The only sub-type of bank in the form of a joint stock company is a mortgage bank operating under the Act of 29 August 1997 on mortgage bonds and mortgage banks. These specialised banks may only engage in selected activities, which essentially include activities related to the mortgage market.

Polish regulations also enable co-operative banks (banki spółdzielcze) and credit unions (Spółdzielcze Kasy Oszczędnościowo-Kredytowe) to be established. The latter may engage in similar activities to those of banks, but represent a different kind of financial institution.

Scope of Activities

Banks may only engage in activities listed directly under the BL, referred to as “banking activities” (czynności bankowe). They primarily include:

• accepting deposits of money payable on demand or on a specified date and maintaining accounts for such deposits;
• maintaining other bank accounts;
• granting loans, whether “bank loans” (kredyty bankowe) or cash loans (pożyczki);
• granting and confirming bank guarantees, and opening and confirming letters of credit;
• issuing bank securities;
• providing payment services and issuing electronic money;
• acquiring and disposing of monetary receivables;
• storing objects and securities, and providing safe deposit boxes;
• conducting the purchase and sale of foreign exchange values;
• granting and confirming guarantees (sureties);
• performing commissioned activities related to the issuance of securities; and
• performing other activities specified for banks in other laws.

The restrictive interpretation presented by the PFSA provides that if the regulations do not explicitly authorise a bank to carry out a certain business activity, such activity should not be pursued as the bank’s regular business.

Brokerage activities

Notwithstanding the foregoing, a bank may conduct brokerage activities after obtaining a permit from the PFSA (at the stage of the bank’s establishment or for a change in the articles of association during the bank’s existence). This creates an obligation to attach additional documents (inter alia, procedures, statements and regulations) to the PFSA. A bank’s brokerage activities may be conducted on the condition that these activities are organisationally separated from the bank’s other activities (“organisational separation”).

The ATFI also sets out detailed rules for when the performance of certain brokerage activities by a bank does not constitute brokerage activities and does not require authorisation from the PFSA.

With additional authorisation from the PFSA, a bank may operate securities accounts, derivatives accounts and omnibus accounts (“custody activities”).

MiCAR activities

Regulation (EU) 2023/1114 (the “Markets in Crypto-Assets Regulation”, or MiCAR) establishes simplified rules for credit institutions (banks) with regard to providing crypto-asset services and offering asset-referenced tokens to the public and seeking such tokens’ admission to trading.

Instead of obtaining a specific licence under MiCAR, credit institutions must execute certain notification obligations. By way of example, a credit institution may provide crypto-asset services if it successfully fulfils a notification obligation towards the competent authority of its home member state at least 40 working days before providing those services for the first time.

In Poland, a law is still being drafted to ensure the practical application of MiCAR. The relevant supervisory authority will be the PFSA.

Conditions of Authorisation

Under the BL, a bank can be established if:

• the bank is equipped with adequate own funds, the amount of which should correspond to the type of banking activities to be performed and the size of the intended activity;
• the bank is equipped with premises that have adequate technical equipment;
• the bank’s founders provide a guarantee of the bank’s prudent and stable management;
• the persons scheduled to take up positions on the bank’s supervisory board and management board meet the relevant legal requirements;
• the persons scheduled to take up the positions of chair of the management board and the management board member responsible for risk management have proven knowledge of the Polish language; and
• the (minimum of a) three-year plan presented by the founders indicates that these activities will be safe for the funds collected in the bank.

Process of Applying for Authorisation

The authorisation to operate as a bank is granted in two stages. Firstly, the authorisation to set up a bank has to be obtained, followed by an authorisation to start operations (an operating licence). After obtaining these two authorisations, an entity may start operating.

A model process of applying for authorisation includes the following steps:

• preparing and filing an application for the authorisation to set up a bank (approximately three to six months);
• the first phase of the proceedings before the PFSA (approximately nine to 12 months);
• registering the bank in the form of a joint stock company with the national court register (approximately three months);
• preparing and filing an application for the authorisation to start operations as a bank (approximately three months); and
• the second phase of the proceedings before the PFSA (approximately six to nine months).

The above-mentioned timelines constitute a rough approximation, given the amount and complexity of information to be provided to the PFSA. Other formalities include the usual filings and registrations for tax or employment purposes.

The administrative fee in the proceedings before the PFSA amounts to 0.1% of the contemplated share capital of the bank and does not include other costs (eg, legal, consulting or business advisory).

Obtaining an EU Passport (Branches, Cross-Border Services)

The opening of a branch of a credit institution in Poland starts with the submission of a notification to the competent authority of its home member state in accordance with Article 35 of the CRD.

Under the BL, a branch of a credit institution may commence its operations in Poland at the earliest two months after the date on which the following information has been received by the PFSA:

• the name and address of the branch in the territory of the Republic of Poland, where it will be possible to obtain documents concerning its activities;
• a programme of activity specifying, in particular, the activities the credit institution intends to carry out and a description of the branch’s organisational structure;
• the names of the persons intended to take up the positions of branch manager and deputy branch manager; and
• the amount of own funds of the credit institution and the solvency ratio.

Until that time, the PFSA may indicate the conditions that the branch of a credit institution must fulfil when carrying out business in Poland, in the interest of the general good (in particular, to protect consumer welfare, ensure the security of economic transactions or prevent infringements of the law).

Cross-border activity of a credit institution also involves the submission of a notification to the competent authority of its home member state in accordance with Article 39 of the CRD. In such cases, under the BL, a credit institution may commence cross-border activities in Poland upon receipt by the PFSA of a notification from the competent supervisory authorities of its home country, which specifies the types of activities that the institution intends to carry out.

General

The procedure for acquiring qualified holdings in Polish banks is subject to unified EU rules resulting from the CRD. However, compared to other jurisdictions, Polish proceedings are much more document-heavy, and the PFSA’s approach tends to be very formalistic.

Shareholding Thresholds

The BL provides that an entity or person that intends – directly or indirectly – to acquire or subscribe to shares or rights from the shares of a national bank in a number that ensures reaching or exceeding, respectively, 10%, 20%, one-third or 50% of the total number of votes at the shareholders’ general meeting or shares in the share capital is obliged to notify the PFSA of its intention.

The same obligation applies to the intention to acquire control of a bank in any way other than by the acquisition or subscription of shares.

Notification

An entity filing the notification to the PFSA is obligated to disclose its parent company, arrangements made by this parent company, and information about the parent company remaining in any arrangements that allow other entities to exercise rights from shares in a bank or exercising parent company rights over such a bank.

The notification to the PFSA includes:

• the identification of the applicant;
• the identification of the target bank;
• a description of the professional activities the applicant performs and a description of the obtained education;
• a description of the group to which the applicant belongs;
• a description of the applicant’s financial situation;
• information on criminal and fiscal crimes, conditionally discontinued proceedings and concluded disciplinary proceedings, as well as concluded administrative and civil proceedings if this may influence the assessment of the applicant;
• information on pending criminal and fiscal crime proceedings, as well as pending administrative, disciplinary and civil proceedings if they may influence the assessment of the applicant;
• a description of actions aimed at acquiring and subscribing for shares – in particular, information on the target share in the share capital or the target number of votes at the general meeting; and
• information on the applicant’s intention regarding the bank’s future business activity.

Detailed requirements for all this information and these documents are provided in secondary legislation. An important part of the filing is constituted by the commitments undertaken by the investor(s) vis-à-vis the PFSA concerning the target bank and its activities.

The PFSA may object to the intended acquisition or subscription for shares if:

• the applicant has failed to supplement the notification;
• the applicant has not provided the additional information required by the PFSA within the deadline; or
• it is justified by the need for the prudent and stable management of the bank due to the possible impact of the applicant on the bank or the possible impact of the applicant’s financial situation.

The PFSA’s objection (or decision declaring the absence of grounds for it) may be issued within 60 working days following receipt of the complete notification. However, in practice, such proceedings usually last for approximately four to six months, as the PFSA issues extensive requests related to the submitted documents.

No voting rights may be exercised from the shares acquired or subscribed for in violation of the relevant regulatory filing rules.

General Corporate Structure

The Commercial Companies Code is the primary source of law for joint stock companies, including banks (subject to differences resulting from the BL). The Commercial Companies Code provides for a two-tier board structure, and the governing bodies of a bank include the management board, the supervisory board and the shareholders’ general meeting.

Additional Requirements

The BL introduces additional, specific corporate governance requirements, generally in line with EU law requirements for credit institutions. The measures include an obligation to:

• introduce a management system consisting of, at least, a risk management system and an internal control system;
• separate a risk division from other divisions and appoint a dedicated board member responsible for risk management, who cannot also oversee an area that generates risk for the bank’s operations;
• separate the function of the dedicated board member responsible for risk management from the president of the management board, who may not also be entrusted with supervising an area that generates a material risk for the bank’s operations;
• separate a control function, compliance unit and independent internal audit unit (within the internal control system);
• establish, within the supervisory board, a nomination committee, a risk committee and a remuneration committee (this applies to significant banks – ie, listed banks or banks with more than a 2% share in the banking sector’s assets, deposits or own funds, as well as banks that the PFSA designates as significant);
• adopt a diversity policy in the management board – which should take into account the broad set of qualities and competencies required for board members and be adopted by a nomination committee or the supervisory board – and also notify the PFSA about their respective gender pay gaps every year; and
• preserve banking secrecy – the bank, all its employees and the persons through whom the bank performs banking activities are obliged to maintain banking secrecy, which includes all information concerning the banking activity obtained during the negotiation, conclusion and execution of the contract under which the bank performs this activity (the BL specifies when information subject to banking secrecy may be disclosed and impermissible disclosure involves criminal liability).

Soft Law and Industry Initiatives

The PFSA issued a dedicated recommendation concerning the principles of internal governance in banks: Recommendation Z (Rekomendacja Z). The document contains a set of general and specific rules governing many aspects of a bank’s governance, ranging from separating functions within the internal structure to managing conflicts of interest to risk or outsourcing management.

The European Banking Authority (EBA) Guidelines on internal governance (EBA/GL/2017/11) are applicable in Poland. The PFSA also issued a more general recommendation – the Corporate Governance Rules for Supervised Entities (Zasady Ładu Korporacyjnego dla Instytucji Nadzorowanych) – which applies to all supervised entities.

Banks listed on the Warsaw Stock Exchange (WSE) are also obligated to adhere to the Good Practices of Listed Companies issued by the WSE (the “WSE Good Practices”). The WSE Good Practices are based on a “comply or explain” principle.

General

Management board members (including the president of the management board) are appointed by the supervisory board. A bank’s management board and supervisory board members should have the knowledge, skills and experience appropriate for their respective functions and duties. They should also assure due performance of those duties. Notably, this refers to the person’s reputation, honesty, integrity and ability to run the bank’s business in a prudent and stable manner (the “fit and proper requirement”).

Accountability

Management and supervisory board members are subject to regular civil liability towards the bank itself and its shareholders. In addition, the PFSA may impose penalties for non-compliance with the issued guidance or other applicable obligations, of up to approximately PLN20 million (approximately EUR4 million).

PFSA Approval

Appointing the president of the management board and the management board member responsible for risk management requires the PFSA’s approval. The PFSA must be notified with the following information:

• the identification of the candidate;
• the candidate’s knowledge, skills and experience – in particular, education, professional experience and completed courses;
• information about the other entities in which the candidate serves as a statutory board member;
• the candidate’s criminal record;
• administrative sanctions, other proceedings that may adversely affect the financial position of such a person, and administrative, disciplinary or enforcement proceedings in which the appointed person has acted or acts as a party;
• Polish language proficiency; and
• any other information that may affect the assessment of meeting the fit and proper requirement.

The PFSA will not approve the appointment if:

• the fit and proper criteria are not fulfilled;
• the candidate has been penalised for an intentional crime or fiscal crime, excluding privately prosecuted crimes;
• the candidate does not inform the PFSA about charges in criminal proceedings or fiscal crime proceedings, except for charges related to privately prosecuted crimes within 30 days from the date of the charges; or
• the candidate does not prove their Polish language proficiency.

The Polish language requirement may be waived if the PFSA deems its fulfilment unnecessary for prudential supervision reasons – in particular, the level of acceptable risk or the scope of the bank’s intended activities.

In 2020, the PFSA issued a document called Methods for Assessment of Suitability of the Members of the Bodies of Entities Supervised by the Polish Financial Supervision Authority (Metodyka Oceny Odpowiedniości Członków Organów Podmiotów Nadzorowanych), which contains the very detailed methodology behind the PFSA’s approach to the fit and proper requirements. These are generally in line with the applicable EBA Guidelines on assessing the suitability of management body members and key function holders under Directive 2013/36/EU and Directive 2014/65/EU (EBA/GL/2017/12).

Remuneration Policy

Banks have to adopt remuneration policies for each category of persons whose professional activity has an impact on the bank’s risk profile. These persons primarily include:

• supervisory board and management board members;
• directors (usually heads of divisions); and
• other persons who have knowledge of the risks associated with the bank’s activities and who are responsible for making decisions impacting these risks.

The management board is responsible for preparing and implementing the remuneration policy, which is subject to the supervisory board’s approval.

Non-significant banks with lower values of owned assets may implement simplified policies, as may persons whose annual variable remuneration does not exceed the Polish zloty equivalent of EUR50,000 or one-third of the total annual remuneration of these persons. Other exceptions may apply where an appropriate justification is present.

The PFSA may limit the variable component of the remuneration of persons covered by the remuneration policy, as a percentage of net income, in cases where its amount impedes meeting the own-funds requirements. Additional requirements for remuneration policies may be found in the EBA Guidelines on sound remuneration policies (EBA/GL/2015/22), which apply in Poland.

AML-Related Obligations

Banks are “obliged entities” under the Act of 1 March 2018 on countering money laundering and terrorism financing. As such, they are subject to many obligations, including:

• applying customer due diligence (standard, simplified or enhanced, as applicable);
• adopting and complying with an internal AML procedure;
• maintaining records of information acquired during maintaining business relationships with clients;
• providing the General Inspector of Financial Information with information regarding accepting certain funds with an equivalent value of more than EUR15,000;
• suspending suspicious transactions and blocking accounts; and
• applying specific restrictive measures to sanctioned entities included in the relevant lists of sanctioned parties.

The General Inspector of Financial Information or the PFSA may require the bank to change the scope or to end the correspondent relationship with a respondent entity with its seat in a high-risk third country identified by the EC.

Customer Due Diligence Measures

Banks are primarily obligated to apply customer due diligence measures when:

• establishing a business relationship;
• carrying out occasional transactions;
• there is a suspicion of money laundering/terrorism financing; or
• there is doubt about the veracity or adequacy of previously obtained customer identification data.

Customer due diligence measures include:

• identifying and verifying the customer’s identity;
• identifying and taking reasonable measures to verify the beneficial owner;
• assessing and, as appropriate, obtaining information on the business relationship’s purpose and intended nature; and
• conducting ongoing monitoring of the business relationship.

Banks should also be aware of any positions and interpretations that the General Inspector of Financial Information may issue regarding AML/CFT duties.

General

Under the Act of 10 June 2016 on the Bank Guarantee Fund, deposit protection scheme and mandatory restructuring, the Polish mandatory depositor protection scheme is administered by the Bank Guarantee Fund (BGF) – a special legal person set up to govern the scheme. All banks that have their corporate seat in Poland are required to participate in the fund by contributing to it in proportions based on several factors (eg, the bank’s management profile, capital, liquidity and quality of assets).

Scope of Coverage

The funds covered by the BGF include:

• funds in any currency accumulated by the depositor in bank accounts where the depositor is a party to the bank account agreement;
• the depositor’s other receivables arising from selected banking activities;
• the receivables of the person who covered the funeral costs of a deceased bank account holder; and
• selected receivables of the depositor arising from bank securities.

The guarantee does not extend to:

• the depositor funds that, during the two years prior to the date of fulfilment of the guarantee condition, were not subject to turnover other than interest operations and the sum of which is less than the Polish zloty equivalent of EUR2.5; or
• electronic money as defined in the legislation implementing Directive 2009/110/EC (the “E-Money Directive”, or EMD2) and funds received in exchange for electronic money.

Entities Entitled to Guarantee

The following entities are entitled to guarantee:

• natural persons;
• legal persons;
• organisational units that are not legal persons but have legal capacity (eg, commercial partnerships);
• school savings funds;
• savings and loan associations; and
• parent councils.

Limitations

The following entities are not entitled to guarantee:

• the State Treasury;
• the National Bank of Poland;
• banks, foreign banks and credit institutions;
• credit unions and the National Credit Union (Krajowa Spółdzielcza Kasa Oszczędnościowo-Kredytowa);
• the BGF;
• certain financial institutions;
• persons and entities not identified by the entity participating in the fund;
• local government units; and
• public authorities of an EU member state other than the Republic of Poland and a third country – in particular, central and regional governments and local government units of these countries.

Under Directive 2014/49/EU (the “Deposit Guarantee Scheme Directive”), the funds are covered by the guarantee up to the Polish zloty equivalent of EUR100,000, according to the average exchange rate of the National Bank of Poland as of the date of fulfilment of the guarantee condition.

Exercising Rights Under the Guarantee

The guarantee is payable within seven business days of the date of fulfilment of the guarantee conditions, which – for banks – include the following:

• issuing the PFSA’s decision to suspend a bank’s activities; and
• filing the BGF’s motion for a bank’s bankruptcy with the competent court.

As of the date of the fulfilment of the guarantee condition, the BGF acquires a claim to the entity in relation to which the guarantee condition has been fulfilled, in the amount of the sum of guaranteed funds.

Initial Capital and Basel III Standards

The BL prescribes the minimum of the Polish zloty equivalent of EUR5 million as a bank’s initial capital. However, the PFSA requires the initial capital to correspond to the intended scale and scope of bank activities in which a bank wishes to engage: the broader the scope of the banking licence, the greater the expectations the PFSA may have for initial capital.

The EU adopted the CRR/CRD package to implement most of the Basel III standards. These acts are either directly applicable in Poland (CRR) or were implemented in the BL (CRD).

Capital Requirements

The core capital adequacy requirement imposes an obligation upon banks to maintain a total capital ratio (own funds – the sum of Tier I capital and Tier II capital) of at least 8% of risk-weighted assets. The Common Equity Tier 1 capital ratio should be at least 4.5%, whereas an overall Tier I capital ratio should not be lower than 6%.

The leverage ratio means the relative – to the bank’s own funds – size of the bank’s assets, off-balance sheets liabilities, and contingent liabilities. At no time should it be lower than 3%.

The BL further stipulates that banks are obligated to maintain higher capital adequacy rates if those the CRR prescribed are not sufficient to cover all identified, significant risks present in a bank’s operations and changes in the economic environment, taking into account the expected level of risk.

The PFSA is authorised to impose additional requirements for own funds and a bank’s liquidity.

Liquidity Requirements

Under the CRR, banks are required to have enough liquid assets to cover a minimum of 100% of net outflows for 30 days under stress conditions. Banks that do not comply with the requirement or expect not to comply are obligated to notify the PFSA of this fact and present a recovery plan aimed at restoring the appropriate liquidity level.

Buffers and Obligatory Reserve

Safety buffer

Banks should also maintain an additional safety buffer equal to the amount of the Common Equity Tier 1 capital of 2.5% of the total risk exposure.

Countercyclical buffer

The countercyclical buffer should amount to the Common Equity Tier I capital at the level of the total risk exposure calculated in accordance with the CRR, multiplied by the weighted average of the countercyclical buffer ratios.

Other buffers

Polish regulations also distinguish a buffer applicable to global systemically important institutions. Additional systemic risk buffers may also be introduced when appropriate.

The buffers do not account for the bank’s fulfilment of the own-funds requirement under the CRR, nor of any other additional capital adequacy requirements under the applicable legislation.

Obligatory reserve

Banks are also required to maintain reserves representing a portion of, inter alia, cash deposited in bank accounts held by these banks. The obligatory reserve of banks is the amount – expressed in Polish zlotys – of cash in zlotys and foreign currencies deposited in bank accounts, funds obtained from the issuance of debt securities, and other funds accepted by the bank subject to repayment. Some funds are excluded from the mandatory reserve calculation.

Insolvency

Banks may be subject to regular insolvency proceedings before the competent courts, with certain differences. Only the PFSA may file for a bank’s insolvency. However, if the BGF issues a resolution decision, the PFSA cannot file for insolvency.

The BRRD, which largely follows the Financial Stability Board’s Key Attributes of Effective Resolution Regimes for Financial Institutions, has been implemented in Poland.

As a non-eurozone country, Poland does not participate in the EU Single Resolution Mechanism. The competence to resolve a failing bank lies with the domestic BGF.

The resolution may be triggered, in particular, to maintain financial stability or protect depositors. These goals are achieved through:

• preparing resolution plans;
• the redemption or conversion of equity instruments; or
• resolving the bank.

Course of Resolution

Three criteria need to be met to start a resolution:

• a bank is at risk of failing;
• there are no reasonable indications that the actions of the bank, the institutional protection system or the supervisor will remove the bankruptcy threat in a timely manner; and
• the resolution is necessary for the public interest.

After starting the resolution, the BGF acquires the right to adopt resolutions and decisions on matters reserved by the articles of association of a bank’s bodies, and becomes an entity entitled to solely represent the bank under resolution as the management board and the bank’s other bodies are dissolved. The BGF may appoint a management board or an administrator for the bank under resolution.

Resolution tools include:

• the sale of the business;
• bridge institutions;
• asset separation; and
• bail-in.

The resolution proceedings may be supported by the actions of the institutional protection scheme (recently created in Poland) to guarantee the liquidity and solvency of the scheme’s participants. The institutional protection scheme is administered by a special purpose entity created by commercial banks.

Insolvency Deposit Preference

The BGF’s depositor protection scheme protects the clients’ deposits in the case of the ordinary insolvency of a bank. In the case of resolution, the depositors are protected, as the asset separation tool is usually utilised and the assets of the resolved bank are transferred – for example, to a bridge bank – free of most liabilities. In the case of the bridge bank’s insolvency, the regular deposit protection scheme should apply.

Voluntary Protection System

As of 2022, the BL provides the legal framework for voluntary protection systems. As a result, banks may engage in a contractual protection system governed by the purposefully established joint stock company. The voluntary protection system may, inter alia, assist the BGF in resolution processes. To date, one protection system has been established by the Polish banks (System Ochrony Banków Komercyjnych SA).

Regulatory Framework

The regulation of ESG issues is one of the EC’s primary goals. To the extent that they have the status of obligated entities under ESG regulations, banks must adapt their activities to the new requirements. The steps taken by Polish banks in the transition to a low-carbon, more sustainable and resource-efficient closed-loop economy are increasingly visible in the market. This is related to the gradual entry into force of individual acts and their implementation into the Polish legal order.

Obligations Under EU Legislation

CRR/CRD

Under Article 449a of the CRR, large institutions (as defined in the CRR) that issued securities admitted to trading on a regulated market of any EU member state are obligated to disclose information on ESG risks, including physical risks and transition risks. The method of disclosure of this information is governed by the Commission Implementing Regulation (EU) 2021/637 – in particular, Article 18a thereof.

In June 2021, the EC published draft amendments to the CRR and the CRD under the so-called Banking Package. One of the three main objectives of the reform is to develop banks’ obligations to identify, disclose and manage ESG risks under existing risk management mechanisms. The final texts of Regulation (EU) 2024/1623 (the “Capital Requirements Regulations III”, or CRR III) and Directive (EU) 2024/1619 (the “Capital Requirements Directive VI”, or CRD VI) were published on 19 June 2024.

CRR III has applied directly in all EU member states since 1 January 2025, with the exception of specific amendments (eg, updates of definitions), which have applied since 9 July 2024.

NFRD/CSRD

The current Directive 2014/95/EU (the “Non-Financial Reporting Directive”, or NFRD) imposes an obligation on certain entities (including banks) to report – as part of, for example, the management report – on their policies on human rights and environmental, social and labour issues, as well as on their policies on anti-corruption and anti-bribery issues.

On 5 January 2023, the Corporate Sustainability Reporting Directive (CSRD), which amends the NFRD, entered into force, aiming to increase investment in sustainable operations in EU member states. According to the CSRD, all obliged entities must present information on ESG matters in their management report. This information will be reported according to the common European Sustainability Reporting Standards.

The CSRD provides for a three-stage timetable for entities to apply the new obligations:

• information will be presented for the first time by the largest entities that already report so-called non-financial information under the Polish Accounting Act;
• a year later, the remaining large entities will submit their first reports; and
• small and medium-sized listed companies will report for the first time for the 2026 financial year.

SFDR and taxonomy

The aim of Regulation (EU) 2019/2088 (the “Sustainable Finance Disclosure Regulation”, or SFDR) is to provide transparency in specific areas of the activities of financial market participants and investment advisers with regard to ESG issues. To this end, the SFDR introduces a series of disclosure obligations aimed at prompting obligated entities to consider ESG factors in the investment and advisory process in a consistent manner. Only banks that provide portfolio management services are subject to obligations under the SFDR.

In September 2023, the EC started public and targeted consultations regarding the SFDR, which may result in a proposal to amend the regulation.

The obligations listed in the SFDR are closely linked to the obligations referred to in Regulation (EU) 2020/85 (the “Taxonomy Regulation”). The disclosure obligations established in the Taxonomy Regulation complement the sustainability-related disclosure provisions established in the SFDR.

National Regulations and Soft Law

Sanctions for non-compliance with specific provisions of the SFDR and the Taxonomy Regulation by financial market participants and financial advisers were introduced in the amendment to the Act on Financial Market Supervision in July 2022. The sanctions are both financial (amounting to as much as PLN21 million) and non-financial. The power to impose them is held by the PFSA.

In addition to strictly legislative actions, banks should also be aware of any ESG positions and guidelines issued by the European Central Bank, local and EU (EBA and European Securities and Markets Authority) supervisory authorities, as well as non-supervisory authorities (eg, the Task Force on Climate-Related Financial Disclosures). The PSFA has not yet issued general guidance on ESG matters, but such guidelines may be expected in the short- to-medium term. At present, the PFSA already includes ESG in the list of matters on which it seeks commitments from investors seeking clearance for the acquisition of a bank or other financial regulated institution.

Regulation (EU) 2022/2554 (the “Digital Operational Resilience Act”, or DORA), together with delegated regulations (Regulatory Technical Standards and Implementing Technical Standards), responds to the challenges of operational digital resilience of financial sector entities in the EU. It aims to ensure an adequate standard of cybersecurity at the entities covered by its scope – both in their operational activities and in their relationships with Information and Communications Technology (ICT) third-party service providers.

The key obligations introduced by DORA are outlined here.

Responsibilities for Management Bodies

DORA introduces a number of new obligations for the governing bodies of financial entities, including:

• bearing the ultimate responsibility for managing the financial entity’s ICT risk;
• putting in place policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity and confidentiality of data;
• setting clear roles and responsibilities for all ICT-related functions and establishing appropriate governance arrangements to ensure effective and timely communication, co-operation and co-ordination among those functions;
• bearing the overall responsibility for setting and approving the digital operational resilience strategy; and
• approving and periodically reviewing the financial entity’s ICT internal audit plans, ICT audits and the material modifications to them.

Recovery and Back-Up Obligations

DORA provides for numerous duties related to ensuring business continuity in financial entities. Primarily, financial entities must put in place a comprehensive ICT business continuity policy, which may be adopted as a dedicated specific policy forming an integral part of the overall business continuity policy of the financial entity.

ICT business continuity policy shall be implemented through dedicated, appropriate and documented arrangements, plans, procedures and mechanisms aiming to, inter alia:

• ensure the continuity of the financial entity’s critical or important functions;
• quickly, appropriately and effectively respond to and resolve all ICT-related incidents in a way that limits damage and prioritises the resumption of activities and recovery actions; and
• set out communication and crisis management actions that ensure updated information is transmitted to all relevant internal staff and external stakeholders.

Incident Management and Reporting

DORA introduces comprehensive rules on the identification, management and reporting of ICT incidents. With regard to credit institutions, payment institutions, account information service providers and electronic money institutions, these rules also concern operational or security payment-related incidents concerning credit institutions, as DORA unifies reporting obligations currently deriving from PSD2.

DORA and Commission Delegated Regulation (EU) 2024/1772 establish specific criteria for incidents (and cyberthreats) classification, to be used primarily for the purpose of reporting to the relevant authorities.

Management of ICT Third-Party Risk

DORA places a strong emphasis on third-party supplier risk management. It requires financial institutions to carry out rigorous assessments and audits of ICT third-party service providers, and to ensure that relevant contracts contain appropriate clauses.

Polish Legislation Related to DORA

In April 2024, the Polish government started work on an Act amending certain laws related to ensuring the operational digital resilience of the financial sector. The purpose of the new regulation is to implement the provisions set by DORA into the national legal order and to adapt existing regulations to the principles introduced by DORA. The Act was passed on 25 June 2025 and became applicable on 7 August 2025.

Among other things, the Act appoints the PFSA as the supervisory authority for ensuring the operational digital resilience of the financial sector, and obliges banks to have networks and information systems established and managed in accordance with DORA.

EU-Level Developments

Many regulatory developments affecting Polish banks are being initiated at the EU level. Important upcoming developments include the following.

• Payment Services Regulation/PSD3 package – the EC presented a proposal for a review of the existing legal framework for payment services in the EU in June 2023. Most material obligations under the PSD2 will be moved to a regulation to ensure uniform application across the EU. Work on the regulations is still ongoing at EU level.
• Financial Data Access Regulation (FiDA) proposal – FiDA is an “open finance” proposal to allow for an exchange of data on financial products beyond those already covered under the PSD2.
• Digital euro proposal – the EC presented a legislative proposal establishing a framework for the issuance of digital euros by the European Central Bank.
• AML/CFT package – on 19 June 2024, the EU published the final version of an AML/CFT regulatory package consisting of three legal acts. This comprehensive framework introduces significant changes for obliged entities across the EU. A key component is the establishment of the Anti-Money Laundering and Countering the Financing of Terrorism Authority (AMLA), which will focus on enhancing co-ordination and oversight of AML/CFT measures among member states ‒ for instance, developing Regulatory Technical Standards.
• EU AI Act – Regulation (EU) 2024/1689 adopted on 13 June 2024 sets a uniform framework for the use of AI-powered tools. The “high-risk AI systems” subject to an increased regulatory burden include the systems intended to be used to evaluate the creditworthiness of natural persons or to establish their credit score. The AI-related risks will be part of the risk management systems of EU banks.
• Revision of the Consumer Credit Directive 2008/48/EEC – Directive (EU) 2023/2225 of 18 October 2023 (CCD2) introduces many changes to the existing rules. The most important include extending coverage to currently excluded interest-free loans and introducing new information obligations.

Domestic Developments

Changes in bank taxes

At the end of August 2025, a draft Act amending the Corporate Income Tax Act and the Act on Tax on Certain Financial Institutions was published. The proposed amendments provide for a significant increase in the CIT rate for banks from 2026, with a simultaneous slight reduction in the rate of the so-called bank tax. These changes have not yet been voted on and have met with strong resistance from the banking sector.