Contributed By Traple Konarski Podrecki & Partners
Instruments to Help Providers and Customers Affected by COVID-19
In 2020, the Polish fintech market was dominated mainly by the after-effects of the outbreak of COVID-19. On one hand, online service providers flourished (eg, e-commerce acquirers). On the other hand, the Polish legislator and the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego or KNF) introduced various legal instruments to aid providers and their struggling customers. These instruments included:
New Guidelines and Laws
The KNF’s guidelines for outsourced cloud-based activities (which apply independently of the EBA guidelines on outsourcing arrangements) came into force only in November 2020, while the expansion of consumer laws to cover individuals running their own business took effect from 1 January 2021. From that date, full-scale strong customer authentication (SCA) also became a requirement for all electronic payment transactions (including e-commerce and card-based transactions).
Uncertainty over Brexit
Brexit was another milestone of 2020 which affected the Polish fintech market. The final stages of that process caused a lot of uncertainty, primarily among the legacy players that provide cross-border operations (eg, payment service providers specialising in UK-Polish transfers).
Important Future Legal Changes to the Fintech Market
Navigating the COVID-19 pandemic and post-Brexit landscape seems to be the most challenging area for Polish fintech providers in the near future. Important legal changes to the fintech market are also expected in 2021: for example, the process of implementing AMLD5 will be completed and Regulation (EU) 2020/1503 on European crowdfunding service providers for business will come into force.
With regard to the AMLD5 implementation process, the act implementing this directive, as at the date of preparation of this study, is at the final stage of the legislative process. The most important changes include:
In Poland, fintech business activities are conducted mainly on the payment market. Some payment-related services (see Article 3 of the EU Payment Services Directive 2 or PSD2) may be provided solely on the basis of general freedom of entrepreneurship. However, providing payment and e-money services typically requires proper authorisation from the KNF. Payment market participants may choose from several types of authorisation depending on the type of services they intend to provide.
Small Payment Institutions
Currently, the most common way to start a business pertaining to traditional payment services is to obtain the status of a "small payment institution". This status allows a business to provide a wide range of such services, it can be obtained relatively quickly, and it ensures a clear path for becoming a fully regulated payment institution without the risk of constraining a flourishing business in the process. The small payment institution was introduced in June 2018 when the Polish legislator decided to broaden the use of the exemption specified in Article 32 of PSD2. Before then, most payment service providers in Poland would start by obtaining authorisation as a payment institution.
Small payment institutions are not allowed to provide account information services (AIS), payment initiation services (PIS) or e-money services. Under the legislative proposal of 11 January 2021 for an amendment to the Act on Payment Services, entities applying to the Polish Financial Supervision Authority to be registered as small payment institutions will be required to submit information regarding their AML compliance procedures and information concerning any other activity (where they conduct activity as hybrid small payment institutions). The amendments described above are aligned with a certain shift in the approach taken by the Polish Financial Supervision Authority to small payment institutions, and with a policy of more extensive financial regulation of these entities, even during the registration proceedings.
AIS Providers and Payment Institutions
All major legacy players on the payment market conduct business as a payment institution. Businesses seeking to provide AIS typically register as an AIS provider (an institution provided for under Article 33 of PSD2) or as a fully regulated payment institution. A payment institution is additionally entitled to provide PIS and e-money services (although only on a small scale with respect to the latter). In order to provide unlimited e-money services, it is necessary to acquire the status of an electronic money institution. Polish payment services law also provides for a separate, simple form of registration for small money remittance providers.
Payment and e-money services in Poland are regulated primarily by the Act of 19 August 2011 on Payment Services and its implementing regulations. This act transposes both PSD2 and the EU’s second E-Money Directive (EMD2) into the national legal system. Commission Delegated Regulation (EU) 2018/389 also applies fully in Poland regarding the strong customer authentication (SCA) measures and the communication framework between account servicing payment service providers (ASPSPs) and third-party providers (TPPs).
General Financial Regulations
Furthermore, Polish payment and e-money service providers are subject to general financial regulations, such as the Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing, the GDPR, the Act of 10 May 2018 on the Protection of Personal Data, and the Act of 5 August 2015 on the Handling of Complaints by Financial Market Organisations and the Financial Ombudsman. Where credit transactions are offered to consumers in relation to the payment services provided, the requirements set out in the Act of 12 May 2011 on Consumer Credit have to be fulfilled.
Credit institutions providing payment services are also regulated by the Banking Act of 29 August 1997.
Per-transaction and Periodic Fees
Payment service providers are allowed to charge users primarily as agreed in their mutual contract. Depending on the type of payment services, the most common models are per-transaction fees (either fixed amount per transaction or percentage of the transaction’s amount) and periodic fees (eg, a fixed monthly fee, irrespective of frequency of service usage).
Payment Service Providers
Restrictions on charging consumers
Payment service providers are, however, subject to some restrictions on charging users that are consumers. These restrictions include:
These restrictions may not apply in whole or in part to payment service users that are not consumers if so agreed with their payment service providers. Such agreements between professional business parties are common practice in Poland.
The EU Payment Account Directive (PAD) is also implemented in the Polish legal system. Thus, account servicing payment service providers are subject to additional disclosure obligations towards consumers (eg, providing them with a fee information document before entering into a contract for a payment account and periodic statements of fees while the contract is in force).
Restrictions on charging merchants
Payment service providers that are acquirers must comply with specific restrictions on charging merchants (eg, maximum limits on interchange fees) as Regulation (EU) 2015/751 on interchange fees for card-based payment transactions ("IF Reg") is fully applicable in Poland.
Payment Industry Participants Other Than Payment Service Providers
Restrictions on charging customers
Payment industry participants other than payment service providers (eg, merchants) are also subject to some restrictions on charging their customers. These restrictions relate mainly to charges for using certain payment methods. As a general rule, business professionals may not charge fees beyond the cost of enabling consumers to use a given payment method. Charging a fee for the use of payment instruments (surcharging) for which interchange fees are regulated under the IF Reg is, however, not possible in any case. The surcharge ban is not applicable to other payment methods, as the Polish legislator decided not to introduce any local regulations under Article 62(5) of PSD2.
Fintech industry participants are not subject to separate regulation in Poland. They have to comply with the same regulations as all other financial service providers, including legacy players. However, there are some legal frameworks designed specifically for fintech players (especially for fintech start-ups), the small payment institution being a prime example (with time, legacy players tend to evolve into fully regulated payment institutions or credit institutions). Another example is the possibility to apply for an individual ruling from the KNF pertaining to the legal framework for providing innovative products or services on the Polish financial market.
The Innovation Hub Programme
The KNF is in the process of developing a regulatory sandbox in Poland. The process was initiated in 2018. To date, the KNF has successfully introduced the Innovation Hub Programme for supporting the development of financial innovation (fintech) as part of the regulatory sandbox. The programme is intended first and foremost for start-ups in the financial market, with innovative products or services based on modern information technology. Established entities supervised by the KNF which plan to implement such innovative products or services may also participate in the programme.
Participation in the programme
Fintech entities wishing to participate in the programme have to complete a dedicated contact form and submit it via the KNF’s webpage. The contact form is then assessed by the KNF based on the eligibility criteria for participation in the programme, which primarily include the innovative nature of the solution and a preliminary analysis of the legal and regulatory environment and the real need for support (lack of legal certainty as to whether the solution is compatible with the existing legal framework). The main benefits of participating in the programme include assistance from the KNF in:
The Special Task Force for Financial Innovation in Poland
Another project within the regulatory sandbox initiative was the creation of the Special Task Force for Financial Innovation in Poland (fintech). The task force brought together representatives of the KNF, the Polish legislator, and various institutions supervised by the KNF in order to identify the legal barriers preventing further development of the fintech sector in Poland and to propose solutions aimed at eliminating them. A list of those barriers was published in a special report and the proposed solutions are currently being implemented.
Further projects under the KNF’s regulatory sandbox were expected but were suspended in 2020. The regulatory sandbox is being developed using EU funds from the 2017–2020 Structural Reform Support Programme with the support of the European Bank for Reconstruction and Development.
The main regulator in the fintech sector in Poland is the KNF. Supervision of payment schemes and payment organisations (three- and four-party payment card and non-payment card schemes), and settlement system operators, is exercised by the National Bank of Poland (NBP). Acquirers are subject to joint oversight by the NBP and the KNF. Special fintech financial innovation departments were established, both at the NBP and at the KNF, in 2018/2019.
Outsourcing operational activities may not lead to the cessation of the actual provision of payment services or involve the transfer of the right to represent the payment service provider. In the case of a bank and a co-operative savings and credit union, an internal audit may not be outsourced.
Where operators of key services or critical infrastructure operators (eg, designated banks) use cloud computing services, the KNF recommends that data processing centres located in Poland be used first.
Obligations of Payment Service Providers
Payment service providers are subject to the obligations set down in the Polish Act on payment services, in the Banking Law or in the Act on Co-Operative Savings and Credit Unions. In addition, payment service providers are required to implement the EBA guidelines on outsourcing by no later than 31 December 2021. In its guidelines on outsourcing issued on 16 September 2019, the Polish supervisory authority declared compliance with the EBA Guidelines by 28 December 2020, with some exceptions (a national approach is used for the part related to cloud outsourcing). The KNF guidelines on cloud computing had to be implemented by 1 November 2020. In each case, a written outsourcing contract is required. Unfortunately, no major exemptions apply in the case of outsourcing to a regulated financial entity, ie, another payment institution or bank.
Regulated Fintech Providers
Regulatory liability for uncovering and reporting suspicious or unlawful behaviour lies first and foremost with market participants that are subject to the Polish AML Act (obliged institutions). Most regulated fintech providers fall under these regulations and are therefore deemed as “gatekeepers” in Poland. On top of that, payment service providers must report operational or security incidents and fraud to the KNF (and the customers involved in some cases) in line with Article 96 of PSD2.
Non-regulated Fintech Providers
On the other hand, there are no regulations forcing non-regulated fintech providers to actively look for suspicious or unlawful behaviour while providing services or to report such behaviour to the relevant supervisory authorities. However, due to the nature of fintech services, financial institutions often expect non-regulated fintech providers to perform anti-fraud checks and report any irregularities back to them. The scope and severity of such assistance are primarily left to the discretion of the parties, which derives from contractual freedom. At the same time, there are certain regulations which directly require financial institutions to stipulate subcontractors’ assistance in contractual terms (eg, the GDPR).
There is no apparent information as to whether any significant supervisory sanctions have recently been imposed on entities operating on the basis of a permit for the provision of payment services (eg, payment institutions, small payment institutions, account information service providers).
In a few cases where an entity was judged by the KNF to have provided payment services without appropriate authorisation, the KNF has notified the applicable prosecutor’s office of a suspected criminal offence. When such notification is submitted by the KNF, the entity concerned is placed on the list of entities that have had public warnings published on the KNF website.
In one case in 2020, the KNF changed a decision revoking authorisation for a payment institution as a result of an appeal by the entity concerned.
The use of social media and similar tools within the fintech sector is subject to general regulations on advertising, personal data protection, and telecommunications law, as well as to regulations on providing electronic services.
The Act on Payment Services
In addition, in accordance with the Act on Payment Services, information about the payment institution and the payment services it provides, including advertising information published by the payment institution or on behalf of the payment institution, must be presented in a fair and understandable manner.
According to the Act on Payment Services, a service provider (including banks) is required to give consumers prior notification of amendments to a contract on a durable medium. Recent activity of the president of the Office of Competition and Consumer Protection indicates that providing a consumer with this information only via an internet banking service is not considered to be provision on a durable medium. The issue of internal electronic banking systems as a durable medium was resolved in a judgment on 25 January 2017 by the Court of Justice of the European Union (CJEU). In its judgment, the CJEU stated that such systems may be considered a durable medium, provided that, for instance, the consumer is informed that there is a message from the bank waiting for the consumer on the electronic service. This message cannot be changed unilaterally by the bank. Moreover, it is imperative that the consumer has access to it and can retrieve it in good time.
Amendment to the Civil Code and the Act on Consumer Rights
As at 1 January 2021, an amendment to the Civil Code and the Act on Consumer Rights came into force in Poland, under which some natural persons who run a sole proprietorship have certain consumer rights in relation to other entrepreneurs (the possibility of exercising the right to withdraw from a distance or off-premises contract within 14 days, prohibition of including abusive clauses in contracts with such persons, and the right to the consumer rights warranty). These elements of consumer protection will be expanded to cover a natural person who concludes a contract with an entrepreneur in connection with the performed economic activity, if the contract indicates that the contract is not of a professional nature for that person. This is determined in particular according to the scope of activity registered by this person in the Central Register and Information on Economic Activity. These new regulations do not apply to contracts concluded before 1 January 2021.
The Act on the National Cybersecurity System (NIS Directive)
According to the Act on the National Cybersecurity System (NIS Directive implementation), a bank (credit institution) may be designated as an operator of essential services. This designation implies some new obligations for the entity concerned, eg, conducting systematic incident risk assessment and management of the risk, and implementation of documentation on cybersecurity of the information technology system used to provide the key service, as well as appropriate technical and organisational measures to prevent or reduce the effects of incidents. These new obligations may affect (restrict) a bank’s capacity to perform certain areas of business activity, especially use of IT services such as cloud computing.
Amendments to the NIS Directive
On 16 December 2020, the European Community published a proposal for amendments to the NIS Directive (so-called NIS 2). Under the proposal, NIS 2 will extend the range of entities to which the existing directive applies. The entities covered by NIS 2 will be subject to more stringent requirements in terms of management, handling and disclosure of security gaps, testing the level of cybersecurity, and effective use of encryption. The proposal also contains more precise provisions on incident reporting than those given in the NIS Directive. A completely new development is the responsibility of the company's management for compliance with risk management measures in cybersecurity. The subject is covered in Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018, establishing the European Electronic Communications Code. The member states, including Poland, were required to implement the Directive by 21 December 2020. Although this deadline has expired, the regulations implementing this Directive have not yet been passed in Poland.
The Telecommunications Law and the Proposed Law on Electronic Communications
Currently, according to relevant provisions of the Telecommunications Law, the president of the Office of Electronic Communications may impose a fine for failure to comply with the obligation to obtain the consent of the end user to place cookies on their end device. Under the current proposal for the law on electronic communications, the president of the Office of Electronic Communications will have the same powers in this regard, following the amendment.
Moreover, according to the proposal for the law on electronic communications, failure to obtain consent to add a fee for services to a telecommunications subscriber's bill on a durable medium (direct carrier billing) could lead to a penalty being imposed by the president of the Office of Electronic Communications. This subject is not regulated at the moment.
Most entities that conduct regulated or large-scale operations are required to have their financial statements audited by an independent auditor. Depending on the particular nature of the activity of a given fintech entity, it may also be subject to specific external audits, eg, acquirers who process card payments are subject to audits with respect to compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Additionally, several trade organisations operate in the financial market, representing the interests of their members by participating in the legislative process, issuing joint positions or opinions, etc. Trade organisations in the fintech sector include the Foundation for the Development of Cashless Payments (Fundacja Rozwoju Obrotu Bezgotówkowego or FROB) and the Polish Chamber of Information Technology and Telecommunications (Polska Izba Informatyki i Telekomunikacji or PIIT).
Entities that conduct regulated activities in Poland may – as a rule – also offer unregulated services or products. In some cases (eg, banks), there are restrictions on the types of unregulated activities that an entity may undertake. In other cases (eg, payment institutions), no such restrictions are in place. Entities operating in the fintech sector, in particular payment institutions, relatively often engage in such hybrid activities.
In exceptional cases, if an institution’s activities violate or could possibly compromise its financial stability or limit the ability of the KNF to exercise supervision over the institution, the KNF may order the legal and organisational separation of unregulated activities.
Robo-advisers are a relatively new type of service on the financial market and have many applications. The EBA Glossary for Financial Innovation defines robo-advisers as: “Applications that combine digital interfaces and algorithms, and can also include machine learning, in order to provide services ranging from automated financial recommendations to contract brokering to portfolio management to their clients. Such advisers may be standalone firms and platforms, or can be in-house applications of incumbent financial institutions.”
Legal Qualification of Robo-advisers in Poland
The regulations of Polish law which govern the provision of investment advisory do not distinguish between "traditional" advisory and that based on technical solutions. For this reason, the provision of services using technology in that process does not change the legal qualification of robo-advisers.
The use of robo-advisory may therefore be considered as investment advisory, and consequently, as brokerage activity referred to in Article 69 of the Act of 29 July 2005 on Trading in Financial Instruments. The KNF has said that robo-advisory may consist in preparing recommendations based on the client’s situation and needs in terms of sale, subscription, exchange, purchase or redemption of certain financial instruments, or refraining from entering into transactions in those instruments.
The KNF issued the Polish Financial Supervision Authority Position on Robo-Advisory Services on 4 November 2020. This comprehensively addresses the most important issues related to robotic advisory, which should be considered by supervised entities in their operations. The document covers the whole process, starting from the design phase of such a service, to its practical implementation and monitoring of already functioning solutions. The KNF emphasises that a robo-advisory service can be outsourced, which means that it is allowed to be performed as part of cloud computing.
Moreover, the European Securities and Markets Authority (ESMA) Guidelines on certain aspects of the Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments (MiFID II) suitability requirements provide important guidance for the implementation of such services.
The introduction of robo-advisers in Poland is a slow process, and thus the number of such services is still low. Robo-advisers are found mainly on trading platforms, such as the EXERIA platform. The implementation of working advisers is also under way among legacy players. PZU, one of the largest insurance companies in Poland, has launched the inPZU platform, where investment strategies can be constructed with the assistance of a "helper".
A similar robo-advisory service was launched by a company in the ING Bank Śląski capital group – NN Investment Partners TFI. The robo-adviser Investo provides a service in which it makes recommendations to the client on what funds to choose to maintain the investment risk at a level acceptable to the client. The service is available on the Moje ING online and mobile banking service.
Also, the biggest Polish bank – PKO Bank Polski or PKO BP – launched its own robo-advisory platform, Inwestomat, in November 2019. Anyone who has access to iPKO (PKO BP's internet banking service) can use the PKO Inwestomat platform. Both PKO BP and ING Bank Śląski require the completion of a survey which is used to create an investment profile of the client, on the basis of which, subsequent investment proposals are created.
As indicated in 3.1 Requirement for Different Business Models, the regulations which govern the provision of investment advisory do not distinguish between "traditional" advisory and that based on technical solutions. For this reason, the services provided by robo-advisers should be executed in accordance with MiFID II and the Act on Trading in Financial Instruments. This means that orders must be discharged on the terms most favourable to clients.
The key difference in the business or regulation of loans is related to whether loans are provided to consumers or to business entities.
Loans to Consumers
Lending to consumers is a strictly regulated business activity. It is regulated primarily by the Consumer Credit Act of 12 May 2011 (CCA), which sets out rules for such areas of the lending business as advertising, precontractual information and contract content, maximum costs, the right of early repayment, and the right of withdrawal. Moreover, lending to consumers requires proper prior authorisation from the KNF, as such activity may only be performed by lending institutions (the simplest form), credit unions, credit institutions or banks. Consumer loan intermediaries are also subject to authorisation by the KNF.
Providing mortgage loans to consumers is separately regulated by the Mortgage Loans Act of 23 March 2017 (MLA). The act sets out the rules for such activity in similar areas to the CCA. Lending institutions are not allowed to provide mortgage loans to consumers.
Loans to Businesses
On the other hand, professionals that provide loans to other business entities are not subject to detailed regulations in Poland. This area is regulated primarily by the general principle of freedom of establishment and by the rules laid down in the Polish Civil Code. Under new legislation from January 2021, there are some differences depending on whether a client is a sole proprietor who enters into an agreement in a relationship not relating to their profession, or a different enterprise, as some consumer laws are now applicable to the former (eg, regulations concerning unfair terms in consumer contracts).
Furthermore, the provision of credit is also regulated by the Banking Act of 29 August 1997 and the Act of 29 August 1997 on Mortgage Bonds and Mortgage Banks. Credit related to payment services offered by payment institutions and e-money institutions is also subject to the Act on Payment Services of 19 August 2011. These acts establish additional, subsidiary requirements which are, however, generally very similar when it comes to providing such loans to consumers and to business entities.
Crowdfunding and Crowdlending
Poland currently has no specific regulations on crowdfunding and crowdlending but this will change in the near future, as Regulation (EU) 2020/1503 on European crowdfunding service providers for business shall apply in Poland from 10 November 2021.
Most regulations on lending (providing credit) require lenders to assess the creditworthiness of their clients (eg, the CCA, the MLA, the Banking Act). Those regulations are, however, general in nature and do not dictate specific, obligatory measures to be used in the process. They also do not specify criteria that lenders ought to apply to decide whether a prospective borrower is creditworthy. Rules for assessing creditworthiness by banks, credit institutions and credit unions are detailed in soft law instruments. In particular, the KNF has issued an array of recommendations applicable to such assessments (eg, Recommendation T concerning best practices in the management of the risk of retail credit exposures). In general, the legal frameworks are very similar, whether the process is performed online or face to face.
In business practice, however, distinct measures are used to assess creditworthiness online and face to face. Lenders employ various solutions ranging from external databases (eg, the Credit Information Bureau, business information bureaus) and information and documents received from clients, to automated profiling and decision-making, including behavioural models and AI tools. The choice depends mainly on the type of loan and client.
Polish AML Law
Additionally, all lenders are subject to the Polish AML law, and typical AML obligations are applicable in underwriting processes. These obligations include identification and verification of the customer (borrower) and their beneficial owner, conducting a risk-based assessment of the business relationship and monitoring it on an ongoing basis, including analysing transactions. Performing AML obligations in the online environment differs vastly from doing so face to face, as under AML regulations such circumstances qualify as a factor potentially increasing the risk. In order to mitigate that risk, lenders mainly apply technological solutions such as electronic signatures, trusted profiles (eg, the e-government website ePUAP), document scans, verification of payments or video-conference tools.
Lenders raise funds for providing loans from various sources, such as taking deposits, own funds, securitisations and peer to peer. The range of sources allowed depends mainly on the nature of the lender.
For example, only banks, credit institutions and credit unions are entitled to provide loans from received deposits. There are several safeguarding regulations pertaining to the amount in deposits that can be involved. Safeguarding measures are also established for the possible involvement of own funds to provide loans.
Crowdfunding and Crowdlending
On the other hand, raising funds for loans via peer-to-peer (crowdfunding and crowdlending) platforms is not directly regulated in Poland at the moment. This will change in the near future, however, as Regulation (EU) 2020/1503 on European crowdfunding service providers for business shall apply in Poland from 10 November 2021. In the meantime, the KNF has explicitly recognised crowdfunding and crowdlending platforms as a lawful business activity. In general, such activity may be conducted solely on the basis of general freedom of establishment. In specific cases, it may, however, constitute regulated investment services.
So far there have been no market signals about syndication of online loans in Poland.
Payment processors operating in Poland can use the existing payment systems such as SORBNET2 and TARGET2 for large-value payments; and Elixir, Euro Elixir, BlueCash or the BLIK Payment System for retail payments. New payment systems may be created, but the permission of the president of the NBP must be obtained beforehand.
The Polish Act of 19 August 2011 on Payment Services
Apart from the payment systems listed above, which essentially define the rules for clearing and settlement of payment transactions between banks and credit institutions, the functioning of payment schemes is also regulated by the Polish Act of 19 August 2011 on Payment Services. A payment scheme (including a payment card system) is a set of rules for conducting payment transactions, issuing payment instruments, accepting payment instruments and processing payment transactions, carried out using payment instruments. Some of the solutions based on virtual wallets or mobile applications may fall within the scope of payment scheme regulation.
Further Payment Scheme Regulation
Each payment scheme is subject to the supervision of the president of the NBP, and operating four-party schemes also requires the president's permission. The applicable payment scheme regulation is specific to the Polish market and has no source in PSD2.
As a rule, the provisions of the Act of 19 August 2011 on Payment Services governing the execution of payment transactions by payment service providers operating in Poland, apply to both domestic and cross-border transactions carried out in the European Economic Area (EEA). In the case of payment transactions where one of the payment service providers is located outside the EEA, those provisions have limited application (generally, they apply to those parts of a transaction that are carried out within the EEA).
In addition to the above regulation, there is Regulation (EC) No 924/2009 regarding certain fees for cross-border payments in the EU and currency conversion fees. This regulation sets out, for instance, the rules for charging fees for making cross-border payments within the European Union. According to this regulation, Polish payment service providers processing cross-border payments of up to EUR50,000 must levy the same charges for their execution as for corresponding national payments of the same value and in the same currency.
"Fund administrators" are not defined under Polish law. Polish law provides definitions of "investment funds" or "investment firms", and these forms of activity are regulated and require the appropriate licence issued by the KNF.
Outsourcing and Insourcing
If an investment fund company intends to outsource certain activities, such as keeping a register of funds or accounting activities, to a third party, the provisions on outsourcing apply. In relation to investment funds, such provisions are set out in the Act of 27 May 2004 on Investment Funds and Management of Alternative Investment Funds. If an investment fund is administered by an insourcer, the fund administrator may be subject to control by the KNF.
Each investment fund company is also required to conclude an agreement with a depositary, which is usually the bank where the fund’s assets are stored. The activities of fund depositaries are regulated by law.
Outsourcing and AML
Requirements for contracts concluded between investment fund companies or investment firms and third parties to which specific tasks are outsourced, are specified primarily in provisions on regulated outsourcing and provisions on requirements for entrusting the processing of personal data to a third party. In the event that a third party performs, on behalf of the fund, certain activities related to the execution of obligations in the field of counteracting money laundering and terrorist financing, the provisions on outsourcing of AML activities specified in the Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing, will apply.
Statutory Requirements for Outsourcing
The Act of 27 May 2004 on Investment Funds and Management of Alternative Investment Funds imposes on supervised entities a number of obligations related to the outsourcing of specific activities to third parties. The third party (insourcer) should have appropriate knowledge and experience in performing the entrusted tasks. Outsourcing activities to a third party may not adversely affect the ability of the KNF to exercise supervision. The option of terminating the contract cannot be excluded if it is in the interest of the investment fund participants. These and other statutory requirements for outsourcing have a direct impact on the terms and conditions of outsourcing agreements concluded by investment fund companies. Relevant provisions in relation to investment firms are included in the Act on Trading in Financial Instruments.
Outsourcing of Cloud-Computing Services
In the event that a third party’s services involve the processing of data in the cloud, specific guidelines on the use of cloud-computing services by supervised entities will apply (ie, the KNF’s 2020 Communication on information processing by supervised entities using public or hybrid cloud computing services). In this respect, attention should also be paid to the Q&A in the above-mentioned communication, which was issued in December 2020 in response to concerns expressed by market stakeholders.
The regulations in force in Poland which govern trading in financial instruments derive primarily from the MiFID II regulation. The principles, procedure and conditions for trading in financial instruments, the rights and obligations of the entities involved in trading in financial instruments, as well as the exercise of supervision in this field are regulated by the Act of 29 July 2005 on Trading in Financial Instruments. The catalogue of financial instruments includes securities, investment fund shares, money market instruments, options, futures, forward contracts, swaps, other derivatives, and emission allowances.
There are three basic platforms for secondary trading in financial instruments referred to in the Act of 29 July 2005:
Regulated market operators require the prior permission of the KNF to trade. Only certain categories of supervised entities (including brokerage houses) may run an MTF or OTF upon first meeting the conditions set out in the act. As a rule, a multilateral trading system (the activity of matching offers to buy and sell financial instruments) can only be operated by organising a regulated market or running an MTF or OTF. Trading in treasury securities and instruments that have treasury security as an underlying asset is an exception.
As a rule, individual classes of financial instruments operate in the same regulatory regime. An example of a regulation that deals with trading in financial instruments regardless of their type is the Market Abuse Regulation (EU Regulation No 596/2014). This regulation defines, for instance, the requirements to prevent capital market manipulation, including the related duties of market participants.
At the level of specific regulations on trading in financial instruments, there are some differences with respect to individual categories of instruments. For example, only bonds, structured finance products, emission allowances, derivatives, or specific energy products can be traded on the OTF market. A company operating a regulated market may also organise separate markets according to the type of securities or other financial instruments, as well as according to the type of issuer.
Polish law does not allow cryptocurrencies to be classified as legal tender. Depending on its nature, a given cryptocurrency may be qualified as a financial instrument, electronic money, or a sui generis property right. Such a property right cannot easily be included in the existing regulatory framework. Adopting a specific legal classification will result in the need to meet specific regulatory requirements regarding the exchange or trading of cryptocurrencies. The Polish supervisory authorities have an ambiguous position in this regard, meaning that the legal status of cryptocurrencies still raises a number of questions.
Notwithstanding the issues relating to the legal classification of cryptocurrencies, within the meaning of the Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing, entities which provide the following services are obliged institutions:
Such entities are therefore obliged to apply the financial security measures set out in the act, which include identification of the client, its beneficial owner, verification of its identity, transaction analysis and reporting suspicious transactions.
Also, in some cases, running a cryptocurrency exchange platform can coincide with maintaining a payment account in which the user’s payment means (fiat currency) are kept. This type of activity requires an appropriate licence (payment institution or small payment institution licence). Some cryptocurrency trading platforms operating on the Polish market have either already obtained the required licence or have applied for it.
Pursuant to the Act on Trading in Financial Instruments, access to financial instrument trading systems should be granted according to transparent and non-discriminatory rules based on objective criteria and subject to publication. The rules of the regulated market and any changes thereto require the approval of the KNF. Compared to regulated trading, trading on the MTF or OTF market is less stringently regulated, but with the obligation to observe the same general standards.
The rules for handling orders for the purchase or sale of financial instruments by investment firms are laid down in the Act on Trading in Financial Instruments and originate from MiFID II. As a general rule, an investment firm is required to implement appropriate solutions and procedures to guarantee immediate, fair and proper execution of clients’ orders in relation to other clients’ orders and to the firm’s own orders, ensuring that orders are executed in order of receipt.
The activity of peer-to-peer trading platforms in Poland is currently not very widespread, but there has been an increase in the number of such projects. First of all, platforms that enable cryptocurrency trading are becoming more popular (see 7.3 Impact of the Emergence of Cryptocurrency Exchanges). Trading in financial instruments generally takes place in a regulated environment.
Nonetheless, there is growing interest in projects based on the crowdfunding model. In most cases, such platforms fall outside the scope of regulation, which raises some doubts and is sometimes called into question. In this regard, Regulation (EU) 2020/1503 of the European Parliament and of the Council of 7 October 2020 on European crowdfunding service providers for business, and amending Regulation (EU) 2017/1129 and Directive (EU) 2019/1937, will apply from 10 November 2021. This act comprehensively defines the conditions for conducting crowdfunding activities.
Correct identification of the legal model in which a peer-to-peer trading platform should operate is one of the key issues in this type of fintech project.
Under the Act on Trading in Financial Instruments, investment firms are required to take all reasonable steps to ensure the best possible conditions for the execution of orders placed by their clients. To this end, the following parameters should, in particular, be taken into account:
These requirements do not apply if the customer specifies in detail the conditions under which the order is to be carried out.
On the Polish market, the practical significance of the best execution principle seems to be limited. This is due to the fact that most shares are listed on only one stock exchange. In addition, only a few brokerage houses in Poland execute orders on foreign markets, where shares of some of the companies listed on the Polish stock exchange are listed simultaneously.
The Act on Trading in Financial Instruments prohibits investment firms which place orders in order execution systems from accepting monetary or non-monetary benefits that would unduly influence their obligations related to the management of conflicts of interest, and to acceptance of benefits in cash or in kind. Generally speaking, the rules of payment for order flow ought to be assessed in the context of the inducements rule.
Basic principles of market integrity and market abuse have their source in Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (Market Abuse Regulation), which aims to increase market integrity and investor protection. This regulation prohibits insider dealing, unlawful disclosure of inside information and market manipulation, and contains provisions to prevent and detect these.
The creation and use of high-frequency and algorithmic trading is regulated under the Act on Trading in Financial Instruments and originates from MiFID II. An investment firm that engages in algorithmic trading must have effective systems in place, as well as risk controls suitable to the business it operates, to ensure that its trading systems are resilient and have sufficient capacity. An algorithmic trading system must be subject to appropriate trading thresholds and limits, and prevent the sending of erroneous orders or the systems otherwise functioning in a way that may create or contribute to a disorderly market. An investment firm also has to have in place an effective risk control system and business continuity arrangements to deal with any failure of its trading systems. It is required to ensure that its systems are fully tested and properly monitored. There are no specific distinctions or different regulatory regimes between asset classes.
An investment firm is obliged to inform the KNF of the use of algorithmic trading in its activity and when it ceases to use algorithmic trading.
An investment firm that engages in algorithmic trading to pursue a market-making strategy must ensure compliance with the following and other requirements under MiFID II:
With regard to high frequency and algorithmic trading, there is no regulatory distinction between funds and dealers in Poland.
The regulatory technical standards specifying the organisational requirements of investment firms engaged in algorithmic trading are set out in Commission Delegated Regulation (EU) 2017/589 of 19 July 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council. According to this regulation, an investment firm must employ sufficient staff with the necessary skills and technical knowledge to manage:
An investment firm remains fully responsible for its obligations under the regulation when it outsources or procures software or hardware used in algorithmic trading activities. However, the regulations do not apply directly to programmers who actually develop and create trading algorithms or other electronic trading tools.
Platforms which provide investment analyses, financial analyses and other general recommendations regarding transactions in financial instruments are not subject to any registration, as a rule, unless they also provide other investment services, as set out in Article 69(2) of the Act of 29 July 2005 on Trading in Financial Instruments.
However, websites comparing fees charged by payment service providers may register with the KNF upon fulfilling requirements in line with the Payment Account Directive (PAD). This is entirely voluntary. For now, most of these comparison websites have skipped registration, and only one has decided to register.
Requirements on counteracting unlawful behaviour in the financial markets (such as insider dealing, unlawful disclosure of inside information and market manipulation) are set out in the General Market Abuse Regulation (EU Regulation No 596/2014). Disseminating false or misleading information may be qualified as a manipulative activity.
According to current knowledge, there are no financial research platforms in Poland that allow users to post any information on the platform that qualifies as "financial research". The only persons authorised to share any kind of financial content are the employees of the platforms.
The GDPR Ban on Automated Decisions
Players in the underwriting industry use advanced personal data processing operations, including profiling. Generally, both profiling and automated decision-making through profiling in the underwriting industry may involve clients, potential clients, or – in some cases – former clients. The GDPR introduced a general ban on automated decisions, due to the danger posed to the rights and freedoms of a natural person, and specified an exhaustive list of cases in which such decisions are allowed.
The Polish Act on Insurance and Reinsurance
The Polish Act of 11 September 2015 on Insurance and Reinsurance Activity does however allow, in accordance with Article 22(2)(b) of the GDPR, automated decision-making, including profiling, in specific cases.
Such processing of personal data, on the one hand, is permitted for purposes related to:
On the other hand, there are doubts whether the Polish Act on Insurance and Reinsurance Activity identifies a closed catalogue of data that may form the basis for decisions made solely as a result of automated processing.
Accordingly, whether an insurance company is allowed to use automated decision-making must be assessed case by case, taking into consideration the criteria stipulated in Article 22(2)(a) of the GDPR (the requirement that the decision be necessary for the conclusion or performance of a contract between the data subject and the administrator) or in Article 22(2)(c) of the GDPR (explicit consent of the data subject).
The harmonisation of Polish law with the GDPR did not result in amendment of the Act of 15 December 2017 on Insurance Distribution, which was updated when the Insurance Distribution Directive (IDD) of 20 January 2016 was implemented into Polish law. There has been some criticism of this.
Processing of Personal Data Using Cloud Computing
Some processes related to the processing of personal data, including automated decision-making, may also take place using cloud computing. In this case, not only the provisions of the GDPR regarding entrusting the processing of personal data will apply, but also the Communication from the KNF on information processing by supervised entities using public or hybrid cloud-computing services from 23 January 2020.
Assisted by external advisers, the Polish Chamber of Insurance, together with insurance companies, has drafted a proposal for a cloud-computing standard for the insurance industry.
Two types of insurance which receive significantly different legal treatment are life and property insurance. Companies which provide life insurance services are treated as obligated institutions within the meaning of the Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing. They are consequently subject to a wider range of obligations relating to the verification of clients (eg, for the purpose of screening through international sanction lists).
In Poland, work is still ongoing on the implementation of the AMLD5 (the latest proposal for the act amending the Act on Counteracting Money Laundering and Terrorist Financing and certain other acts was published on 15 November 2020).
Different types of insurance are also treated differently depending on the object and scope of the insurance, including with respect to the scope of personal data collected for the purposes of concluding or implementing the insurance contract. For example, under the Act of 11 September 2015 on Insurance and Reinsurance Activity, life insurance companies are permitted to lawfully process personal data concerning health, which is a special category of personal data within the meaning of Article 9(1) of the GDPR, on the basis of Article 9(2)(g) of the GDPR.
Regtech as Supporting Technical Services
There is no separate legislation on regtech providers in Poland. Regtech services are mainly used by financial institutions to assist with compliance with applicable regulations, primarily safeguarding measures, risk management, internal control, supervisory reporting and AML obligations. Thus, regtech services are generally treated as supporting technical services rather than as independent financial services.
Providing supporting technical services to financial institutions often constitutes regulated outsourcing and requires compliance with a specific legal framework. That framework applies primarily to the civil relationship with the financial institution rather than the KNF. In general, regulated outsourcers do not need to seek their own authorisation and are subject only to indirect supervision from the KNF. However, there are differences in the legal framework of regulated outsourcing depending on the nature of the financial market. In addition to this, some supporting technical services may be provided only by outsourcers that are regulated entities themselves. For example, some activities pertaining to AML obligations may be outsourced only to other institutions subject to the Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing (obligated institutions in Poland).
Regtech as Independent Financial Services
In cases where regtech services constitute independent financial services (eg, for the verification of payments for AML purposes), the provider of such services is required to comply with all relevant regulations, which typically include seeking the appropriate authorisation.
Regtech Services as Regulated Outsourcing
Regtech services often constitute regulated outsourcing on the Polish financial market. Contractual terms to assure proper performance and accuracy on the part of regtech providers are therefore primarily dictated by the applicable regulations and soft law. Specific requirements differ depending on the nature of the financial institution which outsources its activities (eg, whether it is a bank or payment institution). There are also separate, extensive requirements for providing outsourced activities via a cloud. The KNF has adopted its own guidelines for outsourced cloud-based activities (irrespective of the EBA guidelines on outsourcing arrangements).
On a general level, safeguarding measures pertaining to regulated outsourcers usually include:
In practice, financial institutions often seek to reflect applicable regulations and soft law very closely in outsourcing contracts.
Regtech Services as Non-regulated Outsourcing
In cases where regtech services do not constitute regulated outsourcing, contracts between financial institutions and regtech providers can be shaped more freely. In practice, such contracts still tend to contain provisions to assure performance and accuracy on the part of the provider, though these are far less strict than those found in regulated outsourcing contracts.
Application of the GDPR
In addition to this, the GDPR applies if a regtech provider has access to the personal data of the outsourcing financial institution’s clients (most cases). The applicable GDPR regulations include those on additional requirements with respect to ensuring the proper performance and accuracy from the regtech provider, especially in the area of processing personal data on behalf of the financial institution acting as the controller. Contract terms have to mirror these regulations whether the contract is drawn up under a regulated or non-regulated regime.
Legacy players across all financial markets in Poland are becoming increasingly interested in blockchain and related technology. The first initiatives are already underway. In 2018, the Polish Bank Association (an autonomous organisation of banks) put forward three alternative proposals for developing a new technology for the whole banking sector, which would be compliant with the durable medium requirements defined in PSD2. Two of the proposals were based on blockchain technology. In 2020, the first blockchain-based documentary letter of credit was opened by a Polish bank.
Wider Uses of Blockchain
Furthermore, there are initiatives to harness blockchain technology to enhance the performance of AML measures. On the one hand, those initiatives focus on employing blockchain (in particular on account of its high resistance to counterfeiting) in transaction-tracking technologies in order to tackle so-called "layering operations" more effectively. On the other hand, the potential for using blockchain as part of customer due diligence measures has also been recognised. In particular, distributed database solutions are being explored to accelerate the customer verification process.
Blockchain is also the base technology for many virtual currencies exchanged via online trading platforms in Poland as well as the foundation of the first Polish e-money issued via a non-bank entity.
Working Group Proposals
There are no regulations in Poland regarding blockchain, but a working group on distributed ledgers and blockchain is now attached to the Ministry of Development, Labour and Technology. Among the proposals put forward by this group is the possible statutory restriction of certain rights granted to data subjects under the GDPR in the case of personal data processing using blockchain technology. Such a limitation is possible only as long as it does not violate fundamental rights and freedoms, and as long as it is a necessary and proportionate measure in a democratic society serving the purposes specified in Article 23(1)(a)–(j) of the GDPR.
Applications and Advantages of Blockchain
Owing to its wide range of applications in both the private (including the financial sector) and public sectors, as well as numerous advantages (including resistance to IT system failures, resistance to cyberattacks, transparency, low cost, high efficiency, etc), the use of blockchain technology can reasonably be assumed to be substantially in the public interest, ie, in the economic or financial interest of Poland as an EU member state. It seems that Poland may also have an important economic interest in enabling the legal development of innovative and secure digital services, in particular, by creating an appropriate legal framework.
GDPR Rights Impeded
Blockchain technology has features, including its decentralised and distributed nature, that may impede the full and effective exercise of some of the rights provided by the GDPR (such as the right to rectify data, to object to data processing or to delete data). The need to identify entities that are controllers, which is a crucial obligation under the GDPR, also raises significant difficulties. Under Article 23 of the GDPR, the scope of obligations and rights provided in Articles 12–22, Article 34, and Article 5 of the GDPR may be limited both under EU law and under the law of a member state as long as its provisions correspond to the rights and obligations set out in Articles 12–22 of the GDPR.
Off-chain Storage as a Solution
One reasonable solution could be storing personal data off-chain. The blockchain may contain links (hash-pointers) to verify that such data is accurate. If all personal data was processed off-chain, difficulties in using distributed databases in accordance with the GDPR would be avoided.
Any solution that effectively prevents people who do not know the appropriate password from accessing personal data via the blockchain will be sufficient from the point of view of the GDPR. If the personal data processed off-chain is in a centralised database, it is easy to identify the controller responsible for compliance with all the obligations imposed by the GDPR. A change to personal data may cause a mismatch between the link stored in the blockchain and the data processed off-chain. Storing personal data off-chain and leaving only links to this data in the blockchain-based registry, eg, in the form of hash-pointers, should be considered compliant with the GDPR once the pseudonymisation requirements are satisfied. Such solutions might be attractive mainly for private networks or permissioned networks, though not for public (permissionless) networks, because they involve limiting the decentralisation of the blockchain-based registry and introducing a kind of trusted third party that maintains personal data stored off the register (off-chain).
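The off-chain pattern described above, sketched as an added example that is not part of the original guide: personal data sits in a centralised database run by one controller, and an append-only registry holds only hash-pointers. The per-record salt (a keyed hash), the class names and the sample record are assumptions made for illustration; the run shows the mismatch after an unanchored change, re-anchoring on rectification, and what remains on the registry after erasure.

```python
import hashlib
import hmac
import json
import secrets

GENESIS = "0" * 64


def canonical(record):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def hash_pointer(record, salt):
    """Keyed hash of the record. The per-record salt stays off-chain (assumption):
    without it, low-entropy personal data could be guessed and re-hashed."""
    return hmac.new(salt, canonical(record), hashlib.sha256).hexdigest()


class Ledger:
    """Append-only stand-in for the blockchain registry; it holds pointers only."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, ref, pointer):
        return hashlib.sha256(f"{prev}|{ref}|{pointer}".encode()).hexdigest()

    def append(self, ref, pointer):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "ref": ref, "pointer": pointer,
                             "hash": self._digest(prev, ref, pointer)})

    def latest(self, ref):
        for entry in reversed(self.entries):
            if entry["ref"] == ref:
                return entry["pointer"]
        return None

    def intact(self):
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["ref"], e["pointer"]):
                return False
            prev = e["hash"]
        return True


class Controller:
    """Centralised off-chain database operated by one identifiable controller."""

    def __init__(self, ledger):
        self.ledger = ledger
        self.db = {}  # ref -> {"record": dict, "salt": bytes}

    def register(self, record):
        ref = secrets.token_hex(8)  # random reference, not derived from the person
        salt = secrets.token_bytes(32)
        self.db[ref] = {"record": dict(record), "salt": salt}
        self.ledger.append(ref, hash_pointer(record, salt))
        return ref

    def rectify(self, ref, **changes):
        row = self.db[ref]
        row["record"].update(changes)
        row["salt"] = secrets.token_bytes(32)  # fresh salt for the new pointer
        self.ledger.append(ref, hash_pointer(row["record"], row["salt"]))

    def erase(self, ref):
        del self.db[ref]  # record and salt go; old pointers stay on the ledger

    def verify(self, ref):
        row = self.db.get(ref)
        if row is None:
            return "erased"
        current = hash_pointer(row["record"], row["salt"])
        return "match" if hmac.compare_digest(current, self.ledger.latest(ref)) else "mismatch"


def run_demo():
    ledger = Ledger()
    ctl = Controller(ledger)
    person = {"name": "Anna Kowalska", "city": "Krakow"}  # constructed sample record
    ref = ctl.register(person)
    out = {"after_register": ctl.verify(ref)}
    # Off-chain change without re-anchoring: the mismatch the text describes.
    ctl.db[ref]["record"]["city"] = "Gdansk"
    out["after_silent_edit"] = ctl.verify(ref)
    # Rectification through the controller appends a fresh pointer.
    ctl.rectify(ref, city="Gdansk")
    out["after_rectify"] = ctl.verify(ref)
    ctl.erase(ref)
    out["after_erase"] = ctl.verify(ref)
    on_chain = json.dumps(ledger.entries)
    out["ledger_intact"] = ledger.intact()
    out["pointers_on_chain"] = len(ledger.entries)
    out["name_on_chain"] = "Kowalska" in on_chain
    # An unsalted hash of the guessed record does not reproduce any pointer.
    out["guessable_without_salt"] = hashlib.sha256(canonical(person)).hexdigest() in on_chain
    return out


if __name__ == "__main__":
    print(run_demo())
```

The registry never needs rewriting: rectification appends a new pointer, and erasure removes the record and its salt off-chain while the registry's own hash chain still verifies.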
Blockchain as a "Durable Medium"
In a decision issued on 30 May 2018, the president of UOKiK (the Office of Competition and Consumer Protection) favoured the use of blockchain technology in the context of a "durable medium" from the point of view of the recipient of banking services, ie, consumers, in connection with a bank's need to provide specific electronic banking functionality (primarily in terms of the consistency, including durability, of the information provided). The position of the consumer protection authority does not take into account the possible consequences related to the legal and technological risk of a bank implementing and using blockchain technology.
It is still unclear how to classify blockchain assets in terms of their legal status. However, cryptocurrency is not legal tender in Poland.
There is currently no Polish regulation that expressly classifies blockchain assets or cryptocurrencies. Depending on the specifics, blockchain assets might be qualified as a financial instrument under Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments (MiFID II), which has been implemented into Polish law. According to the EBA’s report, blockchain assets might also be qualified as electronic money under the Electronic Money Directive (Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions), subject to certain conditions.
The KNF has not yet indicated how blockchain assets should be classified, while it has issued several warnings regarding the risk of investing in crypto-assets.
If the issued blockchain assets are qualified as financial instruments under MiFID II and the Act on Trading in Financial Instruments, the regulation applicable to the issuance of these instruments would apply.
If the issued blockchain assets are qualified as electronic money under the Electronic Money Directive and the Act of 19 August 2011 on Payment Services, the regulation applicable to the issuance of electronic money would apply.
The issuance of blockchain assets itself is not regulated under Polish law.
In accordance with the Act on Counteracting Money Laundering and Terrorist Financing, virtual currency account providers, virtual currency exchange intermediaries and exchange platform providers have the status of obliged entities. Such entities are therefore required to apply the financial security measures set out in the act, which include identification of the client and the beneficial owner, transaction analysis, and reporting of suspicious transactions. Outside of these regulations, blockchain asset trading platforms or secondary market trading of blockchain assets remains unregulated under Polish law.
The activity of investment funds in Poland is strictly regulated under the Act on Investment Funds and the Management of Alternative Investment Funds. With regard to these regulations, there are no provisions that would apply strictly to investments in blockchain assets.
Virtual currencies, in contrast to other blockchain assets, are covered by the Polish AML law. Virtual currency exchange platform providers, virtual currency exchange intermediaries, and virtual currency account providers ("obliged institutions" in Poland) are subject to all the typical AML requirements. Specifically, they must apply appropriate customer due-diligence measures.
Virtual currencies are covered by the Polish AML law as a result of Poland’s independent legislation initiative taken before the completion of AMLD5. Thus, Polish AML regulations on virtual currencies differ in the details from AMLD5. It is anticipated that all discrepancies will be rectified in the process of implementing AMLD5 into the Polish legal system.
The term "DeFi" (decentralised finance) is not defined in the provisions of generally applicable law. However, this concept can be found in soft law acts. In this context, the KNF issued an important position on 10 December 2020 concerning the issuance and trading of crypto-assets. In that document, DeFi is defined as an ecosystem of applications for the provision of financial services, based on DLT.
DeFi platforms may provide various types of financial services, such as lending and trading in crypto-assets. The detailed scope of the legislation that will be relevant to the development and use of DeFi platforms will depend on the types of financial products offered on them. Nevertheless, the regulations concerning customer protection, dispute resolution, data protection and anti-money laundering/combating the financing of terrorism (AML/CFT) may apply.
Also important are recent legislative initiatives at EU level that have been taken as part of the Digital Finance Package. A proposal for a regulation on Markets in Crypto-assets, amending Directive (EU) 2019/1937, and for a regulation on a pilot regime for market infrastructures based on distributed ledger technology (DLT) may have a significant impact on the functioning of DeFi platforms in the future.
In Poland, PSD2 was implemented on 20 June 2018, and the transitional period expired on 20 December 2018. On 14 September 2019, when the SCA and CSC regulatory technical standards took effect, the PolishAPI standard came into force (https://polishapi.org). On 12 December 2019, version 3.0 of the PolishAPI standard was published – the new version supports split payments and an automatic registration service for TPP client applications on the side of ASPSPs. At the beginning of 2020, some TPPs were already operating, both as payment institutions and banks, providing PIS and AIS, while several proceedings for authorisation before the KNF are pending.
According to the data from the register kept by the KNF (https://e-rup.knf.gov.pl/index.html), by the beginning of 2021, four entities were authorised to provide AIS only. This register also shows that six payment institutions are entitled to provide both AIS and PIS, and two such entities are authorised to provide one of these services.
The PolishAPI standard allows the use of the ASPSP authentication mechanism, which redirects to the ASPSP website during the performance of AIS, PIS and Confirmation of Availability of Funds (CAF) services. This means that the payment services user (PSU) authentication and authorisation data are provided only on the ASPSP website, and PSU authentication is carried out in the ASPSP interface. The PolishAPI standard also allows the use of an authentication mechanism in an external authorisation tool when providing AIS and PIS (decoupled). A communication sequence that leads to the establishment of a session with the XS2A interface (a tool for accessing payment account information) is also permitted, taking into account PSU authentication, using the redirection method and using the "refresh token".
In most cases, AIS is approved based on additional consent given by the PSU, on the grounds of which account information will be provided to the account information service provider's (AISP’s) partner. The information obtained in this way is then used by the AISP’s partner to offer relevant products and services to the PSU.
The KNF takes the view that the information provided by the AISP should always be made available to the PSU, but it is also permissible for the PSU to grant authorisation for the AISP’s partner to obtain such information.