6AMLD Is Coming: What Compliance Teams Are Actually Doing About It
By January 2021, every EU member state was required to have transposed the Sixth Anti-Money Laundering Directive into national law. Poland's implementation - through amendments to the AML Act - landed with enforcement teeth that compliance teams in Warsaw are now actively feeling. The General Inspectorate of Financial Information (GIIF) and the National Revenue Administration (KAS) have increased audit frequency since 2022, and the pattern is clear: institutions that treated 6AMLD as a documentation exercise rather than an operational change are the ones receiving findings.
This is not a directive you can paper over with a policy update. It changed the liability architecture for AML violations and changed what data your team must collect at onboarding - and maintain on an ongoing basis.
What Actually Changed: 6AMLD vs. AMLD5
The framing that 6AMLD is simply "more of the same" is wrong. The liability structure is fundamentally different.
| Area | AMLD5 | 6AMLD |
|---|---|---|
| Criminal liability | Applied primarily to individuals (natural persons) | Extended to legal persons - companies themselves can now face criminal prosecution |
| Predicate offenses | 21 predicate offenses covered | Expanded to 22 offenses - cybercrime and environmental crime now included |
| Aiding and abetting | Narrowly defined | Extended to include facilitation - broader exposure for institutions that enabled laundering |
| Sanctions scope | Fines, license suspension for individuals | Corporate debarment, exclusion from public contracts, judicial winding-up as potential outcomes |
| Beneficial ownership | 25% threshold, manual reporting | Strengthened - registries must be cross-verified; errors carry liability |
The legal person liability extension matters most operationally. Under AMLD5, a compliance failure typically resulted in enforcement action against a named individual - a CCO, a board member, an MLRO. Under 6AMLD, the institution itself is the legal target. That changes the risk calculus for boards, not just compliance departments.
The expansion to cybercrime and environmental crime as predicate offenses is less immediately visible but operationally significant. Compliance teams now need adverse media screening and transaction monitoring calibrated to flag patterns linked to ransomware payments and carbon credit fraud - not just traditional financial crime typologies.
What Polish Compliance Teams Are Actually Doing Now
Three operational patterns have emerged from compliance leads at Polish payment institutions and SME lenders. These are not aspirational - they are what teams with real audit risk are implementing now.
Automating CRBR pulls on every onboarding. The Polish Central Register of Beneficial Owners (CRBR) is the mandatory data source for verifying ultimate beneficial ownership of Polish legal entities. Under 6AMLD, getting this wrong now carries potential corporate liability. Teams that previously pulled CRBR manually on a sample basis are moving to automated queries on every onboarding, with scrapers handling CAPTCHA friction that slows manual access.
Setting up ongoing monitoring for corporate changes. Checking CRBR at onboarding is necessary but not sufficient - a beneficial owner change made six months later is invisible to a team that only checks at point of entry. The correct posture is periodic re-verification: quarterly for high-risk counterparties, annually for standard risk. Teams are building this into case management by scheduling automated re-pulls rather than relying on analysts to remember.
Updating adverse media screening to include court gazette data. Spanish companies with operations in Poland, Austrian holding structures with Polish subsidiaries, German entities active in CEE - all of these require checking corporate gazette data from the relevant jurisdiction, not just sanctions lists. The Spanish BORME (Official State Gazette for Commercial Matters) publishes ownership changes, dissolution proceedings, and judicial acts that are not reflected in sanctions databases. Compliance teams with cross-border counterparty books are adding gazette checks as a structured step in enhanced due diligence.
The Data Sources That Map to 6AMLD Obligations
For institutions onboarding Polish legal entities, the data architecture for a compliant file looks like this:
| Data Source | What It Proves | 6AMLD Obligation Covered | Update Frequency Needed |
|---|---|---|---|
| CRBR (Central Register of Beneficial Owners) | Ultimate beneficial owners above 25% threshold, ownership chain structure | Beneficial ownership verification - mandatory for all Polish legal entities | At onboarding + periodic re-verification (min. annually) |
| KRS (National Court Register) | Legal registration status, registered directors, articles of association, share capital | Legal existence, authorized representatives | At onboarding; material changes trigger re-check |
| KRZ (National Restructuring Register) | Active insolvency, restructuring, court-ordered interventions | Financial integrity of counterparty; predicate offense screening | At onboarding + quarterly for active relationships |
| BORME (Spanish Commercial Gazette) | Ownership changes, dissolution proceedings, court acts for Spanish legal entities | Beneficial ownership for Spanish-registered counterparties with Polish nexus | At onboarding + on material corporate events |
| KNF Register (Polish FSA) | Licensing status, authorization type, enforcement history | Regulated entity status; counterparty license verification | At onboarding; license status can change without notice |
The cross-border requirement catches teams off guard. An institution onboarding a Polish branch of a Spanish holding company cannot rely on CRBR alone: the parent's ownership structure is recorded in Spain, and beneficial ownership changes appear in BORME before they appear anywhere else.
The Most Common 6AMLD Compliance Mistake
The pattern that shows up most consistently in enforcement findings is checking CRBR once at onboarding and treating the file as closed.
Beneficial ownership structures change. Polish holding structures are frequently restructured for tax and succession reasons. A 40% owner sells to a new vehicle. A new shareholder crosses the 25% threshold. The CRBR record reflects these changes when the company files the update - but the compliance team's record of the original onboarding check does not automatically update.
Under 6AMLD, the obligation is to maintain accurate beneficial ownership information on an ongoing basis. A static snapshot from two years ago is not compliance. If a regulator pulls your file and the CRBR data no longer matches the current register - because the structure changed and you did not re-verify - you have an explanation to make.
The fix is mechanical: schedule re-verification. High-risk counterparties quarterly. Standard risk annually at minimum. Route the automated re-pull output back into your case management system with a timestamp. If the data changed, flag for analyst review. If not, log the clean result and move on.
KAS has been explicit that ongoing monitoring failures - not just onboarding failures - are in scope for enforcement. The institution that did an impeccable onboarding check three years ago but never re-verified is not in a defensible position if the beneficial owner changed in the interim.
What This Means for Your Compliance Stack
6AMLD compliance at an operational level comes down to data freshness and data coverage. The liability exposure is now corporate, not just individual. The predicate offense list is wider, which means the adverse media surface is wider. The obligation to maintain accurate beneficial ownership data does not expire at onboarding.
The institutions ahead of this have replaced manual portal navigation with structured, auditable data pulls - and built re-verification into their monitoring calendar rather than relying on analyst discretion.
For automated CRBR beneficial ownership pulls on Polish legal entities - structured output, audit-ready timestamps, no CAPTCHA friction - the CRBR Beneficial Owners Scraper covers the data layer: https://apify.com/regdata/crbr-beneficial-owners-scraper
For Spanish counterparties requiring BORME corporate gazette monitoring - ownership changes, dissolution proceedings, judicial acts - the BORME Corporate Acts Scraper provides structured access without manual gazette navigation: https://apify.com/regdata/borme-corporate-acts-scraper
Both return timestamped, structured data that integrates into existing compliance workflows and produces an audit trail that holds up under examination.
Top comments (0)