Publications

The cryptocurrency market in Poland is developing dynamically despite the lack of national regulations issued based on the MiCA regulation, and with it grows the interest in acquisitions of companies holding an entry in the registry of virtual asset service providers (VASP). Purchasing such a company can significantly accelerate market entry, but requires conducting comprehensive due diligence. In light of the upcoming full implementation of the MiCA regulation in 2025, the verification process takes on particular significance and requires a much more in-depth approach.

Are you looking to purchase a ready-made company entered into the VASP register in Poland before December 30, 2024?
Contact us using the contact form at the end of this article!

Regulatory Status and Compliance

The foundation of any VASP company’s operations is its entry in the appropriate registry maintained by the Minister of Finance. Regulatory status verification should include checking the date of registry entry and the assigned identification number. Equally important is confirming the entity’s current status in the registry and precisely determining the scope of services the company is authorized to provide. One cannot forget about verifying whether the entity has made the mandatory notification to the General Inspector of Financial Information, which is a statutory requirement for all entities entered in the VASP registry.

A key change is the upcoming transformation from the VASP registration system to mandatory CASP licensing under the MiCA regulation. From 2025, Poland will begin implementing the pan-European regulation on crypto-asset markets, which introduces mandatory licensing for cryptocurrency companies, now defined as crypto-asset service providers (CASP). The new regulations significantly tighten existing requirements, introducing higher capital thresholds, more rigorous internal controls, expanded reporting obligations, and the requirement for physical presence in the EU.

The transitional period allows entities that legally provided services before December 30, 2024, to continue operations until mid-2026. However, this continuation is conditional and requires compliance with MiCA provisions and timely submission of a comprehensive CASP license application. This extension is not automatic and requires proactive engagement and successful completion of the new application process by the VASP.

Operational Activity History

Actual business activity constitutes a key element in verifying the value of the acquired company. Practice shows that some entities holding VASP registry entries conduct only marginal operational activity that is not organized, continuous, and profitable in nature. Such a situation may suggest that the company was created primarily to obtain registry entry rather than to conduct actual business in the cryptocurrency area.

In-depth analysis should include reviewing the company’s transaction and turnover history, detailed verification of financial documentation including bank statements and invoices, and assessment of the client base and concluded contracts. No less important is examining the technical and operational infrastructure, which should correspond to the declared scope of activity.

Particular attention should be paid to the fact that the Polish Financial Supervision Authority (KNF) itself admitted that there is a “current lack of regulation and supervision” in the virtual currency market. Additionally, international bodies such as MONEYVAL, while noting some improvements in Polish AML/CFT measures, still categorize the country as “partially compliant” in several key recommendations. Particularly concerning is the result of the Supreme Audit Office (NIK) audit, which showed “limited effectiveness” of the national AML/CFT system, placing Poland among the ten European countries with the highest money laundering risk (9th place out of 31).

Ownership Structure and Share Capital

Transparency of ownership structure is fundamental in the cryptocurrency industry, where trust forms the basis of business relationships. Many VASP companies in Poland have minimal share capital of 5,000 PLN, which, although compliant with legal requirements for limited liability companies, may indicate limited financial resources of the entity.

Under MiCA, capital requirements increase dramatically. A tiered system for minimum authorized capital is introduced, directly linked to the scope and nature of crypto-asset services provided. For Class 1 CASP, providing services such as advice, reception and transmission of orders, or portfolio management, the minimum capital is 50,000 euros. Class 2 CASP, additionally including crypto-asset exchange and trading platform operation, require capital of 125,000 euros. The highest Class 3, additionally including custody services, requires capital of 150,000 euros. Additionally, all CASP must maintain reserve capital equal to 25% of fixed expenses from the previous year.

Particular attention should be paid to the history of ownership changes, as frequent shareholder changes may signal problems or speculative nature of the activity. Verification of citizenship and origin of shareholders and identification of the ultimate beneficial owner are necessary for assessing transaction-related risk. The upcoming EU Anti-Money Laundering Regulation (AMLR) lowers the UBO identification threshold to “25% or more” of shares or voting rights, which will require obligated entities to identify a broader group of beneficial owners.

Tax Compliance

The company’s tax status may reveal significant compliance issues. Verification should include checking the entity’s presence on the VAT taxpayers’ white list and obtaining a current certificate of no tax arrears from the tax office. Timeliness of financial statement submissions demonstrates the reliability of business conduct, and analysis of tax settlement history may reveal potential fiscal risks.

Cases of VAT taxpayer registration refusal or removal from the registry may indicate problems with settlements or lack of actual business activity, which should be a warning signal for the potential buyer. According to MiCA provisions, CASP are obligated to comply with established accounting standards and regularly submit financial reports to regulatory authorities. Certified audit becomes mandatory if the company meets at least two of the following conditions: annual revenue exceeding 5 million euros, annual turnover exceeding 2.5 million euros, or number of employees greater than 50.

Financial Documentation and Reporting

The reliability of financial statements allows assessment of the company’s actual condition. Analysis should include verification of financial statements submitted for previous financial years and detailed examination of financial results, with particular attention to trends in profits and losses. The structure of revenues and costs may reveal the company’s income sources and operational efficiency. Assessment of financial liquidity is crucial for determining the company’s ability to continue operations.

Financial statements of Polish companies can be obtained through public resources such as the National Court Register (KRS) or specialized services. The significant increase in capital requirements, combined with the obligation of certified audits for larger entities, signals a clear shift toward ensuring actual financial substance and stability.

Due diligence must now include thorough financial analysis that goes beyond simple minimum capital checking. It should critically assess VASP’s long-term financial forecasts, liquidity management policies, and solvency indicators to ensure the company can sustain operations and absorb market shocks.

Online Presence and Reputation

In the fintech and cryptocurrency industry, professional online presence is a market standard. The lack of a functioning website, trading platform, or social media activity should raise serious doubts about the actual nature of the company’s operations. Reputation verification should include analysis of customer opinions, media mentions both positive and negative, and the company’s overall image in the industry.

Entities conducting actual cryptocurrency service activities typically care about their online visibility and actively communicate with the market, so its absence may indicate a facade nature of operations. MiCA imposes the obligation of fair marketing practices and prohibits misleading statements about crypto-assets. CASP are obligated to act honestly, fairly, and professionally toward their clients, consistently putting the client’s interest first.

AML/CFT Compliance

Implementation of a solid AML/CFT framework is paramount for any VASP, particularly in a jurisdiction like Poland that has been subject to scrutiny regarding historical effectiveness in this area. Obligated institutions are required to implement and maintain internal AML policies, procedures, and controls that fundamentally include comprehensive risk assessment measures.

Risk assessment must be scrupulously tailored to the specific nature and scope of VASP operations, covering critical factors such as customer profiles, countries or geographical areas of operation, types of products and services offered, transaction patterns, and delivery channels. A notable gap, however, is the lack of a specific provision in the current AML/CFT act requiring reporting entities to identify and assess AML/TF risks that may arise specifically from the development of new products, new business practices, or use of new or emerging technologies.

Due diligence must therefore explicitly assess how the VASP identifies, assesses, and mitigates AML/TF risk associated with new or evolving crypto products, services, and technologies (e.g., decentralized finance (DeFi) protocols, non-fungible tokens (NFTs), privacy coins, mixers, and tumblers). The VASP’s internal risk assessment framework should ideally go beyond minimum statutory requirements to proactively address these emerging threats.

Particularly concerning is the documented backlog in STR analysis by GIFI, with an average waiting time of at least 338 working days (490 calendar days) for reports to be qualified for analysis. This situation highlights a significant gap between de jure regulatory requirements and de facto enforcement and supervisory capabilities.

Operational and Technical Resilience

The digital nature of virtual asset services inherently links VASP profitability to its operational and technical resilience. The entry into force of the Digital Operational Resilience Act (DORA) additionally formalizes these critical requirements across the EU financial sector.

DORA, which applies from January 17, 2025, imposes mandatory requirements for ICT risk management and governance, incident response and reporting, digital operational resilience testing, and third-party risk management. CASP are obligated to define, establish, and implement comprehensive information and communication technology (ICT) risk management policies. This includes conducting regular ICT risk assessments to identify vulnerabilities, threats, and potential business impacts.

A well-defined ICT incident management process is a fundamental requirement, enabling CASP to detect, manage, and notify relevant authorities of incidents. Major incidents must be reported to regulators within four hours of detection, and a comprehensive supplementary report must be submitted within one month.

MiCA additionally formalizes cybersecurity expectations, requiring CASP to implement appropriate technical and organizational security measures to protect their systems and data. CASP are explicitly obligated to conduct regular security audits and penetration testing.

Management and Key Personnel

The integrity and competence of VASP management and key personnel are fundamental to regulatory compliance and operational success. Board members and beneficial owners must meet rigorous “fit and proper” criteria. This requires them to have appropriate experience or education in the financial sector or virtual assets and lack of criminal record, particularly regarding economic or financial crimes.

Senior managers must demonstrate necessary experience and qualifications, such as completing training or courses covering legal or practical issues related to virtual currencies or at least one year of proven experience in this field. The broader personnel composition should also include specialists with experience in cryptocurrency, fintech, and compliance.

Information about criminal records of natural persons in Poland can be obtained from the National Criminal Register for a fee (30 PLN for paper version, 20 PLN for electronic). Due diligence should aim to assess the culture of compliance and ethics in VASP management. This may include conducting detailed interviews with key personnel, reviewing their professional experience for any previous regulatory violations, and assessing their understanding and actual commitment to MiCA principles.

Banking Relationships and Operational Stability

The ability of VASP to establish and maintain stable banking relationships is a critical operational component, particularly for facilitating fiat on/off-ramps. Opening a bank account for a cryptocurrency company is generally possible with a Polish crypto license, often facilitated by European electronic money institutions (EMI).

A key benefit of obtaining a crypto license is its role in demonstrating credibility to traditional banking institutions, which are often cautious about engaging with the crypto sector due to perceived AML/CFT risks. MiCA explicitly requires CASP to ensure that client funds are held in separate accounts at EU credit institutions. This is a crucial safeguard for protecting client assets, particularly in case of VASP insolvency.

Due diligence must assess the stability and robustness of VASP banking relationships, not just their existence. This includes understanding the number and reputation of their banking partners, their contingency plans in case of banking relationship termination, and their proven ability to ensure client fund segregation in accordance with MiCA requirements.

Travel Rule Compliance and Counterparty Risk Management

The FATF Travel Rule imposes an obligation on VASP to collect, store, and transmit specific originator and beneficiary information for virtual asset transactions exceeding the threshold of 1,000 USD or 1,000 EUR. Crucially, the Travel Rule also requires VASP to conduct due diligence on counterparty VASP.

This includes assessing the counterparty’s AML/CFT program robustness, their data storage and security frameworks, their licensing and registration status, and their compliance with the Travel Rule itself. This assessment must occur before any data transfer under the Travel Rule. Poland’s history of imposing penalties for sanctions violations underscores the seriousness of these obligations.

CASP license in Poland – After Legal Law Firm

Purchasing a company with VASP registry entry can be an attractive option for entering the cryptocurrency market in Poland, but requires particular caution and conducting a comprehensive verification process. The transformation from the registration system to mandatory licensing under MiCA fundamentally changes the operational and financial landscape for VASP.

Before making an acquisition decision, it is essential to conduct thorough due diligence covering all mentioned areas, with particular emphasis on strategic preparation for MiCA, effectiveness of internal compliance frameworks, operational resilience and third-party risk management, financial substance and management integrity, and reputational vulnerability.

Only comprehensive verification, supported by continuous monitoring of regulatory evolution and proactive engagement in the MiCA transformation process, will avoid purchasing an entity unprepared for new regulatory requirements and ensure solid foundations for cryptocurrency business development in Poland. It is also worth considering engaging specialized legal and financial advisors who will help conduct a professional due diligence process tailored to the rapidly evolving regulatory environment.