Fintech 2026

POLAND Law and Practice Contributed by: Wojciech Ługowski, Lawarton Lugowski Kapica Spolka Komandytowa

Guidelines on outsourcing to cloud service providers (ESMA50-157-2403) and related domestic laws.

Regulated entities must consider and address all the risks associated with outsourcing arrangements before proceeding. This requires thorough due diligence on potential service providers to ensure they possess the appropriate skills, experience and resources to perform the outsourced services effectively.

Furthermore, regulated entities must have a written outsourcing policy in place and ensure that outsourcing arrangements do not compromise their ability to fulfil legal obligations or hinder the competent authority’s ability to supervise them. Significantly, outsourcing does not relieve the regulated entity of responsibility to clients or third parties to deliver regulated services.

Additionally, a written outsourcing agreement must be established between the regulated entity and the service provider, including specific mandatory provisions covering aspects such as data protection, security, the right of the regulated entity and KNF to monitor and audit the outsourcing provider and termination rights. Stricter requirements apply when outsourcing critical functions like risk management, ICT or AML.

While outsourcing to a regulated entity is not always required, it is often preferable, as such providers are already subject to supervisory controls, reducing compliance risks.

2.9 Gatekeeper Liability

Fintech providers are considered “gatekeepers” in certain regulatory areas, particularly under AML/CFT legislation. They are required to conduct customer due diligence (KYC), monitor transactions and report suspicious activities to the relevant authorities. These obligations help ensure the legality, security and integrity of financial activities on fintech platforms.
Additionally, depending on their business model, some fintech companies may have broader consumer protection and market integrity responsibilities, such as preventing fraud or unauthorised financial activities. The Digital Markets Act introduces further obligations for large fintech platforms that could be designated as “gatekeepers” under EU law, potentially subjecting them to stricter compliance and operational transparency requirements.

While fintech providers have significant compliance responsibilities, their liability for user activities depends on the nature of their services and whether they actively facilitate or merely provide access to financial transactions.

2.10 Significant Enforcement Actions

National supervisory authorities enforce regulations in the fintech sector to ensure market integrity and consumer protection. The most severe is licence revocation or suspension, which can be imposed for serious violations of regulatory requirements. Regulators also impose penalties and fines on non-compliant fintech firms, serving as a deterrent against breaches of financial regulations. Additionally, supervisory authorities can mandate corrective measures, such as improving internal controls, enhancing security protocols or modifying business practices to align with regulatory standards.

For example, in a recent case, the largest online currency exchange group in Poland had its payment institution licence revoked by the regulator due to non-compliance with supervisory requirements. This decision forced the company to cease certain operations, leading to severe financial difficulties and a real threat of insolvency.

Polish regulators focus heavily on AML/CFT procedures, increasing penalties when AML regulations are not properly implemented or handled. One of the fines for AML non-compliance reached nearly PLN22 million (approximately EUR5.2 million) in 2022.

Market observers conclude that obtaining licences from local regulators is consistently becoming more complex, time consuming and labour intensive.

2.11 Implications of Additional, Non-Financial Services Regulations

Data Protection

The GDPR requires fintechs to apply privacy by design principles to minimise the amount of data processed and properly handle consumers’ personal data. In
