European corporate liability: key supervisory actions in the EU and Poland | Manimama


Introduction

The rapid development of financial technology and the accelerating growth of the crypto industry in the European Union have been accompanied by a noticeable tightening of supervisory expectations. Regulators are increasingly focused on licensing discipline, compliance culture, and the operational effectiveness of AML/CTF frameworks and market-abuse controls. As a result, mechanisms of administrative and, in some cases, criminal liability have become central to the European regulatory landscape.

Banks, payment institutions, investment companies and crypto-asset service providers (CASPs/VASPs) now operate under heightened scrutiny, where regulatory obligations are enforced not only through monetary penalties but also through structural measures such as activity restrictions, withdrawal of authorisation and intrusive supervisory intervention. Recent enforcement actions at both EU and national levels, particularly in jurisdictions like Poland, demonstrate how weak governance, inadequate reporting and ineffective risk management systems translate directly into corporate liability.

Against this backdrop, understanding the logic behind supervisory actions and the emerging enforcement patterns is essential for any business operating in Europe’s financial or crypto markets.

EU-level enforcement: high penalties and cross-border significance

EU-level enforcement in recent years has demonstrated a decisive regulatory shift. Supervisors are no longer satisfied with formal compliance or written policies. Instead, they increasingly scrutinise whether systems actually work in practice. AML/CTF frameworks, internal controls, market-abuse safeguards and reporting mechanisms are now tested on their operational maturity rather than their existence on paper. 

The enforcement actions against ING Spain and Deutsche Bank illustrate how EU regulators impose substantial penalties on major financial institutions when internal weaknesses compromise market integrity or undermine the fight against financial crime.

ING Spain case

The 2025 enforcement action against ING Spain demonstrates the strict application of EU AML standards. The Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses (SEPBLAC) found that the bank failed to report suspicious transactions despite clear red flags and maintained materially deficient procedures for identifying, documenting and escalating potentially illicit activity. Weak automation, ineffective internal escalation channels and inadequate ongoing monitoring resulted in breaches of key obligations under Directive (EU) 2015/849 (4AMLD), including customer due diligence, risk assessment and timely suspicious-transaction reporting.

ING was fined EUR 3.91 million, a penalty that underscores a clear supervisory message: even isolated operational gaps in AML processes are treated as serious violations when they reflect structural deficiencies in risk management.

Deutsche Bank case

A similar regulatory stance is evident in the Federal Financial Supervisory Authority’s (BaFin’s) 2024 action against Deutsche Bank, which resulted in EUR 23.05 million in total penalties. The most significant fine, EUR 14.8 million, was imposed for organisational deficiencies related to derivatives trading activities in Spain. Under Regulation (EU) 596/2014 (MAR), companies must maintain robust internal arrangements capable of detecting and preventing market manipulation and other forms of abusive behaviour.

BaFin concluded that Deutsche Bank failed to react promptly to potential market-abuse indicators and lacked adequate organisational structures, constituting a breach of Article 16 MAR. Additionally, Postbank was fined EUR 4.6 million for violations of MiFID II record-keeping rules owing to its failure to preserve telephone recordings and electronic communications associated with investment advice.

Increasing supervisory pressure: Polish experience

Recent enforcement practice in Poland demonstrates a clear regulatory trajectory: the Polish Financial Supervision Authority (KNF) and the Ministry of Finance are steadily intensifying oversight, expanding the use of administrative sanctions, and applying structural measures, up to withdrawal of authorisation, to enforce compliance across the financial and crypto-related sectors. Unlike EU-level enforcement, which often focuses on high monetary penalties, Poland’s approach is more operational and interventionist: regulators scrutinise governance, risk-management procedures and reporting practices, signalling a near-zero tolerance for systemic non-compliance.

Regulatory practice

In AML supervision, Poland has adopted a distinctly strict stance. The case of STS SA, fined nearly PLN 3 million, illustrates the consequences of failing to establish even the most basic AML/CTF framework. The company operated without an AML officer, had no risk assessment, and lacked internal AML procedures – failures that KNF characterised not as isolated omissions but as a systemic disregard for statutory duties. Regulators emphasised that AML requirements cannot be perceived as administrative formalities: the absence of core compliance infrastructure constitutes a fundamental breach of national AML legislation.

Similarly, ING Bank Śląski was sanctioned with a PLN 4.28 million fine for inadequate customer-identification measures, delays in filing suspicious-activity reports with the financial intelligence unit (GIIF), and deficiencies in ongoing monitoring. Notably, KNF did not apply mitigating factors despite the bank’s systemic significance, demonstrating a shift towards uniform enforcement standards regardless of an institution’s size or market stature.

KNF’s assertive approach extends beyond AML and deeply affects the payments and crypto sectors. A landmark example is COINQUISTA S.A., which lost its status as a Small Payment Institution (MIP) due to repeated violations of reporting obligations under the Payment Services Act. Persistent failure to submit mandatory reports prompted KNF to impose the most severe measure available – revocation of the right to operate as an MIP. Withdrawal of authorisation is used in Poland more frequently than in many other EU jurisdictions, reflecting the regulator’s readiness to remove non-compliant entities from the market entirely.

This supervisory philosophy is further reflected in structural interventions taken against smaller providers. Entities such as VCA sp. z o.o. and Send and Go sp. z o.o. were deleted from the payment-service register after repeatedly failing to submit operational data and failing to maintain mandatory insurance or guarantees. These actions underscore the preventive nature of Polish regulatory practice: companies unable to ensure compliance are barred from operating before they generate risks for customers or the wider financial system.

Taken together, recent enforcement actions show that Poland has adopted one of the most assertive supervisory models in the EU. Monetary fines are only part of the toolkit: KNF increasingly relies on structural sanctions, demanding operational transparency, documented compliance processes and timely reporting. The Polish model signals that regulatory expectations are rising rapidly and that entities operating in high-risk sectors such as payments, fintech and crypto must be prepared for intrusive, detail-oriented and uncompromising supervisory scrutiny.

Conclusions

Recent enforcement actions at both the EU level and in Poland make one trend unmistakably clear: European regulators are shifting from formalistic compliance to a strict assessment of operational effectiveness. Weak AML controls, inadequate reporting and insufficient governance structures are no longer viewed as technical shortcomings – they are treated as systemic risks that trigger corporate liability.

The cases of ING Spain and Deutsche Bank show that EU supervisors readily impose high penalties where market integrity or AML/CTF obligations are compromised. Poland goes even further: KNF increasingly relies on structural measures such as licence withdrawals, removal from registers and operational restrictions, reflecting one of the most assertive supervisory models in the EU.

For banks, payment companies, fintech companies and CASPs, the message is simple: compliance is no longer about documentation but about demonstrable, functioning systems. Institutions must ensure robust governance, timely reporting and effective risk management if they want to withstand tightening regulatory scrutiny.

Europe’s enforcement environment is becoming more demanding and more consistent. Companies that adapt early, investing in real operational compliance, will be best positioned to maintain trust and avoid escalating liability risks.

At Manimama Law Firm, we help businesses navigate this new reality effectively. We prepare documentation, manage application processes, and develop long-term crypto compliance strategies.

Our contacts

If you want to become our client or partner, feel free to contact us at support@manimama.eu.

Or use our Telegram @ManimamaBot and we will respond to your inquiry.

We also invite you to visit our website: https://manimama.eu/.

Join our Telegram to receive news in a convenient way: Manimama Legal Channel.


The content of this article is intended to provide a general guide to the subject matter, not to be considered as a legal consultation.
