Skip to content

Business glossary

Anti-Money Laundering (AML)

Anti-money laundering (AML) refers to the legal obligations, internal procedures and controls that designated categories of businesses and professionals (obligated entities) must implement to detect, prevent and report transactions that may be connected with money laundering or terrorist financing. In Spain, the primary legal framework is Law 10/2010 of 28 April and its implementing regulations.

Legal

What Is Money Laundering?

Money laundering is the process of making proceeds from criminal activity appear to have a legitimate origin. The classic three-stage model involves placement (introducing illicit funds into the financial system), layering (conducting complex transactions to obscure the trail) and integration (reintroducing the now-”clean” funds into the legitimate economy).

Terrorist financing shares some techniques with money laundering but has a distinct feature: the funds may be lawfully obtained yet directed towards terrorist activity.

Spain’s AML framework is built on Law 10/2010 of 28 April on the Prevention of Money Laundering and Terrorist Financing, implemented by Royal Decree 304/2014. This legislation incorporates successive EU Anti-Money Laundering Directives (up to the Sixth Directive, 2018/1673) and reflects the recommendations of the FATF (Financial Action Task Force), the global standard-setter in this field.

Key milestones in the evolving framework include:

  • The Fourth Directive (2015/849) and Fifth Directive (2018/843): introduced the UBO register, extended the scope of obligated entities, and strengthened due diligence obligations for politically exposed persons (PEPs).
  • Royal Decree 609/2023: established Spain’s Registro de Titulares Reales.
  • Law 11/2021 on tax fraud prevention: brought crypto-asset service providers into the AML framework.

Who Must Comply: Obligated Entities

Spanish law designates a broad range of obligated entities, including:

  • Financial institutions: banks, credit unions, insurers, investment firms, payment institutions.
  • Notaries and property/commercial registrars.
  • Lawyers and legal professionals when acting in connection with real estate transactions, company formation, fund management, or representing clients in financial transactions.
  • Tax advisers, auditors, and accountants in specified activities.
  • Real estate agents.
  • Gambling operators.
  • Crypto-asset service providers.
  • Trust and company service providers, including registered office providers and corporate administration services.

BMC provides specialist AML compliance advisory for obligated entities needing to build or strengthen their prevention programmes.

Core AML Obligations

Customer Due Diligence (KYC)

Obligated entities must apply three tiers of due diligence based on assessed risk:

  • Simplified due diligence — for low-risk customers (e.g., listed companies, regulated financial entities).
  • Standard due diligence — for the general client base.
  • Enhanced due diligence — mandatory for politically exposed persons (PEPs), non-face-to-face customers, transactions involving high-risk third countries, and any situation where the risk profile so requires.

Ultimate Beneficial Owner (UBO) Identification

Before establishing a business relationship, obligated entities must identify the natural persons who ultimately own or control the client entity. Ownership above 25% of capital or voting rights is the standard threshold, though control by other means also triggers identification requirements. Spain’s Registro de Titulares Reales allows cross-checking UBO declarations made by companies.

Reporting to SEPBLAC

The SEPBLAC (Spain’s Financial Intelligence Unit) is the body that receives, analyses and disseminates financial intelligence. Obligated entities must submit:

  • Suspicious transaction reports (STRs): when there are grounds to suspect a connection with money laundering or terrorist financing.
  • Abstention reports: when a transaction could not be completed because the client refused to provide required documentation.

Reports to SEPBLAC are confidential and do not expose the reporting entity to civil or criminal liability for the act of reporting.

Internal Controls and Training

Obligated entities must maintain a documented AML prevention manual, designate an internal control body (or a representative before SEPBLAC for smaller entities), and run continuous employee training programmes. The policies and controls must be proportionate to the size and risk profile of the business.

Sanctions for Non-Compliance

Spain’s enforcement regime is among the most stringent in the EU. Very serious infringements may lead to:

  • Fines of up to 10% of total annual turnover or €10 million (whichever is higher).
  • Revocation of operating licences.
  • Personal fines for responsible managers of up to €5 million.
  • Criminal prosecution under Article 301 of the Spanish Penal Code for those who knowingly facilitate money laundering.

The supervisory authority varies by sector: the SEPBLAC oversees most obligated entities, while the Banco de España, CNMV, and DGS supervise the entities under their sectoral remit.

Frequently asked questions

Who are the obligated entities under Spanish AML law?
Law 10/2010 lists a closed set of obligated entities: financial institutions (banks, insurers, fund managers), notaries and registrars, lawyers and legal advisors when involved in certain transactions, auditors, real estate agencies, asset managers, casinos, and crypto-asset service providers (since 2021). Tax advisers and company service providers acting on behalf of clients in financial or corporate transactions also fall within scope.
What is KYC due diligence and what does it require?
Know Your Customer (KYC) due diligence requires obligated entities to identify and verify the customer's identity, understand the nature and purpose of the business relationship, and obtain information on the source of funds. Due diligence may be simplified (for low-risk customers), standard, or enhanced (for high-risk customers, politically exposed persons, or transactions involving high-risk countries).
What is SEPBLAC and when must a report be filed?
SEPBLAC (Spain's Financial Intelligence Unit, attached to the Bank of Spain) is the body that receives and analyses suspicious transaction reports. Obligated entities must report any transaction where there are indications or certainty of a connection with money laundering or terrorist financing. They must also report abstentions — transactions they could not complete because the customer refused to provide required information.
What is the UBO register in Spain?
The Registro de Titulares Reales is Spain's public register of ultimate beneficial owners (UBOs) — the natural persons who ultimately own or control a legal entity, directly or indirectly (generally above a 25% threshold in capital or voting rights). Established under Royal Decree 609/2023 to implement the Fifth AML Directive (2018/843), it allows obligated entities to verify the ownership structure of their clients.
What are the penalties for AML non-compliance in Spain?
Sanctions under Law 10/2010 are severe: very serious infringements can result in fines of up to 10% of total annual turnover or €10 million, plus reputational and licence consequences. Individual managers may face personal fines of up to €5 million. Criminal liability under Article 301 of the Spanish Penal Code applies to those who knowingly facilitate money laundering.

Related sectors

Financial Services Real Estate & Construction

Related terms

Corporate Governance in Spain Company Director Liability in Spain Commercial Contracts in Spain
Back to glossary

Request a personalized consultation

Our experts are ready to analyze your situation and provide tailored solutions.

Free consultation
Call Contact