Anti-money laundering and counter-financing of terrorism (AML/CFT) constitutes an area of compliance with growing demands in Spain, driven by European directives and scrutiny from international bodies such as FATF. Companies subject to Law 10/2010 on the prevention of money laundering must have robust and up-to-date internal procedures.
Obligated Entities
The law identifies a broad list of obligated entities, including: financial institutions, insurers, notaries, registrars, lawyers and tax advisers (when acting in certain transactions), auditors, real estate developers, securities firms and casinos. Each category has specific obligations tailored to their activity.
In the non-financial sector, obligations have expanded significantly in recent years. Tax advisers and lawyers are subject to the law when they participate in: (a) real estate or business transfers; (b) management of the client’s funds, securities or other assets; (c) opening or managing bank, savings or securities accounts; (d) organising contributions for the creation, operation or management of companies; and (e) the creation, operation or management of trusts, companies or similar structures.
Key Obligations
AML obligations include: (1) identification and verification of client identity (KYC); (2) identification of the beneficial owner; (3) ongoing monitoring of the business relationship; (4) reporting suspicious transactions to SEPBLAC; (5) document retention; (6) periodic staff training; and (7) documented risk assessment.
Standard due diligence: Applicable to most clients, it requires verifying identity using an official document, identifying the beneficial owner when the client is a legal entity, and obtaining information about the nature and purpose of the business relationship.
Simplified due diligence: May apply to clients presenting demonstrably low money laundering risk, such as EU-supervised financial institutions, companies listed on regulated European markets, or public authorities. It does not exempt from the obligation to identify the beneficial owner.
Enhanced due diligence: Mandatory when high-risk factors are detected, such as non-face-to-face transactions, relationships with politically exposed persons (PEPs), transactions involving high-risk countries identified by the European Commission, or unusually complex ownership structures. In these cases, verification of identity and source of funds must be more thorough.
Beneficial Owner Identification
One of the most demanding obligations is identifying the beneficial owner — the natural person who ultimately owns or controls the client. For legal entities, a person who directly or indirectly holds more than 25% of the capital or voting rights, or who exercises control by other means, is presumed to be the beneficial owner.
The Beneficial Ownership Register, created under the Fifth AML Directive, facilitates querying this information. However, obligated entities cannot rely solely on the register: they must conduct their own verifications and update information when changes are detected.
Regulatory Updates
The Fifth AML Directive (transposed into Spain via Royal Decree 7/2021) strengthened enhanced due diligence obligations for relationships with high-risk countries and politically exposed persons (PEPs). The creation of the Beneficial Ownership Register improved transparency on the effective ownership of entities.
The AML legislative package approved by the European Union in 2024 provides for the creation of a new European anti-money laundering authority (AMLA) based in Frankfurt, which will take on direct supervision of the highest-risk financial entities from 2026. This represents a qualitative leap in supervisory scrutiny for financial groups with cross-border operations.
Additionally, the Funds Transfer Regulation, in force since December 2024, extended traceability requirements to crypto-asset transfers, obliging crypto-asset service providers (CASPs) to include information on the originator and beneficiary in all transactions.
The AML Compliance Programme
An effective AML programme does not merely comply formally with the law. It must be genuinely designed to detect irregular transactions and integrated with business processes. The essential elements are:
Client acceptance policy: Defines the criteria for accepting or declining a business relationship, establishes risk categories and determines the level of due diligence applicable to each client.
Procedures manual: Documents the KYC processes, the criteria for escalating an internal suspicious transaction report and the protocol for reporting to SEPBLAC.
Annual risk assessment: Must be updated annually to reflect changes in the client structure, product and service catalogue, and regulatory context.
Ongoing training: The law requires staff involved to receive specific, up-to-date training. The recommended minimum frequency is annual, with immediate updates whenever significant regulatory changes occur.
Consequences of Non-Compliance
SEPBLAC can impose very serious penalties of up to 5 million euros or 10% of total annual business volume, which represents a significant reputational and economic risk. Serious penalties can amount to up to 1 million euros. Beyond the direct consequences, a SEPBLAC sanctioning proceeding can severely affect the entity’s reputation and its ability to maintain correspondent banking relationships.
At BMC we advise on implementing effective AML programmes. See our AML compliance services.
