
How to Protect Your Business Against Money Laundering (AML)

Practical guide to anti-money laundering (AML) obligations for businesses and professionals: who is a reporting entity, what measures are legally required, what mistakes to avoid and how to implement an effective AML compliance system.

Anti-money laundering and counter-terrorist financing ([AML](/en/glossary/anti-money-laundering)/CTF) legislation imposes obligations on a broad range of businesses and professionals: identifying clients, reporting suspicious transactions and providing internal training. These obligations go far beyond what many reporting entities are aware of. Non-compliance creates not only regulatory risk: it creates reputational risk, risk of complicity in serious crimes and, in the most serious cases, criminal liability of the legal entity.

Who Is a Reporting Entity?

Ley 10/2010, of 28 April, on the Prevention of Money Laundering and Terrorist Financing, establishes a list of reporting entities covering both financial institutions (banking, insurance, investment) and certain professionals and non-financial businesses.

Among the non-financial sector reporting entities, the following are particularly notable:

  • Lawyers, legal representatives and legal advisers when they participate in transactions involving real estate sales, company or trust management, capital movements or fiduciary arrangements
  • Auditors and tax advisers in the same types of transactions
  • Notaries and registrars in their standard functions
  • Real estate agents and developers in purchase and sale transactions
  • Crypto asset managers (cryptocurrencies)
  • Luxury goods dealers (jewellery, art, high-end vehicles) in transactions exceeding €10,000 in cash
  • Casinos and gambling operators

If your business or professional activity falls into any of these categories, you have specific legal obligations that must be met regardless of your transaction volumes.

The Basic Obligations of Reporting Entities

Customer Due Diligence (KYC)

Before establishing a business relationship, the reporting entity must identify and verify the client’s identity using official documentation, identify the beneficial owner (the natural person who ultimately controls or owns the client) and understand the purpose and nature of the relationship.

Due diligence may be simplified (for low-risk clients), standard, or enhanced (for high-risk clients: high-risk countries, politically exposed persons — PEPs, opaque ownership structures).

Special Examination of Transactions

Certain transactions must be subject to special examination: those with no apparent economic justification, those of an unusually large amount, those involving high-risk countries or territories, and those with complex structures without an evident legitimate purpose.

Reporting to SEPBLAC

When a suspicious transaction is identified, the reporting entity must report it to the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences (Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias — SEPBLAC), while maintaining confidentiality towards the client (the “tipping-off” prohibition).

Abstention from Execution

In the highest-risk situations, the reporting entity must decline to execute the transaction and report immediately to SEPBLAC.

Document Retention

Customer due diligence documentation and transaction records must be retained for ten years.

The Internal Prevention System

Reporting entities with a significant volume of activity must implement an internal prevention system comprising:

  • AML prevention manual setting out the internal procedures for identification, risk assessment and reporting
  • SEPBLAC representative (if the business has the required transaction volumes)
  • Internal control body (in financial institutions and certain non-financial reporting entities)
  • Ongoing staff training on red flags and procedures
  • Regular documented risk assessment

How BMC Can Help

Our anti-money laundering team advises reporting entities on preparing the prevention manual, implementing customer due diligence procedures, training staff and representing the entity before SEPBLAC. We integrate the AML system with the broader criminal compliance programme and the company’s risk map.

If you are unsure whether your activity makes you a reporting entity, or would like to review the adequacy of your current system, contact our team for an initial assessment.

The relevant legislation in Spain is structured at three levels:

Primary legislation: Ley 10/2010, of 28 April, on the Prevention of Money Laundering and Terrorist Financing (BOE No. 103, of 29 April 2010), transposing the Fourth EU Directive. It establishes the list of reporting entities in Art. 2, customer due diligence measures in Chapter II (Arts. 3 to 13) and SEPBLAC reporting obligations in Chapter III (Arts. 17 to 23). The Law was substantially amended by Ley 11/2021, of 9 July, on measures to prevent and combat tax fraud, which introduced new beneficial ownership registration obligations in the Commercial Registry.

Regulatory framework: Royal Decree 304/2014, of 5 May, approves the Regulations implementing Ley 10/2010, developing risk assessment criteria (Arts. 16 to 26), factors for applying simplified or enhanced measures (Arts. 27 and 28) and the procedure for reporting suspicious transactions to SEPBLAC (Arts. 31 to 40).

European framework: Regulation (EU) 2023/1113, of 31 May 2023, on information accompanying transfers of funds and certain crypto assets, extends traceability obligations on transfers and entered into force in November 2025. This Regulation directly affects payment institutions, banks and crypto asset service providers (CASPs) operating in Spain.

The Fifth Anti-Money Laundering Directive (5AMLD, 2018/843/EU), transposed by Royal Decree-Law 7/2021, of 27 April, introduced the obligation to register beneficial owners for trust structures and expanded the list of politically exposed persons (PEPs).

Practical Example: A Law Firm as a Reporting Entity

Scenario: Bufete Martínez & Asociados (10 lawyers, Madrid) is engaged to incorporate a limited company for a client of Russian origin resident in Spain. The client wishes the company to hold a property valued at €1.2 million.

AML analysis: The incorporation of an SL holding real estate falls within Art. 2.1.ñ) of Ley 10/2010 (advising in the client’s name on the incorporation of legal entities). The law firm is a reporting entity for this transaction.

| Required measure | Action required | Supporting documentation |
|---|---|---|
| Basic due diligence (KYC) | Identify the client with official documentation | Certified copy of passport |
| Beneficial owner | Verify that the client is the only person with >25% control | Signed declaration + registry search |
| PEP check | Verify whether the client is a politically exposed person | Search of commercial database (World-Check, Refinitiv) |
| Source of funds | Justification for the origin of the €1M investment | Bank statements + asset declarations |
| SEPBLAC report | If the origin cannot be satisfactorily established | Form F-19 via SEPBLAC’s electronic portal |

Potential penalty for omitting due diligence: up to €10 million (Art. 52.1.a Ley 10/2010) or 10% of annual turnover if greater.

Common Mistakes BMC Corrects

  1. Not registering the SEPBLAC representative when required. Art. 26.1 of Ley 10/2010 requires the appointment of a SEPBLAC representative for entities with a relevant volume of transactions. Many firms and companies believe this obligation only applies to banks, but it also applies to accounting firms, real estate agencies and tax advisers that exceed the thresholds set out in Art. 26.2 of the Regulations.

  2. Confusing simplified due diligence with no due diligence. Art. 9 of Ley 10/2010 permits simplified measures for low-risk clients (listed companies, public authorities), but does not dispense with the obligation to identify the beneficial owner or document the relationship. Simplification reduces the depth of the examination, not the examination itself.

  3. Not updating the prevention manual following the 2021 amendments. Ley 11/2021 and RDL 7/2021 amended Ley 10/2010 in ways that must be reflected in the Prevention Manual: new beneficial ownership registration obligations in the Commercial Registry, an expanded PEP list and new obligations for crypto asset managers.

  4. Retaining KYC documentation for less than 10 years. Art. 25 of Ley 10/2010 sets a retention period of 10 years from the end of the business relationship. Many companies apply the general tax limitation period (4 years), creating a sanctionable breach.

  5. Not documenting staff training. Art. 29 of Ley 10/2010 requires ongoing and documented training for employees on red flags and AML procedures. SEPBLAC treats the absence of documented training as a serious infraction, regardless of whether informal training was provided.

Next Steps

  • Verify whether the business activity appears in the Art. 2.1 Ley 10/2010 list of reporting entities
  • Check whether the Prevention Manual has been updated to reflect the Ley 11/2021 and RDL 7/2021 amendments (in particular beneficial ownership registration and the expanded PEP list)
  • Confirm whether transaction volumes require appointment of a SEPBLAC representative (Art. 26.2 of the Regulations)
  • Verify that KYC documentation for the last 10 years is correctly filed and accessible
  • Implement documented training for employees with an attendance record and content log (Art. 29 Ley 10/2010)
  • Update due diligence procedures to cover crypto assets if the business deals with them (Regulation EU 2023/1113)
