AML compliance in Spain 2026: what your business must know about anti-money laundering regulation
Spain AML compliance 2026: SEPBLAC obligations, risk-based approach, PBC manual, UBO verification, and suspicious transaction reporting. Expert service from BMC.
- REAF
- ICAM
- 5 Offices in Spain
- 25+ Years
- 30+ Jurisdictions
The problem
Spain's anti-money laundering and counter-terrorism financing (AML/CTF) framework is one of the most demanding in Europe. More than 100,000 obliged entities — from financial institutions to lawyers, notaries, real estate agents and tax advisers — must maintain updated compliance programmes under threat of sanctions exceeding one million euros and personal criminal liability for directors. The FATF mutual evaluation of Spain published in 2023 revealed concrete weaknesses in effective controls across the non-financial sector and sharply increased SEPBLAC supervisory pressure. Many obliged entities hold outdated AML manuals, incomplete KYC procedures or SEPBLAC representatives without clearly defined functions. The new EU AML package of 2024 — a directly applicable AML Regulation, 6AMLD and the creation of the European AMLA authority — adds another layer of requirements that will be enforceable before the end of 2026.
Our solution
BMC designs and implements comprehensive AML compliance programmes tailored to the specific risk profile of each client. We do not sell templates: we build programmes that work in practice, withstand SEPBLAC inspections and are updated as regulation evolves. Our team combines deep technical knowledge of AML/CTF regulation with practical experience in SEPBLAC inspections and in defending clients before SEPBLAC and before the criminal courts in money laundering proceedings.
How we do it
AML programme diagnostic
We audit the current state of the AML prevention programme: prevention manual, KYC policies, due diligence procedures, beneficial ownership identification system, SEPBLAC representative designation and functions, and documented staff training. We deliver a gap report prioritised by sanction risk level.
AML/CTF risk assessment
We prepare the risk assessment required by regulation: risk map by client type, product or service, distribution channel and geography. The risk map is the first document requested by SEPBLAC in every inspection and the starting point for an effective prevention programme.
Programme design and implementation
We draft or update the prevention manual, KYC policies, standard and enhanced due diligence procedures, politically exposed persons (PEPs) criteria, client acceptance policy, suspicious transaction reporting procedures to SEPBLAC, and the ten-year documentation retention protocol.
Training, maintenance and inspection preparation
We train staff and governing bodies, designate or advise the SEPBLAC representative, conduct periodic programme reviews, and prepare the company for SEPBLAC inspections through mock inspections and compliance file reviews.
SEPBLAC carried out an unannounced inspection. Thanks to the programme implemented by BMC, we passed without any issue. The documentation was perfectly organised and our staff knew exactly what to say and how to respond. (anonymised case)
AML compliance in Spain: the regulatory framework your business must understand
Spain’s legal framework for anti-money laundering and counter-terrorism financing (AML/CTF) is built on Law 10/2010 of 28 April and its implementing regulation — Royal Decree 304/2014 of 5 May — which transpose successive EU anti-money laundering directives and establish a comprehensive system of obligations for a wide range of obliged entities. Above that national foundation sits a growing layer of European regulation: the Sixth Anti-Money Laundering Directive (6AMLD), the new EU AML Regulation approved in 2024 — which applies directly in Spain without any need for national transposition — and the creation of the European Anti-Money Laundering Authority (AMLA), operational from Frankfurt with direct supervisory powers over selected high-risk entities from 2026.
Understanding exactly what this framework requires — who is an obliged entity, what measures must be adopted, what supervisory exposure exists and what the consequences of non-compliance are — is the foundation for building an AML compliance programme that actually works rather than one that merely exists on paper.
Obliged entities under Article 2 of Law 10/2010
Article 2 of Law 10/2010 defines the personal scope of the AML regulation. The main categories of obliged entities are:
| Category | Examples | Specific features |
|---|---|---|
| Credit institutions | Banks, savings banks, credit cooperatives | Also subject to prudential supervision by Banco de España |
| Insurance companies | Life insurance, reinsurance companies | Applicable to life and investment-linked products |
| Investment service firms | Securities agencies, portfolio management companies | Includes EAFs (financial advisory firms) |
| Fund management companies | SGIIC, pension fund managers, SICAVs | KYC obligations on investors and founders |
| Payment and e-money institutions | Fintech payment firms, e-money issuers | Reduced identification threshold: €250 |
| Real estate developers and agents | Developers, estate agents, property consultants | Increased SEPBLAC focus since 2022 |
| Notaries | All public notaries in Spain | Obligations in corporate deeds and property sales |
| Lawyers and legal representatives | In M&A, real estate, fund management transactions | Does not apply to contentious legal representation |
| Auditors | All audit firms | Includes Big Four and mid-market firms |
| Tax and accounting advisers | Tax firms, economics consultancies, administrative managers | Low threshold for transaction reporting |
| Casinos and online gambling | Physical casinos, licensed online gambling operators | Specific obligations for transactions above €2,000 |
| Company service providers | Registered offices, company formation agents, nominee directors | Gap sector identified by FATF 2023 |
| Crypto-asset service providers (CASPs) | Exchanges, custodians, wallet providers | New full AML obligations under MiCA/EU AML Regulation |
Determining whether a specific activity falls within the personal scope of the law is not always straightforward, particularly for law firms combining advisory and contentious work, or for alternative investment platforms managing private capital. BMC conducts scope analysis for companies uncertain about their status as obliged entities.
Core obligations under Spain’s AML framework
Once obliged entity status is confirmed, Law 10/2010 and RD 304/2014 establish a system of graduated obligations that an AML/CTF programme must cover in full:
Standard customer due diligence (CDD)
All obliged entities must identify and verify the identity of their clients before establishing the business relationship or before executing occasional transactions above €1,000 (€250 for payment institutions). Verification requires original documentation — national ID, NIE or passport for natural persons; articles of incorporation and Commercial Registry extract for legal entities — and cannot be replaced by the client’s own declaration.
Standard CDD also requires understanding the nature of the client’s business, the origin of funds to be used in the relationship, and the purpose of the relationship itself. This knowledge must be documented and updated throughout the duration of the relationship.
Beneficial ownership identification
Beneficial ownership identification generates the highest number of compliance failures and receives the most intense scrutiny in SEPBLAC inspections. The beneficial owner is the natural person who ultimately owns or controls the client — generally any person who directly or indirectly holds more than 25% of the share capital or voting rights.
For simple structures with two or three individual shareholders, identification is relatively direct. Complexity arises with holding structures, widely dispersed shareholding, foundations, trusts, nominee accounts or deferred insurance beneficiary arrangements. Spain’s Commercial Registry beneficial ownership register (created in 2021) facilitates verification but does not exempt the obliged entity from actively verifying and documenting the outcome.
Where beneficial ownership cannot be determined with certainty, this must be explicitly recorded in the client file and, depending on the risk profile, enhanced due diligence or refusal of the business relationship may be necessary.
Enhanced due diligence: PEPs and high-risk jurisdictions
Enhanced due diligence is mandatory when the client, product or transaction carries an elevated risk profile. The most common cases are:
- Politically exposed persons (PEPs): senior public officials, their immediate family members and close associates. The definition expressly includes nationals of third countries and leaders of international organisations. Enhanced due diligence for PEPs requires senior management approval to open or continue the business relationship and ongoing enhanced monitoring throughout.
- Clients from high-risk jurisdictions: countries included in FATF non-cooperative jurisdiction lists, EU high-risk country lists, or Spanish tax haven lists for AML purposes. Enhanced due diligence requires additional verification of the source of funds and may require in-person verification or confirmation by a trusted third party.
- Unusual transactions: transactions whose volume, nature or structure is unusual or unjustified from a legitimate business or economic perspective. This category requires the compliance officer to maintain sufficient sector-specific knowledge to identify unusual patterns in the normal business flow.
Suspicious transaction reporting to SEPBLAC
The obligation to report to SEPBLAC does not require certainty about money laundering: reasonable indications or suspicion are sufficient. Reports are submitted through SEPBLAC’s RCPBC system and are accompanied by the tipping-off prohibition — the obliged entity may not inform the client that a report has been made.
Failure to report is a serious infringement under Law 10/2010. The act of reporting in good faith protects the obliged entity from criminal liability for co-operation in money laundering, provided it has acted with the required diligence.
In addition to individual suspicious transaction reports, obliged entities must make periodic reports to SEPBLAC on certain categories of transactions — including cash movement declarations and, for some sectors, systematic reports regardless of any suspicion.
SEPBLAC representative and Internal Control Body (OCI)
All obliged entities must designate a SEPBLAC representative with sufficient seniority. This person is the inspection interlocutor, responsible for communications to SEPBLAC and for certifying programme compliance to the regulator.
Regulation distinguishes between the SEPBLAC representative and the Internal Control Body (OCI), which is the internal body — individual or collegiate — responsible for the operational management of the AML programme: reviewing client files, approving high-risk client acceptance, investigating internal alerts and deciding whether to escalate to a SEPBLAC report.
For small and medium-sized businesses, the SEPBLAC representative and OCI head are usually the same person. For larger entities, separating the functions and building a dedicated AML compliance team is best practice.
Internal AML unit vs. outsourced OCI: larger obliged entities typically build an internal specialised compliance unit. Medium and smaller entities — particularly professional services firms such as law firms and tax advisers — may outsource OCI functions to a specialist provider while retaining ultimate responsibility and the SEPBLAC representative internally. BMC provides outsourced OCI and SEPBLAC representative services for obliged entities without sufficient internal structure.
SEPBLAC: registration, supervision and formal obligations
SEPBLAC acts as both Spain’s Financial Intelligence Unit (FIU) and the supervisor of non-financial sector obliged entities. Its inspections have increased significantly since 2022, with a focus on the sectors identified as deficient by the FATF 2023 evaluation.
Formal obligations before SEPBLAC include:
- Registration in the obliged entities register for sectors without another sectoral supervisor
- Periodic reports on certain transaction categories, regardless of suspicion
- Documentation availability in inspections: all AML programme documentation and client files must be made available within the timeframe specified in the inspection notice — which can be as short as 48 hours for unannounced inspections
- Notification of SEPBLAC representative changes whenever the designated person changes
What SEPBLAC requests first in every inspection:
- Documented and dated risk assessment
- Updated prevention manual (date of last revision)
- Due diligence files for the last three years with beneficial ownership verification evidence
- Training records for staff and governing bodies
- Log of transactions reported to SEPBLAC — and of those considered but not reported, with documented justification
- Documentation of the SEPBLAC representative and OCI
FATF 2023 mutual evaluation of Spain: key findings
The 2023 FATF mutual evaluation recognised Spain’s strong legal framework and active criminal enforcement of money laundering offences, but identified specific implementation weaknesses with direct consequences for obliged entities:
Legal and accounting advisers: low CDD compliance rates and significant under-reporting of suspicious transactions. The use of professional privilege as a barrier to reporting was flagged as a specific concern. Professional associations for lawyers and economists subsequently received clearer guidance on their members’ obligations.
Company service providers: gaps in beneficial ownership verification for company formation involving holding structures or nominee arrangements.
Risk-based supervision: FATF recommended that sectoral supervisors — including SEPBLAC for sectors without other regulators — adopt a more clearly risk-based supervisory approach, concentrating inspection resources on the highest-risk obliged entities and transaction types.
As a direct result, SEPBLAC intensified inspections, published updated supervisory guidance and increased its documentation quality requirements for KYC files. Companies with deficient or outdated AML programmes entered a materially higher sanction risk environment from 2023 onwards.
The 2024 EU AML package and the AMLA
The EU AML legislative package adopted in 2024 is the most significant reform of European AML architecture since the Fourth Directive in 2015:
Direct applicability of the AML Regulation
The new AML Regulation is an EU regulation — not a directive — and therefore applies directly and without transposition across all member states. Its provisions on due diligence, beneficial ownership and internal programme requirements will be directly enforceable against Spanish obliged entities. This creates a temporary overlap with Law 10/2010 that operators must manage carefully until the Spanish legislature updates national law.
AMLA: direct supervision from Frankfurt
The Anti-Money Laundering Authority (AMLA) will begin operations in 2025 and exercise direct supervision over selected high-risk financial entities from 2026. Selection criteria include volume of cross-border operations, sector risk profile and history of prior infringements. For non-financial sector obliged entities, AMLA will exercise indirect supervision, coordinating national supervisors and establishing binding technical standards.
Key changes for obliged entities
- Extension to CASPs: crypto-asset service providers under MiCA become full obliged entities with the same KYC and reporting obligations as traditional financial institutions.
- Strengthened beneficial ownership requirements: harmonised criteria and methodologies for identifying beneficial owners in multi-layer structures across the EU.
- EU jurisdiction risk lists: the Commission will maintain high-risk and moderate-risk country lists with specific due diligence thresholds, replacing the current patchwork of national and international lists.
- Minimum harmonised programme requirements: the AML Regulation sets the minimum mandatory content of AML/CTF programmes, with AMLA technical standards providing detailed procedures — raising the floor for less developed programmes.
Integrated AML compliance: connecting AML with criminal compliance and whistleblowing
An effective AML compliance programme cannot be designed as a standalone silo. The synergies with other regulatory frameworks are direct:
Criminal compliance (Article 31 bis of the Spanish Criminal Code) and the AML programme share the same prevention logic: both seek to establish controls that prevent the company from being used for illegal activities and — if they occur — allow the company to demonstrate it had adopted adequate preventive measures. The criminal risk map must include the risk of co-operation in money laundering offences as a priority risk in many sectors.
The whistleblowing channel required by Law 2/2023 simultaneously serves as an internal reporting mechanism for AML programme breaches, a channel for communicating suspicions that do not meet the threshold for mandatory SEPBLAC reporting, and an alert channel for the OCI. A well-designed whistleblowing system integrates all three information flows within a single system managed with the same confidentiality and non-retaliation standards.
Data protection (GDPR/LOPDGDD) is also relevant: KYC files contain personal data of clients and beneficial owners whose processing must comply with the GDPR. The legal basis (legal obligation under Law 10/2010), retention periods (ten years), security measures and data subject rights (limited in the AML context by the tipping-off prohibition) must be correctly documented in the records of processing activities.
What a well-implemented AML programme delivers
An AML compliance programme correctly implemented produces concrete, measurable outcomes:
- Passing SEPBLAC inspections without sanction, thanks to documentation quality and staff preparation.
- Reduced criminal liability risk for directors and managers, who can demonstrate the company adopted reasonable preventive measures.
- Access to higher-quality clients and counterparties: major corporate groups and financial institutions require evidence of operational AML programmes before entering business relationships.
- Regulatory confidence: a solid SEPBLAC compliance record reduces the frequency and intensity of future inspections and facilitates constructive engagement on specific queries.
- Efficient adaptation to the EU AML package: a strong programme today is the most efficient foundation for meeting new AMLA standards without rebuilding from scratch.
BMC’s AML compliance team combines technical expertise in AML/CTF regulation with hands-on experience in SEPBLAC inspections and in defending clients in criminal money laundering proceedings. Contact us for a no-obligation review of your programme.
Sources and Regulatory Framework
- BOE — Law 10/2010 of 28 April on Prevention of Money Laundering and Terrorism Financing
- BOE — Royal Decree 304/2014 implementing Law 10/2010
- SEPBLAC — Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales
- FATF — Mutual Evaluation Report Spain 2023
- EUR-Lex — Sixth Anti-Money Laundering Directive (6AMLD) 2018/1673
- EUR-Lex — AMLA Regulation (EU) 2024/1620
- Spanish Ministry of Economy — Secretaría General del Tesoro