AML Compliance: Protect Your Business from Money Laundering Risk

Anti-money laundering (AML) compliance in Spain is governed by Law 10/2010 on the Prevention of Money Laundering and Terrorist Financing (as amended by RDL 7/2021 transposing the EU's 6th AML Directive), which imposes obligations on a defined list of obligated entities — including financial institutions, law firms, notaries, real estate agents, accountants, and company formation agents. These entities must apply customer due diligence (KYC), maintain internal prevention manuals, establish whistleblowing channels, report suspicious transactions to SEPBLAC (Spain's Financial Intelligence Unit), and designate an internal compliance representative. Non-compliance can result in sanctions exceeding EUR 1 million and criminal liability for individual managers.

Our AML compliance team has experience implementing prevention programmes for entities across multiple sectors: financial, real estate, legal, accounting, and business services.

The Compliance Obligation Many Businesses Underestimate

Spain’s Law 10/2010 on the Prevention of Money Laundering and Terrorist Financing applies to a much wider range of businesses than most companies realise. Beyond the obvious financial institutions, the law covers auditors, tax advisers, lawyers involved in real estate or corporate transactions, estate agents, real estate developers, accountants, trust service providers, and any professional adviser managing third-party funds or assets. Many SMEs in these sectors have never properly assessed whether they are obligated entities — or if they have, their compliance programme has not kept pace with regulatory developments.

The SEPBLAC has become progressively more active in its inspection and enforcement activity. Administrative sanctions for serious violations now routinely exceed one million euros. Personal liability for management bodies is also expressly provided for in the law: directors who allow a non-compliant programme to persist are not shielded by the corporate structure.

What an Effective AML Programme Actually Looks Like

The minimum requirements of Law 10/2010 are not met by a generic prevention manual downloaded from the internet. An effective programme requires a genuine risk assessment: a structured analysis of your specific client base, the products and services you provide, the geographic jurisdictions involved, and your distribution channels. Different businesses face radically different AML risk profiles, and the controls must be calibrated accordingly.

KYC is the operational heart of the programme. For corporate clients, this means going beyond the registered company to identify and verify the ultimate beneficial owners — the natural persons who ultimately control the entity. The beneficial-ownership register (RBE) provides a starting point, but its data cannot be relied on exclusively: discrepancies must be investigated. For politically exposed persons (PEPs) and clients from high-risk jurisdictions, enhanced due diligence is required, with documented justification for accepting the business relationship.

Our programmes are designed to be operational, not decorative. We train staff to apply the procedures in their daily work, not just to have attended a compliance presentation. When a transaction triggers a red flag, the team should know what to do: how to escalate, how to document the assessment, and when the obligation to report to the SEPBLAC arises.

AML in Corporate Transactions

When a company is being acquired, AML compliance is a critical dimension of due diligence. An inadequate programme inherited through an acquisition creates immediate regulatory exposure for the buying group. We conduct AML-specific due diligence reviews for acquirers of obligated entities, quantify the remediation cost, and advise on the representations and warranties that should be included in the sale agreement to protect the buyer.

For businesses undergoing restructuring that changes their client base or geographic footprint, the AML risk assessment must be updated to reflect the new profile. A programme designed for a domestic client base may be wholly inadequate after an international expansion.