AML Compliance: Protect Your Business from Money Laundering Risk
AML/CFT compliance programme for entities subject to Spain's Law 10/2010: policies, procedures, training, and SEPBLAC liaison.
Why AML compliance matters for your business
Does this apply to your business?
Does your company qualify as an obligated entity under Law 10/2010, and if so, does your AML programme meet its minimum requirements?
Are your KYC procedures identifying and verifying the ultimate beneficial owners of your corporate clients?
Do you have a documented protocol for detecting and reporting suspicious transactions to the SEPBLAC within the required timeframe?
When did you last conduct an independent review of your AML risk assessment and prevention manual?
Our AML compliance process
Risk assessment
We identify and assess the AML/CFT risks specific to your company based on your clients, products, distribution channels, and geographic areas of activity.
Programme design
We draft the prevention manual, customer due diligence (KYC) policies, enhanced due diligence procedures, and the internal control framework.
Implementation & training
We implement the procedures, train staff and management bodies, and appoint or advise the designated representative to the SEPBLAC.
Maintenance & audits
We conduct periodic programme reviews, update procedures in response to regulatory changes, manage SEPBLAC communications, and prepare the company for inspections.
The challenge
Penalties for non-compliance with Spain's AML Law can exceed one million euros. Beyond the regulatory risk, exposure to money laundering operations generates reputational and criminal risk for those responsible. Many obligated entities do not have the minimum controls required by law in place.
Our solution
We design and implement comprehensive anti-money laundering and counter-terrorist financing (AML/CFT) programmes tailored to each company's risk profile. From the prevention manual to SEPBLAC communications, we cover all requirements of Law 10/2010 and its implementing regulations.
Anti-money laundering (AML) compliance in Spain is governed by Law 10/2010 on the Prevention of Money Laundering and Terrorist Financing (as amended by RDL 7/2021 transposing the EU's 6th AML Directive), which imposes obligations on a defined list of obligated entities — including financial institutions, law firms, notaries, real estate agents, accountants, and company formation agents. These entities must apply customer due diligence (KYC), maintain internal prevention manuals, establish whistleblowing channels, report suspicious transactions to SEPBLAC (Spain's Financial Intelligence Unit), and designate an internal compliance representative. Non-compliance can result in sanctions exceeding EUR 1 million and criminal liability for individual managers.
Our AML compliance team has experience implementing prevention programmes for entities across multiple sectors: financial, real estate, legal, accounting, and business services.
The Compliance Obligation Many Businesses Underestimate
Spain’s Law 10/2010 on the Prevention of Money Laundering and Terrorist Financing applies to a much wider range of businesses than most companies realise. Beyond the obvious financial institutions, the law covers auditors, tax advisers, lawyers involved in real estate or corporate transactions, estate agents, real estate developers, accountants, trust service providers, and any professional adviser managing third-party funds or assets. Many SMEs in these sectors have never properly assessed whether they are obligated entities — or if they have, their compliance programme has not kept pace with regulatory developments.
The SEPBLAC has become progressively more active in its inspection and enforcement activity. Administrative sanctions for serious violations now routinely exceed one million euros. Personal liability for management bodies is also expressly provided for in the law: directors who allow a non-compliant programme to persist are not shielded by the corporate structure.
What an Effective AML Programme Actually Looks Like
The minimum requirements of Law 10/2010 are not met by a generic prevention manual downloaded from the internet. An effective programme requires a genuine risk assessment: a structured analysis of your specific client base, the products and services you provide, the geographic jurisdictions involved, and your distribution channels. Different businesses face radically different AML risk profiles, and the controls must be calibrated accordingly.
KYC is the operational heart of the programme. For corporate clients, this means going beyond the registered company to identify and verify the ultimate beneficial owners — the natural persons who ultimately control the entity. The beneficial-ownership register (RBE) provides a starting point, but its data cannot be relied on exclusively: discrepancies must be investigated. For politically exposed persons (PEPs) and clients from high-risk jurisdictions, enhanced due diligence is required, with documented justification for accepting the business relationship.
Our programmes are designed to be operational, not decorative. We train staff to apply the procedures in their daily work, not just to have attended a compliance presentation. When a transaction triggers a red flag, the team should know what to do: how to escalate, how to document the assessment, and when the obligation to report to the SEPBLAC arises.
AML in Corporate Transactions
When a company is being acquired, AML compliance is a critical dimension of due diligence. An inadequate programme inherited through an acquisition creates immediate regulatory exposure for the buying group. We conduct AML-specific due diligence reviews for acquirers of obligated entities, quantify the remediation cost, and advise on the representations and warranties that should be included in the sale agreement to protect the buyer.
For businesses undergoing restructuring that changes their client base or geographic footprint, the AML risk assessment must be updated to reflect the new profile. A programme designed for a domestic client base may be wholly inadequate after an international expansion.
The Incoming AMLA Regulation
The European Union’s Anti-Money Laundering Authority (AMLA), established by Regulation 2024/1620, will begin direct supervision of selected obligated entities — principally financial sector firms with cross-border activities — from 2026. The 6th AML Directive (AMLD6), currently in final stages, will introduce further harmonisation of national AML rules across the EU, with higher standards for virtual asset service providers and stronger requirements for real estate sector obligated entities. Spanish companies with EU cross-border operations need to monitor AMLA’s implementation closely: the shift from national SEPBLAC supervision to direct European authority oversight for some entities is a material change in the enforcement landscape.
Beneficial Ownership: The Documentation Layer
Verification of beneficial ownership has become the most complex operational dimension of AML compliance. Beyond checking the Registro de Titularidades Reales, a complete programme requires documented evidence of the verification exercise: what sources were consulted, what discrepancies were found, and how they were resolved. For corporate clients with complex ownership chains — multi-layered structures, trusts, foundations, or entities in non-cooperative jurisdictions — the documentation requirement is substantially more demanding. SEPBLAC has made clear that the register is a starting point, not a conclusion: independent verification is required when register data appears inconsistent with other client information. Our criminal compliance team advises on the interaction between AML beneficial ownership requirements and corporate law obligations.
Technology in AML Compliance
Transaction monitoring systems, PEP and sanctions list screening tools, and case management platforms are increasingly standard in compliance programmes for larger obligated entities. We advise on the selection and implementation of these tools, help configure risk models that minimise false positives without reducing detection effectiveness, and review the regulatory implications of using AI-assisted screening tools — which themselves raise questions under the EU AI Act compliance framework when they make decisions affecting individuals. The intersection of AML technology and AI regulation is an emerging compliance challenge that is best managed with integrated legal and technical expertise from the outset.
Sectors Most Affected
Financial services: banks, investment firms, payment institutions, and crypto-asset providers are the most heavily supervised AML sector. Crypto-asset providers registered with the Banco de España have been subject to SEPBLAC examination since 2023.
Real estate: estate agents and developers are obligated entities. AEPD and SEPBLAC have highlighted real estate as high-risk. The Marbella and Costa del Sol market — high foreign buyer volumes and complex structures — is a specific inspection priority.
Professional services (lawyers, accountants, auditors): client acceptance due diligence for relationships involving company formation, real estate transactions, or financial advice. Law firms must balance AML reporting with legal professional privilege — the most legally complex AML challenge for professional services.
Company Size Segmentation
Small obligated entities: real estate agents, small practices. Proportionate implementation accepted. Non-compliance generates minimum EUR 60,000 sanctions. A genuinely applied risk-based programme costs less than EUR 3,000 per year.
SMEs and medium firms: formal AML programme with designated or outsourced compliance officer, documented risk assessment, and SEPBLAC registration of the internal control body.
Large entities: full AML infrastructure — independent compliance officer, transaction monitoring systems, sanctions screening, annual risk assessment, training with testing, and SEPBLAC periodic reporting.
Worked Example: Emergency Compliance for a Real Estate Agency
A Marbella real estate agency (25 employees, EUR 12M sales volume) received a SEPBLAC inspection notification with no formal AML programme. BMC emergency response: internal control body registration filed within 5 business days; sector-specific risk assessment completed in 2 weeks; 8 client files with incomplete beneficial ownership documentation remediated before the inspection; AML policy, procedures, and training completed. Inspection outcome: 3 minor deficiencies noted, no sanction, all remediated within 30 days.
Common Mistakes We Fix
- Treating AML as documentation, not application. SEPBLAC distinguishes entities with policies and those that apply them. Documentation without application evidences knowledge of the obligation and failure to comply.
- Underestimating beneficial ownership verification. Independent verification must be documented for complex ownership structures. Register data alone is insufficient.
- Not registering the Internal Control Body with SEPBLAC. Mandatory and frequently overlooked. SEPBLAC inspection typically begins by verifying this registration.
- Missing PEP screening obligations. PEPs require enhanced due diligence, senior management approval at acceptance, and annual monitoring.
- Confusing AML reporting with professional secrecy. For lawyers, the AML/privilege boundary requires specialist advice — the Law 10/2010 privilege carve-out is not unlimited.
How We Work
AML compliance engagements begin with a maturity assessment (3–5 days) producing a gap analysis against SEPBLAC’s inspection criteria and a prioritised remediation plan. For entities facing imminent SEPBLAC inspection, emergency remediation within 2–4 weeks. Ongoing support includes the outsourced compliance officer function, annual risk assessment updates, staff training, and SEPBLAC reporting assistance. Fixed annual fees structured by sector and entity size.
Geographic Coverage
Our AML compliance practice operates across Spain with particular depth in the financial services sector (Madrid, Barcelona) and the real estate sector (Marbella, Málaga, Costa del Sol, Madrid). For obligated entities with cross-border operations across multiple EU jurisdictions, we advise on the Spanish AML compliance dimension while coordinating with correspondent advisers in the relevant jurisdictions for local law requirements. The incoming AMLA regime — with direct European supervision for selected entities — will require entities with operations across multiple Member States to develop unified compliance programmes that satisfy both SEPBLAC and AMLA requirements simultaneously.
Regulatory Framework: Law 10/2010 and EU AML Package
Ley 10/2010 of 28 April (AML Law), as amended by RDL 7/2021: Spain’s primary AML statute. Art. 2 establishes the full list of obligated entities. Arts. 3-11 define customer due diligence — simplified (Art. 9), standard (Arts. 3-8), and enhanced (Arts. 10-11). Arts. 17-24 govern the Suspicious Transaction Reports (STRs) — the obligation to report transactions with AML indicators to SEPBLAC, the prohibited notification of the subject (tipping off), and the protection for good-faith reporters. Arts. 26-35 establish the internal control obligation: the AML policy and procedures manual, the internal compliance representative (Responsable de Cumplimiento), the Internal Control Body (órgano de control interno, OCO), the annual AML training programme, and the internal audit obligation for entities above certain thresholds.
Real Decreto 304/2014 (AML Regulation): implementing regulation providing detailed procedural requirements. Chapter II specifies the customer due diligence process in detail, including the specific documents required for different customer types (individuals, companies, trusts, foundations). Chapter III addresses the risk-based approach requirements for the internal AML programme. The Regulation also specifies the SEPBLAC registration procedure for obligated entities’ internal control bodies.
EU AML Package (Regulation 2024/1620 establishing AMLA; Directive 2024/1640 AMLD6): the EU’s comprehensive AML reform. The directly applicable AML Regulation — which will replace national AML laws across the EU and apply directly — is scheduled to enter into force in 2027. AMLA will directly supervise credit institutions, financial institutions, and crypto-asset providers classified as high-risk from 2026. The AMLD6 will require transposition into Spanish law by mid-2027, introducing stricter harmonisation of customer due diligence, beneficial ownership registers, and sanctions regimes.
SEPBLAC Guidance: SEPBLAC publishes Informe Anual (Annual Report) and sector-specific guidance notes on AML risk profiles and compliance expectations. The most recent guidance covers: (a) real estate sector AML risk typologies (high-value cash transactions, nominee buyer structures, all-cash international buyers); (b) crypto-asset provider requirements (transaction monitoring, wallet screening); and (c) professional services firm obligations (client acceptance procedures, privilege boundaries). SEPBLAC’s inspection methodology is published in its Resolución de 17 de diciembre de 2013 and subsequent updates.
The Suspicious Transaction Report (STR) Obligation
The STR obligation, the duty to report suspicious transactions (operaciones sospechosas) to SEPBLAC, is the most operationally demanding aspect of AML compliance for many entities. The obligation arises when the entity knows, suspects, or has reasonable grounds to suspect that a transaction involves the proceeds of crime or may be connected to terrorist financing. The obligation is absolute: non-reporting when indicators exist is a serious infringement. But the obligation must be applied with discrimination: systematic reporting of every unusual transaction without genuine analysis overloads SEPBLAC and undermines the system.
The STR must be submitted promptly (within 10 days of detection for urgent cases). It must include the entity’s identification, the subject’s identification (to the extent known), the transaction description, and the grounds for the suspicion. A positive STR does not create liability for the reporting entity (provided it is filed in good faith); this is the immunity provision that protects compliant obligated entities.
The prohibition on tipping off (comunicación prohibida, Art. 24 Law 10/2010) prohibits the reporting entity from informing the transaction subject that an STR has been or may be filed. This prohibition creates significant practical challenges for lawyers and advisers who must manage client relationships while maintaining STR confidentiality. We advise obligated entities on how to manage client relationships appropriately when the STR process has been activated, including client acceptance decisions and case closure procedures that do not breach the tipping-off prohibition.
Internal Control Body (órgano de control interno) Requirements
The Internal Control Body (OCO) is the governance structure through which the obligated entity’s compliance is supervised. The OCO must be registered with SEPBLAC (Art. 26.4 Law 10/2010), must meet periodically, and must produce documented minutes of its meetings. The OCO is distinct from the designated Internal Compliance Representative (Responsable de Cumplimiento, Art. 26.1) — the named individual responsible for day-to-day AML compliance.
For small obligated entities, the OCO can consist of a single individual (typically the Responsable de Cumplimiento) and can be outsourced to an external compliance provider. Our team acts as external OCO and Responsable de Cumplimiento for a range of obligated entities — providing an independent, professionally qualified compliance function at a fraction of the cost of internal specialisation.
AML in Corporate Transactions and Due Diligence
AML compliance is increasingly a material item in M&A due diligence. An inadequate AML programme inherited through an acquisition creates immediate regulatory exposure for the buying group — SEPBLAC holds the acquirer responsible for the target’s compliance posture from the date of acquisition. We conduct AML-specific due diligence reviews for acquirers of obligated entities, quantify the remediation cost, and advise on the representations and warranties and regulatory disclosures that should be included in the transaction documentation.
For businesses undergoing restructuring that changes their client base or geographic footprint — expanding internationally, acquiring a regulated financial entity, or entering the real estate sector through a new business line — the AML risk assessment must be updated to reflect the new profile. A programme calibrated for a domestic B2B service client base will be wholly inadequate after an expansion into cross-border financial services.
Interaction with Criminal Compliance and Data Protection
AML compliance does not operate in isolation. Effective STR management requires coordination with the criminal compliance programme (to ensure that potential criminal conduct identified through the AML channel is handled with the appropriate evidentiary rigour). GDPR applies to the personal data processed through the KYC and STR functions — retention periods, data subject rights (subject to Law 10/2010 restrictions), and the data protection impact assessment for the beneficial ownership verification process all require coordination between the AML and data protection compliance functions.
We integrate AML compliance within a broader compliance architecture, coordinating with the criminal compliance and data protection practices to ensure that the obligations do not generate conflicting procedures or create unnecessary compliance overhead through duplication.
Practical Notes on SEPBLAC Inspection Readiness
SEPBLAC’s standard inspection procedure begins with a pre-inspection questionnaire requesting documentation of the entity’s compliance programme — the AML policy, the OCO registration, the annual training records, and a sample of customer due diligence files for review. Entities that have these documents readily available and organised significantly reduce the inspection timeline and the probability of findings escalating to sanctions.
Our SEPBLAC inspection readiness service prepares a complete documentation package in the format SEPBLAC expects, conducts a mock review of a representative sample of customer due diligence files, and identifies any gaps before the inspector does. For entities already under inspection, we provide real-time advisory on how to respond to SEPBLAC’s information requests — ensuring responses are accurate, complete, and strategically appropriate given the inspection’s direction.
Real results in AML compliance
We had a SEPBLAC inspection announced with 10 days' notice and our AML programme was essentially a document from 2018 that no one had touched since. BMC ran a rapid gap remediation, updated the risk assessment and KYC procedures, prepared the compliance file, and briefed our management team. The inspection identified minor process gaps but no sanctions. Their crisis management was exceptional.
Experienced team with local insight and international reach
What our AML compliance service includes
AML Risk Assessment
Structured identification and assessment of money-laundering and terrorist-financing risks specific to your client base, products, channels, and geographies, with a formal risk matrix and scoring model.
Prevention Manual & KYC Policies
Drafting of the complete AML prevention manual, standard and enhanced customer due-diligence procedures, beneficial-ownership identification protocols, and PEP screening processes.
SEPBLAC Representation
Appointment and advisory support for the designated representative to the SEPBLAC, management of mandatory communications, and suspicious transaction report preparation.
Staff Training
Role-specific training programmes for front-line staff, management bodies, and the compliance function on AML obligations, red-flag identification, and reporting procedures.
Pre-Inspection Preparation & Audits
Independent programme effectiveness reviews, gap remediation, compliance file preparation, and management coaching ahead of SEPBLAC inspections.
Results that speak for themselves
AML compliance program for a real estate development group
SEPBLAC inspection passed with minor observations only, zero sanctions. Full AML program operational within 90 days.
Criminal Compliance Spain: Construction Group Case | BMC
Criminal compliance program implemented in 6 months, whistleblower channel operational, AENOR certification obtained, and prosecution risk effectively mitigated.
GDPR Healthcare Spain: Compliance Case Study | BMC
AEPD investigation closed with no sanction. Full GDPR compliance achieved across all group centres within 6 months.