Financial Regulatory: Authorisations, Licences and Compliance with CNMV and Banco de España

Financial regulatory advisory covers the full life cycle of a supervised financial entity in Spain: from determining whether the business model requires prior authorisation to managing the ongoing compliance programme once the licence is obtained. The CNMV, the Banco de España, and the Dirección General de Seguros y Fondos de Pensiones (DGSFP) are Spain's three sectoral financial supervisors, each with exclusive competence over the types of entities and activities they regulate. Regulation (EU) 2023/1114 (MiCA), fully applicable from December 2024, has added a fourth layer of regulation specific to crypto-asset markets, supervised in Spain by the CNMV for service providers (CASPs) and by the Banco de España for electronic money token (EMT) issuers.

Why Spanish financial regulation is among the most demanding in Europe

The European financial regulatory framework is a layered system of mutually reinforcing legislation: sectoral directives (MiFID II, Solvency II, CRD, AIFMD, UCITS), directly applicable regulations (MiCA, EMIR, SFDR, MiFIR, IFR), and national transposing legislation (Ley 6/2023 LMVSI, Ley 35/2003 IIC, Ley 22/2014 ECR, Real Decreto-ley 7/2021 on payment services). This layering means that determining the obligations applicable to a specific entity — particularly a fintech with an innovative business model that does not fit neatly into any traditional category — requires a legal analysis of considerably greater complexity than most other regulated sectors.

The scope of regulated activities has expanded significantly in the last five years. The emergence of crypto-asset markets, the growth of open banking under PSD2, and the extension of AI regulation to high-risk AI systems in financial services (under the AI Act) have created new categories of regulated activities where the boundary between free activity and activity requiring prior authorisation is not always clear.

The most costly mistake in the regulatory cycle is not a late filing or an incomplete disclosure: it is commencing activity without the correct authorisation. The consequences range from the nullity of contracts entered into to personal liability for directors, administrative sanctions, and — in the most serious cases — criminal prosecution.

CNMV and Banco de España authorisations — which entities need a licence and what the dossier requires

The CNMV has competence to authorise investment firms (ESIs), which include securities agencies, securities companies, independent financial advisers (EAFIs), and collective investment fund managers (SGIICs) and venture capital managers (SGEICs). The Banco de España authorises credit institutions (banks, savings banks, and credit cooperatives), payment institutions (PIs), and e-money institutions (EMIs). The DGSFP authorises insurance and reinsurance undertakings.

The authorisation dossier before each supervisor has both common and category-specific components. Common components include: a programme of activities with a detailed description of the services to be provided and the instruments to be covered; an organisational and governance structure (board, senior management, control committees); compliance and risk management manuals; a three-year business plan with financial projections; and suitability, probity, and experience documentation for board members and heads of internal control functions.

Managing the dialogue with the supervisor during the evaluation process is as important as the quality of the initial dossier. Supervisors routinely request additional information or clarification on aspects of the dossier they consider insufficient. Responding to these requests within the appropriate time frames — the clock stops running from the supervisor’s side while the request is outstanding, but delayed responses can create a negative impression — is a core element of our methodology.

MiCA in Spain — the new framework for crypto-asset issuers and CASPs

Regulation (EU) 2023/1114 (MiCA) establishes for the first time a harmonised European framework for crypto-asset markets. In Spain, MiCA has partially displaced the prior regime under Real Decreto 7/2021 and has created new obligations for two categories of market participants.

Token issuers: those conducting a public offering of utility tokens exceeding €1 million must publish a registered white paper. ART issuers must obtain prior CNMV authorisation; EMT issuers must obtain Banco de España authorisation, with minimum capital requirements ranging from €350,000 to several million euros depending on the volume of tokens in circulation.

Crypto-asset service providers (CASPs): exchanges, crypto-asset custodians, trading platforms, and crypto-asset advisers must register as CASPs with the CNMV. Entities that were already operating in Spain under the prior Banco de España registry for virtual currency exchange and custody service providers had a transitional regime that closed at the end of 2024. From that point, completion of the MiCA authorisation process or initiation of the grandfathering procedure is mandatory.

The principal practical difficulty of the MiCA framework is token classification: a token that is self-described as a “utility token” may in reality be an asset-referenced token or even a financial instrument regulated by MiFID II. Incorrect classification — whether by omission (failing to apply for required authorisation) or by commission (subjecting to MiCA a token that is really a financial instrument under MiFID II) — has significant legal consequences.

Ongoing MiFID II compliance — obligations that do not end with authorisation

Directive 2014/65/EU (MiFID II) and its implementing instruments (MiFIR, Delegated Regulation 2017/565, Delegated Regulation 2017/583) establish a detailed set of conduct and organisational obligations that investment firms must maintain at all times. Non-compliance is sanctionable regardless of whether the entity holds the appropriate authorisation.

The four most operationally demanding MiFID II obligations are: the conflicts of interest policy, which must identify all situations where the entity or its employees might act in their own interest to the detriment of the client, establish management or mitigation measures, and provide for disclosure to the client where those measures are insufficient; the suitability and appropriateness assessment, which must be rigorous, documented, and periodically updated for clients receiving advice or portfolio management; the best execution policy, which must genuinely prioritise the client’s interest over the entity’s in selecting execution venues; and cost and charge disclosure, which must be provided prospectively (before service delivery) and retrospectively (annually), with the detail required by Delegated Regulation 2017/565.

DORA compliance and financial regulation are complementary areas for financial entities: DORA adds a layer of digital operational resilience requirements on top of the organisational and internal control obligations of MiFID II, Solvency II, and banking regulation.

How to build a proportionate financial compliance function for your entity

The compliance function in regulated financial entities is not optional: MiFID II, Solvency II, and banking regulation (CRD/CRR) all require entities to have an independent compliance function with access to the governing body and with adequate material and human resources.

For small and medium-sized entities — sole-practitioner EAFIs, fund managers with less than €500 million AUM, limited-activity payment institutions, specialist insurers — the compliance function can be outsourced provided that internal responsibility is maintained and the entity has an identifiable internal point of contact for the supervisor. An external compliance officer acts as a qualified service provider, bringing the specialist regulatory knowledge that is difficult to develop internally in a small organisation, at a cost proportionate to the size of the organisation.

Our outsourced financial compliance function covers continuous regulatory monitoring (tracking relevant regulatory changes and their impact on the entity), periodic policy and procedure updates, staff compliance training, management of supervisor communications, preparation of the annual compliance function report for the governing body, and supervision of the AML/CTF programme under the Ley 10/2010 and subsequent amendments.

What you can expect

• Precise determination of the authorisation requirement and applicable regulatory category
• CNMV, Banco de España, or DGSFP authorisation dossier of supervisory quality
• MiFID II / MiCA / AML/CTF compliance programme designed and operational
• Periodic prudential reporting managed on time and in the correct form before the competent supervisor
• Outsourced compliance function with dedication proportionate to the size of the entity
• Coordination with DORA, AML, and data protection compliance functions in an integrated framework

Regulated financial entities in Spain benefit from operating in a market with demanding but predictable supervision. The CNMV, the Banco de España, and the DGSFP are active supervisors with high technical capacity, which provides legal certainty for market participants operating with the appropriate authorisation and the correct compliance programmes in place. The cost of building and maintaining those programmes is significant but calculable; the cost of operating without them — in terms of sanctions, personal liability, and reputational damage — is unpredictable and frequently higher.