BMC’s regulatory compliance practice advises companies across all sectors on the design, implementation and ongoing management of compliance programmes. We cover the full spectrum of non-labour regulatory compliance: criminal, data protection, AML, financial regulation, public procurement, and internal investigations.
Why compliance has become a strategic function
The regulatory burden on Spanish and European companies has grown steadily over the past decade and accelerated sharply between 2022 and 2026. Law 2/2023 on whistleblower protection, the NIS2 Directive, the Artificial Intelligence Act, the MiCA Regulation for crypto-assets, DORA for the financial sector, and tightening AML obligations have created a compliance ecosystem that demands specialist knowledge, dedicated resources, and continuous updating.
Companies that treat compliance as a minimum obligation are losing competitive ground. Private equity funds conducting due diligence, acquirers in M&A transactions, and large corporate clients during supplier approval processes are increasingly treating compliance programme maturity as an indicator of management quality and future contingency risk.
Criminal compliance: exemption as an objective
Art. 31bis of the Spanish Criminal Code allows legal entities to be exempt from criminal liability if they have adopted and effectively implemented — before the offence is committed — an organisational and management model including surveillance and control measures to prevent offences of the same type. A well-designed and implemented criminal compliance programme is not just a defensive shield: it is a corporate governance asset that reduces the cost of capital and facilitates access to financing and public procurement.
Our approach combines risk mapping, ethics code and protocol drafting, implementation of the whistleblowing channel, and training and supervision of the Compliance Officer or Compliance Committee.
AML: obligations and PBC/AML risk management
Anti-money laundering compliance is one of the highest-sanction-risk areas for companies included in the obliged-entity catalogue under Law 10/2010. SEPBLAC intensified its inspections from 2022, and penalties for non-compliance can reach 10% of annual turnover or twice the benefit obtained.
We design prevention manuals, implement KYC/KYB due diligence procedures adapted to each obliged entity’s risk profile, and prepare organisations for inspections by the SEPBLAC and the Banco de España.
Data protection: GDPR as a competitive advantage
Personal data protection is today a critical component of corporate reputation and an increasing requirement from clients, partners, and regulators. Beyond formal GDPR and LOPDGDD compliance, a robust privacy system — Records of Processing Activities, Data Protection Impact Assessments, breach protocols, staff training — is a real differentiator in B2B markets and a standard requirement in due diligence processes.
Our outsourced DPO acts as an extension of the client’s team, registered with the AEPD, conducting periodic audits and available for operational queries.
Financial regulation: authorisations and ongoing compliance
Financial institutions, fintechs, and crypto-asset companies operate in one of the most demanding and fast-changing regulatory environments. CNMV and Banco de España authorisations, MiCA compliance for crypto-asset issuers and CASPs, MiFID II and DORA adaptation, and ongoing regulatory compliance management require a specialist team with practical experience in authorisation processes.
Internal investigations: methodology, independence, and chain of custody
When a report reaches the whistleblowing channel or an irregularity is detected internally, the management of the internal corporate investigation is decisive in containing the damage, preserving evidence, and demonstrating to the regulator or prosecutor that the company acted diligently. We direct independent investigations with forensic methodology — chain of custody, structured interviews, documentary and digital analysis — and produce reports that support disciplinary decisions and are usable in judicial proceedings.
Public procurement: preparation, tendering, and defence
Public procurement represents one of the largest markets for professional services, technology, and infrastructure companies. Correct preparation of tender documentation, compliance with technical and financial solvency requirements, and defence of the company’s interests before the Central Administrative Review Tribunal (TACRC) are services BMC provides with practical experience in the Spanish Public Procurement Law (Law 9/2017 LCSP).
When to contact the compliance team
We recommend a regulatory compliance review when:
- Your company exceeds 50 employees and has not yet implemented the mandatory whistleblowing channel (Law 2/2023).
- You operate in an AML-obliged sector (financial services, real estate, professional services, crypto-assets) without an up-to-date PBC programme.
- You have received a communication from the AEPD, SEPBLAC, CNMV, or Banco de España.
- You are preparing for an M&A transaction or investor due diligence and need to evidence a mature compliance system.
- You have detected a potential internal irregularity requiring formal investigation.
- Your activity is affected by MiCA, DORA, NIS2, or the AI Act and you need an adaptation plan.
An initial compliance consultation is the starting point for mapping your organisation’s regulatory risk profile and prioritising the most urgent compliance measures.
Related Insights
Go deeper with our most recent analysis:
- Criminal Compliance in Spain 2026: 3-Step Setup — How to build a compliant Article 31 bis programme that withstands court scrutiny
- CSRD sustainability reporting for large companies 2026 — Obligations, ESRS standards, and which companies must report first
- CSDDD: Supply Chain Due Diligence — What large European companies must do to address risks in their value chains
- Anti-Money Laundering: Company Obligations — AML/CFT obligations, internal controls and SEPBLAC reporting requirements
- ESG Reporting and CSRD: How to Prepare — Roadmap for implementing sustainability reporting in your organisation
- AI Act: High-Risk System Obligations — Technical, documentation and audit requirements for high-risk AI systems