
AML Compliance in Spain: A Complete Guide to the PBC Framework

Sadat Mahmood Saurov

AML compliance in Spain operates through the prevención de blanqueo de capitales (PBC) regime, governed by Ley 10/2010, de 28 de abril, de prevención del blanqueo de capitales y de la financiación del terrorismo (Law 10/2010) and its implementing regulation Real Decreto 304/2014 (RD 304/2014). Supervised by Spain's Financial Intelligence Unit, the Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias (SEPBLAC), the framework requires obliged subjects to conduct customer due diligence (KYC), implement risk assessments, monitor transactions, and report suspicious activity.

What Does Money Laundering Prevention (PBC) Mean in Spain?

Key takeaway: PBC (prevención de blanqueo de capitales) is Spain's comprehensive anti-money laundering regime, transposing EU directives into domestic law and requiring designated businesses to identify, prevent, and report money laundering and terrorist financing activity.

Spain's PBC framework is the domestic expression of the European Union's Anti-Money Laundering Directives. The term prevención de blanqueo de capitales — literally "prevention of capital laundering" — describes the full set of legal obligations imposed on private-sector entities to act as gatekeepers against illicit financial flows.

The PBC regime rests on three operational pillars:

  1. Prevention — identifying and verifying customers before establishing a business relationship.
  2. Detection — continuously monitoring transactions and flagging anomalies.
  3. Reporting — submitting suspicious transaction reports (STRs) to SEPBLAC when indicators of laundering or terrorist financing arise.

Unlike voluntary corporate governance standards, PBC obligations are mandatory and carry significant administrative and criminal sanctions. Every obliged subject — from a high-street bank to a real estate agency — must embed these pillars into daily operations.

Practical example: A Madrid-based property developer receives a cash offer of €480,000 from a non-resident buyer with no verifiable source of funds. Under the PBC framework, the developer's compliance function must apply enhanced due diligence, document its risk assessment, and — if the suspicion is not resolved — file an STR with SEPBLAC before completing the transaction.

For a broader view of internal compliance structures, see our pillar guide on corporate governance and internal controls in Spain.

Diagram showing Spain's AML legal hierarchy from EU Directives to Law 10/2010, RD 304/2014, and SEPBLAC guidance

What Is Spain's AML Legal Framework Under Law 10/2010 and RD 304/2014?

Key takeaway: Law 10/2010 sets out the primary obligations for AML compliance, while RD 304/2014 provides the detailed implementing rules — together forming the backbone of Spain's PBC regime.

Law 10/2010 — The Primary Legislation

Ley 10/2010, de 28 de abril, transposed the EU's Third Anti-Money Laundering Directive and has been progressively updated to incorporate subsequent directives, including the Fourth (Directive (EU) 2015/849) and Fifth (Directive (EU) 2018/843) AML Directives. Key provisions include:

  • Articles 2–3: Define obliged subjects and the scope of regulated activities.
  • Articles 3–6: Establish customer due diligence (CDD) requirements including identification, verification, beneficial ownership, and the purpose of the business relationship.
  • Articles 7–11: Set out simplified and enhanced due diligence measures.
  • Articles 17–18: Require internal control measures, including written policies, a dedicated compliance organ (órgano de control interno, OCI), and employee training.
  • Articles 52–57: Establish the sanctions regime for infractions.

RD 304/2014 — The Implementing Regulation

Real Decreto 304/2014, de 5 de mayo, details the practical mechanics:

  • Specific identification documents accepted for natural and legal persons.
  • Risk-assessment methodology requirements.
  • Rules on record-keeping periods (minimum ten years under Article 25 of Law 10/2010).
  • Procedures for the internal control organ and the external expert review.

Key EU Instruments

Spain's framework sits within a broader EU architecture. Practitioners should also be aware of:

| Instrument | Relevance |
| --- | --- |
| Directive (EU) 2015/849 (4th AMLD) | Core harmonised CDD and risk-assessment framework |
| Directive (EU) 2018/843 (5th AMLD) | Extended scope to crypto-asset service providers and art dealers |
| Regulation (EU) 2024/1624 (EU AML Regulation) | Forthcoming single EU AML rulebook — direct applicability expected from 2027 |
| AMLA Regulation (EU) 2024/1620 | Establishes the EU Anti-Money Laundering Authority |

Note: The forthcoming EU AML Regulation will directly apply across member states, reducing the role of national transposition. Spanish obliged subjects should begin mapping their compliance programmes against both the current PBC framework and the incoming EU regulation.

For related data-protection obligations that intersect with AML record-keeping, see our guide on GDPR and LOPDGDD compliance in Spain.

Who Must Comply with AML Obligations in Spain?

Key takeaway: Law 10/2010 imposes PBC obligations on a broad range of "obliged subjects" (sujetos obligados) across financial, professional, and non-financial sectors.

Articles 2 and 3 of Law 10/2010 define obliged subjects. The scope is deliberately wide:

Financial Sector

  • Credit institutions (banks, savings banks, credit cooperatives)
  • Payment institutions and electronic money issuers
  • Insurance and reinsurance companies marketing life products
  • Securities firms and collective investment management companies
  • Crypto-asset service providers (added following the 5th AMLD transposition)

Designated Non-Financial Businesses and Professions (DNFBPs)

  • Real estate agents and developers
  • Auditors, external accountants, and tax advisers
  • Notaries and land registrars (registradores de la propiedad)
  • Lawyers and procuradores, when participating in financial or real estate transactions
  • Dealers in high-value goods when payments exceed €10,000 in cash
  • Casinos and gambling operators

Other Designated Entities

  • Foundations and associations meeting specific thresholds
  • Persons trading in goods where cash payments exceed €10,000
  • Art market intermediaries handling transactions above €10,000

| Sector | Examples | Key Risk Areas |
| --- | --- | --- |
| Banking & finance | Retail banks, fintech lenders, payment processors | Cross-border transfers, shell-company accounts |
| Real estate | Agents, developers, property investment funds | Cash purchases, non-resident buyers, layered ownership |
| Professional services | Lawyers, notaries, accountants | Trust formation, corporate structuring, nominee arrangements |
| High-value goods | Jewellers, luxury car dealers, art dealers | Cash transactions above €10,000 |

Scenario: A Barcelona-based law firm advising a foreign client on the acquisition of a commercial property must apply CDD under Law 10/2010 because it is participating in a real estate transaction. This applies even though the firm's principal activity is legal advice, not property brokerage.

For sector-specific spoke guidance, see our articles on AML obligations for real estate professionals in Spain, AML requirements for financial institutions in Spain, and AML compliance for legal and accounting professionals.

What Role Does SEPBLAC Play in AML Enforcement?

Key takeaway: SEPBLAC is Spain's financial intelligence unit (FIU) and the primary supervisory body responsible for receiving, analysing, and disseminating suspicious transaction reports, as well as inspecting obliged subjects' compliance programmes.

SEPBLAC (Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias) operates under the oversight of the Commission for the Prevention of Money Laundering and Monetary Offences (Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias), which is chaired by the Secretary of State for Economy.

Core Functions

  1. Intelligence gathering and analysis — SEPBLAC receives STRs from obliged subjects, analyses patterns, and refers actionable intelligence to law enforcement and judicial authorities.
  2. Supervisory inspections — SEPBLAC conducts both routine and targeted inspections of obliged subjects to verify compliance with Law 10/2010 and RD 304/2014.
  3. Guidance and outreach — SEPBLAC publishes sector-specific guidance, typologies, and risk indicators to help obliged subjects calibrate their compliance programmes.
  4. International cooperation — as a member of the Egmont Group of Financial Intelligence Units and the EU FIU network, SEPBLAC exchanges intelligence with foreign counterparts.

Other Supervisory Bodies

SEPBLAC is not the only authority with AML oversight:

| Authority | Supervisory Role |
| --- | --- |
| SEPBLAC | Primary FIU; receives STRs; inspects all obliged subjects |
| Banco de España | Prudential supervision of credit institutions; AML supervision of banks |
| Comisión Nacional del Mercado de Valores (CNMV) | AML supervision of securities firms and collective investment schemes |
| Dirección General de Seguros y Fondos de Pensiones (DGSFP) | AML supervision of insurers |
| Consejo General del Notariado | Self-regulatory AML oversight of notaries |

Practical point: During a SEPBLAC inspection, the compliance officer must be able to demonstrate that the internal control organ (OCI) has been properly constituted, that risk assessments are current, and that the entity's training programme covers all relevant staff. Failure to produce documentation is itself an infraction.

Flowchart showing the six-step AML risk-based approach cycle under Spain's PBC framework

What Are the Customer Due Diligence and KYC Requirements?

Key takeaway: Customer due diligence (CDD), known in Spain as diligencia debida, is the cornerstone of the PBC framework — requiring obliged subjects to identify, verify, and understand the risk profile of every customer before establishing a business relationship.

Standard CDD Measures (Articles 3–6, Law 10/2010)

All obliged subjects must, at a minimum:

  1. Identify the customer — obtain the full name and a reliable identification document (DNI, NIE, passport, or equivalent).
  2. Verify identity — confirm the customer's identity against a reliable, independent source before or, in limited circumstances, shortly after establishing the relationship.
  3. Identify the beneficial owner — determine who ultimately owns or controls the customer entity (see UBO section below).
  4. Understand the purpose and nature of the business relationship — gather sufficient information to build a risk profile.
  5. Apply ongoing monitoring — continuously review transactions against the customer's known profile.

Simplified Due Diligence (Article 9, Law 10/2010)

Simplified measures may apply where the risk of laundering or terrorist financing is demonstrably low — for example, when the customer is a regulated EU financial institution or a Spanish public body. Even under simplified CDD, the obliged subject must still identify and verify the customer.

Enhanced Due Diligence (Articles 11–16, Law 10/2010)

Enhanced measures are mandatory in higher-risk situations, including:

  • Politically exposed persons (PEPs) — individuals holding or having recently held prominent public functions, their family members, and known close associates (Article 14).
  • Non-face-to-face business relationships — where the customer is not physically present for identification.
  • Correspondent banking relationships — cross-border relationships between credit institutions.
  • Complex or unusual transactions — transactions with no apparent economic or lawful purpose.
  • High-risk third countries — customers connected to jurisdictions identified by the EU or FATF as having strategic AML deficiencies.

Scenario: A Bilbao-based bank onboards a new corporate customer whose ultimate beneficial owner is a former senior official of a foreign government. The customer qualifies as a PEP. The bank must apply enhanced CDD, obtain senior management approval for the relationship, take adequate measures to establish the source of wealth and source of funds, and conduct enhanced ongoing monitoring for the duration of the relationship.

For a detailed guide on building your KYC procedures, see our spoke article on KYC and customer due diligence requirements in Spain.

How Does the Risk-Based Approach Work in Practice?

Key takeaway: Law 10/2010 and RD 304/2014 require every obliged subject to adopt a risk-based approach (RBA), calibrating the intensity of its AML controls to the specific money-laundering and terrorist-financing risks it faces.

The risk-based approach is not optional — it is a legal requirement under Article 32 of RD 304/2014. Every obliged subject must:

  1. Conduct a formal risk assessment — identifying and evaluating the laundering and terrorist-financing risks relevant to its sector, customer base, products, geographic exposure, and distribution channels.
  2. Document the assessment — the risk assessment must be written, approved by the internal control organ (OCI), and updated whenever material changes occur.
  3. Allocate resources proportionately — higher-risk areas must receive enhanced controls, more frequent monitoring, and additional staff training.
  4. Review periodically — RD 304/2014 requires the risk assessment to be reviewed at least annually and whenever there is a significant change in the entity's risk profile.

Risk Factors to Consider

| Category | Examples |
| --- | --- |
| Customer risk | PEPs, non-resident customers, complex ownership structures, cash-intensive businesses |
| Product/service risk | Private banking, correspondent banking, trade finance, crypto-asset services |
| Geographic risk | Jurisdictions on EU or FATF high-risk lists, tax havens, conflict zones |
| Channel risk | Non-face-to-face onboarding, intermediary-introduced relationships |

Building the Risk Matrix

A practical risk matrix maps each factor against likelihood and impact, producing a composite risk score for each customer relationship. The OCI must define:

  • Risk categories (e.g., low, medium, high, very high).
  • CDD intensity required for each category.
  • Escalation triggers — events or thresholds that require the risk category to be reassessed.
  • Frequency of review for each risk tier.

Practical tip: SEPBLAC's published sectoral guidance documents contain risk indicators tailored to specific industries. Obliged subjects should use these as a baseline and supplement with their own operational experience.

For step-by-step implementation guidance, see our spoke article on AML risk assessment methodology for Spanish businesses.

How Must Organisations Report Suspicious Transactions?

Key takeaway: Obliged subjects must report any transaction or activity that shows indicators of money laundering or terrorist financing to SEPBLAC through a suspicious transaction report (STR), without tipping off the customer.

The Reporting Obligation (Articles 18–19, Law 10/2010)

The obligation to file an STR arises whenever an obliged subject identifies, in the course of its business, any fact or transaction showing indications, or even mere suspicion, of a link to money laundering or terrorist financing. There is no minimum monetary threshold.

Key Procedural Requirements

  • No tipping off — obliged subjects and their employees must not disclose to the customer or to third parties that an STR has been filed or that an analysis is under way (Article 24, Law 10/2010). Breach of the tipping-off prohibition is a serious infraction.
  • Timely reporting — STRs must be filed promptly. Where the suspicion relates to an imminent transaction, the obliged subject must attempt to refrain from executing it until SEPBLAC has been informed.
  • Record-keeping — all STRs and supporting documentation must be retained for a minimum of ten years (Article 25, Law 10/2010).
  • Protection from liability — good-faith reporting to SEPBLAC does not constitute a breach of confidentiality or data-protection obligations and grants the reporter protection from civil liability (Article 23, Law 10/2010).

How to File

STRs are submitted electronically through SEPBLAC's secure reporting platform. The report must include:

  1. Identification data of the persons involved.
  2. Description of the suspicious activity or transaction.
  3. Reasons for the suspicion, referencing specific risk indicators.
  4. Supporting documentation (transaction records, CDD files, correspondence).

Scenario: A compliance officer at a Seville-based exchange bureau notices a pattern of structured deposits just below the €1,000 identification threshold, all made by different individuals into the same beneficiary account. The structuring pattern triggers the obligation to file an STR with SEPBLAC, regardless of whether any single deposit appears suspicious in isolation.

For guidance on internal escalation and STR drafting, see our spoke article on suspicious transaction reporting procedures in Spain.

What Are Spain's Ultimate Beneficial Owner (UBO) Obligations?

Key takeaway: Obliged subjects must identify and verify the ultimate beneficial owner of every legal entity or arrangement before establishing a business relationship, and Spain maintains a central register of beneficial ownership to aid transparency.

Definition (Article 4, Law 10/2010)

The ultimate beneficial owner (UBO) — titular real in Spanish — is the natural person who ultimately owns or controls a legal entity, or on whose behalf a transaction or activity is conducted. For corporate entities, the default threshold is any natural person holding — directly or indirectly — more than 25% of the share capital or voting rights.

Central Register of Beneficial Ownership

Spain has established a Registro Central de Titularidades Reales in compliance with the EU's AML Directives. Legal entities must file and keep current their beneficial ownership information. Obliged subjects must consult this register as part of their CDD process, though it does not replace independent verification.

Practical Challenges

  • Multi-layered structures: Identifying the UBO through chains of holding companies or trusts requires documentary evidence at every level.
  • Nominee arrangements: Where legal ownership is held by a nominee, the obliged subject must look through to the natural person exercising control.
  • Trusts and similar arrangements: The settlor, trustee(s), protector, beneficiaries, and any person exercising effective control must all be identified.

For detailed guidance, see our spoke article on ultimate beneficial owner identification in Spain.

Penalties matrix showing minor, serious, and very serious AML sanctions under Law 10/2010 in Spain

What Penalties Apply for AML Non-Compliance in Spain?

Key takeaway: Law 10/2010 establishes a three-tier sanctions regime — minor, serious, and very serious infractions — with fines that can reach up to €10 million or 10% of annual turnover for the most serious breaches, plus potential personal liability for directors and compliance officers.

Sanctions Framework (Articles 52–57, Law 10/2010)

| Severity | Examples of Infractions | Maximum Fine |
| --- | --- | --- |
| Very serious (muy grave) | Systematic failure to apply CDD; failure to file STRs; breach of tipping-off prohibition; obstruction of SEPBLAC inspections | Up to €10 million, or 10% of annual turnover, or up to five times the economic benefit obtained |
| Serious (grave) | Isolated CDD failures; inadequate internal control measures; deficient record-keeping; failure to maintain an OCI | Up to €5 million, or 5% of annual turnover |
| Minor (leve) | Administrative omissions; isolated procedural breaches | Up to €60,000 |

Additional Consequences

Beyond monetary fines, very serious and serious infractions can trigger:

  • Public reprimand — publication of the sanction with the name of the entity or individual.
  • Prohibition from holding office — directors or compliance officers may be barred from holding management positions in obliged entities for up to ten years.
  • Revocation of authorisation — in the most egregious cases, the entity's operating licence may be withdrawn.
  • Criminal liability — money laundering itself is a criminal offence under Articles 298–304 of the Spanish Criminal Code (Código Penal), carrying prison sentences of up to six years, with aggravated penalties for professionals who facilitate laundering.

Practical note: Sanctions are imposed by the Consejo de Ministros (for very serious infractions), the Minister of Economy (for serious infractions), or the Secretary of State for Economy (for minor infractions). SEPBLAC proposes the sanction, but the final decision rests with the government.

For deeper analysis, see our spoke article on AML penalties and enforcement actions in Spain.

How Do You Build an Effective AML Programme?

Key takeaway: An effective AML programme integrates governance, risk assessment, policies, training, and independent review into a continuous compliance cycle — starting with a formal risk assessment and culminating in regular external expert review.

AML Programme Roadmap

Step 1: Appoint the Internal Control Organ (OCI)
Under Article 26 of RD 304/2014, every obliged subject must designate a compliance representative (representante ante el SEPBLAC) and establish an OCI appropriate to its size and risk profile.

Step 2: Conduct the Risk Assessment
Document all money-laundering and terrorist-financing risks relevant to your business, following the methodology prescribed in RD 304/2014. Use SEPBLAC's sectoral guidance as a starting point.

Step 3: Draft Internal Policies and Procedures
Written policies must cover at minimum:

  • Customer acceptance and CDD procedures
  • Transaction monitoring rules and alert-handling protocols
  • STR escalation and filing procedures
  • Record-keeping and data-retention practices
  • Sanctions screening procedures

Step 4: Implement Transaction Monitoring
Deploy monitoring systems — whether manual, rule-based, or automated — capable of detecting unusual transaction patterns, deviations from customer profiles, and sanctions-list matches.

Step 5: Deliver Training
All relevant employees must receive AML training at onboarding and at regular intervals thereafter. Training must be tailored to the employee's role and documented.

Step 6: Conduct the External Expert Review
Article 28 of RD 304/2014 requires obliged subjects to commission an independent external expert to review their AML programme. The expert's report must be submitted to the OCI and made available to SEPBLAC on request.

Step 7: Review, Update, and Iterate
The risk assessment, policies, and control measures must be reviewed at least annually, and updated whenever there is a material change in risk profile, regulatory requirements, or business model.

AML Programme Compliance Checklist

  • OCI formally constituted and registered with SEPBLAC
  • Written risk assessment completed and approved by OCI
  • CDD policies and procedures documented and operational
  • Transaction monitoring system deployed and tested
  • STR escalation and filing procedure in place
  • Sanctions screening integrated into onboarding and ongoing monitoring
  • Training programme delivered and documented for all relevant staff
  • Record-keeping system compliant with ten-year retention requirement
  • External expert review commissioned within required timeframe
  • Annual review cycle established

For detailed implementation steps, see our spoke articles on AML internal controls and policies and AML training requirements for Spanish businesses.

Strengthen Your AML Compliance Today

Key takeaway: The best time to review your AML programme is before a SEPBLAC inspection — not after.

If you are an obliged subject under Law 10/2010, a robust AML programme is not a luxury — it is a legal requirement. Whether you are building a programme from scratch or stress-testing an existing one, the following resources can help:

  • Download our free AML risk-assessment template — a structured workbook to help you document your risk assessment in line with RD 304/2014 requirements.
  • Enrol in the AML & Financial Crime compliance course — a comprehensive, CPD-accredited programme covering Law 10/2010, SEPBLAC obligations, CDD procedures, and enforcement trends, developed by practising compliance professionals.

AML compliance programme checklist for obliged subjects in Spain under Law 10/2010

Frequently Asked Questions

What is PBC in Spain?

PBC stands for prevención de blanqueo de capitales — Spain's anti-money laundering framework. It is the set of legal obligations requiring designated businesses and professionals to identify customers, assess risks, monitor transactions, and report suspicious activity to SEPBLAC. The core legislation is Law 10/2010, supplemented by RD 304/2014.

Who must comply with AML law?

All "obliged subjects" (sujetos obligados) listed in Articles 2 and 3 of Law 10/2010 must comply. This includes banks, payment institutions, insurers, real estate agents, lawyers, notaries, accountants, tax advisers, dealers in high-value goods, casinos, and crypto-asset service providers. The list is broad and sector-specific thresholds apply.

What is SEPBLAC?

SEPBLAC (Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias) is Spain's financial intelligence unit (FIU). It receives and analyses suspicious transaction reports from obliged subjects, conducts compliance inspections, and refers intelligence to law enforcement. SEPBLAC also publishes guidance to help entities calibrate their AML programmes.

What are the AML penalties?

Penalties under Law 10/2010 range from fines of up to €60,000 for minor infractions to up to €10 million — or 10% of annual turnover — for very serious infractions such as systematic CDD failures or failure to file STRs. Very serious and serious infractions can also result in public reprimand, director disqualification, and licence revocation. Criminal liability for money laundering itself is separate and carries prison sentences under the Spanish Criminal Code.