A foreign company sets up in Spain to provide financial services or real estate advisory. Within months, it receives a formal request from Spain’s financial intelligence unit — SEPBLAC — asking for its AML policies, customer due diligence records, and internal control procedures. The company has none. The result: fines, reputational damage, and potential suspension of activity. This is not a hypothetical. It happens every year to foreign businesses that underestimate Spain’s anti-money laundering framework.
Spain has one of the most developed AML compliance frameworks in the EU, governed by Law 10/2010 on the Prevention of Money Laundering and Terrorist Financing. Foreign companies operating in Spain — whether through a branch, subsidiary, or direct cross-border activity — can be subject to these obligations. Here is what you need to know.
Which companies are subject to AML obligations in Spain?
Spain’s AML law applies to a broad list of ‘obligated entities’ (sujetos obligados). Foreign companies operating in Spain in any of the following sectors are covered:
- Credit and financial institutions (banks, payment service providers, electronic money institutions)
- Insurance companies offering life insurance or investment-linked products
- Investment firms and fund managers
- Real estate agents and property developers
- Auditors, external accountants, and tax advisers
- Lawyers and notaries when involved in financial transactions, company formation, or real estate
- Trust and company service providers (formation agents, registered office providers)
- Casinos and gambling operators
- Dealers in high-value goods (art, jewellery, luxury vehicles) when transactions exceed €10,000 in cash
- Crowdfunding platforms and virtual asset service providers (VASPs)
If your company falls into any of these categories and operates in Spain — regardless of whether you have a local entity — you may be a sujeto obligado and subject to Spain’s full AML compliance framework.
Core AML obligations for foreign companies in Spain
1. Customer due diligence (CDD)
All obligated entities must apply customer due diligence (diligencia debida) before establishing a business relationship or carrying out occasional transactions above the relevant threshold. CDD requires:
- Identifying and verifying the identity of the customer (using official documents)
- Identifying the ultimate beneficial owner (UBO) — the individual who ultimately owns or controls the customer entity
- Understanding the nature and purpose of the business relationship
- Ongoing monitoring of the relationship and transactions
Enhanced due diligence (EDD) applies to high-risk customers, politically exposed persons (PEPs), and customers from high-risk third countries identified by the EU. In these cases, additional measures — such as senior management approval and source of funds verification — are required.
2. Internal control systems
Obligated entities must establish and maintain written internal AML policies and procedures, including:
- A risk assessment identifying the money laundering and terrorist financing risks specific to the entity’s activity
- A customer risk classification system
- An internal AML compliance officer (representante ante el SEPBLAC)
- An internal reporting channel for suspicious transaction alerts
- A regular employee training programme on AML obligations
For foreign companies operating in Spain through a branch or subsidiary, the internal policies of the parent group must be supplemented with a local compliance programme that meets Spanish requirements specifically.
3. Reporting suspicious transactions to SEPBLAC
SEPBLAC (Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias) is Spain’s financial intelligence unit. Obligated entities must report suspicious transactions (operaciones sospechosas) to SEPBLAC without tipping off the customer. There is no minimum amount threshold for suspicious transaction reports — the obligation arises from suspicion, not value.
Certain categories of transactions must also be reported automatically regardless of suspicion — for example, cash transactions above €10,000 (or €1,000 for certain high-risk activities).
4. Record keeping
All AML-related records must be kept for a minimum of 10 years, including customer identification documents, due diligence records, transaction records, and internal reports. These records must be available for inspection by SEPBLAC and other competent authorities on request.
The role of the AML compliance officer in Spain
Every obligated entity in Spain must designate a specific compliance officer responsible for AML matters — the representante ante el SEPBLAC. This individual serves as the point of contact with the supervisory authority and is responsible for the entity’s internal AML programme. In practice, for foreign companies operating in Spain, this role is often fulfilled by a senior local manager or an external compliance provider.
Who supervises AML compliance in Spain?
Supervision of AML compliance in Spain is distributed across several bodies depending on the sector:
- SEPBLAC: financial institutions, insurance companies, and some other regulated sectors
- Banco de España: credit institutions
- CNMV (securities regulator): investment firms and fund managers
- DGSFP (insurance regulator): insurance companies
- Consejo General del Notariado, Consejo General de la Abogacía Española: legal professionals
- ICAC and regional audit bodies: auditors and external accountants
- AEAT and regional tax authorities: tax advisers and certain other professionals
Penalties for AML non-compliance in Spain
Spain’s AML enforcement has intensified significantly in recent years. Penalties under Law 10/2010 are divided into three categories:
- Minor infractions: warnings or fines up to €60,000
- Serious infractions: fines from €60,001 to €150,000, or up to twice the amount of the transaction involved
- Very serious infractions: fines from €150,001 to €1,500,000, or up to 5% of total assets, plus potential suspension of activity and publication of the sanction
Directors and senior managers can also be held personally liable for infringements attributable to their negligence or failure to act.
Frequently asked questions
Does a foreign company without a Spanish entity need to comply with Spanish AML rules?
It depends. If the foreign company carries out transactions with Spanish customers or provides regulated services to Spanish clients — even without a local entity — it may fall within the scope of Spain’s AML law. The determining factor is whether the activity is covered by the list of obligated entities and whether it is conducted in Spain or directed at Spain. Legal advice is needed to confirm the specific position.
What is the beneficial ownership register in Spain?
Spain maintains a Registro de Titularidades Reales (beneficial ownership register) within the Registro Mercantil. Companies are required to identify and register their ultimate beneficial owners — individuals who own more than 25% of the shares or voting rights, or who exercise effective control. This information must be kept up to date and is accessible to competent authorities and, in some cases, to the public.
How often must AML training be provided to employees?
Spain’s AML regulations require that employee training be provided on a regular basis — at a minimum, annually. Training must be adapted to the roles and responsibilities of the individuals and updated whenever there are significant changes in the regulatory framework or the entity’s risk profile.
AML compliance in Spain is not a tick-box exercise — it is an ongoing legal obligation with serious consequences for non-compliance. At Capital Auditors & Consultants, we help foreign companies establish, review, and maintain AML compliance programmes that meet SEPBLAC’s requirements. Contact our compliance team to assess your obligations.