AML Compliance: Protect Your Business from Money Laundering Risk

Anti-money laundering (AML) compliance in Spain is governed by Law 10/2010 on the Prevention of Money Laundering and Terrorist Financing (as amended by RDL 7/2021 transposing the EU's 6th AML Directive), which imposes obligations on a defined list of obligated entities — including financial institutions, law firms, notaries, real estate agents, accountants, and company formation agents. These entities must apply customer due diligence (KYC), maintain internal prevention manuals, establish whistleblowing channels, report suspicious transactions to SEPBLAC (Spain's Financial Intelligence Unit), and designate an internal compliance representative. Non-compliance can result in sanctions exceeding EUR 1 million and criminal liability for individual managers.

Our AML compliance team has experience implementing prevention programmes for entities across multiple sectors: financial, real estate, legal, accounting, and business services.

The Compliance Obligation Many Businesses Underestimate

Spain’s Law 10/2010 on the Prevention of Money Laundering and Terrorist Financing applies to a much wider range of businesses than most companies realise. Beyond the obvious financial institutions, the law covers auditors, tax advisers, lawyers involved in real estate or corporate transactions, estate agents, real estate developers, accountants, trust service providers, and any professional adviser managing third-party funds or assets. Many SMEs in these sectors have never properly assessed whether they are obligated entities — or if they have, their compliance programme has not kept pace with regulatory developments.

The SEPBLAC has become progressively more active in its inspection and enforcement activity. Administrative sanctions for serious violations now routinely exceed one million euros. Personal liability for management bodies is also expressly provided for in the law: directors who allow a non-compliant programme to persist are not shielded by the corporate structure.

What an Effective AML Programme Actually Looks Like

The minimum requirements of Law 10/2010 are not met by a generic prevention manual downloaded from the internet. An effective programme requires a genuine risk assessment: a structured analysis of your specific client base, the products and services you provide, the geographic jurisdictions involved, and your distribution channels. Different businesses face radically different AML risk profiles, and the controls must be calibrated accordingly.

KYC is the operational heart of the programme. For corporate clients, this means going beyond the registered company to identify and verify the ultimate beneficial owners — the natural persons who ultimately control the entity. The beneficial-ownership register (RBE) provides a starting point, but its data cannot be relied on exclusively: discrepancies must be investigated. For politically exposed persons (PEPs) and clients from high-risk jurisdictions, enhanced due diligence is required, with documented justification for accepting the business relationship.

Our programmes are designed to be operational, not decorative. We train staff to apply the procedures in their daily work, not just to have attended a compliance presentation. When a transaction triggers a red flag, the team should know what to do: how to escalate, how to document the assessment, and when the obligation to report to the SEPBLAC arises.

AML in Corporate Transactions

When a company is being acquired, AML compliance is a critical dimension of due diligence. An inadequate programme inherited through an acquisition creates immediate regulatory exposure for the buying group. We conduct AML-specific due diligence reviews for acquirers of obligated entities, quantify the remediation cost, and advise on the representations and warranties that should be included in the sale agreement to protect the buyer.

For businesses undergoing restructuring that changes their client base or geographic footprint, the AML risk assessment must be updated to reflect the new profile. A programme designed for a domestic client base may be wholly inadequate after an international expansion.

The Incoming AMLA Regulation

The European Union’s Anti-Money Laundering Authority (AMLA), established by Regulation 2024/1620, will begin direct supervision of selected obligated entities — principally financial sector firms with cross-border activities — from 2026. The 6th AML Directive (AMLD6), currently in final stages, will introduce further harmonisation of national AML rules across the EU, with higher standards for virtual asset service providers and stronger requirements for real estate sector obligated entities. Spanish companies with EU cross-border operations need to monitor AMLA’s implementation closely: the shift from national SEPBLAC supervision to direct European authority oversight for some entities is a material change in the enforcement landscape.

Beneficial Ownership: The Documentation Layer

Verification of beneficial ownership has become the most complex operational dimension of AML compliance. Beyond checking the Registro de Titularidades Reales, a complete programme requires documented evidence of the verification exercise: what sources were consulted, what discrepancies were found, and how they were resolved. For corporate clients with complex ownership chains — multi-layered structures, trusts, foundations, or entities in non-cooperative jurisdictions — the documentation requirement is substantially more demanding. SEPBLAC has made clear that the register is a starting point, not a conclusion: independent verification is required when register data appears inconsistent with other client information. Our criminal compliance team advises on the interaction between AML beneficial ownership requirements and corporate law obligations.

Technology in AML Compliance

Transaction monitoring systems, PEP and sanctions list screening tools, and case management platforms are increasingly standard in compliance programmes for larger obligated entities. We advise on the selection and implementation of these tools, help configure risk models that minimise false positives without reducing detection effectiveness, and review the regulatory implications of using AI-assisted screening tools — which themselves raise questions under the EU AI Act compliance framework when they make decisions affecting individuals. The intersection of AML technology and AI regulation is an emerging compliance challenge that is best managed with integrated legal and technical expertise from the outset.

The Incoming AMLA Regulation

The European Union’s Anti-Money Laundering Authority (AMLA), established by Regulation 2024/1620, will begin direct supervision of selected obligated entities — principally financial sector firms with cross-border activities — from 2026. The 6th AML Directive (AMLD6), currently in final stages, will introduce further harmonisation of national AML rules across the EU, with higher standards for virtual asset service providers and stronger requirements for real estate sector obligated entities. Spanish companies with EU cross-border operations need to monitor AMLA’s implementation closely: the shift from national SEPBLAC supervision to direct European authority oversight for some entities is a material change in the enforcement landscape.

Beneficial Ownership: The Documentation Layer

Verification of beneficial ownership has become the most complex operational dimension of AML compliance. Beyond checking the Registro de Titularidades Reales, a complete programme requires documented evidence of the verification exercise: what sources were consulted, what discrepancies were found, and how they were resolved. For corporate clients with complex ownership chains — multi-layered structures, trusts, foundations, or entities in non-cooperative jurisdictions — the documentation requirement is substantially more demanding. SEPBLAC has made clear that the register is a starting point, not a conclusion: independent verification is required when register data appears inconsistent with other client information. Our criminal compliance team advises on the interaction between AML beneficial ownership requirements and corporate law obligations.

Technology in AML Compliance

Transaction monitoring systems, PEP and sanctions list screening tools, and case management platforms are increasingly standard in compliance programmes for larger obligated entities. We advise on the selection and implementation of these tools, help configure risk models that minimise false positives without reducing detection effectiveness, and review the regulatory implications of using AI-assisted screening tools — which themselves raise questions under the EU AI Act compliance framework when they make decisions affecting individuals. The intersection of AML technology and AI regulation is an emerging compliance challenge that is best managed with integrated legal and technical expertise from the outset.