Skip to content
Case studiesPricingSecurityCompareBlog
GlossaryCountry guidesChecklistsROI Calculator

Europe

Americas

Oceania

All guides
🇪🇸

KYC Obligations in Spain — Complete 2026 Guide

Comprehensive guide to KYC and anti-money laundering obligations in Spain: SEPBLAC requirements, Ley 10/2010, document verification, and best practices for obligated entities.

Regulators:SEPBLAC
Key laws:Ley 10/2010, Real Decreto 304/2014, AMLD6
Last updated 2026-03-28

Regulatory Framework

Spain has a structured anti-money laundering framework centred on Ley 10/2010 de 28 de abril, de prevención del blanqueo de capitales y de la financiación del terrorismo (Law 10/2010 of 28 April on the prevention of money laundering and terrorist financing). This law, which transposed the 3rd EU AML Directive, was substantially amended by Real Decreto-ley 7/2021 to incorporate AMLD4 and AMLD5 requirements, and by Law 4/2023 to transpose AMLD6. Real Decreto 304/2014 constitutes the implementing regulation detailing due diligence obligations.

SEPBLAC (Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias) is the central body of Spain's AML framework. Attached to the Bank of Spain, SEPBLAC serves a dual function: as financial intelligence unit (FIU), receiving and analysing suspicious transaction reports, and as supervisory body, monitoring compliance with AML/CFT obligations and initiating sanctioning procedures.

The Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias (CPBCIM), chaired by the Secretary of State for the Economy, is the policy coordination body for AML prevention. It approves strategic guidelines and instructions for the application of the law.

Spain's framework is characterised by a risk-based approach, aligned with FATF recommendations. Spain undergoes regular mutual evaluations by the FATF and the Council of Europe's MONEYVAL Committee, whose findings influence legislative and regulatory adjustments.

Who Must Comply

Article 2 of Ley 10/2010 defines a broad scope of obligated entities (sujetos obligados):

  • Credit institutions: commercial banks, savings banks (cajas de ahorros), credit cooperatives
  • Investment services firms: securities companies, securities agencies, portfolio management companies
  • Insurance and reinsurance companies: for life insurance and capitalisation activities
  • Payment institutions and electronic money institutions: payment service providers, fintechs
  • Collective investment scheme management companies (SGIIC)
  • Virtual asset service providers: crypto-asset exchange platforms, registered with the Bank of Spain
  • Property developers and real estate agents: for both sales and rentals where monthly rent exceeds EUR 10,000
  • Legal and accounting professions: notaries (notarios), lawyers (abogados), procurators (procuradores), auditors (auditores de cuentas)
  • Auctioneers and art dealers: for transactions exceeding EUR 10,000
  • Casinos and gaming establishments: land-based casinos and online gaming operators authorised by the DGOJ
  • High-value goods dealers: for cash payments exceeding EUR 10,000 or electronic money payments exceeding EUR 10,000

Spain has uniquely extended the scope to foundations and associations declared of public utility, due to identified risks of misuse for terrorist financing.

Customer Due Diligence Requirements

Standard Due Diligence (CDD)

Standard due diligence measures (diligencia debida normal) are detailed in Articles 3 to 6 of Ley 10/2010 and Title II of Real Decreto 304/2014:

Formal identification: for natural persons residing in Spain, the DNI (Documento Nacional de Identidad) is the reference document. For foreign nationals residing in Spain, the NIE (Número de Identidad de Extranjero) with residence card or passport. For non-residents, a valid passport. For legal persons, the NIF (Número de Identificación Fiscal), extract from the commercial register (Registro Mercantil), articles of association, and identification of directors.

Beneficial owner identification (titular real): any natural person who directly or indirectly holds more than 25% of the capital or voting rights, or who exercises control by any other means. Spanish law requires consultation of the Registro de Titularidades Reales (Register of Real Ownership), accessible to obligated entities since 2022.

Understanding the purpose and nature of the business relationship: determination of the risk profile, professional activity, source of funds, and expected volume of operations.

Ongoing monitoring: review of transactions carried out within the business relationship to verify consistency with the customer profile. Update of documents and information at regular intervals or upon trigger events.

Thresholds for occasional transactions: due diligence obligations apply for one-off transactions exceeding EUR 15,000, fund transfers exceeding EUR 1,000, and currency exchange exceeding EUR 1,000.

Enhanced Due Diligence (EDD)

Enhanced due diligence measures (diligencia debida reforzada) are mandatory in the following cases:

  • Politically Exposed Persons (PEPs — personas con responsabilidad pública): Spain's definition is aligned with the EU Directive and covers national, foreign, and international organisation functions.
  • Correspondent banking with third-country institutions: specific measures including assessment of the correspondent's AML/CFT framework.
  • Relationships with high-risk countries: countries on the European list or identified by the FATF.
  • Unusually complex transactions: transactions whose characteristics do not match the customer profile.
  • High-risk sectors and products: defined by Spain's national risk assessment, including notably real estate, fund transfers, and virtual assets.

Required Documents

For natural persons:

  • DNI (Spanish residents) or passport/NIE (foreign nationals) in valid condition
  • Proof of address (certificado de empadronamiento, utility bill)
  • NIF or NIE for tax purposes
  • Where applicable, documentation on source of funds for PEPs and high-risk operations

For legal persons:

  • NIF (Número de Identificación Fiscal)
  • Registration in the Registro Mercantil or equivalent register
  • Up-to-date articles of association (escritura de constitución)
  • Identity documents of directors and legal representatives
  • Extract from the Registro de Titularidades Reales
  • Where applicable, powers of attorney (poder notarial)

For foundations and associations:

  • Registration in the foundations or associations register
  • Articles of association and governance documents
  • Identification of board of trustees or board of directors members

Retention period: 10 years after the end of the business relationship or execution of the transaction.

Reporting Obligations

Suspicious transaction report (comunicación por indicio): obligated entities must report to SEPBLAC any transaction or attempted transaction for which there are indications or certainty that it is linked to money laundering or terrorist financing. Reports must be made via SEPBLAC's online system, without delay after detection.

Systematic reporting (comunicación sistemática): certain operations must be systematically reported to SEPBLAC, regardless of any suspicion. This includes cash operations above certain thresholds and cross-border fund transfers as defined by regulations.

Cash payment limitation: Spain imposes a strict limitation on cash payments of EUR 1,000 for transactions involving a professional (one of the lowest limits in Europe). For non-residents, the threshold is EUR 10,000. This measure, introduced by Ley 11/2021, aims to combat tax fraud and money laundering.

Prohibition on tipping off (prohibición de revelación): the obligated entity may not inform the customer or third parties that a report has been made or that an analysis is in progress.

In 2024, SEPBLAC received more than 15,000 suspicious transaction reports, primarily from the banking sector (approximately 65%) and notaries (approximately 15%).

Penalties for Non-Compliance

Administrative sanctions:

  • Very serious offences (infracciones muy graves): fine of up to the higher of EUR 10 million, 10% of total annual turnover, or double the amount of the benefit obtained. Licence revocation, prohibition from activity, temporary or permanent closure of premises.
  • Serious offences (infracciones graves): fine up to EUR 5 million or 5% of turnover. Temporary activity suspension.
  • Minor offences (infracciones leves): fine up to EUR 60,000. Public or private reprimand.

Criminal sanctions:

  • Money laundering (Article 301 of the Spanish Penal Code) is punishable by 6 months to 6 years' imprisonment and a proportional fine
  • For aggravated cases (proceeds of serious crimes, organised crime), the penalty is enhanced
  • Terrorist financing is punishable by 5 to 10 years' imprisonment
  • Legal persons may be sentenced to fines, dissolution, or activity suspension

Publication of sanctions: sanctions for serious and very serious offences are published in the BOE (Boletín Oficial del Estado) and on the SEPBLAC website.

How CheckFile Helps

Spain's KYC framework requires meticulous document verification, with specificities related to national identity documents (DNI, NIE) and the register of real ownership. CheckFile provides an AI-powered document verification solution designed to meet the requirements of Ley 10/2010 and Real Decreto 304/2014.

The CheckFile platform automatically verifies the authenticity of Spanish DNI and NIE, passports, and more than 6,000 international document types. The AI analyses security features (holograms, watermarks, intaglio printing, MRZ zones, and 2D barcodes), extracts data, and cross-validates it with customer-declared information. Document fraud detection (forgery, counterfeiting, stolen documents) achieves an accuracy rate exceeding 99%.

To meet SEPBLAC audit requirements, CheckFile provides a timestamped, complete audit trail, archived for the 10 years required by Spanish regulations. The solution integrates via API with onboarding platforms, banking systems, and existing compliance tools, enabling smooth automation of the verification process. Processing complies with the GDPR and Spain's LOPDGDD, with European data hosting.

FAQ

What documents are required for KYC in Spain?

For Spanish residents, the DNI (Documento Nacional de Identidad) is the reference document. Foreign nationals residing in Spain must provide their NIE and residence card or passport. For legal persons, the NIF, Registro Mercantil registration, articles of association, directors' identity documents, and an extract from the register of real ownership are required. The retention period is 10 years.

What are the penalties for KYC non-compliance in Spain?

Penalties for very serious offences can reach EUR 10 million or 10% of annual turnover. Money laundering is punishable by 6 months to 6 years' imprisonment. Spain also applies one of the lowest cash payment limits in Europe (EUR 1,000 for professionals). Serious and very serious sanctions are officially published.

How often must KYC checks be updated in Spain?

Real Decreto 304/2014 requires risk-proportionate updates. High-risk customers (PEPs, high-risk countries) are reviewed annually. Medium-risk customers every 3 years and low-risk customers every 5 years. Any significant event (change of director, change in shareholding, unusual transaction) requires an immediate update. SEPBLAC systematically checks file maintenance during its inspections.

Frequently asked questions

Automate your compliance

CheckFile simplifies document verification compliant with local requirements.