Spain

CNMV — Securities market, crypto advertising regulation (mandatory risk warnings)

Banco de Espana — VASP registration, AML/CFT

**Directive (EU) 2015/849 (4th AMLD):** The foundational directive, which brought more entities into scope and strengthened CDD.

**Directive (EU) 2018/843 (5th AMLD):** **Crucially**, this directive extended the scope of AML/CFT rules to include virtual asset service providers (VASPs), specifically:

Providers engaged in exchange services between virtual currencies and fiat currencies.

**Directive (EU) 2018/1673 (6th AMLD):** Primarily focuses on harmonizing the definition of money laundering criminal offenses and related sanctions across the EU, which indirectly supports the AML framework.

**Ley 10/2010, de 28 de abril, de prevención del blanqueo de capitales y de la financiación del terrorismo** (Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing).

**Real Decreto 304/2014, de 5 de mayo, por el que se aprueba el Reglamento de la Ley 10/2010 (Royal Decree 304/2014, of May 5, approving the Regulation of Law 10/2010):** This Royal Decree provides detailed rules for the implementation of Law 10/2010. It also has been amended to reflect EU changes.

**Real Decreto-ley 7/2021, de 27 de abril (Royal Decree-Law 7/2021, of April 27):** This specific decree transposed significant parts of the 5th AMLD, formally bringing VASPs under the scope of Law 10/2010 and establishing the requirement for their registration with the Bank of Spain.

**Circular 2/2022 del Banco de España, de 23 de marzo (Circular 2/2022 of the Bank of Spain, of March 23):** This circular specifically regulates the administrative registration of providers of virtual currency exchange services for fiat currency and electronic wallet custody services.

**Identification and Verification of the Customer:**

**Natural Persons:** Obtain and verify identity using reliable independent sources (e.g., national ID card, passport). Required data includes full name, date and place of birth, address, and national identification number.

**Legal Persons/Entities:** Obtain and verify the name, legal form, address, proof of incorporation, articles of association, names of directors, and the legal representative(s).

**Identification and Verification of the Beneficial Owner (BO):**

For legal entities, identify any natural person(s) who ultimately own or control 25% plus one share or more of the entity, or who otherwise exercise control.

If no such natural person is identified, identify the natural person(s) who hold the position of senior managing official(s).

**Understanding the Purpose and Intended Nature of the Business Relationship:**

VASPs must gather information about the client's typical transaction volumes, types of virtual assets, and the source of funds/wealth where necessary.

**Ongoing Monitoring of the Business Relationship:**

Scrutinizing transactions undertaken throughout the course of the relationship to ensure consistency with the VASP's knowledge of the customer, their business, and risk profile, including, where necessary, the source of funds.

Regularly updating customer information, including CDD documentation.

Carrying out occasional transactions exceeding €1,000 (whether in a single transaction or several linked transactions).

Where there is suspicion of money laundering or terrorist financing.

When there are doubts about the veracity or adequacy of previously obtained customer identification data.

Required for higher-risk situations, such as:

Politically Exposed Persons (PEPs), their family members, and close associates.

Customers from high-risk third countries (as identified by the EU or FATF).

Complex, unusually large transactions, or unusual patterns of transactions that have no apparent economic or lawful purpose.

Non-face-to-face relationships without specific safeguards.

EDD measures include obtaining senior management approval, taking reasonable measures to establish the source of wealth and funds, and conducting enhanced ongoing monitoring.

Permitted in explicitly defined low-risk situations, though given the inherent risks often associated with virtual assets, this is less frequently applicable to VASPs.

**Reporting Obligation:** Any VASP that knows, suspects, or has reasonable grounds to suspect that funds, regardless of the amount, are the proceeds of criminal activity or are related to terrorist financing, must promptly report it.

**Recipient:** Reports must be submitted to the **Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias (SEPBLAC)**, which is Spain's FIU.

**"Tipping-Off":** VASPs are strictly prohibited from informing the customer concerned or third parties that a suspicious transaction report is being, or has been, transmitted, or that a money laundering or terrorist financing investigation is being, or may be, carried out.

**Internal Controls:** VASPs must have internal policies, procedures, and controls in place to detect and report suspicious transactions, including appointing a Money Laundering Reporting Officer (MLRO).

Records of CDD measures (copies of identification documents, beneficial ownership information).

Records of all transactions, including:

Amount and currency of the transaction.

Parties involved (sender and recipient, including their virtual asset addresses).

Records of STRs and any internal suspicious activity reports.

Records of internal policies and procedures, and staff training.

**Retention Period:** All records must be retained for at least **five years** after the end of the business relationship with the customer or the date of an occasional transaction.

**1. For AML/CFT Compliance and Enforcement (FIU):**

**Name:** **Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias (SEPBLAC)**

**Role:** This is Spain's Financial Intelligence Unit (FIU). It is responsible for receiving, analyzing, and disseminating suspicious transaction reports. It also oversees compliance with AML/CFT obligations by obliged entities, including VASPs, and can impose sanctions for non-compliance.

**Name:** **Banco de España (Bank of Spain)**

**Role:** Following the transposition of the 5th AMLD, providers of virtual currency exchange services for fiat currency and electronic wallet custody services are required to register with the Bank of Spain. This registration is a prerequisite for operating legally in Spain. The Bank of Spain maintains a public register of these entities and ensures they meet certain operational and reputational requirements before granting registration.

**Specific Registry Page (in Spanish):** Look for "Registro de proveedores de servicios de cambio de moneda virtual por moneda fiduciaria y de custodia de monederos electrónicos" on their site. A direct link to the relevant section or public registry might change, but it can typically be found under their "Supervision" or "Financial Innovation" sections. As of the last update, the main page on registration is often linked from their "Normativa y publicaciones" (Regulations and Publications) or "Entidades supervisadas" (Supervised entities) sections.

**Requirement:** Entities providing services of virtual currency exchange for fiat currency, and **custody of electronic wallets (custodia de monederos electrónicos)**, must register with the **Bank of Spain (Banco de España)**. This is a *registration* requirement, not a full prudential *license* in the traditional sense, but it subjects providers to AML/CTF supervision.

**Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing (Ley 10/2010, de 28 de abril, de prevención del blanqueo de capitales y de la financiación del terrorismo).**

**Royal Decree 775/2021, of August 31 (Real Decreto 775/2021, de 31 de agosto)**, which modifies the Regulation of Law 10/2010 to specifically include virtual asset service providers. This decree specifies the conditions and procedures for their registration.

**Competent Authority:** **Bank of Spain (Banco de España)** is responsible for maintaining the register and supervising these entities for AML/CTF purposes.

**Bank of Spain VASP Register (information page):** https://www.bde.es/bde/es/secciones/servicios/Registro_de_pr/

Under the current AML/CTF framework, there isn't explicit legislation in Spain mandating the *segregation of client crypto-assets* in the same way it's required for traditional financial institutions (e.g., client funds in separate accounts). The focus is primarily on customer identification (KYC) and transaction monitoring.

However, general principles of good governance, consumer protection, and the prevention of misuse of funds would implicitly encourage or suggest such practices, even if not explicitly codified for crypto-assets.

The current AML/CTF registration requirements in Spain **do not explicitly mandate specific insurance or bonding requirements** for crypto custodians. Providers are expected to maintain general business insurance, but there isn't a regulatory requirement for a specific amount of capital or professional indemnity insurance directly linked to the custody of crypto-assets.

There are **no explicit regulatory mandates for the use of cold storage** as a specific technical requirement under the current Spanish AML/CTF framework. While cold storage is widely considered a best practice for securing digital assets against online threats, the regulations focus on the broader AML/CTF compliance rather than specific technological security measures. Firms are expected to have robust security protocols, but the specific implementation is left to the provider.

The current Spanish framework **does not define "qualified custodian"** specifically for crypto assets in the same way traditional finance defines qualified custodians (e.g., banks, trust companies). An entity registered with the Bank of Spain to provide "custody of electronic wallets" is essentially the recognized custodian for AML purposes, but this registration doesn't impose the same prudential or institutional requirements as a traditional financial "qualified custodian."

**Regulator Name:** Comisión Nacional del Mercado de Valores (CNMV)

**Entity Targeted:** Binance (specifically, Binance Spain S.L.)

**Violation Type:** Non-compliance with the CNMV's Circular 1/2022 on advertising of crypto-assets. The alleged violations included insufficient disclosure of risks, lack of clarity, and inadequate warnings in advertising campaigns.

**Date:** October 2023 (Resolution published in November 2023)

**Outcome:** Fine imposed and publicly announced. This marked a significant enforcement of Spain's relatively new crypto advertising rules.

**CNMV Official Announcement (Spanish):** https://www.cnmv.es/portal/verDoc.axd?t=%7b04968848-185d-4096-98ec-6aa0633b4d45%7d

**El País Article (Spanish):** https://elpais.com/economia/2023-11-06/la-cnmv-multa-con-31-millones-a-binance-por-incumplir-la-normativa-de-publicidad-de-criptoactivos.html

**Regulator Name:** Agencia Española de Protección de Datos (AEPD - Spanish Data Protection Agency)

**Entity Targeted:** Tools for Humanity Corp. (the company behind the Worldcoin project)

**Violation Type:** Illicit processing of personal data (especially sensitive biometric data like iris scans), lack of transparency, insufficient information provided to users, and processing of data of minors.

**Penalty Amount:** Precautionary measure imposing an immediate prohibition on the collection and processing of personal data by Worldcoin in Spain. A final fine amount will be determined after a full investigation, potentially reaching up to €20 million for GDPR violations.

**Outcome:** Precautionary measure imposed, requiring Worldcoin to cease all data collection and processing activities in Spain related to its iris scanning. Investigation ongoing. This is a very significant action due to its direct operational impact and the novelty of regulating biometric data in a crypto context.

**AEPD Official Press Release (Spanish):** https://www.aepd.es/prensa/la-aepd-impone-una-medida-cautelar-para-prohibir-a-worldcoin-el-tratamiento-de-datos-personales-en-espana

**Entity Targeted:** Numerous (hundreds) of unregistered entities operating in the cryptocurrency and forex markets, often referred to as "chiringuitos financieros" (financial boiler rooms). Specific examples include warnings against companies like Bitget, MEXC Global, and countless smaller, fraudulent-appearing platforms.

**Violation Type:** Offering investment services or products related to crypto assets in Spain without the required authorization or registration with the CNMV. This often includes deceptive advertising practices.

**Penalty Amount:** While not a single "fine," the outcome is a public warning, inclusion on the CNMV's "grey list" (list of unauthorized firms), and potential legal action or blocking of access within Spain. This effectively prohibits their operations in Spain and serves as a public consumer alert.

**Date:** Ongoing throughout the last 3 years (e.g., warnings against Bitget in 2021, MEXC in 2022, etc., with new entities added weekly).

**Outcome:** Prohibition of unauthorized operations in Spain, public consumer warning, and potential escalation to legal action. This proactive enforcement has been a continuous and significant effort to protect investors.

**CNMV Grey List (Ongoing updates, Spanish):** https://www.cnmv.es/Portal/ADVERTENCIAS/ListaEntidadesNoAutorizadas.aspx

**Example Warning (Bitget, 2021 - Search for specific names on CNMV website):** https://www.cnmv.es/portal/advertencia/ListaAdvertencias-fichas.aspx?id=1285

**CNMV General Press Release on crypto risks (Spanish, 2022):** https://www.cnmv.es/portal/prensa/NP-2022/NP_01022022.aspx

**Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA):**

This is the primary legal text. It creates a harmonized legal framework for crypto-assets not already covered by existing financial services legislation.

**URL:** Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets

**National Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) Legislation:**

**Real Decreto-ley 7/2021, de 27 de abril, de transposición de directivas de la Unión Europea en diversas materias** (Royal Decree-Law 7/2021, of April 27, transposing EU directives on various matters), which incorporated the 5th AMLD, including crypto-asset service providers, into Spanish law.

**Banco de España (BdE):** The central bank of Spain, responsible for supervising e-money institutions and credit institutions. Under MiCA, it will also be the competent authority for the supervision of issuers of e-money tokens (EMTs) and potentially asset-referenced tokens (ARTs), especially those of significant scale. It also maintains the registry for crypto-asset service providers under national AML law.

**URL (BdE Crypto Register):** Banco de España - Register of providers of virtual currency exchange for fiat currency and electronic custody of electronic wallets

**Comisión Nacional del Mercado de Valores (CNMV):** Spain's securities market regulator. It will be the competent authority for the supervision of issuers of ARTs (other than those supervised by BdE for e-money activities) and other crypto-assets under MiCA.

Defined as a crypto-asset whose main purpose is to be used as a means of exchange and that purports to maintain a stable value by referencing the value of **one single fiat currency**.

These are essentially tokenized fiat currency.

**Classification:** EMTs fall under MiCA's specific regime but are also closely linked to the **E-money Directive (EMD2)**. An issuer of an EMT is considered an e-money institution and must comply with both MiCA and relevant EMD2 provisions.

Defined as a crypto-asset that is not an e-money token and that purports to maintain a stable value by referencing any other value or right, or a combination thereof, including one or several fiat currencies, one or several commodities, or one or several crypto-assets, or a combination of such assets.

**Classification:** ARTs are a distinct category under MiCA. They are not e-money or securities in the traditional sense, but MiCA creates a bespoke regulatory regime for them.

Issuers must at all times maintain a **1:1 peg** with the fiat currency they reference.

The issuer must ensure that the reserve assets are invested in **secure, low-risk assets** (e.g., short-term government bonds, highly liquid money market funds) and held in **segregated accounts** with credit institutions.

At least **30%** of the reserve assets must be held in demand deposits and be available for immediate redemption.

Issuers are required to publish daily reserve statements.

Issuers must maintain a reserve of assets that is **equal to or greater than the value of the ARTs in circulation**.

The reserve assets must be **liquid** and held in **custody** by an independent third party (credit institution or crypto-asset service provider authorized for custody).

The investment policy for reserve assets must be publicly available, clear, and designed to minimize market, credit, and liquidity risk.

A minimum of **30%** of the reserve assets must be held in highly liquid financial instruments with minimal market risk, capable of being liquidated within one business day.

Issuers must establish clear redemption policies.

Only **credit institutions** (banks) or **e-money institutions (EMIs)** authorized under the EMD2 can issue EMTs.

An existing EMI license will be sufficient, but the EMI will also need to comply with the additional requirements of MiCA specific to EMTs.

The Banco de España would be the competent authority in Spain for supervising these entities.

Issuers of ARTs must be a **legal entity established in the EU** and obtain specific **authorization** from their national competent authority (in Spain, likely the CNMV, or the BdE if the ART has characteristics close to e-money or falls under its remit due to scale).

The authorization process involves a detailed application, demonstrating robust governance arrangements, internal control mechanisms, risk management procedures, and compliance with all MiCA requirements.

"Significant ARTs" (those with a large user base or high value) will be subject to enhanced supervision by the European Banking Authority (EBA) and potentially the European Central Bank (ECB).

Holders of EMTs have a right to redeem their tokens **at par value (1:1)** against the referenced fiat currency at **any time**.

This redemption must be done without undue delay and without charging any fees, unless otherwise specified in the white paper for specific circumstances (e.g., very high volumes).

Issuers must provide clear and precise terms and conditions for redemption, including the value at which the ARTs can be redeemed (which must be at **fair market value** of the referenced assets).

Redemption must be possible **at any time**, directly from the issuer or via a payment services provider.

**Prohibition:** MiCA effectively **prohibits** stablecoins that rely solely on an algorithm to maintain their price stability without backing their value with sufficient, robust reserve assets.

**Asset-Backed Requirement:** The core principle of MiCA's stablecoin framework is that both ARTs and EMTs must be **backed by actual reserves** designed to ensure their stability and allow for redemption. This means purely algorithmic, unbacked stablecoins like the former TerraUSD (UST) model would not be permitted under MiCA.

**Banco de España's Role:** The Banco de España is participating in the technical and policy discussions led by the European Central Bank (ECB) regarding the design and implementation of a digital euro.

**Distinction from Stablecoins:** A digital euro would be distinct from MiCA-regulated stablecoins.

**Digital Euro:** Central bank money, risk-free, direct liability of the ECB. It would serve as an official complement to cash and bank deposits.

**Stablecoins (ARTs/EMTs):** Private sector money, issued by regulated private entities, and subject to the specific risks and regulatory requirements outlined in MiCA.

**Complementary but Separate:** While both aim to facilitate digital payments, they operate on different levels. Stablecoins could potentially interact with a digital euro as a bridge or a method for specific use cases, but the digital euro's existence would create a fundamental, risk-free digital monetary base that stablecoins would exist alongside. The digital euro aims to preserve monetary sovereignty and offer a public option for digital payments, which could impact the demand for private stablecoins.

**Requirement:** Under MiCA, providing "custody and administration of crypto-assets on behalf of clients" will require a full **authorization (license)** from a national competent authority (in Spain, likely the CNMV - Comisión Nacional del Mercado de Valores, or potentially the Bank of Spain, subject to national implementation laws).

**Legal Basis:** **Regulation (EU) 2023/1114 on Markets in Crypto-assets (MiCA)**.

**Key Provisions:** Articles 53-62 of MiCA detail the authorization process and requirements for all CASPs, including those offering custody.

**Regulation (EU) 2023/1114 (MiCA):** https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114

**MiCA explicitly mandates robust rules for safeguarding client crypto-assets.**

**Key Provisions (Article 38 - MiCA):**

CASPs offering custody must enter into a custody agreement with clients.

They must establish and maintain an internal policy outlining how they safeguard client crypto-assets and funds.

**Segregation:** They must ensure the segregation of clients' crypto-assets and funds from their own assets, and from the assets of other clients, *in their accounting records*.

They must take adequate measures to ensure that client crypto-assets are not available to third-party creditors of the CASP.

They must establish a policy on the insolvency of the CASP.

This will be a significant step up from the current framework.

**MiCA introduces prudential requirements for CASPs.**

**Key Provisions (Article 67 - MiCA):**

CASPs will be required to hold a minimum amount of own funds or have a professional indemnity insurance policy, or a combination of both.

The amount will depend on the type of services provided and a risk assessment. For "custody and administration of crypto-assets on behalf of clients," this prudential requirement is set at a higher tier than for some other services.

This aims to cover potential liability risks, including operational risks and professional negligence.

While MiCA does not explicitly mandate "cold storage," it places strong emphasis on **robust security arrangements, operational resilience, and integrity of systems.**

**Key Provisions (Article 37 - MiCA):** CASPs must "act honestly, fairly and professionally in accordance with the best interests of their clients" and "implement sound administrative arrangements, which ensure the protection of clients' data." Article 38 also requires "robust security arrangements."

The requirement for sound operational and security measures would naturally lead custodians to adopt industry best practices, including sophisticated multi-signature schemes, hardware security modules (HSMs), and segregated "cold" or "warm" storage solutions, even if the specific technology isn't dictated.

Under MiCA, entities **authorized to provide "custody and administration of crypto-assets on behalf of clients"** will effectively be the "qualified custodians" within the EU regulatory framework.

MiCA sets out detailed requirements for these authorized entities, including:

Organizational requirements (governance, risk management, internal controls).

Operational requirements (IT systems, security, business continuity).

Conduct of business rules (fairness, best interests of clients, complaint handling).

This will establish a clear standard for what constitutes a regulated and "qualified" crypto custodian in Spain and across the EU.

**Direct Effect:** EU Council Regulations imposing sanctions are directly applicable in Spain.

**Scope:** EU sanctions target individuals, entities, and sometimes entire countries, prohibiting various activities, including providing financial services, dealing with certain goods, or transferring funds/economic resources. "Economic resources" explicitly includes virtual assets.

**Purpose:** To counter terrorism, proliferation of weapons of mass destruction, human rights abuses, and to uphold international law (e.g., in response to Russia's aggression against Ukraine).

**Consolidated List:** The EU maintains a consolidated list of persons, groups, and entities subject to EU financial sanctions, which VASPs must screen against.

**Legal Reference:** The legal basis for EU sanctions is primarily Article 215 of the Treaty on the Functioning of the European Union (TFEU).

**URL:** Treaty on the Functioning of the European Union (TFEU)

**URL:** EU Sanctions Map (Consolidated List Data)

Following Russia's invasion of Ukraine, the EU introduced explicit prohibitions on crypto-asset services as part of its sanctions packages.

**Council Regulation (EU) 2022/1904** (amending Regulation (EU) No 833/2014) notably prohibited:

Providing crypto-asset wallet, account, or custody services to Russian persons or residents, regardless of the value of the crypto assets. (Earlier versions had a €10,000 threshold, which was removed).

Providing services related to crypto assets to the Government of Russia or any natural or legal person, entity, or body established in Russia.

**Scope for VASPs:** This means Spanish VASPs cannot offer crypto services (exchange, custody, etc.) to anyone who is a Russian national, resident in Russia, or a legal entity established in Russia.

**Legal Reference:** **Council Regulation (EU) No 833/2014** concerning restrictive measures in view of Russia's actions destabilising the situation in Ukraine, as amended multiple times (e.g., by **Council Regulation (EU) 2022/1904** of 6 October 2022).

**URL:** Consolidated version of Council Regulation (EU) No 833/2014 (search for latest) (Note: Always check the latest consolidated version on Eur-Lex, as it's frequently updated).

**Implementation:** Spain, as an EU member, implements UN Security Council sanctions through EU Regulations.

**Scope:** UN sanctions typically target specific individuals, entities, and countries involved in terrorism, proliferation, or other threats to international peace and security.

**Impact on VASPs:** Any person or entity designated by the UN and subsequently included in an EU implementing regulation (or a national implementing act) must be treated as a sanctioned party. This means freezing their assets (including crypto assets) and prohibiting making funds or economic resources available to them.

**Legal Reference:** UN Security Council Resolutions (various).

**URL:** UN Security Council Sanctions Committees

**Relevance for Spanish VASPs:** While a Spanish VASP is primarily governed by EU and Spanish law, US sanctions imposed by the Office of Foreign Assets Control (OFAC) can have extraterritorial reach, particularly if:

The VASP deals in USD-denominated transactions.

It uses US-origin technology or software.

It has US persons or entities as customers, partners, or employees.

Transactions "transit" through the US financial system.

**Scope:** OFAC maintains various sanctions programs targeting specific countries (e.g., Cuba, Iran, North Korea, Syria, Venezuela), individuals, and entities (e.g., terrorists, cybercriminals, those involved in ransomware, narcotics traffickers).

**Crypto-Specific Actions:** OFAC has increasingly sanctioned entities and individuals involved in illicit crypto activities, including mixing services (e.g., Tornado Cash), ransomware groups, and crypto exchanges facilitating illicit transactions.

**Sanctions Lists:** VASPs should screen against OFAC's Specially Designated Nationals (SDN) and Blocked Persons List, the Sectoral Sanctions Identifications (SSI) List, and other relevant lists.

**Legal Reference:** Various US Executive Orders and implementing regulations (e.g., 31 CFR Chapter V).

**URL:** OFAC Sanctions Programs and Country Information

**URL:** OFAC Sanctions List Search (SDN List)

**URL:** OFAC Guidance on Virtual Currency (Always check for latest version).

**Law 10/2010 on the Prevention of Money Laundering and Terrorist Financing (Ley 10/2010, de 28 de abril, de prevención del blanqueo de capitales y de la financiación del terrorismo):** This is the cornerstone of Spain's AML/CFT framework. It was amended to incorporate the EU's 5th Anti-Money Laundering Directive (AMLD5), bringing VASPs under its scope.

**Key Amendment:** **Real Decreto-ley 7/2021, de 27 de abril**, transposing AMLD5, specifically includes providers engaged in the exchange of virtual currency for fiat currency and custodial wallet providers as "obligated subjects" (sujetos obligados).

**URL:** Ley 10/2010 (consolidated text on BOE)

**URL:** Real Decreto-ley 7/2021 (Article 1.7 specifically regarding VASPs)

**Bank of Spain (Banco de España):** VASPs operating in Spain must register with the Bank of Spain. This registration requires them to comply with AML/CFT obligations, including sanctions compliance.

**URL:** Bank of Spain Registry for VASPs

**SEPBLAC (Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales y Financiación del Terrorismo):** This is Spain's Financial Intelligence Unit (FIU) and supervisory authority for AML/CFT. It provides guidance and oversight to obligated subjects, including VASPs.

**Customer Due Diligence (CDD):** Implement robust KYC procedures to identify and verify customers and beneficial owners. This includes screening against sanctions lists *before* onboarding and throughout the business relationship.

**Sanctions Lists to Screen Against:**

**EU Consolidated List:** Mandatory for all customers, beneficial owners, and relevant third parties.

**UN Sanctions Lists:** Implemented via EU regulations, thus covered by screening against the EU list.

**OFAC Sanctions Lists (SDN, SSI):** Highly recommended, especially if there's any US nexus (USD transactions, US clients, US technology).

**Entity Screening:** Screen names of individuals and legal entities, including aliases, associated parties, and beneficial owners.

**Transaction Screening:** Monitor transactions for potential involvement of sanctioned parties or sanctioned jurisdictions.

**Ongoing Monitoring:** Continuously monitor existing customer bases against updated sanctions lists. Sanctions lists are dynamic and updated frequently.

**Asset Freezing:** Immediately freeze any virtual assets or economic resources belonging to designated individuals or entities upon discovery of a match.

**Prohibition on Making Funds Available:** Do not directly or indirectly make funds or economic resources (including crypto assets) available to sanctioned individuals or entities.

**Suspicious Transaction Reports (STRs) / Comunicaciones por Indicios (CI):** Report any suspected money laundering or terrorist financing activity to SEPBLAC. This includes situations where a transaction involves a sanctioned entity or a sanctioned jurisdiction.

**Sanctions Match Reporting:** Report positive matches against sanctions lists to SEPBLAC and/or the relevant Spanish authorities.

Beyond screening for specific individuals/entities, Spanish VASPs must also adhere to **country-specific sanctions regimes**. This means prohibiting services or transactions with or within certain sanctioned territories.

**Examples of Sanctioned Jurisdictions (EU/UN/OFAC):** Crimea/Sevastopol, Donetsk, Luhansk, Kherson, Zaporizhzhia (Ukraine territories occupied by Russia), North Korea, Iran, Syria, Cuba, Venezuela (specific regimes), Russia (extensive prohibitions).

**Impact on Crypto:** VASPs cannot:

Establish business relationships with individuals or entities located in, or primarily operating from, sanctioned jurisdictions if the sanctions regime prohibits such engagement.

Facilitate transactions that would directly or indirectly benefit sanctioned entities or regimes in these geographies.

Provide any crypto-asset services in regions under comprehensive sanctions (e.g., providing wallets or exchange services to residents of North Korea or to entities controlled by the North Korean government).

**Serious Infringements (Infracciones Graves):** Can result in fines of up to **€5 million** or up to **10% of the VASP's annual turnover**, or even up to **150% of the amount of the transaction** if determinable. This includes failure to apply CDD, failure to report suspicious transactions, or lack of internal control measures.

**Very Serious Infringements (Infracciones Muy Graves):** Can result in fines of up to **€10 million** or up to **10% of the VASP's annual turnover**, or even up to **150% of the amount of the transaction**, plus potential public reprimand, revocation of authorization, or disqualification of management. This includes repeated serious infringements, intentional breaches, or aiding and abetting money laundering/terrorist financing.

**Money Laundering (Blanqueo de Capitales - Article 301):** Imprisonment from 6 months to 6 years and fines. If committed by an obligated subject in the exercise of their profession, the penalties are aggravated, including special disqualification.

**Terrorist Financing (Financiación del Terrorismo - Article 576):** Imprisonment from 5 to 10 years, and fines, for those who provide, collect, or manage funds or assets (including virtual assets) with the intention that they be used for terrorist activities.

**Reputational Damage:** Significant harm to the VASP's reputation, trust, and ability to operate.

**Legal Reference:** **Ley 10/2010, de 28 de abril**, Chapters IV and V (Infracciones y Sanciones).

**Legal Reference:** **Ley Orgánica 10/1995, de 23 de noviembre, del Código Penal**, Articles 301-304 (Money Laundering) and 576 (Terrorist Financing).

**URL:** Código Penal (consolidated text on BOE)

The **EU Consolidated List of Persons, Groups and Entities Subject to EU Financial Sanctions**, which incorporates UN sanctions and the EU's autonomous sanctions regimes. This list is comprehensive and includes individuals and entities designated under various categories, including those involved in illicit financial activities that may encompass crypto.

While not a Spanish list, **OFAC's SDN List** and other sanctions lists are critical for Spanish VASPs to screen against due to potential extraterritorial implications.

**Robust KYC/CDD procedures** at onboarding and throughout the customer lifecycle.

**Automated and continuous screening** of all customers, beneficial owners, and transactions against UN, EU, and relevant OFAC sanctions lists.

**Real-time monitoring** of transactions for red flags, including geographic restrictions.

**Immediate asset freezing** and prohibition of making funds available upon a sanctions match.

**Timely reporting** of suspicious activities and sanctions matches to SEPBLAC.

**Regular training** for staff and a well-documented compliance program.