Spain -- AML/CFT Compliance Regulatory Overview

**Directive (EU) 2015/849 (4th AMLD):** The foundational directive, which brought more entities into scope and strengthened CDD.

**Directive (EU) 2018/843 (5th AMLD):** **Crucially**, this directive extended the scope of AML/CFT rules to include virtual asset service providers (VASPs), specifically:

Providers engaged in exchange services between virtual currencies and fiat currencies.

**Directive (EU) 2018/1673 (6th AMLD):** Primarily focuses on harmonizing the definition of money laundering criminal offenses and related sanctions across the EU, which indirectly supports the AML framework.

**Ley 10/2010, de 28 de abril, de prevención del blanqueo de capitales y de la financiación del terrorismo** (Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing).

**Real Decreto 304/2014, de 5 de mayo, por el que se aprueba el Reglamento de la Ley 10/2010 (Royal Decree 304/2014, of May 5, approving the Regulation of Law 10/2010):** This Royal Decree provides detailed rules for the implementation of Law 10/2010. It also has been amended to reflect EU changes.

**Real Decreto-ley 7/2021, de 27 de abril (Royal Decree-Law 7/2021, of April 27):** This specific decree transposed significant parts of the 5th AMLD, formally bringing VASPs under the scope of Law 10/2010 and establishing the requirement for their registration with the Bank of Spain.

**Circular 2/2022 del Banco de España, de 23 de marzo (Circular 2/2022 of the Bank of Spain, of March 23):** This circular specifically regulates the administrative registration of providers of virtual currency exchange services for fiat currency and electronic wallet custody services.

**Identification and Verification of the Customer:**

**Natural Persons:** Obtain and verify identity using reliable independent sources (e.g., national ID card, passport). Required data includes full name, date and place of birth, address, and national identification number.

**Legal Persons/Entities:** Obtain and verify the name, legal form, address, proof of incorporation, articles of association, names of directors, and the legal representative(s).

**Identification and Verification of the Beneficial Owner (BO):**

For legal entities, identify any natural person(s) who ultimately own or control 25% plus one share or more of the entity, or who otherwise exercise control.

If no such natural person is identified, identify the natural person(s) who hold the position of senior managing official(s).

**Understanding the Purpose and Intended Nature of the Business Relationship:**

VASPs must gather information about the client's typical transaction volumes, types of virtual assets, and the source of funds/wealth where necessary.

**Ongoing Monitoring of the Business Relationship:**

Scrutinizing transactions undertaken throughout the course of the relationship to ensure consistency with the VASP's knowledge of the customer, their business, and risk profile, including, where necessary, the source of funds.

Regularly updating customer information, including CDD documentation.

Carrying out occasional transactions exceeding €1,000 (whether in a single transaction or several linked transactions).

Where there is suspicion of money laundering or terrorist financing.

When there are doubts about the veracity or adequacy of previously obtained customer identification data.

Required for higher-risk situations, such as:

Politically Exposed Persons (PEPs), their family members, and close associates.

Customers from high-risk third countries (as identified by the EU or FATF).

Complex, unusually large transactions, or unusual patterns of transactions that have no apparent economic or lawful purpose.

Non-face-to-face relationships without specific safeguards.

EDD measures include obtaining senior management approval, taking reasonable measures to establish the source of wealth and funds, and conducting enhanced ongoing monitoring.

Permitted in explicitly defined low-risk situations, though given the inherent risks often associated with virtual assets, this is less frequently applicable to VASPs.

**Reporting Obligation:** Any VASP that knows, suspects, or has reasonable grounds to suspect that funds, regardless of the amount, are the proceeds of criminal activity or are related to terrorist financing, must promptly report it.

**Recipient:** Reports must be submitted to the **Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias (SEPBLAC)**, which is Spain's FIU.

**"Tipping-Off":** VASPs are strictly prohibited from informing the customer concerned or third parties that a suspicious transaction report is being, or has been, transmitted, or that a money laundering or terrorist financing investigation is being, or may be, carried out.

**Internal Controls:** VASPs must have internal policies, procedures, and controls in place to detect and report suspicious transactions, including appointing a Money Laundering Reporting Officer (MLRO).

Records of CDD measures (copies of identification documents, beneficial ownership information).

Records of all transactions, including:

Amount and currency of the transaction.

Parties involved (sender and recipient, including their virtual asset addresses).

Records of STRs and any internal suspicious activity reports.

Records of internal policies and procedures, and staff training.

**Retention Period:** All records must be retained for at least **five years** after the end of the business relationship with the customer or the date of an occasional transaction.

**1. For AML/CFT Compliance and Enforcement (FIU):**

**Name:** **Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias (SEPBLAC)**

**Role:** This is Spain's Financial Intelligence Unit (FIU). It is responsible for receiving, analyzing, and disseminating suspicious transaction reports. It also oversees compliance with AML/CFT obligations by obliged entities, including VASPs, and can impose sanctions for non-compliance.

**Name:** **Banco de España (Bank of Spain)**

**Role:** Following the transposition of the 5th AMLD, providers of virtual currency exchange services for fiat currency and electronic wallet custody services are required to register with the Bank of Spain. This registration is a prerequisite for operating legally in Spain. The Bank of Spain maintains a public register of these entities and ensures they meet certain operational and reputational requirements before granting registration.

**Specific Registry Page (in Spanish):** Look for "Registro de proveedores de servicios de cambio de moneda virtual por moneda fiduciaria y de custodia de monederos electrónicos" on their site. A direct link to the relevant section or public registry might change, but it can typically be found under their "Supervision" or "Financial Innovation" sections. As of the last update, the main page on registration is often linked from their "Normativa y publicaciones" (Regulations and Publications) or "Entidades supervisadas" (Supervised entities) sections.

**Requirement:** Entities providing services of virtual currency exchange for fiat currency, and **custody of electronic wallets (custodia de monederos electrónicos)**, must register with the **Bank of Spain (Banco de España)**. This is a *registration* requirement, not a full prudential *license* in the traditional sense, but it subjects providers to AML/CTF supervision.

**Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing (Ley 10/2010, de 28 de abril, de prevención del blanqueo de capitales y de la financiación del terrorismo).**

**Royal Decree 775/2021, of August 31 (Real Decreto 775/2021, de 31 de agosto)**, which modifies the Regulation of Law 10/2010 to specifically include virtual asset service providers. This decree specifies the conditions and procedures for their registration.

**Competent Authority:** **Bank of Spain (Banco de España)** is responsible for maintaining the register and supervising these entities for AML/CTF purposes.

**Bank of Spain VASP Register (information page):** https://www.bde.es/bde/es/secciones/servicios/Registro_de_pr/

Under the current AML/CTF framework, there isn't explicit legislation in Spain mandating the *segregation of client crypto-assets* in the same way it's required for traditional financial institutions (e.g., client funds in separate accounts). The focus is primarily on customer identification (KYC) and transaction monitoring.

However, general principles of good governance, consumer protection, and the prevention of misuse of funds would implicitly encourage or suggest such practices, even if not explicitly codified for crypto-assets.

The current AML/CTF registration requirements in Spain **do not explicitly mandate specific insurance or bonding requirements** for crypto custodians. Providers are expected to maintain general business insurance, but there isn't a regulatory requirement for a specific amount of capital or professional indemnity insurance directly linked to the custody of crypto-assets.

There are **no explicit regulatory mandates for the use of cold storage** as a specific technical requirement under the current Spanish AML/CTF framework. While cold storage is widely considered a best practice for securing digital assets against online threats, the regulations focus on the broader AML/CTF compliance rather than specific technological security measures. Firms are expected to have robust security protocols, but the specific implementation is left to the provider.

The current Spanish framework **does not define "qualified custodian"** specifically for crypto assets in the same way traditional finance defines qualified custodians (e.g., banks, trust companies). An entity registered with the Bank of Spain to provide "custody of electronic wallets" is essentially the recognized custodian for AML purposes, but this registration doesn't impose the same prudential or institutional requirements as a traditional financial "qualified custodian."

**Regulator Name:** Comisión Nacional del Mercado de Valores (CNMV)

**Entity Targeted:** Binance (specifically, Binance Spain S.L.)

**Violation Type:** Non-compliance with the CNMV's Circular 1/2022 on advertising of crypto-assets. The alleged violations included insufficient disclosure of risks, lack of clarity, and inadequate warnings in advertising campaigns.

**Date:** October 2023 (Resolution published in November 2023)

**Outcome:** Fine imposed and publicly announced. This marked a significant enforcement of Spain's relatively new crypto advertising rules.

**CNMV Official Announcement (Spanish):** https://www.cnmv.es/portal/verDoc.axd?t=%7b04968848-185d-4096-98ec-6aa0633b4d45%7d

**El País Article (Spanish):** https://elpais.com/economia/2023-11-06/la-cnmv-multa-con-31-millones-a-binance-por-incumplir-la-normativa-de-publicidad-de-criptoactivos.html

**Regulator Name:** Agencia Española de Protección de Datos (AEPD - Spanish Data Protection Agency)

**Entity Targeted:** Tools for Humanity Corp. (the company behind the Worldcoin project)

**Violation Type:** Illicit processing of personal data (especially sensitive biometric data like iris scans), lack of transparency, insufficient information provided to users, and processing of data of minors.

**Penalty Amount:** Precautionary measure imposing an immediate prohibition on the collection and processing of personal data by Worldcoin in Spain. A final fine amount will be determined after a full investigation, potentially reaching up to €20 million for GDPR violations.

**Outcome:** Precautionary measure imposed, requiring Worldcoin to cease all data collection and processing activities in Spain related to its iris scanning. Investigation ongoing. This is a very significant action due to its direct operational impact and the novelty of regulating biometric data in a crypto context.

**AEPD Official Press Release (Spanish):** https://www.aepd.es/prensa/la-aepd-impone-una-medida-cautelar-para-prohibir-a-worldcoin-el-tratamiento-de-datos-personales-en-espana

**Entity Targeted:** Numerous (hundreds) of unregistered entities operating in the cryptocurrency and forex markets, often referred to as "chiringuitos financieros" (financial boiler rooms). Specific examples include warnings against companies like Bitget, MEXC Global, and countless smaller, fraudulent-appearing platforms.

**Violation Type:** Offering investment services or products related to crypto assets in Spain without the required authorization or registration with the CNMV. This often includes deceptive advertising practices.

**Penalty Amount:** While not a single "fine," the outcome is a public warning, inclusion on the CNMV's "grey list" (list of unauthorized firms), and potential legal action or blocking of access within Spain. This effectively prohibits their operations in Spain and serves as a public consumer alert.

**Date:** Ongoing throughout the last 3 years (e.g., warnings against Bitget in 2021, MEXC in 2022, etc., with new entities added weekly).

**Outcome:** Prohibition of unauthorized operations in Spain, public consumer warning, and potential escalation to legal action. This proactive enforcement has been a continuous and significant effort to protect investors.

**CNMV Grey List (Ongoing updates, Spanish):** https://www.cnmv.es/Portal/ADVERTENCIAS/ListaEntidadesNoAutorizadas.aspx

**Example Warning (Bitget, 2021 - Search for specific names on CNMV website):** https://www.cnmv.es/portal/advertencia/ListaAdvertencias-fichas.aspx?id=1285

**CNMV General Press Release on crypto risks (Spanish, 2022):** https://www.cnmv.es/portal/prensa/NP-2022/NP_01022022.aspx

**Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA):**

This is the primary legal text. It creates a harmonized legal framework for crypto-assets not already covered by existing financial services legislation.

**URL:** Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets

**National Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) Legislation:**

**Real Decreto-ley 7/2021, de 27 de abril, de transposición de directivas de la Unión Europea en diversas materias** (Royal Decree-Law 7/2021, of April 27, transposing EU directives on various matters), which incorporated the 5th AMLD, including crypto-asset service providers, into Spanish law.

**Banco de España (BdE):** The central bank of Spain, responsible for supervising e-money institutions and credit institutions. Under MiCA, it will also be the competent authority for the supervision of issuers of e-money tokens (EMTs) and potentially asset-referenced tokens (ARTs), especially those of significant scale. It also maintains the registry for crypto-asset service providers under national AML law.

**URL (BdE Crypto Register):** Banco de España - Register of providers of virtual currency exchange for fiat currency and electronic custody of electronic wallets

**Comisión Nacional del Mercado de Valores (CNMV):** Spain's securities market regulator. It will be the competent authority for the supervision of issuers of ARTs (other than those supervised by BdE for e-money activities) and other crypto-assets under MiCA.

Defined as a crypto-asset whose main purpose is to be used as a means of exchange and that purports to maintain a stable value by referencing the value of **one single fiat currency**.

These are essentially tokenized fiat currency.

**Classification:** EMTs fall under MiCA's specific regime but are also closely linked to the **E-money Directive (EMD2)**. An issuer of an EMT is considered an e-money institution and must comply with both MiCA and relevant EMD2 provisions.

Defined as a crypto-asset that is not an e-money token and that purports to maintain a stable value by referencing any other value or right, or a combination thereof, including one or several fiat currencies, one or several commodities, or one or several crypto-assets, or a combination of such assets.

**Classification:** ARTs are a distinct category under MiCA. They are not e-money or securities in the traditional sense, but MiCA creates a bespoke regulatory regime for them.

Issuers must at all times maintain a **1:1 peg** with the fiat currency they reference.

The issuer must ensure that the reserve assets are invested in **secure, low-risk assets** (e.g., short-term government bonds, highly liquid money market funds) and held in **segregated accounts** with credit institutions.

At least **30%** of the reserve assets must be held in demand deposits and be available for immediate redemption.

Issuers are required to publish daily reserve statements.

Issuers must maintain a reserve of assets that is **equal to or greater than the value of the ARTs in circulation**.

The reserve assets must be **liquid** and held in **custody** by an independent third party (credit institution or crypto-asset service provider authorized for custody).

The investment policy for reserve assets must be publicly available, clear, and designed to minimize market, credit, and liquidity risk.

A minimum of **30%** of the reserve assets must be held in highly liquid financial instruments with minimal market risk, capable of being liquidated within one business day.

Issuers must establish clear redemption policies.

Only **credit institutions** (banks) or **e-money institutions (EMIs)** authorized under the EMD2 can issue EMTs.

An existing EMI license will be sufficient, but the EMI will also need to comply with the additional requirements of MiCA specific to EMTs.

The Banco de España would be the competent authority in Spain for supervising these entities.

Issuers of ARTs must be a **legal entity established in the EU** and obtain specific **authorization** from their national competent authority (in Spain, likely the CNMV, or the BdE if the ART has characteristics close to e-money or falls under its remit due to scale).

The authorization process involves a detailed application, demonstrating robust governance arrangements, internal control mechanisms, risk management procedures, and compliance with all MiCA requirements.

"Significant ARTs" (those with a large user base or high value) will be subject to enhanced supervision by the European Banking Authority (EBA) and potentially the European Central Bank (ECB).

Holders of EMTs have a right to redeem their tokens **at par value (1:1)** against the referenced fiat currency at **any time**.

This redemption must be done without undue delay and without charging any fees, unless otherwise specified in the white paper for specific circumstances (e.g., very high volumes).

Issuers must provide clear and precise terms and conditions for redemption, including the value at which the ARTs can be redeemed (which must be at **fair market value** of the referenced assets).

Redemption must be possible **at any time**, directly from the issuer or via a payment services provider.

**Prohibition:** MiCA effectively **prohibits** stablecoins that rely solely on an algorithm to maintain their price stability without backing their value with sufficient, robust reserve assets.

**Asset-Backed Requirement:** The core principle of MiCA's stablecoin framework is that both ARTs and EMTs must be **backed by actual reserves** designed to ensure their stability and allow for redemption. This means purely algorithmic, unbacked stablecoins like the former TerraUSD (UST) model would not be permitted under MiCA.

**Banco de España's Role:** The Banco de España is participating in the technical and policy discussions led by the European Central Bank (ECB) regarding the design and implementation of a digital euro.

**Distinction from Stablecoins:** A digital euro would be distinct from MiCA-regulated stablecoins.

**Digital Euro:** Central bank money, risk-free, direct liability of the ECB. It would serve as an official complement to cash and bank deposits.

**Stablecoins (ARTs/EMTs):** Private sector money, issued by regulated private entities, and subject to the specific risks and regulatory requirements outlined in MiCA.

**Complementary but Separate:** While both aim to facilitate digital payments, they operate on different levels. Stablecoins could potentially interact with a digital euro as a bridge or a method for specific use cases, but the digital euro's existence would create a fundamental, risk-free digital monetary base that stablecoins would exist alongside. The digital euro aims to preserve monetary sovereignty and offer a public option for digital payments, which could impact the demand for private stablecoins.