Spain -- Custody Regulations Regulatory Overview

Spain's regulatory framework for cryptocurrency and digital asset custody is currently evolving, largely driven by the transposition of EU directives and the upcoming implementation of the landmark Markets in Crypto-assets (MiCA) Regulation.

Currently, the primary regulatory oversight for crypto-asset service providers (CASPs), including those offering custody services, stems from Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) regulations. The future will be shaped by MiCA, which introduces a comprehensive licensing and operational framework.

Current Framework in Spain (Based on AMLD5 Transposition)

Spain, like other EU member states, has transposed the 5th Anti-Money Laundering Directive (AMLD5). This brought virtual asset service providers (VASPs), including those providing custody services, under the scope of AML/CTF obligations.

1. Custodial License Requirements (Registration)

• Requirement: Entities providing services of virtual currency exchange for fiat currency, and custody of electronic wallets (custodia de monederos electrónicos), must register with the Bank of Spain (Banco de España). This is a registration requirement, not a full prudential license in the traditional sense, but it subjects providers to AML/CTF supervision.
• Legal Basis:
  • Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing (Ley 10/2010, de 28 de abril, de prevención del blanqueo de capitales y de la financiación del terrorismo).
  • Royal Decree 775/2021, of August 31 (Real Decreto 775/2021, de 31 de agosto), which modifies the Regulation of Law 10/2010 to specifically include virtual asset service providers. This decree specifies the conditions and procedures for their registration.
• Competent Authority: Bank of Spain (Banco de España) is responsible for maintaining the register and supervising these entities for AML/CTF purposes.
• URL:
  • Ley 10/2010: https://www.boe.es/eli/es/l/2010/04/28/10
  • Real Decreto 775/2021: https://www.boe.es/eli/es/rd/2021/08/31/775
  • Bank of Spain VASP Register (information page): https://www.bde.es/bde/es/secciones/servicios/Registro_de_pr/

2. Segregation of Client Assets Rules

• Under the current AML/CTF framework, there isn't explicit legislation in Spain mandating the segregation of client crypto-assets in the same way it's required for traditional financial institutions (e.g., client funds in separate accounts). The focus is primarily on customer identification (KYC) and transaction monitoring.
• However, general principles of good governance, consumer protection, and the prevention of misuse of funds would implicitly encourage or suggest such practices, even if not explicitly codified for crypto-assets.

3. Insurance/Bonding Requirements

• The current AML/CTF registration requirements in Spain do not explicitly mandate specific insurance or bonding requirements for crypto custodians. Providers are expected to maintain general business insurance, but there isn't a regulatory requirement for a specific amount of capital or professional indemnity insurance directly linked to the custody of crypto-assets.

4. Cold Storage Mandates

• There are no explicit regulatory mandates for the use of cold storage as a specific technical requirement under the current Spanish AML/CTF framework. While cold storage is widely considered a best practice for securing digital assets against online threats, the regulations focus on the broader AML/CTF compliance rather than specific technological security measures. Firms are expected to have robust security protocols, but the specific implementation is left to the provider.

5. Qualified Custodian Definitions

• The current Spanish framework does not define "qualified custodian" specifically for crypto assets in the same way traditional finance defines qualified custodians (e.g., banks, trust companies). An entity registered with the Bank of Spain to provide "custody of electronic wallets" is essentially the recognized custodian for AML purposes, but this registration doesn't impose the same prudential or institutional requirements as a traditional financial "qualified custodian."

Pending Custody Legislation (MiCA - Markets in Crypto-assets Regulation)

The Markets in Crypto-assets (MiCA) Regulation (Regulation (EU) 2023/1114) will be the most significant piece of legislation for digital asset custody in the EU, including Spain. It introduces a harmonized, comprehensive regulatory framework for crypto-assets and CASPs across the EU.

MiCA's provisions for CASPs offering "custody and administration of crypto-assets on behalf of clients" are expected to apply from 30 December 2024 for stablecoins (ARTs and EMTs) and 30 June 2025 for other crypto-assets and CASPs.

1. Custodial License Requirements (Authorization)

• Requirement: Under MiCA, providing "custody and administration of crypto-assets on behalf of clients" will require a full authorization (license) from a national competent authority (in Spain, likely the CNMV - Comisión Nacional del Mercado de Valores, or potentially the Bank of Spain, subject to national implementation laws).
• Legal Basis: Regulation (EU) 2023/1114 on Markets in Crypto-assets (MiCA).
• Key Provisions: Articles 53-62 of MiCA detail the authorization process and requirements for all CASPs, including those offering custody.
• URL:
  • Regulation (EU) 2023/1114 (MiCA): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114

2. Segregation of Client Assets Rules (Explicit)

• MiCA explicitly mandates robust rules for safeguarding client crypto-assets.
• Key Provisions (Article 38 - MiCA):
  • CASPs offering custody must enter into a custody agreement with clients.
  • They must establish and maintain an internal policy outlining how they safeguard client crypto-assets and funds.
  • Segregation: They must ensure the segregation of clients' crypto-assets and funds from their own assets, and from the assets of other clients, in their accounting records.
  • They must take adequate measures to ensure that client crypto-assets are not available to third-party creditors of the CASP.
  • They must establish a policy on the insolvency of the CASP.
• This will be a significant step up from the current framework.

3. Insurance/Bonding Requirements (Prudential Safeguards)

• MiCA introduces prudential requirements for CASPs.
• Key Provisions (Article 67 - MiCA):
  • CASPs will be required to hold a minimum amount of own funds or have a professional indemnity insurance policy, or a combination of both.
  • The amount will depend on the type of services provided and a risk assessment. For "custody and administration of crypto-assets on behalf of clients," this prudential requirement is set at a higher tier than for some other services.
  • This aims to cover potential liability risks, including operational risks and professional negligence.

4. Cold Storage Mandates (Implied Security)

• While MiCA does not explicitly mandate "cold storage," it places strong emphasis on robust security arrangements, operational resilience, and integrity of systems.
• Key Provisions (Article 37 - MiCA): CASPs must "act honestly, fairly and professionally in accordance with the best interests of their clients" and "implement sound administrative arrangements, which ensure the protection of clients' data." Article 38 also requires "robust security arrangements."
• The requirement for sound operational and security measures would naturally lead custodians to adopt industry best practices, including sophisticated multi-signature schemes, hardware security modules (HSMs), and segregated "cold" or "warm" storage solutions, even if the specific technology isn't dictated.

5. Qualified Custodian Definitions (Authorized CASPs)

• Under MiCA, entities authorized to provide "custody and administration of crypto-assets on behalf of clients" will effectively be the "qualified custodians" within the EU regulatory framework.
• MiCA sets out detailed requirements for these authorized entities, including:
  • Prudential requirements (capital/insurance).
  • Organizational requirements (governance, risk management, internal controls).
  • Operational requirements (IT systems, security, business continuity).
  • Conduct of business rules (fairness, best interests of clients, complaint handling).
• This will establish a clear standard for what constitutes a regulated and "qualified" crypto custodian in Spain and across the EU.

In summary, Spain is transitioning from an AML-focused registration regime for crypto custodians to a comprehensive, prudential, and conduct-of-business framework under MiCA. This shift will significantly increase the regulatory burden and requirements for entities offering digital asset custody services.