Spain -- Enforcement Actions Regulatory Overview

Spain has seen increasing activity from its financial regulators regarding cryptocurrencies in the last three years, largely driven by the implementation of new national regulations and compliance with EU directives. The most significant enforcement actions often stem from the National Securities Market Commission (CNMV) for advertising and unauthorized operations, and the Spanish Data Protection Agency (AEPD) for data privacy violations. The Bank of Spain (BdE) primarily focuses on registration for AML/CTF purposes.

Here are some of the most significant actions:

1. CNMV Fine Against Binance for Advertising Non-Compliance

• Regulator Name: Comisión Nacional del Mercado de Valores (CNMV)
• Entity Targeted: Binance (specifically, Binance Spain S.L.)
• Violation Type: Non-compliance with the CNMV's Circular 1/2022 on advertising of crypto-assets. The alleged violations included insufficient disclosure of risks, lack of clarity, and inadequate warnings in advertising campaigns.
• Penalty Amount: €3,100,000
• Date: October 2023 (Resolution published in November 2023)
• Outcome: Fine imposed and publicly announced. This marked a significant enforcement of Spain's relatively new crypto advertising rules.
• Source URLs:
  • CNMV Official Announcement (Spanish): https://www.cnmv.es/portal/verDoc.axd?t=%7b04968848-185d-4096-98ec-6aa0633b4d45%7d
  • El País Article (Spanish): https://elpais.com/economia/2023-11-06/la-cnmv-multa-con-31-millones-a-binance-por-incumplir-la-normativa-de-publicidad-de-criptoactivos.html

2. AEPD Precautionary Measure Against Worldcoin

• Regulator Name: Agencia Española de Protección de Datos (AEPD - Spanish Data Protection Agency)
• Entity Targeted: Tools for Humanity Corp. (the company behind the Worldcoin project)
• Violation Type: Illicit processing of personal data (especially sensitive biometric data like iris scans), lack of transparency, insufficient information provided to users, and processing of data of minors.
• Penalty Amount: Precautionary measure imposing an immediate prohibition on the collection and processing of personal data by Worldcoin in Spain. A final fine amount will be determined after a full investigation, potentially reaching up to €20 million for GDPR violations.
• Date: March 2024
• Outcome: Precautionary measure imposed, requiring Worldcoin to cease all data collection and processing activities in Spain related to its iris scanning. Investigation ongoing. This is a very significant action due to its direct operational impact and the novelty of regulating biometric data in a crypto context.
• Source URLs:
  • AEPD Official Press Release (Spanish): https://www.aepd.es/prensa/la-aepd-impone-una-medida-cautelar-para-prohibir-a-worldcoin-el-tratamiento-de-datos-personales-en-espana
  • Reuters Article (English): https://www.reuters.com/technology/spain-tells-worldcoin-stop-collecting-data-country-2024-03-06/

3. CNMV Warnings and "Grey List" Against Unregistered Crypto Investment Firms

• Regulator Name: Comisión Nacional del Mercado de Valores (CNMV)
• Entity Targeted: Numerous (hundreds) of unregistered entities operating in the cryptocurrency and forex markets, often referred to as "chiringuitos financieros" (financial boiler rooms). Specific examples include warnings against companies like Bitget, MEXC Global, and countless smaller, fraudulent-appearing platforms.
• Violation Type: Offering investment services or products related to crypto assets in Spain without the required authorization or registration with the CNMV. This often includes deceptive advertising practices.
• Penalty Amount: While not a single "fine," the outcome is a public warning, inclusion on the CNMV's "grey list" (list of unauthorized firms), and potential legal action or blocking of access within Spain. This effectively prohibits their operations in Spain and serves as a public consumer alert.
• Date: Ongoing throughout the last 3 years (e.g., warnings against Bitget in 2021, MEXC in 2022, etc., with new entities added weekly).
• Outcome: Prohibition of unauthorized operations in Spain, public consumer warning, and potential escalation to legal action. This proactive enforcement has been a continuous and significant effort to protect investors.
• Source URLs:
  • CNMV Grey List (Ongoing updates, Spanish): https://www.cnmv.es/Portal/ADVERTENCIAS/ListaEntidadesNoAutorizadas.aspx
  • Example Warning (Bitget, 2021 - Search for specific names on CNMV website): https://www.cnmv.es/portal/advertencia/ListaAdvertencias-fichas.aspx?id=1285
  • CNMV General Press Release on crypto risks (Spanish, 2022): https://www.cnmv.es/portal/prensa/NP-2022/NP_01022022.aspx

Note on Banco de España: While the Banco de España (BdE) is the authority responsible for registering Virtual Asset Service Providers (VASPs) for Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) purposes, its primary enforcement in the last three years has been through the registration process itself. This includes rigorous vetting, requiring firms to adapt their structures and compliance mechanisms. As of mid-2024, there haven't been widely publicized, significant financial penalties issued by the BdE against major registered crypto exchanges for AML non-compliance in the same manner as the CNMV or AEPD, though the framework for such fines is in place. The BdE's significance lies in setting the strict entry barriers for legal operation.