Spain -- Sanctions Compliance Regulatory Overview

Spain, as a Member State of the European Union, is subject to a multi-layered and robust framework of cryptocurrency sanctions and restrictions. This framework includes international sanctions (UN), regional sanctions (EU), and extraterritorial sanctions (US OFAC), all of which have direct or indirect implications for Virtual Asset Service Providers (VASPs) operating in Spain. Spanish national law further specifies compliance obligations and penalties.

Here's a breakdown of the applicable sanctions and restrictions:

I. International Frameworks Applicable in Spain

A. EU Sanctions Regime (Directly Applicable)

The European Union implements its own autonomous sanctions regimes and also implements sanctions imposed by the United Nations Security Council. EU regulations are directly binding and applicable in all Member States, including Spain, without the need for national implementing legislation (though national laws define penalties).

1. General Principles and Scope:

• Direct Effect: EU Council Regulations imposing sanctions are directly applicable in Spain.

• Scope: EU sanctions target individuals, entities, and sometimes entire countries, prohibiting various activities, including providing financial services, dealing with certain goods, or transferring funds/economic resources. "Economic resources" explicitly includes virtual assets.

• Purpose: To counter terrorism, proliferation of weapons of mass destruction, human rights abuses, and to uphold international law (e.g., in response to Russia's aggression against Ukraine).

• Consolidated List: The EU maintains a consolidated list of persons, groups, and entities subject to EU financial sanctions, which VASPs must screen against.

  • Legal Reference: The legal basis for EU sanctions is primarily Article 215 of the Treaty on the Functioning of the European Union (TFEU).
  • URL: Treaty on the Functioning of the European Union (TFEU)
  • URL: EU Sanctions Map (Consolidated List Data)

2. Crypto-Specific Prohibitions (e.g., Russia Sanctions):

• Following Russia's invasion of Ukraine, the EU introduced explicit prohibitions on crypto-asset services as part of its sanctions packages.

• Council Regulation (EU) 2022/1904 (amending Regulation (EU) No 833/2014) notably prohibited:

  • Providing crypto-asset wallet, account, or custody services to Russian persons or residents, regardless of the value of the crypto assets. (Earlier versions had a €10,000 threshold, which was removed).
  • Providing services related to crypto assets to the Government of Russia or any natural or legal person, entity, or body established in Russia.

• Scope for VASPs: This means Spanish VASPs cannot offer crypto services (exchange, custody, etc.) to anyone who is a Russian national, resident in Russia, or a legal entity established in Russia.

  • Legal Reference: Council Regulation (EU) No 833/2014 concerning restrictive measures in view of Russia's actions destabilising the situation in Ukraine, as amended multiple times (e.g., by Council Regulation (EU) 2022/1904 of 6 October 2022).
  • URL: Consolidated version of Council Regulation (EU) No 833/2014 (search for latest) (Note: Always check the latest consolidated version on Eur-Lex, as it's frequently updated).

B. UN Sanctions Regime

• Implementation: Spain, as an EU member, implements UN Security Council sanctions through EU Regulations.

• Scope: UN sanctions typically target specific individuals, entities, and countries involved in terrorism, proliferation, or other threats to international peace and security.

• Impact on VASPs: Any person or entity designated by the UN and subsequently included in an EU implementing regulation (or a national implementing act) must be treated as a sanctioned party. This means freezing their assets (including crypto assets) and prohibiting making funds or economic resources available to them.

  • Legal Reference: UN Security Council Resolutions (various).
  • URL: UN Security Council Sanctions Committees

C. OFAC (US) Sanctions Regime (Extraterritorial Reach)

• Relevance for Spanish VASPs: While a Spanish VASP is primarily governed by EU and Spanish law, US sanctions imposed by the Office of Foreign Assets Control (OFAC) can have extraterritorial reach, particularly if:

  • The VASP deals in USD-denominated transactions.
  • It uses US-origin technology or software.
  • It has US persons or entities as customers, partners, or employees.
  • Transactions "transit" through the US financial system.

• Scope: OFAC maintains various sanctions programs targeting specific countries (e.g., Cuba, Iran, North Korea, Syria, Venezuela), individuals, and entities (e.g., terrorists, cybercriminals, those involved in ransomware, narcotics traffickers).

• Crypto-Specific Actions: OFAC has increasingly sanctioned entities and individuals involved in illicit crypto activities, including mixing services (e.g., Tornado Cash), ransomware groups, and crypto exchanges facilitating illicit transactions.

• Sanctions Lists: VASPs should screen against OFAC's Specially Designated Nationals (SDN) and Blocked Persons List, the Sectoral Sanctions Identifications (SSI) List, and other relevant lists.

  • Legal Reference: Various US Executive Orders and implementing regulations (e.g., 31 CFR Chapter V).
  • URL: OFAC Sanctions Programs and Country Information
  • URL: OFAC Sanctions List Search (SDN List)
  • URL: OFAC Guidance on Virtual Currency (Always check for latest version).

II. Spanish National Implementation and Specific Requirements for VASPs

Spain has integrated EU AML/CFT and sanctions requirements into its national legal framework, with specific provisions for VASPs.

A. Legal Framework for VASPs

• Law 10/2010 on the Prevention of Money Laundering and Terrorist Financing (Ley 10/2010, de 28 de abril, de prevención del blanqueo de capitales y de la financiación del terrorismo): This is the cornerstone of Spain's AML/CFT framework. It was amended to incorporate the EU's 5th Anti-Money Laundering Directive (AMLD5), bringing VASPs under its scope.

  • Key Amendment: Real Decreto-ley 7/2021, de 27 de abril, transposing AMLD5, specifically includes providers engaged in the exchange of virtual currency for fiat currency and custodial wallet providers as "obligated subjects" (sujetos obligados).
  • URL: Ley 10/2010 (consolidated text on BOE)
  • URL: Real Decreto-ley 7/2021 (Article 1.7 specifically regarding VASPs)

• Bank of Spain (Banco de España): VASPs operating in Spain must register with the Bank of Spain. This registration requires them to comply with AML/CFT obligations, including sanctions compliance.

  • URL: Bank of Spain Registry for VASPs

• SEPBLAC (Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales y Financiación del Terrorismo): This is Spain's Financial Intelligence Unit (FIU) and supervisory authority for AML/CFT. It provides guidance and oversight to obligated subjects, including VASPs.

  • URL: SEPBLAC Website

B. Sanctioned Entity Screening Obligations for VASPs

Spanish VASPs, as "obligated subjects" under Ley 10/2010, have stringent sanctions compliance obligations:

• Customer Due Diligence (CDD): Implement robust KYC procedures to identify and verify customers and beneficial owners. This includes screening against sanctions lists before onboarding and throughout the business relationship.
• Sanctions Lists to Screen Against:
  • EU Consolidated List: Mandatory for all customers, beneficial owners, and relevant third parties.
  • UN Sanctions Lists: Implemented via EU regulations, thus covered by screening against the EU list.
  • OFAC Sanctions Lists (SDN, SSI): Highly recommended, especially if there's any US nexus (USD transactions, US clients, US technology).
• Nature of Screening:
  • Entity Screening: Screen names of individuals and legal entities, including aliases, associated parties, and beneficial owners.
  • Transaction Screening: Monitor transactions for potential involvement of sanctioned parties or sanctioned jurisdictions.
• Ongoing Monitoring: Continuously monitor existing customer bases against updated sanctions lists. Sanctions lists are dynamic and updated frequently.
• Asset Freezing: Immediately freeze any virtual assets or economic resources belonging to designated individuals or entities upon discovery of a match.
• Prohibition on Making Funds Available: Do not directly or indirectly make funds or economic resources (including crypto assets) available to sanctioned individuals or entities.
• Reporting Obligations:
  • Suspicious Transaction Reports (STRs) / Comunicaciones por Indicios (CI): Report any suspected money laundering or terrorist financing activity to SEPBLAC. This includes situations where a transaction involves a sanctioned entity or a sanctioned jurisdiction.
  • Sanctions Match Reporting: Report positive matches against sanctions lists to SEPBLAC and/or the relevant Spanish authorities.

C. Geographic Restrictions

• Beyond screening for specific individuals/entities, Spanish VASPs must also adhere to country-specific sanctions regimes. This means prohibiting services or transactions with or within certain sanctioned territories.
• Examples of Sanctioned Jurisdictions (EU/UN/OFAC): Crimea/Sevastopol, Donetsk, Luhansk, Kherson, Zaporizhzhia (Ukraine territories occupied by Russia), North Korea, Iran, Syria, Cuba, Venezuela (specific regimes), Russia (extensive prohibitions).
• Impact on Crypto: VASPs cannot:
  • Establish business relationships with individuals or entities located in, or primarily operating from, sanctioned jurisdictions if the sanctions regime prohibits such engagement.
  • Facilitate transactions that would directly or indirectly benefit sanctioned entities or regimes in these geographies.
  • Provide any crypto-asset services in regions under comprehensive sanctions (e.g., providing wallets or exchange services to residents of North Korea or to entities controlled by the North Korean government).

III. Penalties for Violations in Spain

Violations of sanctions and AML/CFT laws in Spain can lead to severe administrative and criminal penalties for VASPs and their management.

• Administrative Penalties (Ley 10/2010):

  • Serious Infringements (Infracciones Graves): Can result in fines of up to €5 million or up to 10% of the VASP's annual turnover, or even up to 150% of the amount of the transaction if determinable. This includes failure to apply CDD, failure to report suspicious transactions, or lack of internal control measures.
  • Very Serious Infringements (Infracciones Muy Graves): Can result in fines of up to €10 million or up to 10% of the VASP's annual turnover, or even up to 150% of the amount of the transaction, plus potential public reprimand, revocation of authorization, or disqualification of management. This includes repeated serious infringements, intentional breaches, or aiding and abetting money laundering/terrorist financing.

• Criminal Penalties (Código Penal):

  • Money Laundering (Blanqueo de Capitales - Article 301): Imprisonment from 6 months to 6 years and fines. If committed by an obligated subject in the exercise of their profession, the penalties are aggravated, including special disqualification.
  • Terrorist Financing (Financiación del Terrorismo - Article 576): Imprisonment from 5 to 10 years, and fines, for those who provide, collect, or manage funds or assets (including virtual assets) with the intention that they be used for terrorist activities.

• Reputational Damage: Significant harm to the VASP's reputation, trust, and ability to operate.

  • Legal Reference: Ley 10/2010, de 28 de abril, Chapters IV and V (Infracciones y Sanciones).
  • URL: Ley 10/2010 (consolidated text on BOE)
  • Legal Reference: Ley Orgánica 10/1995, de 23 de noviembre, del Código Penal, Articles 301-304 (Money Laundering) and 576 (Terrorist Financing).
  • URL: Código Penal (consolidated text on BOE)

IV. Country-Specific Sanctions Lists for Crypto (Spain)

Spain does not maintain a separate national sanctions list specifically for crypto assets. Instead, as an EU Member State, Spain directly applies:

• The EU Consolidated List of Persons, Groups and Entities Subject to EU Financial Sanctions, which incorporates UN sanctions and the EU's autonomous sanctions regimes. This list is comprehensive and includes individuals and entities designated under various categories, including those involved in illicit financial activities that may encompass crypto.
• While not a Spanish list, OFAC's SDN List and other sanctions lists are critical for Spanish VASPs to screen against due to potential extraterritorial implications.

The focus for Spanish VASPs is on robust compliance programs that integrate screening against the EU's comprehensive sanctions lists, understanding the specific crypto-related prohibitions in EU regulations (like the Russia sanctions), and being aware of OFAC's reach.

Conclusion

VASPs operating in Spain face a complex and evolving sanctions landscape. Compliance requires a comprehensive approach, including:

1. Robust KYC/CDD procedures at onboarding and throughout the customer lifecycle.
2. Automated and continuous screening of all customers, beneficial owners, and transactions against UN, EU, and relevant OFAC sanctions lists.
3. Real-time monitoring of transactions for red flags, including geographic restrictions.
4. Immediate asset freezing and prohibition of making funds available upon a sanctions match.
5. Timely reporting of suspicious activities and sanctions matches to SEPBLAC.
6. Regular training for staff and a well-documented compliance program.

Failure to comply carries significant legal, financial, and reputational risks.