Cumplimiento normativo

Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT)

If your company is listed among the obliged entities under Law 10/2010, you need a documented, up-to-date and auditable internal control system. At Summum Consultoría we implement it from scratch — or review your existing one — aligning it with the new EU AML regulatory package 2024.

Legal frameworkLaw 10/2010 · RD 304/2014 · EU AML Package 2024
Supervisory authoritySEPBLAC (Spanish Anti-Money Laundering Commission)
ScopeObliged entities: real estate agencies, advisors, notaries, fund managers, financial intermediaries and others

Law 10/2010 of 28 April on the prevention of money laundering and terrorist financing (AML/CFT) — developed by Royal Decree 304/2014 — obliges a broad range of companies and professionals to implement customer due diligence measures, identify their clients and transactions, retain documentation, appoint a representative before SEPBLAC and maintain an up-to-date internal manual. Penalties for non-compliance range from formal warnings to fines that can reach 10% of annual turnover in the most serious cases.

In 2024, the European Union published the so-called 'AML Package' — comprising Regulation (EU) 2024/1624 (AMLR), Directive (EU) 2024/1640 (AMLD6) and the Regulation establishing the European Anti-Money Laundering Authority (AMLA) — which reinforces existing obligations, extends the scope to new sectors (crypto-asset service providers, luxury real estate agents, digital asset managers) and sets 10 July 2027 as the key deadline for full national transposition. Spain already has a draft reform of RD 304/2014 under way to align domestic regulations with the new EU requirements, with a public consultation period completed in 2026.

Summum Consultoría — with offices in Valladolid, Burgos, Palencia, Aranda de Duero and Las Palmas, and more than 2,000 regulatory compliance projects supported since 2007 — designs and implements the AML/CFT system tailored to each company's actual activity: analysis of the inherent risk of the client portfolio, standard and enhanced due diligence procedures, assessment of politically exposed persons (PEP), internal suspicious transaction reporting channel, ongoing staff training and, where required, coordination with the periodic external examination mandated by law.

The Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) process.

The process · four stages
01

Diagnosis and classification

We determine whether your company qualifies as an obliged entity and at what sectoral risk level. We review existing documentation (if any), identify gaps against Law 10/2010 and the AMLR, and prioritise the actions with the greatest regulatory impact.

02

Design of the internal control system

We draft the AML/CFT Prevention Manual tailored to your activity, the risk map by client and transaction, due diligence procedures (standard, simplified and enhanced), and the KYC policy with the formal identification measures required by the regulation.

03

Operational implementation and SEPBLAC reporting

We set up the suspicious transaction reporting channel, designate or advise on the designation of the SEPBLAC representative, and prepare reporting procedures for the Anti-Money Laundering Commission. We deliver the mandatory training programme to exposed staff.

04

Ongoing maintenance and regulatory updates

We review the manual and risk map annually. When significant regulatory changes occur — such as the transposition of AMLD6 or amendments to the Spanish regulation — we update the documentation and alert the compliance officer so that no deviations arise.

What is included

What Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Full AML/CFT Manual

    Internal control document tailored to the company's activity, including client acceptance policy, due diligence procedures, risk map and transaction register. Updatable with each regulatory reform.

  • Risk analysis and classification

    Identification of the inherent risk of each client segment, product and distribution channel, with the risk matrix required by Article 32 of RD 304/2014 and aligned with SEPBLAC's 2024 National Risk Assessment.

  • KYC and due diligence procedures

    Client identification and verification protocols (Know Your Customer), including enhanced due diligence for PEPs, relationships with high-risk countries and complex or unusually large transactions.

  • SEPBLAC representative

    Advisory on the appointment, duties and responsibilities of the representative before the Anti-Money Laundering Commission, as well as on processing periodic activity communications and reports.

  • Staff training

    Mandatory training programme for staff with access to transactions or clients, with attendance and assessment records. Tailored by role: management, sales, administration and operations.

  • Update to the EU AML Package 2024

    Analysis of the impact of Regulation (EU) 2024/1624 and Directive 2024/1640 on the company, and a roadmap to meet national transposition deadlines before July 2027 — without waiting until the last moment.

Frequently asked questions about Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT).

How do I know whether my company is an obliged entity under Law 10/2010?

Article 2 of Law 10/2010 provides the exhaustive list: credit and financial institutions, life insurers, fund managers, real estate agents, notaries, lawyers and solicitors (for certain transactions), auditors, tax advisors, property developers, luxury goods traders (jewellery, works of art, vehicles) and, following successive reforms and the full application of MiCA Regulation (EU) 2023/1114, crypto-asset service providers and certain digital intermediaries. If you are unsure, we offer a free initial diagnosis.

What must the legally required prevention manual contain?

The manual must include at least: the client acceptance policy, risk classification criteria, due diligence procedures (standard, simplified and enhanced), measures for identifying the ultimate beneficial owner, internal suspicious transaction reporting procedures, the reporting channel to SEPBLAC, the training plan and internal control measures to detect non-compliance. The exact content depends on the sector and transaction volume.

What changes with the new EU AML Package 2024?

Regulation (EU) 2024/1624 (AMLR) directly harmonises — without the need for national transposition — due diligence thresholds, identification of the ultimate beneficial owner and obligations for crypto-asset service providers. Directive AMLD6 reinforces supervision and cooperation between authorities. AMLA, headquartered in Frankfurt, will directly supervise the highest-risk entities from 2028. Spanish companies must update their systems before July 2027.

How often must the manual and AML/CFT system be reviewed?

The law does not set a fixed frequency, but SEPBLAC recommends a minimum annual review, and always when there are significant regulatory changes, introduction of new products or services, expansion into new high-risk geographic markets or internal incidents. In addition, non-financial companies above certain transaction thresholds must submit their system to a periodic external examination.

What happens if SEPBLAC identifies deficiencies in my AML/CFT system?

SEPBLAC may issue recommendations, remediation requirements, formal reprimands or initiate disciplinary proceedings. Serious sanctions under Law 10/2010 can reach twice the benefit obtained, 10% of the previous year's annual turnover or high fixed amounts, depending on the type of infringement. Diligent cooperation and the existence of a documented programme are recognised mitigating factors.