If your company appears on the list of obligated entities under the Law 10/2010 of 28 April on the prevention of money laundering and terrorist financing, simply knowing the regulation is not enough: you must demonstrate to SEPBLAC an active, documented, and periodically audited internal control system. In 2024, according to specialist analyses, cumulative fines in the real estate sector for AML/CFT non-compliance exceeded €30 million. The question that reaches Summum Consultoria from businesses in Valladolid, Burgos, and Palencia is always the same: «What exactly does an AML/CFT consultancy include and what will it cost me?» This article answers both questions with real data.
Who Is Obligated? The Entities Listed in Article 2 of Law 10/2010
The most common mistake is to assume the regulation only applies to banks and financial institutions. Article 2 of Law 10/2010 includes an extensive list that, within the business fabric of Castilla y León, reaches sectors many would not expect:
- Real estate agents who intervene in the purchase, sale, or rental of property (even without a formal licence).
- Property developers when acting as vendors.
- Statutory auditors, external accountants, tax advisers, and administrative agencies (gestorías) when providing financial or tax advisory services.
- Lawyers in property transactions, client fund management, company formation, or acting on behalf of clients in financial transactions.
- Company service providers (formation, administration, or management of companies).
- Currency exchange offices, casinos, jewellers, and antique dealers above specific thresholds.
- Crypto-asset service providers, a category that the 2025 regulatory update has defined in greater detail.
The Directorate General of the Treasury and Financial Policy published updated Risk Indicator Catalogues for ML/TF in the first half of 2025 — a key tool for obligated entities to calibrate their exposure and document their assessment. Ignoring this update means working with an outdated map.
What a Full AML/CFT Consultancy Includes
The service is not a document signed once and filed away. It is a permanent control system reviewed at least annually and whenever the company changes its activity, clients, or structure. These are the canonical components required by SEPBLAC:
1. Entity Risk Assessment (ERA)
An analytical document that identifies and weights the money laundering and terrorist financing risks specific to the business: client typology, countries of operation, products or services offered, distribution channels, and transaction volume. It is the starting point of the entire system. Without an up-to-date ERA, SEPBLAC has no benchmark against which to judge whether controls are proportionate to the real risk.
2. Prevention Manual
A written internal policy covering customer due diligence (KYC) procedures, simplified and enhanced measures, the process for reporting suspicious transactions to SEPBLAC, client acceptance policy, and the management of Politically Exposed Persons (PEPs). The manual must be tailored to the sector and size of the company — not a generic document downloaded from the internet.
3. Appointment and Training of the SEPBLAC Representative
The law requires designating a person responsible before SEPBLAC. In SMEs, this is usually the managing director or the chief financial officer. The consultancy prepares the formal notification of appointment and designs a specific training plan for that person and for other team members with control functions.
4. KYC and Beneficial Ownership Procedures
Operational protocols for formally identifying the client, verifying their identity, determining the beneficial owner (the ultimate effective beneficiary, even when the client is a company), and keeping that information current. This includes data collection forms, accepted verification sources, and the thresholds above which enhanced measures apply.
5. Internal Channel for Reporting Suspicious Transactions
An internal procedure enabling any employee to report an unusual transaction without fear of retaliation, with documented traceability and escalation timelines to the Representative and, where appropriate, to SEPBLAC. This channel is distinct — though complementary — to the whistleblowing channel required by Law 2/2023 (Whistleblowing Directive).
6. Ongoing Team Training
Law 10/2010 requires periodic, not one-off, training. The training plan must be documented: content delivered, attendees, date, and outcome. In many cases, this training can be subsidised through FUNDAE.
7. Annual Internal Audit of the AML/CFT System
An independent review of how the system actually functions: are KYC procedures applied in practice? Have all transactions that should have been reported been reported? Does the manual reflect the company's current activity? This audit produces the report that the company archives and that SEPBLAC may request at any inspection.
If you wish to review in detail how we approach each of these pillars, you can visit our AML/CFT consultancy service page, where we explain the scope and phases of the project.
How It Is Priced: Factors That Drive the Cost
An AML/CFT consultancy does not have a single fee. The indicative price varies according to several factors that any serious consultant must analyse before quoting a figure:
| Factor | Impact on Cost | Practical Example |
|---|---|---|
| Sector and risk profile | High | An administrative agency managing client funds has greater exposure than one that only files tax returns |
| Volume of active clients | High | A real estate agency with 200 annual transactions requires more KYC documentation than one with 20 |
| International operations | Medium-High | Clients from high-risk or third countries require enhanced due diligence measures |
| Existence of a prior system | Medium | Starting from scratch is more costly than updating an already implemented system |
| Number of employees with control functions | Low-Medium | More people means more training hours and more procedures to document |
| Presence of PEPs or sensitive sectors | High | Portfolios involving politicians, business owners from risk jurisdictions, or sectors such as online gambling trigger enhanced measures |
Indicative Market Ranges for 2025-2026
Based on benchmarks published by specialist firms and consultancies in Spain, the indicative market ranges for an initial implementation are:
- Low-risk SME (tax advisory without fund management, small real estate agency with fewer than 20 transactions per year): between €1,500 and €4,000 for the complete system implementation (ERA + manual + KYC procedures + initial training).
- Medium-risk SME (active real estate agency, administrative agency with company services, auxiliary financial services firm): between €4,000 and €9,000.
- Medium-sized company or complex operations (property developer, company with international clients, crypto-asset operators): from €9,000 upwards, potentially exceeding €20,000 if technological integration for client screening is required.
To these amounts must be added the annual maintenance of the system (ERA update, internal audit, manual update, and refresher training), which for low-to-medium-risk SMEs typically ranges between €800 and €2,500 per year. These figures are market references from specialist consultancies and law firms in Spain; they are not Summum's own fees.
The key consideration when comparing quotes is to verify which specific deliverables each proposal includes. A low price that does not contemplate the ERA or the annual audit is not an advantage — it is an incomplete system that will leave the company exposed in a SEPBLAC inspection.
Real Consequences of Non-Compliance
The sanctioning regime under Law 10/2010 is one of the most severe in Spanish administrative law. Very serious infringements can result in fines of up to €10 million or 10% of turnover. Serious infringements can reach up to €5 million (or 10% of annual turnover, if higher). According to specialist annual reviews of SEPBLAC sanctions and requirements, in 2024 SEPBLAC processed numerous sanctioning proceedings in the real estate sector, with cumulative fines that, according to some specialist sources, exceeded €30 million.
The infringements most frequently detected are:
- Absence of a risk assessment, or one that is more than three years old without an update.
- Formal KYC procedures that are not applied in practice (the client file is incomplete).
- Lack of documented team training.
- Failure to designate a SEPBLAC representative, or failure to update that designation after a change of management.
- Absence of an internal audit of the system within the last twelve months.
Corporate criminal liability for money laundering (Article 31 bis of the Spanish Criminal Code) is increasingly enforced by courts: if an employee commits a money laundering offence and the company cannot demonstrate effective control measures, the entity may face criminal liability. The AML/CFT system is no longer merely an administrative obligation — it is also a shield for criminal compliance.
AML/CFT Consultancy in the Context of European Regulation
Law 10/2010 transposed the Fourth Anti-Money Laundering Directive (AMLD4). The Fifth (AMLD5) and Sixth (AMLD6) have added successive obligations, and the EU AML Regulation, adopted in 2024 and progressively applicable until 2027, will create the EU Anti-Money Laundering Authority (AMLA, headquartered in Frankfurt) that will directly supervise the highest-risk entities. For Spanish SMEs subject to obligations, this means that the standard of scrutiny will continue to rise: what meets the minimum today may fall short in 2027.
Companies that already have a robust system in place will navigate that transition with a clear advantage. Those that improvise each time they receive a SEPBLAC request will accumulate emergency costs far exceeding those of an orderly initial implementation.
Why Geography Matters: Valladolid and Castilla y León
The business fabric of Valladolid concentrates a high proportion of sectors with AML/CFT obligations: real estate agencies (active residential market), administrative agencies and tax advisers (many providing company services), auxiliary financial services firms, and property developers with projects across the region's main cities. Geographic proximity to the consultant has real value in this context: in-person visits for team training, client file reviews, and inspection preparation are conducted face-to-face, not by video call.
Summum Consultoria works from Valladolid with companies throughout Castilla y León — Burgos, Palencia, Aranda de Duero — and, when the project requires it, in Las Palmas de Gran Canaria. Since 2007 we have supported more than two thousand business compliance projects: we know the local market and the sectors that attract the most inspections.
Frequently Asked Questions
Is my tax advisory firm required to have an AML/CFT system?
It depends on the specific services you provide. If your firm manages client funds, intervenes in company formation, or provides financial or tax advice to clients who conduct transactions above certain thresholds, you fall within the scope of Article 2 of Law 10/2010. If you only file tax returns without managing funds, the obligation is more nuanced. The most prudent course is to carry out a specific review of your service catalogue before concluding that the regulation does not apply.
How often must the manual and the risk assessment be updated?
SEPBLAC's recommendation is that the Entity Risk Assessment be reviewed at least annually and whenever there are significant changes to the business: new services, changes in the client base, entry into new markets, or relevant regulatory changes. The prevention manual must be updated whenever an internal procedure or the regulation underpinning that procedure changes. The internal audit of the system is compulsory with a minimum annual frequency.
What is the difference between AML/CFT consultancy and criminal compliance?
They are complementary but distinct frameworks. AML/CFT consultancy addresses specific administrative obligations under Law 10/2010 supervised by SEPBLAC. Criminal compliance (Article 31 bis of the Spanish Criminal Code) is the control system designed to exempt or mitigate the criminal liability of a legal entity for offences committed by its employees or directors, of which money laundering is one of the most relevant. Having a good AML/CFT system strengthens criminal compliance but does not replace it. For medium-sized companies or those with greater exposure, it is advisable to implement both in a coordinated manner.
Can I manage the AML/CFT system internally without external consultancy?
Technically, yes. The law does not require the system to be designed by an external consultant. In practice, most SMEs do not have staff with the up-to-date knowledge needed to draft an ERA that conforms to the latest SEPBLAC risk indicator catalogues, design KYC procedures proportionate to the real risk, or prepare an internal audit that will withstand an inspection request. The cost of a poorly designed system — in terms of fines and crisis management time — far exceeds the cost of professional consultancy from the outset.