One of the questions we receive most frequently at Summum Consultoría is a straightforward one: «Do I need an anti-money laundering prevention manual?» The answer is not always obvious, because the list of subject entities under Law 10/2010, of 28 April, on the prevention of money laundering and the financing of terrorism (AML/CFT) goes well beyond banks and notaries. Tax advisors, estate agencies, jewellers, luxury car dealerships, investment fund managers, and many other businesses fall within the regulatory perimeter. If your company is within that perimeter and does not know it, it is exposed to sanctions from the SEPBLAC ranging from fines of tens of thousands of euros to the suspension of its business activities.
In this article we explain who is considered a subject entity under current law, what specific obligations they must fulfil, how the supervisory framework operates in Spain, and what steps to take if your company has just discovered it falls within the perimeter.
What is a subject entity under AML/CFT law?
Law 10/2010 defines in Article 2 a closed catalogue of natural and legal persons who, by virtue of the nature of their activity, may be used — knowingly or not — as a channel for introducing money of illicit origin into the financial system or for financing terrorist activities. These entities are known as subject entities and are subject to a specific regime of due diligence, internal control, and reporting to the Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias (SEPBLAC), which is Spain's supervisor in this area.
The list is not static: Directive (EU) 2015/849 (4th AML Directive) and its successor, Directive (EU) 2018/843 (5th AML Directive), have progressively expanded the perimeter. Spain transposed these directives through amendments to Law 10/2010 and through Royal Decree 304/2014, of 5 May, which approves its implementing regulations. On the immediate horizon is the new European regulation — the so-called EU AML Package 2024, which includes Regulation (EU) 2024/1624 and Directive (EU) 2024/1640 — which, once transposed (deadline by 2027), will further expand obligations and create the new European Anti-Money Laundering Authority (AMLA).
Full list of subject entities under Law 10/2010
Article 2.1 of Law 10/2010 enumerates the following sectors and activities. A careful reading of each category is essential, as the thresholds and conditions vary:
| Category | Specific description in the legislation | Key observations |
|---|---|---|
| Financial institutions | Banks, savings banks, credit cooperatives, financial credit establishments, electronic money institutions, payment institutions, and currency exchange operators | The historical core of the law; also supervised by the Bank of Spain |
| Insurance and securities | Life insurers, life insurance brokers, investment services firms, collective investment schemes and their management companies, pension funds and their management entities | Brokers only when intermediating in life insurance with a savings component |
| Real estate professionals | Real estate developers and agents acting in property purchase and sale transactions | Includes estate agencies for any transaction, with no minimum price threshold |
| Auditors, accountants and tax advisors | Statutory auditors, external accountants, and tax advisors when providing certain services to clients | The obligation is triggered when providing account management, company formation, or advice on corporate structures |
| Notaries and registrars | Notaries, property registrars, and commercial registrars in the exercise of their activities | Subject entities with a specific reporting regime |
| Lawyers and legal representatives | When participating in property purchase and sale transactions, management of funds or securities, formation/management of companies, or management of bank accounts | Does not apply when acting in the context of legal representation in proceedings |
| High-value goods dealers | Dealers in jewellery, precious stones and metals; art objects and antiques; recreational vessels, aircraft, and high-end motor vehicles | Only when payments are made wholly or partly in cash and exceed €10,000 (threshold revised under current regulations) |
| Casinos and gambling | Land-based and online casinos and other gambling operators under sector-specific regulations | Online casinos licensed by the DGOJ have also been included since 2012 |
| Fund and private equity managers | Private equity fund managers, venture capital entities, business angels, and crowdfunding platforms | Extension introduced by the 5th AML Directive |
| Trust and company service providers | Persons who professionally provide services for the formation, administration, or management of companies or other legal arrangements | Known as «trust and company service providers» (TCSPs) in European terminology |
| Crypto-assets | Providers of exchange services between virtual currency and fiat currency, and custodian wallet providers | Incorporated by the 5th AML Directive; in Spain they must register with the Bank of Spain |
| Other | Currency exchange centres, fund transfer services («remittance operators»), payroll or treasury management activities | Non-exhaustive list; always verify against Article 2 and the implementing regulations |
When does a company «border» the perimeter without actually entering it?
This is the most common grey area. A law firm that only litigates in employment matters is not a subject entity. A tax advisory practice that only prepares income tax returns and does not form companies or manage its clients' bank accounts is also not one — even if it operates in the same sector as one that is. The key lies in the type of service provided, not in the designation of the activity.
Similarly, a mainstream car dealership selling mid-range vehicles does not fall within the category of «high-end motor vehicles» if the prices of its normal transactions are below the thresholds and it does not receive significant cash payments. However, if it at any point accepts a cash payment of more than €10,000 for a vehicle, that specific transaction triggers targeted obligations.
When in doubt, the correct approach is to consult a specialist in AML/CFT rather than assume the company falls outside the perimeter. The cost of a perimeter analysis is minimal compared with a SEPBLAC sanction, which for very serious infringements can reach the greater of: €10 million or 10% of annual business volume (Article 56 of Law 10/2010).
Specific obligations of subject entities
Being within the perimeter as a subject entity implies a structured compliance system. It is not a single document: it is a living prevention programme that must be kept up to date. The obligations are grouped into five main areas:
1. Customer due diligence (KYC)
The law requires identifying and verifying the identity of customers before establishing a business relationship, applying enhanced measures for high-risk customers (politically exposed persons, PEPs; high-risk countries; complex transactions with no clear economic purpose) and simplified measures for certain low-risk profiles. The guiding principle is «Know Your Customer» (KYC). Identification of the beneficial owner — the natural person who ultimately owns or controls the customer — is mandatory and must be verified against the Beneficial Ownership Register or equivalent registers.
2. Record retention
Due diligence documents and records must be retained for 10 years from the end of the business relationship or from the execution of the occasional transaction. This period, established in Article 25 of Law 10/2010, is longer than the general commercial period (6 years) and the tax period (4-6 years depending on the tax).
3. Special examination and reporting to SEPBLAC
When a transaction shows indications of money laundering or terrorist financing, the subject entity must carry out a special examination and, if the indications persist, report it to SEPBLAC through the INTELIF platform. Suspicious transaction reporting differs from systematic reporting (which applies to certain subject entities for specific types of transactions). None of these reports may be disclosed to the customer (tipping off): doing so is itself an infringement.
4. Internal control measures
The law requires designating a representative to SEPBLAC (who in SMEs is usually the owner or a senior manager), implementing a prevention manual setting out the policies and procedures, establishing a continuous training programme for employees with access to risk operations, and defining a process for periodically reviewing the effectiveness of the system. Larger entities are also required to have a separate internal control body.
5. Own risk assessment
Since the reform following the 4th AML Directive, each subject entity must carry out its own documented risk assessment, identifying the specific money laundering and terrorist financing risks inherent in its business model, customers, products, channels, and geographies. This assessment is not a one-off formality: it must be reviewed whenever there are significant changes in the business or the regulatory environment.
How to implement it: from paper to practice
Many companies that discover they are subject entities feel overwhelmed by the scope of the system. The reality is that the level of requirement is proportional to the size and risk profile: a three-person estate agency does not need the same level of sophistication as a fund management company. The regulations explicitly recognise the principle of proportionality.
A good starting point is the following:
- Perimeter analysis: confirm with a specialist whether the activity falls within Article 2 of Law 10/2010 and in which precise category.
- Risk assessment: identify the company's own risk factors (types of customers, products, geographies, payment channels).
- Drafting or updating the manual: client acceptance policies, KYC procedures, alert thresholds, internal reporting channels.
- Designation of the representative to SEPBLAC and registration on the INTELIF platform.
- Initial training for employees and managers, with attendance records.
- Annual review of the system and updates following regulatory or business changes.
If your company needs support throughout this process, at Summum Consultoría we have been helping SMEs and mid-sized companies structure their regulatory compliance programmes for more than a decade. You can find full details of how we work in our AML/CFT prevention service.
SEPBLAC's role and the sanctions regime
The SEPBLAC (Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias) is Spain's AML/CFT supervisor and financial intelligence unit. It reports to the Bank of Spain and to the Commission for the Prevention of Money Laundering and Monetary Offences, attached to the Ministry of Economic Affairs. Its functions are twofold: supervision of compliance with Law 10/2010 by subject entities, and financial intelligence (analysis of suspicious transaction reports and international cooperation with other financial intelligence units within the framework of the Egmont Group).
The sanctions regime under Law 10/2010 distinguishes between very serious, serious, and minor infringements. The most severe sanctions are reserved for systematic failures in due diligence, suspicious transaction reporting, or internal control, and can reach — as already noted — €10 million or 10% of annual business volume (Article 56), with publication of the sanction in the Official State Gazette (name and shame). For legal persons, temporary or permanent suspension of activities is also possible.
In 2023 and 2024, SEPBLAC published its annual reports with figures illustrating its supervisory activity: on-site reviews of dozens of subject entities from various sectors (real estate, advisory firms, crypto-asset managers) and a significant number of sanction proceedings initiated. The trend is one of intensification, in line with Spain's commitments to the FATF (Financial Action Task Force).
The impact of the new EU AML Package (2024-2027)
In May 2024, the European Parliament adopted the so-called AML Package, comprising three texts: Regulation (EU) 2024/1624 (directly applicable, without the need for transposition), Directive (EU) 2024/1640 (replacing the 4th and 5th AML Directives), and Regulation (EU) 2024/1620 creating the new AMLA authority, headquartered in Frankfurt.
The most significant changes for Spanish companies will be:
- Expansion of the perimeter of subject entities to include professional football (clubs and agents) and luxury goods dealers (high-value goods with lower thresholds).
- Obligation of enhanced due diligence in transactions with countries on the FATF blacklist and greylist.
- Creation of a €10,000 cash payment limit applicable directly across the entire EU (already in force in Spain under Law 11/2021 for amounts above €1,000 between businesses, though with nuances).
- Greater interoperability between the beneficial ownership registers of Member States.
- Direct supervision by AMLA of the highest-risk entities from 2027.
Companies that already have their AML/CFT programme in order will face the adaptation with far less effort than those that have yet to start.
Frequently asked questions
Is an employment law advisory firm that does not handle accounting or company formation obligated?
In principle, no. Law 10/2010 includes external tax and accounting advisors, but only when they provide services for managing clients' funds, bank accounts, or securities, or when they help to form, manage, or administer companies and legal structures. If the activity is strictly limited to employment law advice and payroll management without handling client funds or forming corporate structures, it does not fall within Article 2. However, it is worth verifying case by case, as many employment advisory firms also offer accounting or tax services that do trigger the obligation.
Is a freelance estate agent subject to the same obligations as a large agency?
Yes, subject entity status does not depend on the size of the business but on the nature of the activity. A self-employed estate agent acting on behalf of buyers or sellers in property purchase and sale transactions falls within Article 2.1 of Law 10/2010. They will have the same substantive obligations (KYC, document retention, suspicious transaction reporting, prevention manual), although proportionality allows their system to be simpler than that of a large developer.
What happens if I register late as a subject entity?
Not all subject entities are required to register in a specific register (unlike, for example, crypto-asset service providers, who must register with the Bank of Spain). The primary obligation is to implement and apply the system from the moment the activity becomes subject to the law. If SEPBLAC discovers during a supervisory review that a company has been a subject entity for some time without having implemented anything, the accumulated non-compliance aggravates the potential sanction. The most prudent course of action is to regularise the situation as soon as possible, with a gap analysis and a documented implementation plan.
How often must the prevention manual be updated?
The regulations do not set a universal minimum frequency, but they do require the system to reflect the reality of the business and the current regulatory framework at all times. In practice, the standard recommendation is a full annual review of the manual and the risk assessment, in addition to targeted updates whenever significant changes occur: new products or services, entry into new geographies, changes in ownership, publication of new regulations or SEPBLAC guidance. The progressive entry into force of the EU AML Package between 2025 and 2027 will also generate several waves of necessary updates.
If your company is in the process of determining whether it is a subject entity, or if it already is and needs to bring its AML/CFT compliance programme up to date, the Summum Consultoría team can help you from the perimeter analysis phase through to the full implementation of the manual and the training of your team. Learn more about our AML/CFT consultancy service or contact us directly.