Perspectives
Perspective 001Regulation

What Spain's recent AML enforcement activity says about regulatory expectations.

Supervisory focus has moved beyond policies to the evidence that governance, accountability and controls operate in practice. Spain offers a useful case study.

By Everett MorganSummer 202612 min read
Madrid Cuatro Torres financial district at sunset
Introduction

The last twelve months of supervisory activity in Spain have set out, in unusually clear terms, what European AML supervisors now expect regulated firms to be able to demonstrate.

SEPBLAC's 2025 Annual Report, published in June 2026, records a year of intensive on-site and thematic inspections across banks, payment institutions, investment firms and cryptoasset service providers. The report is the most detailed public statement of Spanish supervisory priorities in several years, and it lands alongside a series of concrete enforcement actions: a €3.91 million penalty against ING Spain, a €605,000 penalty against Banca March and continuing scrutiny of CaixaBank's historic AML remediation obligations.

These actions are not isolated events. Read together with the Annual Report, they describe a supervisory environment in which the existence of a policy manual, a committee calendar and a Business-Wide Risk Assessment is treated as the minimum expectation, not evidence of an effective control framework. What supervisors now test is whether governance, customer due diligence, monitoring and reporting operate as intended, on the transactions and relationships they choose to sample.

Spain is not an outlier in Europe. The themes running through SEPBLAC's activity are the themes that AMLA will inherit and apply on a harmonised basis from 2028. For that reason alone, recent Spanish enforcement deserves close attention from any board, MLRO or head of compliance operating within a European-regulated firm.

Key findings
  1. 01SEPBLAC's 2025 supervisory activity concentrated on the operating effectiveness of AML frameworks, not on the existence of policies. Written procedures without evidence of application were treated as deficiencies.
  2. 02Governance and senior-management oversight are now central supervisory themes. Boards are expected to demonstrate genuine understanding of the firm's financial crime risk profile, not to approve packs prepared for them.
  3. 03Customer due diligence weaknesses recurred across firms of very different sizes: incomplete files, outdated risk ratings, weak source-of-wealth evidence and inconsistent EDD for higher-risk relationships.
  4. 04Transaction monitoring findings focused on scenario calibration, alert quality and closure rationale. Volume of alerts is no longer accepted as evidence that monitoring works.
  5. 05Suspicious activity reporting was scrutinised for timeliness and quality of narrative, not only for whether reports were filed. Late or under-supported SARs featured in several public enforcement cases.
  6. 06Sanctions screening, remote onboarding and controls over agents and distributors, particularly in payment institutions and cryptoasset service providers, drew heightened supervisory attention.
  7. 07The direction of travel is unmistakable and consistent with AMLR, AMLD6 and the arrival of AMLA: the evidentiary bar for effective controls is rising and will not fall back.

What the regulator actually found

The picture that emerges from SEPBLAC's 2025 supervisory work, taken together with the ING Spain, Banca March and CaixaBank cases, is more granular than the headlines suggest. Several distinct themes recur across firms of very different sizes and business models.

Governance and senior-management oversight

The most consistent finding is that governance frameworks did not function as their documentation implied. Boards approved AML policies and Business-Wide Risk Assessments they had not meaningfully interrogated. Committee minutes recorded acknowledgement rather than challenge. Escalations from the MLRO were logged but did not always change business decisions.

In the ING Spain case, published deficiencies included shortcomings in the firm's structure for controlling money laundering risk, an area that engages the responsibility of senior management directly. The regulator's position was not that controls were absent, but that the accountability model surrounding them was insufficient given the scale and complexity of the business.

Customer due diligence

CDD weaknesses appear in almost every supervisory finding. The pattern is consistent: files that were compliant at onboarding had not kept pace with changes in the customer's activity, ownership, geography or risk profile. Periodic reviews were overdue. Source-of-wealth and source-of-funds evidence was accepted at face value without corroboration. Enhanced due diligence for higher-risk customers was applied inconsistently between relationship managers and, in several cases, applied on paper without any documented additional analysis.

The Banca March enforcement, in which the firm was fined €605,000 for breaches of AML obligations, included findings on the quality of customer identification and on the firm's obligations concerning politically exposed persons and higher-risk relationships. Neither is an unusual failure. Both are the kind of failure that becomes serious when a supervisor tests a sample of files.

Ongoing monitoring and transaction monitoring

SEPBLAC's supervisory activity paid particular attention to the design and calibration of transaction monitoring systems. Findings focused on three specific weaknesses. Scenarios were often generic, drawn from vendor libraries and not tuned to the firm's own customer base or product mix. Thresholds had not been reviewed for extended periods, in some cases years, despite material changes in transaction volumes and profiles. Alert closure rationales were formulaic and did not evidence genuine analytical judgement.

The regulator's expectation is that firms can demonstrate why their monitoring rules are the right rules for their business, how those rules were calibrated, when they were last independently reviewed and what the false-positive and false-negative rates tell them about effectiveness. Volume of alerts is not accepted as evidence that monitoring works.

Suspicious activity reporting

SAR-related findings did not centre on whether firms submitted reports. They centred on timeliness, on the quality of the underlying analysis, and on the coherence between what the monitoring system detected, what the MLRO's team investigated and what was ultimately reported. Late SARs, thin narratives and gaps between the detected pattern and the reported activity all featured in supervisory feedback.

Sanctions and geopolitical risk controls

Sanctions screening received sustained supervisory attention, reflecting the pace of listings and the operational strain placed on firms by the sanctions response to the war in Ukraine and to broader geopolitical risk. Findings included incomplete list coverage, weak screening logic for beneficial owners and connected parties, and inadequate handling of true-match escalations. Sanctions controls that had not been recalibrated since 2022 were treated as inherently suspect.

Management information and independent testing

The Annual Report is explicit that management information used by senior management and the Board was often descriptive rather than analytical. Packs counted alerts, cases, training completion and SARs filed. They did not explain the firm's residual financial crime risk or its direction of travel. Independent testing, whether by internal audit or by external reviewers, was in several cases either infrequent, narrow in scope or disconnected from the firm's stated risk appetite.

Payment institutions, distributors and cryptoasset providers

SEPBLAC's 2025 supervisory activity gave particular attention to payment institutions, to firms operating through networks of agents and distributors and to cryptoasset service providers. Recurring themes included weak oversight of the AML controls operated by agents, inadequate remote onboarding controls and limited visibility over transaction flows that passed through intermediated networks. For cryptoasset firms, findings concentrated on the source of funds, on the treatment of self- hosted wallets and on the effectiveness of the travel rule implementation.

What these findings tell us

Taken individually, none of the deficiencies described above is new. Taken together, they describe a supervisory posture that has shifted in a way regulated firms need to internalise.

For much of the last decade, European AML supervision could be satisfied by evidence that a firm had the right documents in place: an approved BWRA, a current policy suite, an operating committee structure and a training programme. That is no longer the case in Spain, and the evidence from the ECB, DNB, ACPR and the FCA suggests it is no longer the case anywhere in Europe.

What supervisors now test is whether the framework works. That means sampling files and asking why a particular risk rating was assigned. It means attending a live alert review meeting and asking how the analysts decided which alerts to escalate. It means reading a Board pack and asking directors, individually, to explain the firm's three largest financial crime exposures without notes. Where the answers are hesitant, inconsistent or generic, the finding writes itself.

The other shift is in how supervisors treat the historic book. Legacy customers, acquired portfolios and dormant relationships are no longer treated as a separate universe outside the current risk framework. They are treated as part of the firm's live risk profile, and any deterioration in file quality across those cohorts is treated as a current, not a historic, problem.

Why this matters for regulated firms

The practical implications of these supervisory themes reach well beyond the compliance function.

When customer due diligence is incomplete, the firm's risk rating of its own customer base is unreliable. Every downstream control, monitoring, screening, reporting, depends on that risk rating being right. An unreliable rating produces unreliable alerts, unreliable case prioritisation and, ultimately, unreliable SARs. The problem is not confined to the CDD team.

When transaction monitoring is calibrated to a generic template rather than to the firm's actual business, the firm is simultaneously generating too many alerts that do not matter and missing patterns that do. Both outcomes have consequences: the first exhausts analyst capacity and erodes decision quality, the second exposes the firm to precisely the risks the monitoring is meant to detect.

When Board packs report volumes rather than risk, senior management cannot exercise the oversight the regulator requires of them. The Board approves what it is shown, and what it is shown does not answer the question it needs to answer. That is the point at which a governance finding becomes personal accountability.

When sanctions controls lag geopolitical change, the firm is relying on yesterday's screening logic to detect today's risk. In the current environment, that gap is measured in weeks, not years.

Potential consequences

The realistic consequences of the findings described in this article are not hypothetical. They are visible in recent public actions.

In the ING Spain case, deficiencies in the AML control environment resulted in a €3.91 million financial penalty alongside supervisory findings on the firm's governance architecture. In the Banca March case, similar underlying weaknesses produced a €605,000 penalty against a smaller institution. The scale of the penalty was different; the nature of the underlying finding was not.

Beyond financial penalties, the consequences include public censure, the imposition of remediation obligations that are typically multi-year in duration, and the intensification of supervisory scrutiny that continues for years afterwards. For some firms, findings restrict the pace at which they can onboard new customers or enter new markets until remediation is complete.

There is also a set of consequences that does not appear on any published decision. Remediation programmes consume management attention on a scale that is difficult to appreciate from outside one. Skilled resources are redirected from business priorities. External advisers, monitors and Skilled Person equivalents impose their own overhead. Reputation recovers slowly and unevenly, and in institutional segments the memory of an enforcement action is long.

The cost of preventing these outcomes, through honest self-assessment and targeted improvement, is a fraction of the cost of responding to them after a supervisor has made the first move.

Questions Boards and MLROs should now ask

The most productive way for a regulated firm to respond to the recent Spanish supervisory activity is not to redraft its policies. It is to test whether the framework it already operates would withstand the type of examination SEPBLAC has been conducting.

The following questions are the ones a supervisor is most likely to ask a Board or an MLRO in the next inspection cycle. Firms that can answer them clearly, from evidence rather than from memory, are in a defensible position. Firms that cannot have identified where to begin work.

  1. 01Would we be able to evidence effective Board oversight of financial crime risk if a supervisor asked us to demonstrate it in the next 30 days?
  2. 02Are we relying on the existence of policies, or can we show, file by file, that the controls those policies describe operate as intended?
  3. 03Have our transaction monitoring scenarios been independently reviewed against our current customer base, products and delivery channels, and when was that review last refreshed?
  4. 04Could we justify, on the evidence held on file, every high-risk customer relationship we currently maintain?
  5. 05Does our Board and executive management information explain the firm's financial crime risk, or does it report operational volumes such as alerts raised, cases closed and training completed?
  6. 06Have our sanctions and adverse media controls kept pace with the pace of geopolitical change over the last 24 months, including screening logic, list coverage and escalation criteria?
  7. 07When was the last independent challenge to our SAR decision-making, and were the results shared with the Board?

How Claritas can help

Claritas Risk Advisory works with smaller and mid-sized regulated firms in Spain and across Europe on the specific issues raised by the recent SEPBLAC activity. Our work centres on three areas: independent AML governance reviews that test whether frameworks operate as documented, regulatory readiness assessments carried out ahead of expected supervisory engagement, and targeted remediation of the weaknesses those reviews identify.

The advice is grounded in experience gained inside major international financial institutions and in direct engagement with supervisors, inspections and remediation programmes. It is designed to be proportionate to the firm receiving it, and to leave the firm better able to answer the questions supervisors are now asking.

References
About the author
Everett Morgan
Founder & Principal Adviser, Claritas Risk Advisory

Everett has more than twenty years' experience in financial crime, AML governance, regulatory compliance and operational risk gained within Deutsche Bank, Morgan Stanley and BNP Paribas. He established Claritas Risk Advisory to provide smaller regulated financial institutions with experienced independent judgement, practical insight and proportionate recommendations.

Need an independent perspective?

Preparing for regulatory change starts with understanding where your organisation stands today.

If you would like to discuss your financial crime framework or explore how Claritas Risk Advisory can help, I would be pleased to arrange a confidential conversation.

Let's start with a conversation