What the regulator actually found
The picture that emerges from SEPBLAC's 2025 supervisory work, taken together with the ING Spain, Banca March and CaixaBank cases, is more granular than the headlines suggest. Several distinct themes recur across firms of very different sizes and business models.
Governance and senior-management oversight
The most consistent finding is that governance frameworks did not function as their documentation implied. Boards approved AML policies and Business-Wide Risk Assessments they had not meaningfully interrogated. Committee minutes recorded acknowledgement rather than challenge. Escalations from the MLRO were logged but did not always change business decisions.
In the ING Spain case, published deficiencies included shortcomings in the firm's structure for controlling money laundering risk, an area that engages the responsibility of senior management directly. The regulator's position was not that controls were absent, but that the accountability model surrounding them was insufficient given the scale and complexity of the business.
Customer due diligence
CDD weaknesses appear in almost every supervisory finding. The pattern is consistent: files that were compliant at onboarding had not kept pace with changes in the customer's activity, ownership, geography or risk profile. Periodic reviews were overdue. Source-of-wealth and source-of-funds evidence was accepted at face value without corroboration. Enhanced due diligence for higher-risk customers was applied inconsistently between relationship managers and, in several cases, applied on paper without any documented additional analysis.
The Banca March enforcement, in which the firm was fined €605,000 for breaches of AML obligations, included findings on the quality of customer identification and on the firm's obligations concerning politically exposed persons and higher-risk relationships. Neither is an unusual failure. Both are the kind of failure that becomes serious when a supervisor tests a sample of files.
Ongoing monitoring and transaction monitoring
SEPBLAC's supervisory activity paid particular attention to the design and calibration of transaction monitoring systems. Findings focused on three specific weaknesses. Scenarios were often generic, drawn from vendor libraries and not tuned to the firm's own customer base or product mix. Thresholds had not been reviewed for extended periods, in some cases years, despite material changes in transaction volumes and profiles. Alert closure rationales were formulaic and did not evidence genuine analytical judgement.
The regulator's expectation is that firms can demonstrate why their monitoring rules are the right rules for their business, how those rules were calibrated, when they were last independently reviewed and what the false-positive and false-negative rates tell them about effectiveness. Volume of alerts is not accepted as evidence that monitoring works.
Suspicious activity reporting
SAR-related findings did not centre on whether firms submitted reports. They centred on timeliness, on the quality of the underlying analysis, and on the coherence between what the monitoring system detected, what the MLRO's team investigated and what was ultimately reported. Late SARs, thin narratives and gaps between the detected pattern and the reported activity all featured in supervisory feedback.
Sanctions and geopolitical risk controls
Sanctions screening received sustained supervisory attention, reflecting the pace of listings and the operational strain placed on firms by the sanctions response to the war in Ukraine and to broader geopolitical risk. Findings included incomplete list coverage, weak screening logic for beneficial owners and connected parties, and inadequate handling of true-match escalations. Sanctions controls that had not been recalibrated since 2022 were treated as inherently suspect.
Management information and independent testing
The Annual Report is explicit that management information used by senior management and the Board was often descriptive rather than analytical. Packs counted alerts, cases, training completion and SARs filed. They did not explain the firm's residual financial crime risk or its direction of travel. Independent testing, whether by internal audit or by external reviewers, was in several cases either infrequent, narrow in scope or disconnected from the firm's stated risk appetite.
Payment institutions, distributors and cryptoasset providers
SEPBLAC's 2025 supervisory activity gave particular attention to payment institutions, to firms operating through networks of agents and distributors and to cryptoasset service providers. Recurring themes included weak oversight of the AML controls operated by agents, inadequate remote onboarding controls and limited visibility over transaction flows that passed through intermediated networks. For cryptoasset firms, findings concentrated on the source of funds, on the treatment of self- hosted wallets and on the effectiveness of the travel rule implementation.
What these findings tell us
Taken individually, none of the deficiencies described above is new. Taken together, they describe a supervisory posture that has shifted in a way regulated firms need to internalise.
For much of the last decade, European AML supervision could be satisfied by evidence that a firm had the right documents in place: an approved BWRA, a current policy suite, an operating committee structure and a training programme. That is no longer the case in Spain, and the evidence from the ECB, DNB, ACPR and the FCA suggests it is no longer the case anywhere in Europe.
What supervisors now test is whether the framework works. That means sampling files and asking why a particular risk rating was assigned. It means attending a live alert review meeting and asking how the analysts decided which alerts to escalate. It means reading a Board pack and asking directors, individually, to explain the firm's three largest financial crime exposures without notes. Where the answers are hesitant, inconsistent or generic, the finding writes itself.
The other shift is in how supervisors treat the historic book. Legacy customers, acquired portfolios and dormant relationships are no longer treated as a separate universe outside the current risk framework. They are treated as part of the firm's live risk profile, and any deterioration in file quality across those cohorts is treated as a current, not a historic, problem.
Why this matters for regulated firms
The practical implications of these supervisory themes reach well beyond the compliance function.
When customer due diligence is incomplete, the firm's risk rating of its own customer base is unreliable. Every downstream control, monitoring, screening, reporting, depends on that risk rating being right. An unreliable rating produces unreliable alerts, unreliable case prioritisation and, ultimately, unreliable SARs. The problem is not confined to the CDD team.
When transaction monitoring is calibrated to a generic template rather than to the firm's actual business, the firm is simultaneously generating too many alerts that do not matter and missing patterns that do. Both outcomes have consequences: the first exhausts analyst capacity and erodes decision quality, the second exposes the firm to precisely the risks the monitoring is meant to detect.
When Board packs report volumes rather than risk, senior management cannot exercise the oversight the regulator requires of them. The Board approves what it is shown, and what it is shown does not answer the question it needs to answer. That is the point at which a governance finding becomes personal accountability.
When sanctions controls lag geopolitical change, the firm is relying on yesterday's screening logic to detect today's risk. In the current environment, that gap is measured in weeks, not years.
Potential consequences
The realistic consequences of the findings described in this article are not hypothetical. They are visible in recent public actions.
In the ING Spain case, deficiencies in the AML control environment resulted in a €3.91 million financial penalty alongside supervisory findings on the firm's governance architecture. In the Banca March case, similar underlying weaknesses produced a €605,000 penalty against a smaller institution. The scale of the penalty was different; the nature of the underlying finding was not.
Beyond financial penalties, the consequences include public censure, the imposition of remediation obligations that are typically multi-year in duration, and the intensification of supervisory scrutiny that continues for years afterwards. For some firms, findings restrict the pace at which they can onboard new customers or enter new markets until remediation is complete.
There is also a set of consequences that does not appear on any published decision. Remediation programmes consume management attention on a scale that is difficult to appreciate from outside one. Skilled resources are redirected from business priorities. External advisers, monitors and Skilled Person equivalents impose their own overhead. Reputation recovers slowly and unevenly, and in institutional segments the memory of an enforcement action is long.
The cost of preventing these outcomes, through honest self-assessment and targeted improvement, is a fraction of the cost of responding to them after a supervisor has made the first move.
Questions Boards and MLROs should now ask
The most productive way for a regulated firm to respond to the recent Spanish supervisory activity is not to redraft its policies. It is to test whether the framework it already operates would withstand the type of examination SEPBLAC has been conducting.
The following questions are the ones a supervisor is most likely to ask a Board or an MLRO in the next inspection cycle. Firms that can answer them clearly, from evidence rather than from memory, are in a defensible position. Firms that cannot have identified where to begin work.
- 01Would we be able to evidence effective Board oversight of financial crime risk if a supervisor asked us to demonstrate it in the next 30 days?
- 02Are we relying on the existence of policies, or can we show, file by file, that the controls those policies describe operate as intended?
- 03Have our transaction monitoring scenarios been independently reviewed against our current customer base, products and delivery channels, and when was that review last refreshed?
- 04Could we justify, on the evidence held on file, every high-risk customer relationship we currently maintain?
- 05Does our Board and executive management information explain the firm's financial crime risk, or does it report operational volumes such as alerts raised, cases closed and training completed?
- 06Have our sanctions and adverse media controls kept pace with the pace of geopolitical change over the last 24 months, including screening logic, list coverage and escalation criteria?
- 07When was the last independent challenge to our SAR decision-making, and were the results shared with the Board?
How Claritas can help
Claritas Risk Advisory works with smaller and mid-sized regulated firms in Spain and across Europe on the specific issues raised by the recent SEPBLAC activity. Our work centres on three areas: independent AML governance reviews that test whether frameworks operate as documented, regulatory readiness assessments carried out ahead of expected supervisory engagement, and targeted remediation of the weaknesses those reviews identify.
The advice is grounded in experience gained inside major international financial institutions and in direct engagement with supervisors, inspections and remediation programmes. It is designed to be proportionate to the firm receiving it, and to leave the firm better able to answer the questions supervisors are now asking.
- SEPBLAC. Memoria 2025 (Annual Report, published June 2026). sepblac.es/wp-content/uploads/2026/06/MemoriaSepblac2025_ES.pdf
- Financial Crime Central. ING Spain fined €3.91 million for money laundering violations. fincrimecentral.com/ing-spain-fined-money-laundering-violations
- Europa Press. SEPBLAC multa con 605.000 euros a Banca March por infringir la normativa antiblanqueo (31 January 2025). europapress.es (Banca March, January 2025)
- Fred Kahn (LinkedIn). CaixaBank Spain AML supervisory activity. linkedin.com/posts/fredkahn (CaixaBank, Spain, AML)
- SEPBLAC. Official website. sepblac.es/en



