TL;DR
In Spain, KYC in 2026 is all about file quality: firms need to show exactly how they identified the customer, checked beneficial ownership, handled remote onboarding, and verified crypto counterparties under the post-MiCA rules. At the same time, the weak spots are outdated ownership data, vague status checks, and customer records that stop making sense once the relationship moves past onboarding.
Law 10/2010 and Royal Decree 304/2014 may still govern Spanish KYC, but customer files are now being tested against a stricter mix of supervisory scrutiny, central beneficial ownership data, MiCA’s transition phase, the first technical work coming out of AMLA, and Spain’s new digital DNI rules for private-sector use.
In this article, we break down the current state of Spain KYC compliance and give practical tips for companies that operate in that country. We will mainly focus on the parts that are likely to affect onboarding, periodic review, account monitoring, and reporting quality in 2026.
Disclaimer! The content provided in this blog post is for informational purposes only and does not constitute legal advice or a legal opinion.
Building a customer file: Law 10/2010 and Royal Decree 304/2014
Law 10/2010 applies to credit institutions, payment and e-money firms, certain crypto service providers, lawyers in certain transactions, real estate businesses, gambling operators, auditors, tax advisers, dealers in high-value goods, and other non-financial firms.
Law 10/2010 sets the main obligations, while Royal Decree 304/2014 develops how those obligations work in practice, especially in areas such as non-face-to-face onboarding and internal controls.
According to the law, firms must perform four core KYC duties:
- identify the customer;
- identify and verify the beneficial owner;
- collect enough information on the purpose and intended nature of the relationship;
- keep the relationship and its transactions under review over time.
While there is little novelty in these actions, it's worth noting that their outcomes must form one customer file rather than sit as disconnected records held by different teams.
The customer file can therefore be considered weak if even one measure was not carried out properly:
- if onboarding collected good ID data but monitoring notes are weak;
- if transaction alerts are strong but beneficial ownership data is stale;
- if an STR is filed on time but the special-review notes do not explain why the activity looked suspicious.
A context like remote onboarding makes this especially relevant. Royal Decree 304/2014 sets out the permitted routes for non-face-to-face identification, including electronic-signature methods, a notarized copy of the ID document, a first payment from an account in the customer’s own name at a qualifying institution, or another secure procedure previously authorized by Sepblac. Within one month, the firm must also obtain the documents needed for due diligence.
In practice, the key question is not how polished the customer flow looks on screen, but whether the firm can later retrieve clear evidence of what was checked, what result was reached, and why the customer was accepted. A good Spanish remote-ID file should let a reviewer find out:
- what exactly was checked;
- what result the system and analyst reached;
- what happened when the case fell outside the normal path.
Practical summary
- Build the Spanish customer file as one record, not as separate onboarding, monitoring, and review tasks.
- Treat remote identification as an evidence issue.
- Recheck governance duties on the contact person, internal committee, external review, training, and technical resources.
Tackling beneficial ownership: Royal Decree 609/2023
Royal Decree 609/2023 created the Registro Central de Titularidades Reales and gave Spain a single central register for current beneficial ownership data.
It has been operating since September 19, 2023, and obliged firms under Law 10/2010 can access current data, certificates, and extracts for beneficial-owner checks. The decree also amended article 9.6 of the AML regulation so that firms must consult the central register to identify and check the beneficial owner, while still being able to use other reliable sources where appropriate.
This change is the reason why businesses can’t stop at only collecting a shareholder chart, a declaration, and a set of corporate documents. The file should now show:
- what the customer stated about ownership and control;
- what the central register showed on the day of review;
- what the analyst did if the two versions did not match.
The maintenance side is also stricter now: the decree says that changes in beneficial ownership must be updated within ten days once those responsible are aware of the change.
For entities that do not report through the Commercial Registry or another sectoral registry, the update goes through electronic filing to the central register. That turns beneficial ownership into a live data point, which has obvious consequences for periodic review. A corporate file that has not been refreshed after a control change, director change, or group restructuring can become unreliable much faster than teams assume.
Practical summary
- Put the central beneficial ownership register inside the standard corporate onboarding flow.
- Save evidence of the register result on the review date.
- Create a written rule for discrepancy handling.
- Add ownership freshness to periodic review, especially after changes in control or activity.
Refining AML and CFT: Regulation (EU) 2024/1624 and Directive (EU) 2024/1640
The EU AML package adopted in 2024 is often discussed as a future event because the new AML Regulation will apply from July 10, 2027. However, the new package has already started to affect how firms should think about customer files, account structures, linked transactions, and supervisory expectations.
EUR-Lex describes Regulation (EU) 2024/1624 as the new rulebook for AML/CFT obligations, while Directive (EU) 2024/1640 recasts the institutional side. AMLA has already started its technical work, and in February 2026 it opened consultations on draft standards for customer due diligence and for identifying business relationships, occasional transactions, and linked transactions.
A small but telling sign of change in Spain came in January 2025: Sepblac updated required reporting to the Banking Account Register for multiple IBAN codes tied to one account because of article 16 of Directive (EU) 2024/1640 on virtual IBANs.
So if your business uses layered account identifiers, virtual IBANs, or embedded finance structures, the quality of the customer file now depends partly on how clearly those relationships are recorded.
Spain is also giving firms current official material for risk tuning. Sepblac’s 2024 update to the National Risk Assessment refreshed national threats, vulnerabilities, and sector risks that had appeared since the prior report.
Tesoro’s current catalogs of risk indicators, published in 2025 and still current in 2026, cover credit institutions, payment and e-money firms, real estate, gambling, insurance, securities, professionals, and art and jewelry, and are paired with laundering typologies grouped by predicate offense. For a compliance team, this is now the most current source material for onboarding prompts, alert scenarios, and review checklists.
Practical summary
- Compare your customer and account data model with the 2024 EU AML package now, not in 2027.
- Check how your systems record virtual IBANs, linked transactions, and occasional transactions.
- Use the 2024 National Risk Assessment update and the 2025 risk catalogs to retune onboarding prompts and alert logic.
- Keep one internal list for changes already live in Spain and another for draft EU technical standards still under consultation.
Tightening the grip on crypto: Regulation (EU) 2023/1114 (MiCA)
Spain’s crypto landscape has been changing rapidly since MiCA was introduced: from July 1, 2026, only providers authorized by CNMV or another European authority may operate. CNMV has also published fresh criteria and Q&A on the transition period, stressing that firms planning to seek authorization should do so with enough lead time.
Now, the Bank of Spain’s registry page states that the old register for virtual-currency exchange and wallet-custody providers was abolished on December 30, 2024 and kept only for informational purposes for registrations made before that date that may rely on MiCA’s transition regime.
That means a legacy Bank of Spain entry is no longer a full answer to all the required questions, such as:
- Is this provider registered?
- Who is the competent authority?
- What is the current legal basis for operating?
- If the firm is using a transition period, when does that basis expire?
This is one of the more interesting corners of Spain KYC requirements because the paperwork can look deceptively complete. A file may contain an old registration record, company documents, and a recent screenshot, yet still miss the one point that now matters most: current status under MiCA. For third-party due diligence, many older templates need a rewrite.
Practical summary
- Don’t treat a historic Bank of Spain entry as a full status check.
- Record the competent authority, legal basis, and status date in every crypto-provider file.
- Add an expiry date where the file relies on transitional status.
- Recheck existing crypto partners before July 1, 2026 if the file has not been refreshed since MiCA took effect.
Supporting digital ID: Royal Decree 255/2025 and Regulation (EU) 2024/1183
Royal Decree 255/2025 gives the digital version of the Spanish ID card (DNI) the same legal value for identification as the physical card and states that public and private entities must adopt the measures needed for its proper functioning within twelve months of the decree’s entry into force.
At EU level, Regulation (EU) 2024/1183 amends eIDAS and establishes the European Digital Identity Framework, including EU Digital Identity Wallets intended for use in both public and private services.
This does not mean document capture is about to disappear from Spanish KYC. Firms will still need a solid record of customer purpose, beneficial ownership, expected activity, and transaction behavior.
What may change soon is the type of identity evidence that customers bring into the flow. The digital DNI and the wider EU identity framework push remote onboarding toward stronger electronic identity evidence, clearer audit records, and cleaner retrieval later when a file is reopened.
There is also a simple customer-experience point here: when identity evidence is stronger at the start, later review can become less repetitive. That can reduce unnecessary follow-up when the customer has already provided an authoritative identity source that the firm can retrieve and verify again during review.
AMLA’s draft customer due diligence standards also point in that same direction by working through what information and documents firms should collect and how electronic identification attributes may fit risk-based checks.
Practical summary
- Review whether your Spanish onboarding flow can handle stronger electronic identity evidence as it becomes available.
- Keep audit records in a form that links the identity event to the wider customer file.
- Put remote-ID settings, evidence retention, and policy wording in one controlled record.
- Plan for a mixed period in which physical IDs (like Spanish ID cards), digital DNI use, and wider EU wallet use may all appear in the same customer base.
How to stay KYC-compliant in Spain
In 2026, Spain expects firms to show that customer admission, beneficial ownership checks, account monitoring, and suspicious reporting belong to one file that still makes sense when another team, an external expert, or a supervisor reads it later.
For teams that want stronger files, the useful technology is the kind that helps verify identity documents, compare a live face with the portrait, read chip data when available, and preserve evidence that can still be reviewed years later.
This is where Regula IDV Platform can help: it is an end-to-end framework for identity verification and user lifecycle management with flexible orchestration and configurable workflows that can be adapted to all KYC compliance needs.
It brings together capabilities that are highly relevant for KYC in Spain, including:
- configurable KYC and onboarding workflows;
- automated AML and PEP screening as well as custom watch lists;
- document and biometric verification, backed by a large document template database, face matching, and liveness detection;
- structured user data management and audit-ready evidence for ongoing monitoring;
- integration with existing tech stacks through flexible connectors.
Need to stay KYC-compliant in Spain? The Regula team can help.
