SEPBLAC and Sanctions Screening in Spain
Sanctions screening in Spain should be treated as part of a broader AML/CFT control framework, not as a standalone name-search exercise. Spain's Law 10/2010 governs the prevention of money laundering and terrorist financing, sets duties for obliged subjects, and gives immediate effect to certain EU and UN financial sanctions measures.
For compliance teams, the practical question is not only "which list should we check?" It is how to turn legal obligations into a repeatable operating model: identify the customer and beneficial owner, screen relevant parties, review possible matches, escalate true positives, report where required, and keep evidence that can be reviewed by supervisors, auditors, and banking partners.
Why This Matters in Spain
SEPBLAC's 2024 activity report shows the scale of operational pressure on Spanish AML/CFT controls. The report states that suspicious reports from obliged subjects rose from 13,854 in 2023 to 24,320 in 2024. It also highlights sharp increases from neobanks and virtual-asset service providers.
SEPBLAC's 2024 activity report says obliged subjects submitted 24,320 suspicious reports, up from 13,854 in 2023.
Reports from neobanks increased from 1,152 in 2023 to 7,595 in 2024.
Reports from virtual-asset service providers increased from 202 in 2023 to 972 in 2024.
Source: SEPBLAC, Memoria de actividades 2024, section on suspicious reports analysed.
The same report says that, by 31 December 2024, a new aggregated mule-account reporting format had been used by 26 obliged subjects and covered more than 30,000 accounts, 1.5 million operations, and more than EUR700 million. That is a useful signal for product and operations teams: modern AML/CFT controls need to work at onboarding, during transactions, through event-based reviews, and across continuous monitoring.
What SEPBLAC Does
SEPBLAC is Spain's Financial Intelligence Unit. It receives, analyses, and disseminates financial intelligence related to money laundering and terrorist financing. It is also a supervisory authority for AML/CFT compliance and for the execution of certain financial sanctions and countermeasures.
For a Spain-based firm, this means SEPBLAC is not only a place where suspicious reports may end up. It is part of the control environment that shapes how obliged subjects design due diligence, monitoring, internal controls, reporting, and evidence retention.
SEPBLAC is not the sanctions list
There is no separate "SEPBLAC sanctions list" that replaces EU, UN, or other official sanctions sources. SEPBLAC supervises and receives financial intelligence, and it is involved in the control environment for financial sanctions and countermeasures, but list screening should be anchored to the official list sources that apply to the firm's risk and legal footprint.
For Spain-facing controls, that usually means treating EU restrictive measures and relevant UN Security Council financial sanctions as the legal baseline, then adding OFAC, the UK Sanctions List, and other national or regional sources where exposure requires broader coverage. This distinction is important because it prevents a Spanish AML/CFT article from turning into either an under-scoped local list search or an overbroad claim that every foreign list is automatically a Spanish-law requirement for every firm.
Who Must Comply
The starting point is Article 2 of Law 10/2010, which defines the list of obliged subjects. The list is broad. For many Checklynx readers, the relevant categories include credit institutions, payment institutions, e-money institutions, investment firms, insurers, pension and investment fund managers, currency exchange businesses, lending and credit intermediaries, and providers of exchange between virtual currency and fiat currency and custodian wallet services.
The law also makes clear that obligations can apply to operations carried out through agents, mediators, or intermediaries. That matters for embedded finance, marketplaces, payment programmes, and other models where risk can enter through indirect channels.
Sanctions screening should therefore be connected to the wider customer due diligence process:
- formal identification of the customer;
- identification and verification of the beneficial owner;
- understanding the purpose and intended nature of the relationship;
- ongoing monitoring of the relationship;
- special review of unusual or unjustified facts and operations;
- reporting where the legal threshold is met;
- retention of evidence.
Law 10/2010 Duties That Shape Screening
Sanctions screening sits inside a wider sequence of AML/CFT duties. Mapping the article to the legal order makes the workflow easier for compliance, product, and operations teams to understand.
| Law 10/2010 anchor | What it means operationally | Screening impact |
|---|---|---|
| Article 2 | Defines obliged subjects, including many financial, payment, investment, insurance, advisory, real-estate, gambling, precious-goods, and virtual-asset activities. | Confirm whether the business, branch, agent, intermediary, or cross-border activity is in scope. |
| Articles 3 and 4 | Require formal customer identification and beneficial-owner identification and verification. | Screen the customer and the natural persons who own, control, or act behind the relationship. |
| Articles 5 to 7 | Cover purpose and nature of the relationship, ongoing monitoring, and risk-based application to existing customers. | Rescreen when the relationship, ownership, product, or transaction risk changes. |
| Articles 17 to 19 | Govern special examination, suspicious-transaction reporting, and abstention from execution in ML/TF cases. | Treat unresolved high-risk alerts as investigation cases, not simple search results. |
| Article 24 | Prohibits tipping off the customer or third parties about reporting or examination. | Keep alert handling and escalation controlled. |
| Article 25 | Requires ten-year retention of relevant AML/CFT documentation. | Store screening inputs, matches, review rationale, decisions, and actions. |
| Article 42 | Gives immediate effect to qualifying EU and UN financial sanctions and certain countermeasures. | Maintain up-to-date screening and true-positive response procedures. |
This structure also helps separate two duties that are often blurred in vendor copy. A confirmed sanctions match triggers the firm's sanctions-response procedure under the applicable restrictive measure. A suspicious transaction report to SEPBLAC follows from a special examination where there is indication or certainty of money laundering or terrorist financing. One case can trigger both, but the legal basis and operating route are not identical.
How Sanctions Screening Fits AML/CFT
Sanctions controls and AML/CFT controls overlap, but they are not the same thing. AML/CFT is risk-based. It asks firms to understand customers, monitor relationships, identify suspicious behaviour, and report when there are indications of money laundering or terrorist financing.
Sanctions controls are more direct. If a person, entity, vessel, wallet, or other relevant party is subject to a financial sanctions measure, the firm may need to reject, suspend, freeze, block, or report activity depending on the applicable regime and competent authority process.
Article 42 of Law 10/2010 is the Spain-specific anchor. It provides that qualifying EU restrictive measures and relevant UN Security Council measures that impose financial sanctions, including freezing or blocking funds and prohibitions on making funds, assets, economic resources, or financial services available, are mandatory with immediate effect from designation.
This is why a simple "screen once at onboarding" policy is weak. A customer that was clear at onboarding may become sanctioned later. A beneficial owner may change. A payment beneficiary may introduce new exposure. A transaction route may involve a jurisdiction or counterparty that changes the sanctions analysis.
Which Sanctions Lists to Screen
The right coverage depends on the firm's legal footprint, customer base, currencies, payment rails, banking relationships, and geographic exposure. For a Spain-based obliged subject, the clean baseline is EU and relevant UN financial sanctions. Other lists are often prudent where exposure justifies them.
| Source | Practical role for Spain-based firms | How to frame it |
|---|---|---|
| EU financial sanctions sources | Core baseline for firms operating in Spain and the EU. | Legal and operational baseline. |
| UN Security Council Consolidated List | Relevant because Article 42 gives immediate effect to qualifying UN financial sanctions measures. | Core baseline where the measure falls within Article 42. |
| OFAC sanctions lists | Important where there is U.S. nexus, USD clearing, U.S. persons, banking partner requirements, or international counterparty exposure. | Risk-based extension, not the Spain-only baseline. |
| UK Sanctions List | Relevant where there are UK customers, counterparties, banking relationships, contracts, or group policies. | Risk-based extension for UK exposure. |
| Other national or regional lists | May matter for firms with Swiss, Canadian, Australian, Singaporean, or other specific exposure. | Document the policy rationale. |
The key editorial point is precision. Do not tell Spain-only firms that every non-EU list is automatically a Spanish legal requirement. Do explain that international financial services often require broader screening because of banking corridors, payment rails, customer geography, correspondent relationships, investor expectations, and group policy.
A Practical Screening Workflow
Sanctions screening is a workflow, not a single database query.
- Step 01
Collect and structure the data
Capture customer names, aliases, dates of birth, nationality, addresses, registration numbers, beneficial owners, directors, payment parties, wallets, vessels, and other identifiers where relevant.
- Step 02
Screen and triage matches
Screen against the policy list set, compare identifiers, use context to reduce weak name-only matches, and prioritise alerts that require human review.
- Step 03
Decide and retain evidence
Clear false positives with rationale, escalate potential matches, take required action for true positives, and retain a complete audit trail.
At onboarding, screen the customer, beneficial owner, directors, control persons, and other relevant parties. During the relationship, rescreen when sanctions lists change, when customer data changes, when new products are opened, when ownership changes, and when transactions introduce new counterparties or routes.
The EBA's 2024 restrictive-measures guidelines are useful here for payments and crypto-asset firms. They expect screening to use customer information such as name and date of birth for natural persons and legal name for legal persons, where relevant to the applicable restrictive measures. The EBA also clarified that date of birth should not be screened in isolation from first name and surname. In practice, better identifiers reduce both missed matches and unnecessary false positives.
A strong policy should define trigger events instead of relying only on a fixed periodic refresh. Useful triggers include new or changed sanctions measures, onboarding, significant changes to customer due-diligence data, new products, new beneficial owners, significant or complex transactions, new payment corridors, wallet or counterparty exposure, and reasonable grounds to suspect sanctions circumvention.
The same policy should define which fields are screened for each party type. Natural-person screening should not stop at a single name field where better identifiers are available. Legal-person screening should consider legal names, trade names, registration numbers, ownership and control links, and relevant addresses. For payments, crypto-assets, vessels, aircraft, or other asset-linked scenarios, the screening data model may also need wallet addresses, payment parties, vessel identifiers, or other regime-specific fields.
How to Review Matches
A screening alert is not the same as a confirmed match. A name similarity should trigger review, not automatic legal treatment.
Review should compare the strongest available identifiers:
- full legal name and known aliases;
- transliteration and spelling variants;
- date and place of birth;
- nationality or citizenship;
- address and country data;
- registration numbers or document identifiers;
- ownership and control links;
- payment role and transaction context;
- list source, regime, and designation details;
- any listed wallet, vessel, aircraft, or other asset identifier.
The decision should be documented as one of three broad outcomes:
| Outcome | Meaning | Operational response |
|---|---|---|
| False positive | The reviewed customer or transaction is not the listed party. | Close with rationale and retain evidence. Use controlled suppression only where policy allows. |
| Potential match | The alert cannot be cleared with available evidence. | Escalate for enhanced review and collect additional information. |
| True positive | The reviewed party is the sanctioned person, entity, asset, or controlled party. | Trigger the required legal and internal procedures without delay. |
False positive
A false positive is not a failure if it is reviewed correctly. The file should show why the customer, beneficial owner, counterparty, wallet, vessel, or other screened party is not the designated target. Good false-positive handling compares identifiers, documents the rationale, and avoids informal clearing notes that cannot be reconstructed later.
Where policy allows internal whitelisting or suppression, it should be controlled. A cleared name should be reviewed again when sanctions lists change, customer data changes, or the original rationale no longer holds. Otherwise, whitelisting can become a stale exception that hides future true positives.
Potential match
A potential match is an unresolved alert. It should be investigated without delay and treated as a case requiring evidence, ownership, and escalation. The firm may need additional information from internal systems, onboarding records, transaction metadata, corporate registries, or the customer relationship team, while keeping tipping-off restrictions in mind.
The key operating point is that a potential match should not be described internally as "sanctioned" before confirmation. It is also not business as usual. The case should stay open until the firm can classify it as false positive, true positive, or another documented outcome under policy.
True positive
A true positive means the reviewed party is the designated person, entity, asset, or a party owned or controlled by a designated target under the applicable regime. For true positives, the EBA guidelines refer to follow-up procedures that may include immediate rejection, suspension, or freezing, and reporting to the relevant national authority or supervisory authority as required by applicable law.
In Spain, the exact notification and operating route can depend on the applicable restrictive measure and competent authority instructions. The article's practical point is narrower and more stable: the decision must not sit in an ordinary alert queue once confirmed. The case should trigger sanctions-response controls, management escalation, evidence retention, and any required authority communication without delay.
Suspicious ML/TF indicators
Sanctions screening can also reveal facts that require AML/CFT analysis even where the sanctions result itself is cleared. For example, a customer may repeatedly transact near sanctioned jurisdictions, use payment routes that appear designed to obscure counterparties, or provide inconsistent ownership information during alert review. Those facts may need special examination under Law 10/2010 even if the name alert is ultimately not a true sanctions match.
Evidence and Audit Trail
Article 25 of Law 10/2010 requires obliged subjects to retain relevant documentation for ten years. It covers due-diligence documentation and documents or records that adequately evidence operations, participants, and business relationships.
For sanctions screening, the evidence bundle should be specific enough that another reviewer can understand what happened later.
Weak evidence is a common operational failure. A note that says "cleared" is not enough. A defensible file should explain why the match was cleared, escalated, or confirmed.
Spain Sanctions Screening Checklist
Use this checklist to turn the legal and source framework into an operating model:
- Confirm whether the business, branch, agent, intermediary, or cross-border service is an obliged subject under Article 2.
- Treat EU restrictive measures and relevant UN Security Council financial sanctions as the Spain-facing baseline under Article 42.
- Decide whether to add OFAC, UK, Swiss, Canadian, Australian, Singaporean, or other sources because of currencies, payment rails, customers, counterparties, banking partners, group policy, or contractual duties.
- Capture enough identifiers to resolve alerts: legal name, first name and surname, aliases, trade names, date of birth, nationality, address, registration number, ownership links, wallet addresses, and asset identifiers where relevant.
- Screen customers, beneficial owners, directors, control persons, payment parties, counterparties, and other relevant third parties according to the risk model.
- Define trigger events for rescreening, including list updates, onboarding, changed CDD data, new products, ownership changes, significant transactions, new corridors, and suspected circumvention.
- Separate false positives, potential matches, true positives, and suspicious ML/TF indicators in the case taxonomy.
- Keep escalation paths clear for sanctions response, AML/CFT special examination, reporting, abstention, and no-tipping-off controls.
- Retain the screening source, version or refresh timestamp, input data, candidate result, rationale, reviewer, decision, and any blocking, reporting, or monitoring action for the required retention period.
How Checklynx Supports the Workflow
Checklynx supports sanctions screening as a workflow family rather than a single search box. Teams can use real-time API checks, batch screening, manual review, ongoing monitoring, transaction screening, case management, and audit evidence workflows depending on how risk enters the business.
That matters for Spain-based firms because obligations do not sit in one moment. A sanctions-relevant event can appear during onboarding, after a list update, during a transaction, after a beneficial-owner change, or during an investigation. A practical system should preserve the context around each decision and make it easier to show what was screened, when it was screened, what matched, who reviewed it, and what happened next.
Build an audit-ready screening workflow
Use Checklynx to screen customers and counterparties, manage alert review, monitor list updates, and retain evidence for compliance teams.
FAQ
What is SEPBLAC?
SEPBLAC is Spain's Financial Intelligence Unit and a supervisory authority for AML/CFT compliance and certain financial sanctions and countermeasures. It receives and analyses financial intelligence and supervises compliance controls.
Does Spanish law require sanctions screening?
Spanish law gives immediate effect to qualifying EU and UN financial sanctions measures under Article 42 of Law 10/2010. The law also requires due diligence, ongoing monitoring, internal controls, special review, reporting, and evidence retention. Screening is the practical control firms use to operate those duties.
Is SEPBLAC the sanctions list in Spain?
No. SEPBLAC is the Financial Intelligence Unit and a supervisory authority. Sanctions screening should use the official list sources that apply to the firm, with EU and relevant UN financial sanctions as the Spain-facing baseline and other lists added according to exposure.
Which sanctions lists should a Spain-based firm screen?
EU financial sanctions and relevant UN Security Council measures should form the Spain-facing baseline. OFAC, the UK Sanctions List, and other national lists should be added where the firm's exposure, banking relationships, currencies, counterparties, or group policy justify broader coverage.
Should beneficial owners be screened?
Yes, where beneficial ownership is relevant to the relationship or operation. Law 10/2010 requires obliged subjects to identify the beneficial owner and take appropriate measures to verify identity before establishing the business relationship or executing operations.
How often should existing customers be rescreened?
Rescreening should happen when sanctions lists change, customer data changes, new products are opened, ownership changes, significant operations occur, or transaction context introduces new risk. Higher-risk customers and higher-change business models need stronger ongoing monitoring.
What turns a name hit into a true sanctions match?
A true match requires review of identifiers and context, not just name similarity. Review should compare names, aliases, transliteration, date of birth, nationality, registration numbers, addresses, ownership links, and regime-specific identifiers where available.
What is the difference between a sanctions match and a SEPBLAC report?
A sanctions match concerns whether the party is subject to a restrictive measure and what sanctions response is required. A SEPBLAC suspicious-transaction report concerns indications or certainty of money laundering or terrorist financing after special examination. One case can involve both, but they are separate decisions.
How long should sanctions screening evidence be kept in Spain?
Article 25 of Law 10/2010 requires retention of relevant AML/CFT documentation for ten years. Sanctions screening evidence should be retained consistently with the firm's legal and record-retention policy.
Are OFAC and UK sanctions mandatory for all Spain-based firms?
Not as a universal Spain-only baseline. They are usually exposure-driven extensions for firms with U.S. or UK nexus, correspondent-banking expectations, group policy requirements, contractual commitments, relevant currencies, or cross-border counterparties.
Official Sources Explained
- BOE: Law 10/2010 consolidated text: the legal backbone for obliged subjects, customer due diligence, beneficial ownership, ongoing monitoring, special examination, reporting, no tipping off, document retention, and Article 42 financial sanctions.
- SEPBLAC 2024 Activity Report: the source for the 2024 suspicious-reporting figures, neobank and virtual-asset reporting increases, and aggregated mule-account reporting data cited above.
- UN Security Council Consolidated List: the official UN list source to reference when screening relevant UN Security Council measures.
- OFAC Sanctions List Service: the official U.S. list-delivery endpoint for firms that need OFAC coverage because of U.S. exposure, USD clearing, banking requirements, or group policy.
- UK Sanctions List: the official UK designations source for firms with UK exposure, counterparties, contracts, or policy requirements.
- EBA Final Report on restrictive-measures guidelines: operational guidance for restrictive-measures governance, screening fields, trigger events, calibration, alert handling, and true-positive follow-up.
Last reviewed: 23 May 2026.