What is Know Your Customer (KYC), and what do Spanish companies need to know?

According to 2024 data from the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses (SEPBLAC), more than 24,000 warnings of suspicious transactions were detected as a result of mandatory Know Your Customer (KYC) verifications in Spain. Financial institutions accounted for the majority of the warnings (86%), followed by nonfinancial institutions (11.6%) and other types of entities (2.6%).

In Spain, specific business entities have a legal obligation to implement KYC controls. However, any company that wants to improve fraud detection and prevention can also do so voluntarily. Whether or not KYC is mandatory for your business, it is important to know how to implement it. In this article, we explain KYC, including its purpose and procedures.

What’s in this article?

  • What does Know Your Customer (KYC) mean?
  • What are the benefits of KYC?
  • Who is required to implement KYC procedures in Spain?
  • Legal requirements for KYC procedures in Spain
  • Example of a KYC procedure in Spain
  • How Stripe Identity simplifies KYC procedures
  • FAQs about KYC in Spain

What does Know Your Customer (KYC) mean?

A KYC procedure is designed to verify the identity of customers before contracting services or completing online purchases. Its aim is to reduce the risk of fraud and other financial crimes, such as money laundering.

To verify customer identity and mitigate security threats—including identity theft and personal data theft—businesses can use mechanisms such as two-factor authentication and digital signatures.

What are the benefits of KYC?

Beyond being a mandatory requirement in some industries, the implementation of KYC offers advantages at operational and strategic levels for companies working in digital environments. These are the main benefits of integrating KYC procedures:

  • Fraud protection
    Verifying customers’ identities makes it harder for fraudulent actors to gain access. KYC is the initial barrier that verifies each customer. This is especially important in a digital environment where cases of identity theft account for 14% of the queries to the National Cybersecurity Institute (INCIBE).
  • Operational stability
    Strict compliance with the Law on the prevention of money laundering is important to guarantee business continuity. In addition to financial penalties, a deficient KYC system can lead to the suspension of company activities or disqualification of directors.
  • Automation and accuracy in data processing
    Most modern KYC solutions use optical character recognition (OCR) and artificial intelligence (AI) capabilities to extract information from documents with high accuracy. By eliminating the need to manually enter data, these KYC solutions minimize human error. This can result in reliable and standardized customer records.
  • Fast onboarding
    One of the main reasons for abandonment during the registration process is a slow or complex onboarding. Integrating a flexible KYC system can transform this experience. For example, a process that previously required physical documentation and long wait times can now be completed within seconds. Furthermore, some KYC solutions are compatible with identity documents from dozens of countries, making them easier to launch in new markets.

Who is required to implement KYC procedures in Spain?

Regulation (EU) 2024/1624 establishes the regulatory framework that governs the application of KYC policies and procedures in the EU. However, each member state has the power to introduce its own legal nuances.

In Spain, Law 10/2010 on the prevention of money laundering and the financing of terrorism mainly governs the KYC system. Below, we provide a list of entities that have a legal obligation to collect and verify identifying information when they establish or maintain a commercial relationship in Spain.

Financial institutions

Financial institutions are exposed to a greater risk of fraudulent transactions because they focus on the management of customers’ financial resources. This is reflected in data from SEPBLAC, which indicates that banks, savings banks, payment institutions, and other credit institutions had the largest number of indication-based reports in 2024. Here is a complete list of financial institutions that are required to implement KYC procedures:

  • Credit institutions
  • Life or investment insurance companies
  • Investment service companies
  • Mutual fund managers and companies
  • Pension fund managers
  • Venture capital managers and companies
  • Mutual guarantee societies (i.e., nonprofits that finance Spanish small and medium-sized enterprises [SMEs] and are governed by Law 1/1994)
  • E-money and payment institutions
  • Currency exchange professionals
  • Cryptocurrency service providers

Nonfinancial institutions

Some entities outside the financial sector are also involved in high-risk transactions. Lottery administrators, registrars, and notaries recorded the largest number of indication-based reports in 2024, according to SEPBLAC. The following are nonfinancial institutions that must implement KYC procedures:

  • Money order service providers, as long as their main activities involve logistics and not those of payment institutions
  • Credit brokers and lenders that operate without a banking license and are not legally considered credit institutions or financial credit establishments
  • Real estate developers and brokers with rental transactions equal to or greater than €10,000 per month or €120,000 per year
  • Auditors, external accountants, and tax advisors
  • Notaries and land registrars, personal property registrars, and company registrars
  • Attorneys and solicitors in certain transactions on behalf of customers, such as financial or real estate transactions
  • Professionals that provide services to corporations and trusts
  • Casinos
  • Jewelry, precious stones, or precious metals traders
  • Art or antique dealers or brokers
  • Sellers of goods with buyback offers
  • Lottery and gambling operators when paying out winnings
  • Sellers of goods with purchases by nonresidents of Spain worth more than €10,000 and paid for with high-risk payment methods, such as cash
  • Foundations and associations when they contribute or receive funds
  • Securities settlement and payment system managers

Even if a business is not legally required to adopt a KYC system, implementing one is recommended to improve fraud risk management. Because KYC involves verifying customers’ identities and financial activities, this process can help to mitigate threats such as identity theft.

Legal requirements for KYC procedures in Spain

Law 10/2010 also establishes the requirements that all entities obliged to implement KYC procedures must meet. The requirements are classified into due diligence and control measures. We describe the most important of these requirements below.

Due diligence

Due diligence involves gathering information about customers’ identities and economic activities. Due diligence measures are applied in proportion to the level of customer risk, type of product, or nature of the transaction. This risk analysis must be formalized in writing in advance to determine the risk profile and, ultimately, the applicable requirements.

Due diligence requirements for low-risk profiles

In cases where the analysis determines that the risk profile is low, regulations allow the application of simplified due diligence measures. This simplifies the procedures without compromising regulatory compliance. The most important requirements are described below:

  • Identify the customer
    The first step for companies or professionals implementing KYC procedures is to formally identify the customer. If it is a legal entity (e.g., a company that wants to buy an office), the beneficial owner must be identified (i.e., the individual who owns more than 25% or controls the company).
  • Verify the professional or business activity
    The entity responsible for the KYC procedure must verify that the customer’s professional or business activity is truthful (e.g., through payroll or company profits). This verification must be reasonable (i.e., proportionate to the transaction’s level of risk).
  • Determine the purpose of the transaction
    Next, it is necessary to discover the customer’s purpose in pursuing the financial transaction. This must be consistent with the previously verified professional or business activity. For example, if the purpose of the transaction is to allocate part of the entity’s savings to invest in cryptocurrencies, a purchase of €500,000 in bitcoin can be reasonable if the company has annual revenues of several million. However, it would not be reasonable for an individual with a monthly salary of €1,500.
  • Implement continuous monitoring
    The KYC system is not limited to the beginning of the business relationship. Instead, it involves continuous monitoring. For example, if a customer earned a salary of €2,900 when they invested in a fund, but they are now unemployed and without income, it is important for the financial institution to know that information. Therefore, it is important to update customer data when significant changes occur in their profiles.

Due diligence requirements for high-risk profiles

If the analysis determines that the customer profile, transaction, or acquired asset is high risk, enhanced due diligence measures will be implemented. These are in addition to the requirements for low-risk profiles. Below, we explain some of the most common measures in Spain:

  • Locate the origin of the funds
    This enhanced measure applies, for example, when the customer holds a position of public responsibility, such as a minister or a senior leader of a political party with representatives in parliament.
  • Require an electronic signature
    If the transaction takes place electronically, the entity must verify the customer’s identity with an electronic signature that meets the requirements established by Regulation (EU) 910/2014.
  • Obtain express authorization
    In certain cross-border payments from a Spanish bank to a foreign bank, express authorization from senior management is required before proceeding with the transfer of funds.

Control and information measures

If the results of due diligence point to possible illegal activity, the company responsible for the KYC procedure must adopt the following control and information measures:

  • Special examination
    The entity must implement its internal control protocols to investigate the specific case and prepare a report that details the reasons for the suspicion and the conclusions reached.
  • Indication-based or systematic reporting
    If the conclusion of the special examination confirms or reinforces the initial suspicion, the company must send a report to SEPBLAC detailing the customer’s identity, activity, and suspicious transaction. Even if there is no evidence of suspicion, it is mandatory to send a systematic report of those transactions with origins or destinations in countries with high risks of money laundering.
  • Transaction cancellation
    The company must refrain from carrying out the transaction, unless this is impossible or could hinder the course of the investigation.
  • Prohibition of disclosure
    The entity is prohibited from informing the customer or third parties about the report to SEPBLAC, regardless of the report being indication-based or systematic.
  • Cooperation with authorities
    If the relevant authorities request additional information, the entity must provide it quickly and accurately to facilitate the investigation.
  • Document retention
    The company must retain, for 10 years, all documentation that proves compliance with the legal requirements for KYC procedures in Spain.

Example of a KYC procedure in Spain

Although customer due diligence verifications vary depending on the risk profile and business type, the fundamental steps are similar in most cases. Here is an example of a KYC procedure in Spain:

  • Access the form
    Booking.com is the most used accommodation booking system in the B2C environment in Spain, even ahead of direct bookings with hotels. The management of a traditional hotel decides to start a business relationship with this online travel agency as part of its digital transformation strategy. To operate on the platform, it must first complete the Booking.com KYC form.
  • Determine the type of entity
    Booking.com applies different requirements, depending on the type of entity. For example, self-employed individuals only need to enter their personal details and bank account information. However, the hotel is registered in the Commercial Registry as a limited liability company (SL), so the hotel managers select the “Business Entity” option.
  • Fill out the form
    The representative completes the form on behalf of the SL. To operate as a partner company, Booking.com requests information, such as the company name, date of incorporation, and International Bank Account Number (IBAN) for the company bank account.
  • Verify the information and analyze the risk
    After receiving the form, Booking.com carries out the verification process, which includes several steps, such as identifying the owners of the SL and verifying that the information matches the listing in the Commercial Registry. Next, it will conduct a risk analysis and, if the outcome is favorable, initiate a business relationship with the hotel.
  • Implement a KYC procedure for booking
    It is common for platforms such as Booking.com to extend this procedure to customers who make hotel bookings to strengthen their KYC protocols. In this video, we demonstrate the identity verification process with Stripe Identity and the steps customers need to complete during the booking process.

How Stripe Identity simplifies KYC procedures

If you are legally required to implement a KYC system in Spain, you must ensure that the information collection procedures comply with the General Data Protection Regulation (GDPR). Stripe Identity facilitates this task by simplifying identity verification during the onboarding process and complying with Spanish KYC regulations.

Identity allows you to verify your customers’ identities and reduce the risk of confidential data leaks. Furthermore, it simplifies fraud teams’ workloads by reducing manual tasks, while helping legitimate customers benefit from faster and simpler verification processes.

In addition, combining Stripe Payments (Stripe’s online payment platform) with Stripe Radar (its fraud tool) can help prevent fraudulent attacks, thanks to these systems’ security measures and their prevention of false positives that could affect conversion.

For platforms and marketplaces, Stripe Connect can simplify KYC procedures involved in multiparty payment management. It integrates KYC verifications for customers, in addition to verification for businesses and professionals offering their products and services on your website.

FAQs about KYC in Spain

Is it mandatory to carry out KYC procedures for all transactions?

Whether or not KYC procedures are mandatory depends on the type of entity. Financial institutions (e.g., credit institutions and cryptocurrency service providers) must apply KYC procedures to all transactions. However, some nonfinancial entities are only required to perform these verifications in specific cases. For example, shops and professionals must carry out the KYC procedure with transactions to nonresidents for amounts exceeding €10,000 paid with high-risk payment methods.

What happens if the KYC procedure is not implemented despite being mandatory?

If a company fails to fulfill the obligation to implement KYC procedures, it will have to accept the applicable penalties. Minor offenses—such as failing to identify a customer in a single transaction—can result in private reprimands or fines of up to €60,000. In the case of a serious offense—such as failing to identify the customer when there are indications or certainty of money laundering or financing of terrorism—the minimum fine is €60,000. For very serious offenses—including repeat offenses—the minimum penalty is €150,000. In addition to fines, serious and very serious offenses can lead to other consequences, such as temporary suspension of the administrative authorization to operate and disqualification of managers.

Is it advisable to implement KYC procedures in an ecommerce business?

Although ecommerce businesses are not legally required to implement a KYC system, it is recommended for detecting and preventing fraud in ecommerce. By gathering information about customers and their economic activities, you can determine the level of risk in business relationships and, if necessary, take extra precautions to avoid threats such as identity theft. Implementing the KYC procedure without being required to do so is especially recommended for businesses that accept riskier payment methods, such as ecommerce businesses that accept cryptocurrency payments or installment payments.

The content of this article is provided for informational and educational purposes only. It does not constitute legal or tax advice. Stripe does not guarantee the accuracy, completeness, relevance, or currency of the information contained in this article. We advise you to seek the opinion of a competent attorney or licensed accountant in the relevant jurisdiction or jurisdictions to obtain advice suited to your situation.
