KYB in Spain 2026: Business Verification Under Banco de España and EU AMLD
Spain KYB in 2026 isn't a Mercantile lookup with an AML label attached. The harder part is understanding who owns the company, who controls it, who's acting for it — and whether that picture holds up under Ley 10/2010 and SEPBLAC scrutiny.
In Spain, KYB is not a light company lookup followed by a commercial approval. In 2026, any fintech onboarding Spanish businesses needs a workflow that verifies the legal entity, identifies the beneficial owners, checks the administrators and representatives, and connects that evidence to SEPBLAC-facing AML obligations.
Spain is one of the more active fintech markets in Europe.
That creates a common mistake.
Teams assume Spanish business onboarding is mostly about checking that the company exists in the Registro Mercantil and then moving on. In practice, the harder part is understanding who owns the company, who controls it, who is acting for it, and whether the relationship is coherent under Spain's AML rules.
This is exactly where weak KYB starts looking complete when it is not.
The Spain KYB framework in 2026
Spanish business verification sits inside the broader anti-money laundering framework rather than existing as a separate registry exercise.
Three layers matter most.
1. Ley 10/2010 is still the core AML law
Spain's main AML statute remains Ley 10/2010, de prevención del blanqueo de capitales y de la financiación del terrorismo.
That law imposes customer due diligence, beneficial-owner identification, ongoing monitoring, recordkeeping, and suspicious-activity escalation obligations on regulated firms and other obliged entities.
For KYB teams, the practical point is simple: onboarding a business customer is part of the AML system, not a preliminary admin task outside it.
2. Real Decreto 304/2014 makes the control model more operational
The regulation approved by Real Decreto 304/2014 develops Ley 10/2010 and turns the legal duty into a more usable operating framework.
That matters because the regulation is where many practical expectations become clearer:
- what due diligence should look like
- how obliged entities should examine unusual cases
- what systematic and suspicious reporting flows exist
- how customer knowledge should support later escalation
In other words, Spain KYB is not only about collecting the right documents. It is about building a customer file that can support later monitoring and reporting decisions.
3. Banco de España supervision matters for payment and e-money flows
For many fintechs, the most relevant supervisory perimeter is Banco de España.
Banco de España states that payment institutions are legal entities authorized to provide regulated payment services and that supervised entities must be registered in its official public registers. If your platform is a payment institution, e-money institution, or otherwise operating in a Banco de España supervised structure, the onboarding process needs to be strong enough for that control environment.
That does not mean Banco de España replaces SEPBLAC in AML matters. It means prudential and operational supervision sit alongside AML obligations, which makes weak business onboarding harder to defend.
What a Spain KYB check should include
A defensible Spain KYB workflow usually has six layers.
1. Entity verification through the Mercantile record
The first step is confirming that the company exists and that the legal-entity record is current.
In practice, that means checking:
- legal name
- legal form
- registered office
- registration status
- Mercantile record data
- tax identifier for the entity
This is the baseline.
But it is only the baseline.
A registry record proves the entity exists. It does not prove the relationship is low risk, that the controller is known, or that the signatory has clean authority.
2. NIF and representative logic
Spanish business onboarding often breaks at the representative layer, not at the company-exists layer.
A platform should be able to verify:
- the company's NIF
- the identity of the person acting for the company
- the authority of that person to represent the business
- whether the declared role matches the company documentation
This matters because many operational failures come from assuming the onboarding contact is obviously authorized. In practice, authority chains need to be checked.
3. Beneficial-owner identification
Spain's AML regime requires beneficial-owner identification. That is not optional.
A real Spain KYB process should ask:
- who directly or indirectly owns the company
- who effectively controls it
- whether the ownership chain is understandable
- whether the beneficial-owner picture matches the declared business profile
This is where a shallow onboarding process usually fails.
It can identify the company but not the people behind it.
4. Use the Central Beneficial Ownership Register properly
This is one of the most important practical changes for Spain KYB.
Real Decreto 609/2023 created the Registro Central de Titularidades Reales as a central electronic register for beneficial ownership information in Spain. The regulation also explains who can access it, including authorities and obliged entities acting through accredited users.
That means fintech teams should not design Spain KYB around fragmented ownership evidence alone. There is now a central structure for beneficial-owner data, but it still needs to be used lawfully and reconciled against the full customer file.
This means one thing: beneficial-owner review is now more structured, but not automatic.
The register supports the workflow. It does not eliminate the need for analysis.
5. Director and administrator review
Spanish business verification should not stop at ownership.
It should also cover:
- administrators
- directors or equivalent control persons
- legal representatives
- whether management and control make sense for the declared activity
That step becomes more important when the customer is a merchant platform, B2B payments business, treasury user, or higher-volume corporate account.
6. Screening, monitoring, and escalation
SEPBLAC's own guidance on comunicación por indicio makes the control chain clear.
If an obliged entity sees facts or attempted operations that, after special examination, point to money laundering or terrorist financing risk, it must communicate that to SEPBLAC without delay. The reporting logic depends on understanding the customer, the activity, and the mismatch between them.
That is why Spain KYB should feed:
- sanctions and PEP screening
- business-risk classification
- expected-activity profiles
- unusual-activity review
- suspicious-operation escalation
If the business file is weak at onboarding, the later SEPBLAC reporting decision gets weaker too.
Why Spain KYB gets difficult in practice
The legal framework is not the hardest part.
The hard part is operational consistency.
Registry truth does not answer ownership questions by itself
A valid Mercantile record can still leave open questions about who ultimately controls the company or whether the operating story fits the structure.
Representative authority gets messy quickly
The person signing up for the product is not always the person with the cleanest legal authority.
That creates avoidable risk if authority review is treated as a formality.
Cross-border structures are common
Spanish business customers can sit inside wider EU or non-EU ownership chains. That means the beneficial-owner analysis may move beyond a single domestic record fast.
Monitoring is easy to postpone
Teams often treat KYB as a front-door decision only.
But SEPBLAC reporting expectations and Law 10/2010's broader due-diligence logic make that approach too weak for serious fintech use cases.
How VOVE ID helps automate Spain KYB
VOVE ID helps fintech teams turn Spanish business onboarding into one operational workflow instead of a patchwork of registry extracts, screenshots, spreadsheets, and analyst notes.
That can include:
- legal-entity verification
- NIF and representative checks
- beneficial-owner capture and review
- director and administrator mapping
- sanctions and PEP screening
- risk scoring and escalation routing
- one audit trail across the onboarding case
That matters because the real cost of weak KYB is not just a slower approval.
It is weaker monitoring later, noisier alerts, slower investigations, and a harder time explaining why the customer was approved in the first place.
Spain KYB checklist for fintech teams
Before approving Spanish business customers, ask:
- Can we verify the legal entity through current official registry data?
- Do we validate the company's NIF and the authority of the acting representative?
- Can we identify and explain the beneficial-owner chain cleanly?
- Do we use beneficial-owner register access lawfully and reconcile it with other case evidence?
- Are administrators, representatives, and beneficial owners screened before activation?
- Does the onboarding result feed an expected-activity and monitoring model?
- If the case turns suspicious later, can we reconstruct the full decision path quickly?
If those answers are weak, the problem is not that Spain is hard.
It is that the KYB workflow is still too shallow.
Conclusion
Spain KYB in 2026 is not a Mercantile lookup with an AML label attached.
Under Ley 10/2010, Real Decreto 304/2014, the central beneficial-owner register, and the Banco de España and SEPBLAC control environment, fintechs need to verify the entity, identify the beneficial owners, confirm who can act for the company, and carry that knowledge into monitoring and escalation.
That is what makes Spanish business onboarding durable.
Need to automate Spain KYB across registry checks, beneficial-owner review, and ongoing AML operations in one workflow? Talk to the team.
