Anti‑money laundering in acquiring: How a regulated PayFac operates

A sub‑merchant onboarded at 9:00 begins processing 200 transactions per hour with cards issued in three different jurisdictions. At 11:00, the system withholds settlement. At 14:00, the compliance team blocks the account and files a report with SEPBLAC. That merchant never received a single euro. This scenario can happen to any payment facilitator that is doing its job correctly.

Anti‑money laundering (AML) prevention is not an onboarding formality. It is a live, continuous process that affects every transaction. If you operate under an aggregated acquiring model, you need to understand which controls your facilitator applies, why they may impact your settlement, and how to collaborate to avoid friction.

What AML prevention is and why it defines PayFac operations

Anti‑money laundering prevention is the set of legal obligations and technological controls that prevent illicit funds from entering the financial system. Article 1 of Law 10/2010 defines money laundering as the conversion, transfer, concealment, or acquisition of assets derived from criminal activity.

In a PayFac model, the facilitator aggregates multiple merchants under its umbrella and acts as an intermediary between the sub‑merchant, the regulated acquirer, and the card schemes. This position makes the facilitator a “obliged entity” under Article 2.h) of Law 10/2010, which includes payment institutions and the entities referenced in Royal Decree‑Law 19/2018.

The dual responsibility of the PayFac model

The facilitator is responsible for applying AML controls to every sub‑merchant: due diligence at onboarding, continuous monitoring, and reporting to SEPBLAC when indicators arise. If a sub‑merchant launders money through the platform, regulatory liability falls on both the facilitator and the financial institution acting as the acquirer.

The real impact of AML prevention on your merchant settlement

Every euro processed by a facilitator passes through a risk filter before reaching the merchant’s account. When the filter detects an anomaly, funds are withheld. Law 10/2010 requires obliged entities to abstain from executing suspicious operations and to report them to SEPBLAC.

A merchant billing €80,000 per month who faces a 10‑day withholding experiences an immediate liquidity issue. Common triggers include: volumes tripling the declared turnover, concentration of payments from cards issued in non‑cooperative jurisdictions, and refund ratios above the 1% threshold imposed by card schemes.

The other side of the equation: a merchant with complete documentation and activity aligned with its profile receives settlements in 24–48 hours with fewer holds. Well‑managed AML from onboarding is not a barrier—it is what enables funds to flow.

How AML prevention works inside a PayFac

Compliance operates in three phases that run continuously from the moment a merchant applies for onboarding until the moment it stops operating on the platform.

Phase 1: KYC and KYB during sub‑merchant onboarding

Article 3 of Law 10/2010 requires formal customer identification before establishing a business relationship. In a PayFac, this translates into an onboarding process that includes:

• Document verification of the legal representative using optical recognition and facial biometrics.
• Identification of the beneficial owner: any natural person holding more than 25% of the share capital.
• Analysis of the business model and expected transaction volume to assign the correct category code.
• Screening against international sanctions lists, politically exposed persons lists, and high‑risk registries.

An automated process approves low‑risk merchants within minutes. Profiles requiring enhanced due diligence (Articles 11 to 16) undergo manual review.

Phase 2: Continuous transactional monitoring

Article 6 of Law 10/2010 requires ongoing monitoring of the business relationship. In practice, every transaction is analyzed in real time against the sub‑merchant’s profile. Rule engines generate alerts when detecting:

• Volumes significantly exceeding the range declared during onboarding.
• Multiple unrelated cards operating on the same sub‑merchant within abnormal intervals.
• Structuring patterns designed to evade control thresholds (below‑the‑radar laundering).
• Requests to change the settlement bank account without documented justification.
• Concentration of operations from high‑risk jurisdictions or anonymous prepaid cards.

Phase 3: Reporting to SEPBLAC and confidentiality obligations

When indicators of money laundering are confirmed, the facilitator reports the suspicious activity to SEPBLAC. Article 24 prohibits disclosing to the merchant that such a report has been filed. Breaching this confidentiality obligation constitutes a very serious infringement. All documentation must be retained for 10 years.

Regulatory compliance: Law 10/2010, Directive 2015/849 and EBA guidelines

Law 10/2010 is the core regulatory framework. Article 2.h) includes payment institutions as obliged entities. Articles 3 to 6 regulate due diligence, Articles 11 to 16 define enhanced measures for high‑risk sectors, and Articles 26 to 31 require an internal control body and a representative before SEPBLAC. The sanctioning regime (Articles 51 to 58) includes fines of up to €150,000 for serious infringements and €10,000,000 for very serious ones.

At the European level, Directive (EU) 2015/849 (4AMLD) harmonizes obligations and includes payment service providers as obliged financial entities. The EBA Guidelines EBA/GL/2021/02, updated in January 2024, detail the risk factors institutions must assess when onboarding clients: nature of the business, product type, distribution channel, and geographical scope.

AML prevention in action: real alerts by sector

In e‑commerce, the most frequent alerts involve mass purchases with stolen cards, fictitious refunds used as a laundering channel, and structuring below thresholds. The refund‑to‑sales ratio is the key indicator.

In digital service platforms, the risk pattern is a newly created sub‑merchant processing volumes incompatible with its age. An account active for 48 hours with €50,000 in micro‑transactions triggers immediate withholding.

In gaming and betting, Article 11 of Law 10/2010 classifies the sector as high risk. Enhanced due diligence is mandatory: verification of source of funds and intensified monitoring of deposits and withdrawals.

Regulated acquiring vs. generic models: why the difference matters

Real AML questions in acquiring

My payment facilitator has withheld my settlement without explaining why. Is this legal.

Yes. Article 24 of Law 10/2010 prohibits the obliged entity from revealing that an analysis or report to SEPBLAC has been initiated. What the facilitator must do is request the documentation needed to resolve the incident.

What is the difference between a money‑laundering hold and a transactional fraud hold

A fraud‑related hold affects specific operations (stolen cards, unauthorized transactions). A money‑laundering hold affects the entire sub‑merchant profile: activity, volume, and consistency with what was declared. Both may occur simultaneously.

What documentation should I have ready to avoid account blocks

Updated corporate documentation, valid identification for all beneficial owners with more than 25% ownership, proof of activity (invoices, supplier contracts), and an operational website consistent with the declared activity.

How often does a facilitator review due‑diligence information

It is required when customer circumstances change, when a significant operation occurs, or at least once per year. Higher‑risk merchants are reviewed monthly.

If I detect suspicious activity on my platform and do not report it, what are the consequences

Law 10/2010 classifies this as a very serious infringement when an executive or employee has internally raised the existence of indicators. Fines can reach €10,000,000.

Anti‑money laundering prevention in acquiring is not an isolated department: it is the infrastructure that supports every settlement. Payment facilitators like PayOk execute these controls backed by a premium regulated acquirer so merchants can scale with legal certainty.

Sources and related reading

Legal and regulatory framework

• Law 10/2010, of 28 April, on the prevention of money laundering and terrorist financing.
• Royal Decree 304/2014, approving the Regulation of Law 10/2010.
• Directive (EU) 2015/849 of the European Parliament and of the Council (4AMLD).
• Directive (EU) 2015/2366 on payment services (PSD2).
• Royal Decree‑Law 19/2018 on payment services.

Guidelines and technical standards

• EBA/GL/2021/02 – Guidelines on money‑laundering and terrorist‑financing risk factors (updated by EBA/GL/2024/01).
• FATF Recommendations.
• SEPBLAC catalogue of risk indicators.