AML
What is AML/CFT?
AML/CFT stands for Anti‑Money Laundering and Counter‑Terrorist Financing. It is the regulatory framework that requires certain entities and professionals to implement controls to detect, prevent, and report suspicious operations related to money laundering or the movement of funds toward terrorist activities.
In Spain, the main regulation is Law 10/2010 of 28 April, developed by Royal Decree 304/2014. At the European level, the framework is completed by Directive (EU) 2015/849 and the new Regulation (EU) 2024/1624, directly applicable from July 2027.
For an ecommerce business processing card payments, AML/CFT is operational: your acquirer, processor, and financial institution are obliged entities. If your activity does not match what you declared, they may block your account, hold funds, or terminate your payment gateway.
How AML/CFT works
The AML/CFT system is structured around a risk‑based approach. The main obligations are:
- Customer due diligence (KYC): Identification and verification of the customer and the beneficial owner. Law 10/2010 defines three levels: simplified, standard, and enhanced.
- Ongoing monitoring: Transaction analysis to detect atypical patterns, such as volumes inconsistent with the declared activity or frequent changes of bank account.
- Suspicious activity reporting (SAR): Mandatory reporting to SEPBLAC under Article 18 of Law 10/2010.
- Record‑keeping: Documentation must be retained for at least 10 years after the business relationship ends.
- Mandatory training: Periodic staff training on AML/CFT prevention.
According to SEPBLAC’s March 2026 guidance, creating lists of prohibited customers by entire categories indicates ineffective AML/CFT risk management. Rejection must always be individual, based on Article 7.3 of Law 10/2010, and only when the customer prevents the application of due‑diligence measures appropriate to their risk profile.
Regulatory impact and applicable security
The AML/CFT regulatory ecosystem for ecommerce in Spain combines three levels:
| Regulation | Scope | Relevance for ecommerce |
|---|---|---|
| Law 10/2010 and RD 304/2014 | National (Spain) | Defines obliged entities, due‑diligence levels, and sanctions regime |
| Directive (EU) 2015/849 (4th and 5th AMLD) | European Union | Harmonized AML obligations for financial and payment institutions |
| Regulation (EU) 2024/1624 | European Union | Directly applicable from July 2027; strengthens controls on payment institutions |
| EBA Guidelines EBA/GL/2024/01 | European Union | Updates risk factors and enhanced due‑diligence requirements for payment service providers |
| FATF Recommendations | International | Global standards that shape all European and national AML legislation |
Payment institutions and electronic‑money institutions are obliged entities under Article 2.1 of Law 10/2010. The EBA has stated that they present a high level of money‑laundering risk, which has led to reinforced supervision through Guidelines EBA/GL/2024/01.
The most critical risk for ecommerce is transactional money laundering: criminals use legitimate merchants to process payments for undeclared businesses. This exposes both the acquirer and the merchant to severe sanctions and reputational damage.
Operational advantages and disadvantages
Advantages of complying with AML/CFT:
- Protection against account blocks and fund holds by the acquirer.
- Greater trust from payment processors, facilitating merchant‑account approval in regulated sectors.
- Reduced chargeback risk linked to fraudulent activity.
- Access to better commercial conditions from acquirers that value a controlled risk profile.
Operational disadvantages:
- Implementation costs, especially for small businesses that must outsource compliance functions.
- Friction during onboarding when enhanced due‑diligence measures apply.
- De‑risking risk: financial institutions rejecting merchants in certain sectors out of excessive caution, causing unjustified financial exclusion.
Was this term useful?
Leave a Comment