Preventing money laundering and the financing of terrorism is an obligation that directly affects many law firms in Spain. Certain activities — such as involvement in real estate transactions, handling funds, incorporating companies or wealth planning — place the lawyer within the scope of “obliged subjects” under anti-money-laundering rules. This calls for serious know-your-client (KYC) and customer due diligence procedures.

This article offers a practical checklist, designed for small and mid-sized firms, to help organise these obligations. It does not replace specialist advice.

Why this affects your firm

SEPBLAC is the supervisory authority and financial intelligence unit in Spain. When a firm carries out certain regulated activities, it takes on specific obligations: identifying the client, assessing risk, retaining documentation and, where appropriate, reporting suspicious transactions.

Non-compliance is not a minor matter: beyond the reputational risk, there is a penalty regime. The good news is that an orderly process and the right tools dramatically reduce the workload and the risk of error.

Client identification checklist (KYC)

Before starting the business relationship or the regulated transaction, it is worth checking:

  • Formal identification. A valid identity document for individuals (DNI, NIE or passport) and registry details for legal entities.
  • Identity verification. Cross-checking the documentation provided against reliable, independent sources where appropriate.
  • Beneficial ownership. For companies and other structures, identifying the individual or individuals who ultimately control or benefit from the entity.
  • Purpose of the relationship. Understanding the nature and purpose of the transaction or the professional engagement.
  • Source of funds. For transactions of a certain value or risk, reasonable information about where the money comes from.

Risk-assessment checklist

Not all clients or transactions carry the same level of risk. A risk-based approach means documenting the assessment of factors such as:

  • Type of client. For example, politically exposed persons (PEPs), complex corporate structures or non-resident clients.
  • Nature of the transaction. High-value real estate deals, cash movements or unusual structures warrant closer attention.
  • Geographic area. Jurisdictions considered higher risk under the applicable lists and criteria.
  • Channel of the relationship. Non-face-to-face engagement may require enhanced identification measures.

Depending on the outcome, you will apply standard, simplified or enhanced due diligence.

Retaining documentation

The rules require due diligence records to be kept for the period set by law. In practice, this means keeping the following in an orderly, accessible way:

  • Copies of identification documents.
  • The risk analysis carried out and its conclusions.
  • Evidence of the verifications performed.
  • A record of the regulated transactions.

The key is traceability: being able to demonstrate what was done, when and why.

Reporting suspicious transactions

If you detect indications that a transaction may be connected to money laundering, there is an obligation to refrain from carrying it out and to report it to SEPBLAC under the established procedures. It is essential to:

  • Avoid tipping off the client that a report is to be or has been made.
  • Document internally the reason for the suspicion.
  • Appoint a person with internal responsibility for these matters where the firm’s structure requires it.

Common mistakes in small firms

  • Treating KYC as a one-off. Due diligence requires ongoing monitoring of the business relationship, not just an initial check.
  • Scattered documentation. Keeping records in emails, loose folders and spreadsheets makes it hard to demonstrate compliance during an inspection.
  • No consistent standard. Without a written procedure, each lawyer applies their own approach, with uneven results.

How a good management tool helps

An end-to-end firm-management system means compliance no longer has to be a manual burden. By centralising clients, case files and documents, it becomes far easier to:

  • Collect and retain the identification and beneficial ownership of each client.
  • Record the risk analysis attached to each matter.
  • Locate all the documentation in a file instantly.
  • Maintain the traceability needed to respond to the supervisor.

When these functions are also supported by AI, the system can help flag incomplete data or prepare documentation more quickly, always under the professional’s supervision.

Conclusion

Anti-money-laundering compliance does not have to become a constant source of stress. With a clear procedure, a well-documented risk assessment and a tool that keeps information in good order, your firm can comply confidently and devote its time to what truly matters.

This article is informational and does not constitute legal advice. If you would like to simplify your firm’s document and compliance management, request early access to Mandato, the AI-native end-to-end CRM designed for Spanish legal practice.