Spain's licensing framework, Banco de España requirements, SEPBLAC compliance, and infrastructure setup — everything you need to launch a regulated payment or remittance business in the EU's fourth-largest economy.
Starting a money transfer business in Spain means entering one of Europe's most active remittance markets — and one of its most regulated. Spain sits at the intersection of Latin American, North African and Eastern European payment corridors, generating sustained demand for licensed cross-border transfer services. But the path from business idea to regulated operation requires navigating the Banco de España's authorisation framework, SEPBLAC's AML oversight, EU payment services directives, and the practical infrastructure demands of running a compliant remittance platform. This guide sets out the key steps for MTOs and fintech founders looking to launch or expand into Spain in 2026.
In This Article
Spain ranks among Europe's most significant remittance source markets. The country hosts large migrant communities with active payment corridors to Morocco, Colombia, Ecuador, Pakistan, Romania and sub-Saharan Africa — populations that depend on affordable, reliable international transfers. According to Banco de España data, outbound remittance flows from Spain have consistently exceeded €9 billion annually in recent years, making it one of the top five remittance-sending countries in the European Union by volume.
Beyond corridor strength, Spain offers structural advantages that make it a strategic entry point for payment businesses targeting European expansion. As a eurozone member, Spain provides direct access to SEPA payment infrastructure — enabling domestic-rate euro transfers across the EU without the cross-border friction of non-euro jurisdictions. Instant payment adoption through the SEPA Instant Credit Transfer (SCT Inst) scheme is accelerating, with Spanish banks among the more active adopters in continental Europe. For MTOs building real-time payout infrastructure, this connectivity significantly reduces settlement times in key European corridors.
Figure 1: Spain's position in the European remittance landscape. A PI licence in Spain provides a regulated base for accessing the broader EEA market. Source: Banco de España Payment Statistics; European Central Bank.
Spain's fintech ecosystem has matured considerably since 2020, with Barcelona and Madrid emerging as credible European fintech hubs. Digital banking penetration is high, Open Banking adoption under PSD2 is progressing, and regulatory appetite for innovation — reflected in the Banco de España's sandbox programme — means the environment is broadly receptive to well-prepared payment startups. That said, the regulatory bar for authorisation is not light, and underprepared applications face delays or rejection. Founders who approach the process with structured documentation, qualified compliance personnel and tested technology have a meaningfully better track record.
Before filing any payment licence application, founders must establish a Spanish legal entity. The Banco de España will not accept applications from foreign legal persons — the regulated entity must be incorporated in Spain with a registered office in the country. This prerequisite is non-negotiable and should be completed before any substantive work begins on the authorisation application.
The standard corporate structure for payment startups is the Sociedad Limitada (S.L.) — Spain's equivalent of a private limited liability company. An S.L. requires a minimum share capital of €3,000, which must be deposited into a Spanish bank account before incorporation is finalised. Corporate bylaws must specify the company's activities; these should explicitly reference payment services to avoid a subsequent amendment when the licence application is filed. Foreign shareholders and directors who are not EU citizens generally require an NIE (Número de Identidad de Extranjero) — a Spanish tax identification number obtainable through the relevant consulate or a Spanish lawyer.
Figure 2: The five-step legal entity setup process for a new payment company in Spain. All steps must be completed before the Banco de España licence application is submitted.
Payment and remittance services in Spain are regulated under Royal Decree-Law 19/2018 on Payment Services and other Urgent Financial Measures, which transposed the EU's Payment Services Directive 2 (PSD2) into Spanish law. The Banco de España is the competent supervisory authority for payment institutions and issues two principal categories of authorisation relevant to money transfer businesses.
A Payment Institution licence is the standard authorisation route for companies intending to process meaningful transaction volumes, operate independently, or use EU passporting to expand into other EEA member states. A Spanish PI licence grants the holder the right to provide one or more payment services listed in Annex I of PSD2, which covers money remittance (service type 6), payment account services, payment initiation, and card-based payments. Crucially, a passported PI licence from Spain means the entity can notify the Banco de España of its intent to provide services in other EEA jurisdictions, and regulators in those countries cannot independently block the provision of services — making Spain a viable EU beachhead strategy for globally-minded operators.
Figure 3: Key differences between a full Payment Institution licence and Small Payment Institution registration in Spain. Most growth-oriented businesses will require PI authorisation. Source: Banco de España, Royal Decree-Law 19/2018.
Capital requirements for a PI licence depend on which payment services the company intends to provide. Money remittance (PSD2 Annex I, service 6) requires initial capital of €20,000. Companies providing broader payment execution or card-based services must meet higher thresholds — up to €125,000 for the full services scope. Initial capital must be held in liquid, unencumbered assets at the time of application and maintained as ongoing own funds. The Banco de España will also assess the company's financial projections, governance framework, risk management programme, IT infrastructure, internal audit arrangements and business continuity plan as part of the authorisation review.
Spain's Small Payment Institution framework is a registration rather than a full authorisation, available to companies whose payment transaction volumes do not exceed an average of €3 million per month over the preceding 12 months. The SPI route carries lighter compliance obligations and a simpler registration process, making it appropriate for early-stage businesses validating their model before committing to the full PI licensing process. However, SPI status does not confer EU passporting rights, restricts operations to Spain, and requires the company to upgrade to a full PI licence when volume thresholds are exceeded. Founders with clear ambitions to scale beyond Spain should plan for the PI route from inception and treat SPI only as a transitional structure if cash flow constraints at launch make the higher PI capital requirement temporarily prohibitive.
AML compliance is one of the most operationally demanding requirements for licensed payment businesses in Spain, and one of the most common sources of regulatory findings and enforcement actions. Spain's primary AML legislation is Law 10/2010 on the Prevention of Money Laundering and Terrorist Financing (Ley 10/2010), supplemented by Royal Decree 304/2014 setting out the implementing regulations. The framework is broadly aligned with EU AML Directives (currently the 6th AML Directive, 6AMLD, and the broader AMLA package advancing through European institutions) and with FATF Recommendations.
All payment institutions and money remittance operators are classified as "obligated subjects" under Law 10/2010, meaning the full range of AML obligations applies. These include customer due diligence, transaction monitoring, suspicious activity reporting, record keeping, employee training, and internal control requirements. The standard of compliance expected is not a tick-box exercise — the Banco de España and SEPBLAC conduct supervisory examinations that assess the quality and effectiveness of controls, not merely their formal existence. For a structured overview of how these requirements map to operational controls, see compliance and risk management for money transfer businesses.
Figure 4: The four core AML obligation areas for licensed payment institutions in Spain under Law 10/2010. Each requires documented procedures, trained personnel and an audit trail. Source: Ley 10/2010; Real Decreto 304/2014; FATF Recommendations 10–16.
Safeguarding is the regulatory mechanism through which customer funds held by a payment institution are protected against the institution's insolvency. Under Royal Decree-Law 19/2018, Spanish payment institutions must protect customer funds using one of two methods: ring-fencing funds in a dedicated account at a credit institution specifically designated for that purpose, or insuring the funds through an insurance policy or bank guarantee from an authorised institution. The chosen method must be documented in the company's operating framework and reviewed periodically to confirm it remains adequate relative to the volume of funds being held.
Safeguarding is frequently underestimated by early-stage payment businesses as an administrative step. It is not — it is a material operational requirement that affects banking relationships, liquidity management and regulatory reporting. Banks in Spain are generally willing to provide segregated safeguarding accounts to authorised payment institutions, but the relationship must be established and operational before the institution begins processing customer funds. Attempting to operate without a functioning safeguarding arrangement in place is a regulatory breach from the first transaction.
Regulatory authorisation gives a payment institution the legal right to operate — it does not automatically provide the operational infrastructure needed to process transactions, manage liquidity, pay out to beneficiaries, or handle compliance workflows at scale. Many founders reach the point of licence approval and then discover that banking access, payout connectivity and compliance tooling each represent a separate multi-month build project. Understanding the infrastructure requirements early — and building them in parallel with the licensing process — is one of the most important operational decisions a new MTO can make.
Correspondent banking access is particularly challenging for new payment institutions in Spain and across Europe. Many tier-1 banks have significantly reduced their exposure to payment institution clients following AML enforcement trends in the 2018–2024 period. New entrants typically need to approach multiple banking partners, demonstrate a mature compliance programme, and accept that initial banking relationships may carry transaction limits or operational conditions that affect the first 12–24 months of trading. This is not unique to Spain — it reflects a pan-European trend — but it is a planning variable that founders frequently underestimate. For a broader view of how these challenges connect to the operational lifecycle of a money transfer business, see the guide on how to start a money transfer business in 2026.
| Infrastructure Layer | What It Covers | Build vs Platform | Timeline Risk |
|---|---|---|---|
| KYC & Onboarding | Identity verification, biometrics, risk scoring, CDD/EDD workflows | Platform recommended | Low with platform |
| AML Transaction Monitoring | Rule engine, corridor-calibrated alerts, case management, SAR filing | Platform recommended | Low with platform |
| Sanctions Screening | Real-time screening vs EU, OFAC, UN, HMT lists with daily refresh | Platform recommended | Low with platform |
| Banking / Safeguarding | Operational account, segregated safeguarding account, SEPA access | Must build — no alternative | High — allow 3–6 months |
| Payout Network | Bank transfer, wallet, cash pickup connectivity in corridor markets | Platform recommended | Medium |
| FX & Treasury | Currency conversion, rate management, pre-fund liquidity | Requires partner relationships | Medium |
| Regulatory Reporting | SEPBLAC STR filing, Banco de España supervisory returns, SUNARP integration | Platform recommended | Low with platform |
Figure 5: Core infrastructure layers for a Spain-based money transfer business. Banking and FX relationships must be built directly; compliance and operational tooling is significantly faster to deploy via integrated platform. Source: RemitSo operational assessment framework.
The most common operational trap for new MTOs entering Spain is attempting to build compliance and payout infrastructure in-house while simultaneously managing the licensing process, banking outreach and customer acquisition. Each of these workstreams requires specialised expertise — and the failure of any one of them delays the others. MTOs that adopt integrated infrastructure platforms for KYC, AML and payout operations consistently reach operational status faster and with fewer compliance findings in their first regulatory examination. For a detailed analysis of the cost and timeline trade-offs, see white-label remittance software: build vs buy.
For founders seeking faster market entry or those not yet ready for the capital and compliance demands of a standalone PI licence, operating as an authorised agent under an existing licensed institution is a viable interim strategy. Under PSD2 as transposed in Spain, licensed payment institutions may appoint agents to distribute their payment services — the agent operates under the principal's licence and compliance framework rather than holding its own authorisation.
The agent model trades operational independence for speed and lower upfront cost. For the right founder profile, this is a highly rational entry strategy.
The agent model is a means, not an end. Founders should enter it with a clear view of the constraints and a defined transition plan.
The authorised agent route is not a shortcut around compliance — it is a different compliance structure. As an agent, your customer-facing operations, transaction records and conduct are still subject to AML law obligations. Your staff must be trained, your onboarding procedures must meet the principal's standards, and any suspicious transactions originating through your operation must be reported through the principal's SEPBLAC channel. For related guidance on how remittance-as-a-service models work operationally, see Remittance as a Service — how it works.
RemitSo provides the operational infrastructure that licensed MTOs and payment institutions need to function from the first day of operations — without the 12–18 month build timeline that in-house development typically requires. For businesses launching in Spain or across the EU, the platform delivers integrated KYC onboarding with 15-second automated identity verification, AML transaction monitoring with 55+ rule indicators calibrated for remittance-specific typologies, real-time sanctions screening across OFAC, UN, EU and HMT lists with daily automated refresh, and a full case management and audit trail system that produces the documentation regulators examine during supervisory visits. The compliance infrastructure is built to the standards expected by the Banco de España and SEPBLAC — not adapted from a generic banking product.
For operators pursuing the European RaaS route — where RemitSo's existing regulatory relationships provide the licensed infrastructure and the operator distributes under that framework — the path to operational status in Spain and across the EU is significantly accelerated. This model allows founders to reach customers and generate revenue while building their own compliance track record, rather than attempting to do both simultaneously from a standing start. Explore RemitSo's European RaaS offering or speak with the AML consulting team for a structured assessment of your Spain market entry options.
RemitSo provides compliance-ready remittance infrastructure for operators entering Spain and the broader European market — with the KYC, AML and payout systems that regulators and banking partners expect to see.
Yes — businesses providing payment or money remittance services in Spain must be authorised by the Banco de España as a Payment Institution (PI) or registered as a Small Payment Institution (SPI) under Royal Decree-Law 19/2018. Operating without authorisation is a criminal offence under Spanish law and may result in fines, forced cessation of business and personal liability for directors. There is no de minimis exemption that permits unlicensed money transmission — even small operators processing limited volumes require either their own authorisation or a formal agency agreement with a licensed institution. The Banco de España maintains a public register of authorised payment institutions and authorised agents; founders should verify that any partner institution they intend to work under is correctly registered before commencing operations.
Capital requirements for a PI licence in Spain depend on the specific payment services the company intends to provide. Under Royal Decree-Law 19/2018, companies providing money remittance only (PSD2 Annex I service 6) require initial capital of €20,000. Companies providing payment initiation services require €50,000. Companies providing full payment execution, card issuing or account management services require €125,000. Initial capital must be held in liquid, unencumbered form at the time of application and maintained as ongoing own funds throughout the licence period. In addition to initial capital, the Banco de España assesses the company's financial projections to confirm the business model is viable and that the capital held is proportionate to the operational risk profile. SPI registration does not carry a fixed capital requirement in the same way but still requires evidence of financial sustainability.
SEPBLAC is the Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias — Spain's financial intelligence unit responsible for receiving and analysing suspicious transaction reports, supervising obligated subjects' AML programmes, and coordinating with international financial intelligence units. For licensed MTOs in Spain, SEPBLAC is the primary regulatory counterparty for AML matters. All payment institutions must designate a named representative responsible for SEPBLAC communications, submit suspicious transaction reports through the SUNARP platform, and provide systematic reporting of transactions above prescribed thresholds. SEPBLAC also conducts AML supervisory examinations of obligated subjects independently of the Banco de España's prudential supervision, meaning MTOs may be subject to examination from both regulators. Failure to maintain an adequate SEPBLAC reporting programme is one of the most common sources of enforcement proceedings against payment businesses in Spain.
Yes — a Spanish Payment Institution licence confers EU passporting rights under PSD2, allowing the entity to provide payment services across all 30 EEA member states (EU 27 plus Iceland, Liechtenstein and Norway) without obtaining separate licences in each country. To exercise passporting rights, the entity must notify the Banco de España specifying the target country, the services to be provided, and whether it intends to use a branch or cross-border provision. The Banco de España then notifies the host country regulator, which has one month to prepare for supervision of the entity's activities. Host country regulators generally cannot block provision of services under a validly passported licence, but they retain the right to impose additional requirements in specific areas — particularly AML, where host country law applies to local operations alongside Spanish law. Small Payment Institutions cannot use passporting; this right is exclusive to full PI licence holders.
Yes — KYC is mandatory for all payment institutions and money remittance operators in Spain under Law 10/2010. The law requires that obligated subjects identify and verify the identity of all customers before establishing a business relationship and before processing occasional transactions above prescribed thresholds. The minimum standard is Standard Customer Due Diligence (CDD) — document identity verification plus address confirmation. Enhanced Due Diligence (EDD) is mandatory for higher-risk relationships including PEPs, customers in high-risk third countries, and accounts showing transaction patterns inconsistent with stated purpose. Spain's implementing regulations accept digital onboarding methods including biometric identity verification, provided the technology meets the reliability and audit standards set out by the Banco de España. Physical document verification is not required as long as the digital method achieves equivalent assurance. Ongoing periodic re-verification of customer records is also required — KYC is not a one-time onboarding event under Spanish law.
Yes — there is no nationality restriction on founding or directing a licensed payment institution in Spain. Foreign nationals can hold shares in and serve as directors of a Spanish S.L. that holds a PI licence. However, non-EU nationals require a Número de Identidad de Extranjero (NIE) — the Spanish tax identification number for foreigners — before company incorporation and bank account opening can proceed. The NIE is obtainable through the Spanish consulate in the applicant's country of residence or in person at a Spanish police station. The Banco de España's fit and proper assessment for directors and significant shareholders is applied equally regardless of nationality — what matters is the individual's financial crime record, professional background, and demonstrated capacity to oversee a regulated payment business. Non-Spanish directors must also be able to communicate effectively with the regulator; the Banco de España conducts its supervisory correspondence in Spanish.
Safeguarding protects customer funds held by a payment institution against the institution's insolvency or operational failure. Under Royal Decree-Law 19/2018, Spanish payment institutions must safeguard customer funds by either segregating them in a dedicated account at a credit institution (ring-fencing method) or by insuring them through a policy or guarantee from an authorised insurer or credit institution. The chosen method must cover the full amount of customer funds held at any point in time — not just average holdings. The safeguarding arrangement must be established before the institution begins processing customer funds. Practically, this means securing a segregated bank account relationship with a Spanish credit institution that is willing to accept a payment institution as a customer — a process that can take three to six months given current banking market conditions. Institutions that commingle customer funds with operational funds face immediate enforcement action.
A Spain-based MTO needs seven core infrastructure layers operational before launch: automated KYC onboarding with biometric verification and risk scoring; AML transaction monitoring with corridor-calibrated rules and alert management; real-time sanctions screening against EU, OFAC and UN lists with at least daily refresh; a designated safeguarding account at a Spanish credit institution; payout connectivity to the institution's primary corridors through bank, wallet or cash networks; FX management and treasury arrangements for currency conversion; and regulatory reporting workflows for SEPBLAC STR submissions and Banco de España prudential returns. In practice, the components that take the longest to establish are banking relationships and FX partnerships — both require the institution to demonstrate a mature compliance programme and a credible business plan. Compliance and operational technology, by contrast, can be deployed in weeks via integrated platforms rather than built over months in-house.
