Spain Crypto "Travel Rule" in Practice

The European Union's revised Transfer of Funds Regulation (“TFR”)^[1] extends the wire‑transfer Travel Rule to crypto‑asset transfers, implementing FATF Recommendation 16 for virtual assets across all Member States. This regulation is directly applicable in Spain without requiring national transposition and has been fully operational for Crypto-Asset Service Providers (“CASPs”) since 30 December 2024.

The TFR establishes an information-sharing framework that obliges CASPs to collect, verify, and transmit specific originator and beneficiary data with crypto-asset transfer. Complementing this EU-level framework, Spain maintains its domestic AML infrastructure under Law 10/2010, of 28 April, on the prevention of money laundering and terrorist financing, and continues its transition toward full markets in crypto-assets regulation^[2] (“MiCA”) implementation, with supervisory responsibilities shifting from the Bank of Spain to the Spanish Authority on securities regulation: the Comisión Nacional del Mercado de Valores (“CNMV”).

This consolidated article provides Spanish CASPs and international operators targeting the Spanish market with practical guidance on compliance obligations, recent regulatory developments, and the evolving supervisory landscape.

As an EU regulation, the TFR enjoys direct applicability throughout Spain without requiring legislative transposition by the Spanish Parliament. This ensures uniform travel rule standards across the European Union (the “EU”) and eliminates the regulatory fragmentation that historically characterized national implementations of EU directives.

The TFR applies to transfers of funds and certain crypto‑assets where at least one payment service provider (PSP) or CASP is established in the European Union. Its scope explicitly includes:

• Transfers between CASPs;
• Transfers between CASPs and self-hosted (unhosted) wallets;
• Chain transactions involving intermediary CASPs; and
• Cross-border transfers with third-country counterparties

The regulation operates alongside MiCA, which governs the authorization, conduct, and prudential requirements for CASPs. Together, these instruments create a dual-pillar framework: MiCA addresses market integrity and consumer protection, while the TFR focuses specifically on AML/CFT obligations related to information sharing during transfers.

While the TFR governs information transmission during transfers, CASPs operating in Spain remain fully subject to the comprehensive AML framework established by Law 10/2010, of 28 April, on the prevention of money laundering and terrorist financing and its implementing regulation, Royal Decree 304/2014.

These domestic instruments impose obligations including:

• Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD): Identification, verification, and ongoing monitoring of customers, beneficial owners, and business relationships
• Risk Assessment: Implementation of internal risk-based methodologies considering customer, product, service, and geographic risk factors
• Suspicious Transaction Reporting (STRs): Mandatory reporting to the Spanish AML authority: the Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias (SEPBLAC).
• Record Retention: Maintenance of complete documentation for a minimum of ten (10) years from the termination of the business relationship or completion of the occasional transaction
• Internal Controls: Appointment of compliance officers, employee training programs, and independent audits

The interaction between the TFR's five-year retention requirement and Law 10/2010's ten-year obligation implies that Spanish CASPs must retain Travel Rule data for ten years to ensure full compliance with domestic law.

Spain has embarked on a significant supervisory restructuring to align with MiCA's authorization and oversight framework. Historically, crypto-asset service providers were required to register with the Bank of Spain under Law 10/2010's virtual asset services provider (VASP) regime, primarily for AML supervision purposes.

In such regard, it is relevant to highlight the following recent developments:

- Bank of Spain announced on December 2024 that it has ceased accepting new VASP registrations and clarified that its existing register serves informational purposes only during the MiCA transition period.

- Under MiCA, the CNMV becomes the competent authority for authorizing and supervising CASPs in Spain. This includes prudential supervision, conduct oversight, and coordination of AML compliance with SEPBLAC.

- CASPs must obtain MiCA authorization from CNMV following Spain's decision to shorten the transitional period to 30 December 2025. The CNMV has published guidance indicating that: (i) authorization assessments evaluate governance, technical infrastructure, safeguarding arrangements, and AML/CFT frameworks; and (ii) failure to obtain authorization by the 2025 deadline result in prohibition from providing crypto-asset services in Spain.

- Notwithstanding the supervisory shift to CNMV, SEPBLAC retains its function as the designated Financial Intelligence Unit. CASPs must continue submitting STRs, monthly statistical reports, and responding to SEPBLAC information requests. SEPBLAC may conduct on-site inspections focused specifically on AML/CFT compliance, independent of CNMV's prudential supervision.

This dual-supervisor model -CNMV for authorization and conduct, SEPBLAC for AML intelligence- requires CASPs to maintain robust internal coordination and prepare for potentially overlapping inspection cycles.

In such context, it is relevant to mention that the MiCA transition period did not create a regulatory holiday for Travel Rule obligations. From this perspective, the TFR is applicable since 30 December 2024 regardless of a CASP's authorization status, and supervisory authorities have made clear that ongoing compliance is non-negotiable throughout the transition period.

 Author:

Emiliano Silva , Of Counsel, Lopez-Ibor  Abogados SLP