Regulatory framework

Regulatory authorities

What national authorities regulate the provision of financial products and services?

The competent regulatory authorities in Spain are the Bank of Spain and the National Securities Market Commission (CNMV). Their specific functions are detailed in question 2.

What activities does each national financial services authority regulate?

The Bank of Spain is mainly entrusted with the following duties:

  • the prudential supervision of certain regulated entities, essentially, credit institutions (together with the European Central Bank (ECB) and within the distribution of functions set out under the Single Supervisory Mechanism (SSM)), payment institutions, e-money institutions and financial credit establishments;
  • the supervision of the provision of banking services by the aforementioned entities (for instance, payment services and the raising of deposits) and their compliance with the rules of conduct applicable to such services; and
  • the supervision of the Spanish payment systems and the security of payments in general in order to ensure financial stability.

The CNMV is mainly entrusted with the following duties:

  • the prudential supervision of certain regulated entities, essentially, investment firms, collective investment schemes, alternative investment funds, securitisation funds, asset managers, market infrastructures (central securities depositaries, central clearing counterparties, management companies of official markets) and crowdfunding platforms;
  • the supervision of the provision of investment services and any other services related to financial instruments by the aforementioned entities (for instance, receiving and transmitting orders and the custody of financial instruments) and their compliance with the rules of conduct applicable to such services; and
  • the supervision of the functioning of the securities markets and any entity operating therein, whether as an issuer, a member of the market, a purchaser or a custodian.

What products does each national financial services authority regulate?

See question 2.

Authorisation regime

What is the registration or authorisation regime applicable to financial services firms and authorised individuals associated with those firms? When is registration or authorisation necessary, and how is it effected?

Certain financial services may only be provided by entities duly authorised to do so. For instance:

  • the raising of deposits, which may only be performed by credit institutions;
  • payment services, which may only be performed by credit institutions, e-money institutions and payment institutions;
  • issuance of e-money, which may only be performed by credit institutions and e-money institutions;
  • investment services, which may only be performed by investment services firms, credit institutions and the management companies of collective investment schemes; and
  • management of collective investment schemes, which may only be performed by collective investment managers.

The authorisation to provide ‘banking’ services (essentially, the raising of deposits, the issuance of e-money and the payment services) is granted by the Bank of Spain (or the ECB when it concerns a credit institution). The CNMV is the competent authority for services which relate to financial instruments and securities (essentially, investment services and the management of collective investments).

The authorisation for the provision of financial services varies according to the services that the firm intends to provide. Authorisations are usually granted to legal entities. However, in certain types of entities (for instance, particular types of investment services firms), the authorisation may be granted to a natural person. Natural persons may also be appointed as agents of financial services providers.

The requirements and time frame to obtain authorisation depend on the type of financial licence that is requested and the services to be provided. In general, the financial services provider is subject to requirements concerning minimum share capital and own resources, suitability of shareholders, directors and managers, corporate governance, anti-money laundering and internal control systems.


What statute or other legal basis is the source of each regulatory authority’s jurisdiction?

The Bank of Spain’s supervisory duties are shared with the ECB in accordance with the regulations of the SSM. The ECB, with the assistance of the Bank of Spain, is entrusted with the direct supervision of significant credit institutions, adopts decisions related to the common procedures and oversees the consistency of the supervision by the Bank of Spain of less significant credit institutions, among others. In turn, the Bank of Spain is the primary entity responsible for the supervision of the less significant credit institutions, payment institutions, e-money institutions and financial credit establishments.

Law 13/1994 of 1 June on the autonomy of the Bank of Spain and Royal Legislative Decree 4/2015 of 23 October, approving the revised text of the Securities Market Law, regulate the main functions and powers of the Bank of Spain and the CNMV, respectively.

However, other regulations provide the Bank of Spain and the CNMV with specific powers to supervise financial services firms. For instance, Law 35/2003 of 4 November on collective investment schemes provides the CNMV with certain supervisory powers regarding collective investment schemes and their management companies.

What principal laws and financial service authority rules apply to the activities of financial services firms and their associated persons?

Financial regulations within the member states of the European Union are mostly determined by EU law. Consequently, the Spanish financial legal system is a combination of the transposition of EU Directives, EU regulations, which are directly applicable, and Level 3 legislation (ie, guidance and recommendations from EU supervisory authorities). These regulate not only the prudential aspects of entities (ie, capital and resources, corporate governance, suitability of shareholders, internal control systems and audits, accounting, reporting to supervisory authorities and to the public, among others) but also rules of conduct (ie, transparency, protection of clients, conflicts of interests and information to clients, among others).

Notwithstanding the above, there is also Spanish legislation further regulating these matters, particularly in connection with transparency, financial publicity and client protection, and other types of financial services providers not regulated by EU law (for instance, the regulation of crowdfunding platforms).

Scope of regulation

What are the main areas of regulation for each type of regulated financial services provider and product?

The main areas of regulation for financial services providers are the following.


The provision of regulated services requires the financial services provider to first obtain the relevant authorisation from the corresponding supervisory authority or, in the case of EU entities, to undergo a ‘passporting’ procedure, which enables them to provide services on a cross-border basis or with a permanent establishment in Spain without having to obtain an authorisation from the Spanish supervisory authorities.

Business conduct rules

Throughout the provision of services, financial services providers must also observe certain business conduct rules. These basically refer to how the services should be provided, for instance, the information that must be provided to clients in connection with the services.

Capital and liquidity

Most financial services providers must comply with capital and own resources requirements and some, such as credit institutions, must also maintain liquidity ratios.

Anti-money laundering

All financial services providers are subject to legislation on anti-money laundering and the prevention of terrorism requiring them to implement customer due diligence measures, have dedicated internal control bodies and report certain transactions to the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences (Sepblac).

Reporting to supervisory authorities

All financial services providers are subject to regulatory reporting requirements, which will be more or less intense depending on the particular entity, the service provided and the clients targeted.

Infringements and penalties

All financial services providers are subject to administrative penalties for breach of financial regulations imposed by the competent financial supervisory authorities (see question 10).

Additional requirements

What additional requirements apply to financial services firms and authorised persons, such as those imposed by self-regulatory bodies, designated professional bodies or other financial services organisations?

The main regulatory authorities are the Bank of Spain (together with the ECB, where applicable), the CNMV and Sepblac, in connection with anti-money laundering and financing of terrorism regulations. These public authorities constantly issue guidelines, Q&As and other soft law criteria. State and regional consumer authorities may also issue guidelines on the protection of consumers, which may be of relevance for the provision of financial services.

Financial services providers may typically be part of professional associations but these do not have regulatory authority.

Certain entities participating in the markets (such as central securities depositaries or clearing central counterparties) may issue internal regulations, although such regulations must be drafted in accordance with legal requirements and are subject to the supervisory authorities’ review.


Investigatory powers

What powers do national financial services authorities have to examine and investigate compliance? What enforcement powers do they have for compliance breaches? How is compliance examined and enforced in practice?

The powers of supervision and inspection of the Bank of Spain and CNMV are very wide and, among others, include the ability to:

  • access and receive a copy of any document in any form whatsoever;
  • request information from any person; and
  • perform inspections on site in any office or premises.

If the Bank of Spain (or the ECB) or the CNMV detects that a provider is not complying with its obligations or if the authority simply wants to review procedures to ensure compliance, it may initiate an investigation, which may lead to a sanction if the entity has breached its duties.

Disciplinary powers

What are the powers of national financial services authorities to discipline or punish infractions? Which other bodies are responsible for criminal enforcement relating to compliance violations?

The Bank of Spain and the CNMV may impose administrative penalties on financial services firms and their managers if they infringe financial regulations. These sanctions are independent of any criminal proceedings. The Bank of Spain and the CNMV have no powers to sanction crimes.

There are three levels of administrative infractions: very serious, serious and minor. The level of seriousness depends on various parameters such as the nature of the infraction, the responsibility that the entity had when it committed the infraction, the economic situation of the entity and the consequences for third parties.

The sanctions to be imposed will depend on the seriousness of the infraction committed, the reoccurrence of the infraction, the harm produced and the cooperation with the public authorities during the course of the investigation, among others.


What tribunals adjudicate criminal and civil financial services infractions?

Administrative and criminal infractions are not heard by the same tribunals. Administrative proceedings, such as the ones dealt with before the Bank of Spain or the CNMV, can only be reviewed by administrative courts. Criminal infringements (even if financial in nature) may only be dealt with by the criminal courts.

Criminal proceedings prevail over administrative ones. Therefore, if a regulated financial services provider is investigated by a supervisory authority and, at the same time, criminal proceedings are initiated for the same conduct, the authority will halt its investigation until the criminal proceedings are finalised.


What are typical sanctions imposed against firms and individuals for violations? Are settlements common?

Infractions normally lead to a sanction, which is usually a fine. However, in some cases the Bank of Spain and the CNMV may also take other measures, such as revoking the authorisation granted to the services provider.

At the same time, the Bank of Spain and the CNMV may also impose sanctions on the management body of the regulated financial services provider. These sanctions may consist of fines or even the removal of the manager from his or her position, whether temporarily or permanently.

Additionally, the Bank of Spain and the CNMV may also publish the sanctions in the Spanish Official Gazette.

Compliance programmes

Programme requirements

What requirements exist concerning the nature and content of compliance and supervisory programmes for each type of regulated entity?

In general terms, financial services providers must adopt internal mechanisms related to risk management, compliance and internal audits. These mechanisms should be implemented in accordance with the principle of proportionality, namely with regard to the nature, complexity and volume of the business of each entity.

The management body of the financial services provider is entrusted with the establishment of the above mechanisms. For that purpose, it is generally responsible for the development of a corporate governance system that, among other things, ensures the sound management of the provider. Additionally, certain regulated financial services providers must have internal control functions covering risk, compliance and internal audit functions, to support the management body in its regulatory duties.


How important are gatekeepers in the regulatory structure?

Compliance and internal auditing are two of the three essential functions of the internal control and corporate governance system mentioned in question 13.

Directors' duties and liability

What are the duties of directors, and what standard of care applies to the boards of directors of financial services firms?

Directors of financial services firms are subject to the general standard of care applicable to directors of any entity together with specific regulatory duties applicable only to directors of financial services firms.

The two primary duties of company directors are the duty of care and the duty of loyalty. The duty of care involves making careful and informed decisions. The duty of loyalty means that the director should act in the best interests of the entity and also its shareholders, without the interference of personal interests.

Directors of financial services firms have additional duties, such as:

  • designing and monitoring the corporate governance system of the financial services firm;
  • guaranteeing the integrity of the accounting information; and
  • supervising the disclosure of information.

When are directors typically held individually accountable for the activities of financial services firms?

Directors are responsible for the damage they cause to the entity, its shareholders and creditors. Liability will be triggered to the extent that such damage results from an act or omission involving negligence or wilful misconduct that is contrary to the law, the articles of association or their duties as directors. Liability may be civil, administrative or even criminal.

Private rights of action

Do private rights of action apply to violations of national financial services authority rules and regulations?

No private rights of action apply to violations of national financial services authority rules and regulations.

Standard of care for customers

What is the standard of care that applies to each type of financial services firm and authorised person when dealing with retail customers?

In general, financial services firms must act in the best interests of their clients. However, the specific standard of care depends on the type of service rendered. For instance, banking services regulations are intended to ensure that the client is fully informed before contracting a particular product or service. In turn, investment services regulations require entities to categorise their clients depending on their experience, knowledge and financial situation to ensure that they only receive services and products that are suitable for them.

Does the standard of care differ based on the sophistication of the customer or counterparty?

Yes, this is the case with regard to investment services. The standard of care is lower for clients categorised as professionals or eligible counterparties.

Rule making

How are rules that affect the financial services industry adopted? Is there a consultation process?

The opinion of interested parties (for instance, market participants, citizens or organisations) is sought at two different stages when developing a law or regulation:

  • before the law or regulation is drafted; and
  • once the law or regulation has been drafted but before the approval process starts.


The main areas on which persons or organisations may give their opinions are:

  • the issues that the relevant law or regulation intends to solve;
  • whether the law or regulation is necessary and appropriate;
  • its purpose; and
  • possible regulatory or non-regulatory alternatives for the law or regulation.

Cross-border issues

Cross-border regulation

How do national financial services authorities approach cross-border issues?

Certain EU-regulated financial services providers benefit from the ‘passporting procedure’, which enables them to provide services in Spain on a freedom-to-provide-services basis or by establishing a branch. They are not required to request authorisation from the Spanish authorities but simply to undergo a notification procedure set out under the main financial directives, which involves the home member state notifying the host member state that the relevant entity intends to provide services in its territory.

The approach to EU entities providing services in Spain depends on whether they are acting by means of a branch or on a freedom-to-provide-services basis. A branch is subject to most Spanish legislation, excluding prudential requirements governed by the home member state. When the entity is operating from its home member state, in general terms only the Spanish public protection rules would apply (for instance, consumer protection legislation).

For non-EU financial services firms, however, provision of financial services in Spain is subject to an authorisation procedure before the Bank of Spain or the CNMV, even if they intend to provide services by means of a branch or from the territory of their home state. However, the cross-border option is not always allowed for some entities. For instance, non-EU investment firms must establish a branch in Spain when they are dealing with retail clients.

International standards

What role does international standard-setting play in the rules and standards implemented in your jurisdiction?

International standards play a very important role in the setting of financial rules in Spain. As indicated in question 6, Spanish financial legislation is currently driven by EU rules and standards.

Update and trends

Recent developments

Are there any other current developments or emerging trends that should be noted?

The impact of Brexit on UK entities currently operating in Spain under an EU passport is still unclear. The Ministry of Economy and Business has carried out a study on the risks for the financial sector in a non-agreement scenario (hard-Brexit). The main conclusion of this study is that the Spanish government values acting only in those areas where the preparation of the private sector is insufficient to guarantee client protection and legal certainty. In this regard, the Spanish government will approve a scheme in order to ensure continuity of contracts and their validity in Spain, as well as matters not covered by the European Commission’s contingency plan. This scheme should be approved before April, so the upcoming weeks will be essential for UK financial entities that are currently operating in Spain.