Identity Verification in Spain: What Businesses Need to Know in 2026

Spain’s digital economy is growing faster than its fraud defenses can keep up. In 2024, scammers stole an estimated EUR 7.4 billion from Spanish consumers. The Global Anti-Scam Alliance found that one in six people in Spain was targeted in a single year. Over the same period, Spain’s national cybersecurity institute, the Instituto Nacional de Ciberseguridad , recorded 122,223 cybersecurity incidents, many of them linked to identity fraud.

For businesses operating in Spain, those numbers translate directly into compliance exposure. The Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias (SEPBLAC) has raised its enforcement activity, and fines for inadequate customer due diligence have reached eight figures. This guide covers what identity verification in Spain actually demands under Law 10/2010, as interpreted by SEPBLAC, and given the current fraud environment.

Identity verification in Spain is the process by which businesses confirm that a customer is who they claim to be, using government-issued documents, biometric checks, or database cross-references. Spanish law, primarily Law 10/2010 on the Prevention of Money Laundering and Terrorist Financing, makes this process mandatory for banks, fintech firms, real estate agents, and other regulated sectors.

What SEPBLAC requires for identity verification in Spain

SEPBLAC, Spain’s financial intelligence unit (FIU) and anti-money laundering (AML) supervisor, operates under Law 10/2010 and its implementing Royal Decree 304/2014. Since 2020, remote digital onboarding has been permitted, but it must meet technical standards that SEPBLAC reviews and approves. SEPBLAC’s 2024 activity data shows a year-on-year rise in suspicious transaction report (STR) analysis, signalling that the regulator is working through a growing volume of compliance alerts from obliged entities.

Standard customer due diligence

For most customer relationships, SEPBLAC’s due diligence framework requires collecting and verifying a full legal name, date of birth, and address, alongside a copy of a valid government-issued document. For Spanish nationals, the Documento Nacional de Identidad (DNI) is the primary identifier. Foreign residents typically present a Tarjeta de Identidad de Extranjero (TIE) or a valid passport. Royal Decree 255/2025, enacted in March 2025, accelerates the rollout of Spain’s digital DNI, making electronic ID verification in Spain a near-term compliance requirement rather than a future planning item.

KYC verification in Spain follows a risk-based approach. The more complex or higher-value the customer relationship, the more evidence an obliged entity must gather. Standard due diligence covers identity authentication in Spain for most retail customers and satisfies the minimum requirements set out in Law 10/2010.

Enhanced due diligence for high-risk customers

When a customer is classified as high-risk, such as politically exposed persons (PEPs), non-resident relationships, those in cash-intensive sectors, or customers from higher-risk jurisdictions, SEPBLAC requires enhanced due diligence (EDD). EDD demands senior management approval, more detailed source-of-funds verification, and more frequent review cycles. Identity authentication in Spain at the EDD level typically means layering biometric confirmation on top of document review, so the person presenting the document is demonstrably the person named on it.

How the identity verification process works in Spain?

The identity verification process in Spain runs in three sequential stages for remote onboarding. Each stage adds a layer of assurance, and together they satisfy SEPBLAC’s technical requirements for digital customer acceptance.

Document capture and validation

A customer submits a scan or live photo of their DNI, TIE, or passport. Optical character recognition (OCR) extracts machine-readable zone (MRZ) data from the document, and the system compares those values against the visual inspection zones for internal consistency. The document is cross-checked against known fraud indicators, including altered fonts, mismatched holograms, and inconsistent security features. For documents with embedded chips, NFC verification reads chip data directly from the source, bypassing the image layer entirely. AI identity verification in Spain has made this stage considerably faster. Modern models flag document anomalies in milliseconds, catching forgeries that manual reviewers would miss at the volumes Spanish financial institutions process daily.

Biometric liveness detection

Once a document is validated, a biometric check confirms the person presenting it is the same individual pictured on it. A selfie or short video is captured and compared against the document photograph using facial recognition. Online identity verification in Spain increasingly depends on passive liveness detection, which analyses natural movement to confirm the user is physically present rather than presenting a still photograph or pre-recorded video. This step defends against deepfake-based attacks and synthetic identities, both of which Spanish investigators have flagged as growing fraud vectors in recent years.

Database cross-reference and screening

With document and biometric checks complete, the customer’s details are run against AML databases covering global sanctions lists, PEP registries, and adverse media sources. In Spain, this stage must also account for domestic sanction obligations and SEPBLAC’s reporting requirements. AML screening at this stage feeds directly into the suspicious transaction reporting obligations that SEPBLAC monitors. Results return to the compliance team within seconds, while the customer continues through the onboarding flow.

Which industries rely most on identity verification in Spain

Banking and financial services

Banks and neobanks operating in Spain are primary obliged entities under Law 10/2010. Know your customer (KYC) checks are mandatory at account opening, and periodic re-verification applies when a customer’s risk profile changes. The regulatory stakes are concrete. SEPBLAC fined CaixaBank €30 million for anti-money laundering failures related to a high-value real estate transaction. That enforcement action illustrated what inadequate due diligence actually costs in the Spanish market.

Crypto and virtual asset service providers

Spain transposed the Fifth Anti-Money Laundering Directive (5AMLD) requirements for virtual asset service providers (VASPs) into national law, and the Markets in Crypto-Assets Regulation (MiCA) applied across the European Union from December 2024. Spanish VASPs must register with the Banco de España and complete identity verification at a standard equivalent to traditional financial institutions. KYC verification in Spain for crypto businesses now mirrors banking requirements, with no carve-outs for decentralised platforms.

Online gambling and gaming

The Dirección General de Ordenación del Juego (DGOJ), Spain’s national gambling regulator, requires licensed operators to verify player identity before accepting the first deposit. Age verification and source-of-funds checks are mandatory at registration. ID verification solutions in Spain for gaming must combine document authentication, biometric liveness, and database checks. The DGOJ expects evidence these controls run consistently, not that they are logged as exceptions.

Real estate and professional services

Notaries, lawyers, accountants, and estate agents are all obliged entities under SEPBLAC’s framework. The sector carries elevated money laundering risk, as high-value property transactions are a recognised vehicle for layering illicit funds. Spanish digital ID verification for real estate has moved from paper-based workflows to digital processes, and regulators expect document authenticity checks rather than photocopies. The CaixaBank fine referenced above arose from exactly this context, making Spain’s property sector an active area of SEPBLAC scrutiny.

How Shufti helps Spanish businesses verify customer identities online

Compliance teams building onboarding flows in Spain typically face three simultaneous pressures. Document fraud is rising. Regulators expect biometric assurance. And customers abandon flows that take too long.

Shufti addresses that tension by combining document verification with biometric liveness detection in a single pass. The document capture stage handles DNI, TIE, passport, and NFC chip-enabled documents. The biometric layer uses passive liveness, so customers do not have to perform gestures or navigate additional steps. Digital identity verification in Spain can complete in under fifteen seconds this way, rather than the minutes a manual review queue takes.