Financial Regulation & Compliance

Comprehensive solutions for businesses that want to grow without limits.

We implement operational, auditable, risk-proportionate compliance systems. AML/CFT, crypto-assets, securities markets, fintech regulation and corporate compliance.


5 Areas of specialization
+50 Entities advised
100% Tailored solutions
24h Response time

Key areas where we help you comply

Results-oriented legal and compliance advice: controls that are executed, evidence that holds up, and systems that scale with your business.

Regulatory framework

What happens when an entity fails to comply?

The consequences of non-compliance are not only financial. They affect operations, reputation and the viability of the business.

Law 10/2010 · AML/CFT
Up to €10M in fines or double the profit obtained, disqualification of directors and public disclosure of the breach by SEPBLAC.
MiFID II · CNMV
Suspension of authorization, fines of up to €5M for a very serious infringement, activity restrictions and disqualification of the responsible directors.
PSD2 · Bank of Spain
Operating without a license: a very serious infringement with immediate cessation of activity, substantial fines and personal liability of directors.
MiCA · CNMV
Providing crypto services without CASP authorization: suspension of activity, fines and publication of the breach. Fully in force since December 2024.
Criminal Code · Corporate Compliance
Without a criminal compliance program, the legal entity can be sentenced to day-fines of up to 5 years, dissolution, suspension of activities or a ban on contracting with the public sector. An effective program can exempt the entity from criminal liability or mitigate it.

Operational compliance, not just paperwork

We don't move obligations onto paper. We implement controls that are applied in daily operations, documented with traceable evidence, and that hold up before regulators, auditors and investors. Every measure has an owner, a deadline and supporting evidence.

AML/CFT

Auditable, risk-proportionate prevention systems

"We design the inherent and residual risk assessment, KYC/EDD procedures, beneficial owner identification and the documentary traceability required by SEPBLAC."

Crypto-Assets

Regulatory framework for digital assets under MiCA

"We structure compliance for CASPs, exchanges and custodians: crypto-specific KYC/AML, Travel Rule, banking of crypto funds and taxation of digital asset transactions."

Securities Market

CNMV authorization and MiFID II compliance

"We manage the authorization file for investment firms (ESI) and financial advisory firms (EAF), implement the required MiFID II policies and prepare documentation for CNMV requirements."

Fintech Regulation

Payment institution and electronic money licenses

"We handle authorization before the Bank of Spain: program of operations, capital requirements, safeguarding of funds, AML policies and DORA compliance from day one."

Regulatory specialization, not generalist advice

01

Integrated technical and legal expertise

We combine legal analysis with the operational knowledge of each sector. We don't separate legal advice from compliance: both must work coherently in the entity's daily practice.

02

Evidence that withstands any inspection

Everything we implement is designed to be verifiable: executed controls, documented decisions and files ready for SEPBLAC, the Bank of Spain, the CNMV or any external auditor. Compliance must be demonstrated, not just proclaimed.

03

Proportionate compliance with no operational friction

We design regulatory systems tailored to each entity's size, activity and risk profile. Regulation must not block the business: our job is to make compliance an asset, not an obstacle.

Sectors with the greatest regulatory exposure

Proven experience in the sectors where financial, AML and compliance regulation has the greatest operational impact.

01

Credit and financial institutions

Banks, savings banks and credit cooperatives with AML/CFT, MiFID II, DORA and compliance obligations before the Bank of Spain and the CNMV.

02

Fintech and payment institutions

Startups and scale-ups that need a PI or EMI license, PSD2 compliance, bank account opening and a regulatory operating framework from the start of their activity.

03

Crypto-asset service providers

Exchanges, custodians, tokenization platforms and Web3 projects subject to MiCA, crypto-specific KYC/AML and the Travel Rule.

04

Investment firms

Investment firms (ESI), financial advisory firms (EAF), managers and funds operating under CNMV supervision that must evidence MiFID II compliance, product governance and regulatory reporting.

05

Large corporations and corporate groups

Entities that need a robust criminal compliance program, ethics channel, legal risk map and documented, auditable corporate governance.

06

Real estate and developers

Agencies, developers and real estate servicers subject to Law 10/2010 as obliged subjects: AML manual, buyer KYC and sector risk assessment.

07

Asset managers and family offices

Wealth management structures with AML obligations, enhanced due diligence, beneficial owner identification and source-of-funds verification.

08

Startups in fundraising processes

Emerging companies structuring funding rounds that need a solid legal framework before institutional investors and venture capital funds.

A methodology focused on verifiable results

Four phases to turn regulatory uncertainty into an operational, documented and sustainable compliance system.

01

Regulatory diagnosis

We identify the applicable regulatory framework, review the existing compliance system and detect the gaps with the greatest impact on the entity's regulatory, operational or reputational exposure.

02

Review and verification

We verify that the defined controls are actually executed: file sampling, document traceability, alert review, tool validation and decision logging.

03

Prioritized action plan

We prioritize gaps by risk level and urgency, propose concrete corrective measures with owners, deadlines and minimum evidence, and align the plan with the entity's real operating capacity.

04

Implementation and support

We deliver technical and legal documentation ready for internal use and third parties. We support implementation, team training and the response to regulatory requirements.

Common questions from our clients

What is Anti-Money Laundering and who is required to comply?
Spain's Anti-Money Laundering and Counter-Terrorist Financing Law (Law 10/2010) imposes due diligence, beneficial owner identification, document retention, training and reporting obligations on many entities: financial and insurance firms, real estate, lawyers, auditors, asset managers, crypto exchanges and other activities defined as obliged subjects. Non-compliance can result in fines of millions of euros.
What does MiFID II compliance involve for an investment firm?
MiFID II requires firms providing investment services to: classify clients, carry out suitability and appropriateness assessments, maintain a best execution policy, manage and disclose conflicts of interest, report periodically and meet staff qualification requirements. Non-compliance is directly supervised by the CNMV and can lead to enforcement proceedings and activity restrictions.
What licenses does a fintech need to operate in Spain?
It depends on the business model. If it manages funds or processes third-party payments, it needs a payment institution license or an electronic money institution (EMI) license from the Bank of Spain. Minimum capital ranges between €20,000 and €125,000 depending on the services. If it provides investment services, it needs authorization as an investment firm before the CNMV. Operating without the relevant license is a very serious infringement.
What does the MiCA Regulation require from crypto-asset service providers?
MiCA (EU Regulation 2023/1114 on markets in crypto-assets) establishes an authorization and supervision framework for CASPs (crypto-asset service providers) across the European Union. It requires capital, governance, safeguarding of client assets, disclosure transparency, specific AML policies and compliance with the Travel Rule for crypto-asset transfers.
What is DORA and which entities does it affect?
The DORA Regulation (Digital Operational Resilience Act) has been mandatory since January 2025 for all regulated financial entities in the EU and their critical ICT providers. It requires an ICT risk management framework, an operational continuity policy, incident logging and reporting, resilience testing and oversight of third-party digital service providers.
What does a Corporate Compliance program cover?
An effective criminal compliance program includes: a criminal risk map of the organization, a code of conduct and internal policies, an ethics or whistleblowing channel in line with the Whistleblowing Directive, an internal investigations protocol, periodic role-based training and oversight and update mechanisms. A well-documented program can exempt or mitigate the criminal liability of the legal entity.
How does an entity prepare for a SEPBLAC or Bank of Spain inspection?
Preparation requires reviewing the consistency between the compliance manual and actual practice: traceability of KYC files, records of alerts and decisions, training evidence, minutes of the internal control body and beneficial owner documentation. A well-organized, consistent file significantly reduces additional information requests and resolution times.
How long does it take to obtain a payment institution license?
The legal resolution period is 3 months from submission of the complete file, although in practice the process can extend to 6–12 months depending on the complexity of the business model and the quality of the submitted file. A well-prepared file from the outset — with the program of operations, the required policies and paid-up capital — reduces additional information requests and shortens timelines.

Is your company ready to adapt to PSD3?

We help you analyze the impact of PSD3 on your activity, identify the new regulatory obligations and define a legal and operational adaptation strategy. First consultation at no cost.