Quick answer: when a security token offering involves tokenised securities, anti-money-laundering and counter-terrorist-financing (AML/CFT) compliance is not governed by the crypto-asset regime but by the financial-instrument regime. The issuer and the participating entities are subject to Spain's Law 10/2010 of 28 April, under SEPBLAC supervision, and must identify every investor through KYC procedures (individuals) and KYB procedures (legal entities), also verifying the beneficial owner before the business relationship begins. On top of that AML/CFT layer sits the suitability and appropriateness assessment required by MiFID II, transposed in Spain by Law 6/2023 (LMVSI), together with a set of controls native to the technology: on-chain control lists (whitelist or allowlist) that restrict who may receive or transfer the tokens. On the transfer side, the crypto-asset Travel Rule under Regulation (EU) 2023/1113 requires certain operations to carry information on the originator and the beneficiary, and taxation adds a further layer through DAC8, Directive (EU) 2023/2226, which extends the automatic exchange of information on crypto-assets. The core idea: an offering of tokenised securities simultaneously carries the obligations of securities law and those of the anti-money-laundering framework, and they are best designed as a single system from day one.
Which framework applies: the security token as a financial instrument
The starting point conditions everything else. If the token embeds rights characteristic of a transferable security (a share in profits, voting rights, a claim against the issuer or a return linked to the performance of an asset), it is a financial instrument. In that case the securities-market regime applies and, under Article 2(4) of Regulation (EU) 2023/1114 (MiCA), MiCA is excluded: it does not regulate crypto-assets that already qualify as financial instruments. That is the anchor rule that separates a security token from a utility token or an asset-referenced token.
The practical consequence is that the offering operates within Law 6/2023 of 17 March on Securities Markets and Investment Services (LMVSI), which transposes MiFID II and allows transferable securities to be represented through distributed-ledger-technology systems under Regulation (EU) 2022/858 on the pilot regime. For a deeper look at this framework, see our analysis of the LMVSI and tokenisation.
The AML/CFT layer: Law 10/2010 and SEPBLAC supervision
The entities involved in issuing and marketing tokenised securities are, as a general rule, obliged subjects under Law 10/2010. This includes investment firms, credit institutions and, depending on its function, the entity responsible for registration and recording (ERIR) where it provides regulated financial services. Supervision falls to the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences (SEPBLAC), a body under the Bank of Spain.
The core obligations are formal and substantive identification of the client, verification of the beneficial owner before the business relationship begins, retention of documentation for at least ten years, reporting of suspicious operations to SEPBLAC and ongoing staff training. These are not front-desk formalities: they are the foundation on which the entire compliance architecture of the offering is built.
KYC, KYB and beneficial-owner verification
The Know Your Customer (KYC) procedure covers individual investors: documentary identification, identity verification and risk assessment. Know Your Business (KYB) extends that analysis to legal entities, where it is essential to reconstruct the ownership chain up to the beneficial owner, that is, the natural person who ultimately controls the entity. In offerings with investors across several jurisdictions, this due diligence is calibrated to risk: countries, investor type and source of funds determine whether simplified or enhanced due diligence is appropriate.
The MiFID II layer: suitability and appropriateness
Anti-money-laundering answers the question of who the investor is; MiFID II answers whether the product is right for them. Where marketing the security token involves advice or portfolio management, the firm must run the suitability test, which assesses knowledge, experience, financial situation and investment objectives. For mere execution or the reception and transmission of orders on complex products, the appropriateness test applies. These assessments, required by the LMVSI as a transposition of MiFID II, coexist with KYC but serve a different purpose: investor protection, not the prevention of money laundering.
On-chain controls: whitelist and allowlist
Distributed-ledger technology makes it possible to shift part of the compliance burden into the token itself. Through on-chain control lists (whitelist or allowlist), the smart contract only allows tokens to be received or transferred by addresses (wallets) previously verified through the KYC/KYB process. In this way, the transfer restriction stops being a contractual commitment on paper and is enforced automatically: an address not on the list cannot receive the security. This is the mechanism that connects traditional due diligence with the programmability of the token, and it is especially useful for maintaining compliance across the secondary market.
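The transfer restriction described above, written as a Solidity contract; this is an added example, not code from the original article or from any issuer. Solidity itself, the contract name, the `complianceAgent` role and every function name are assumptions, since the article names no chain or token standard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example: every name in this contract is hypothetical.
contract AllowlistedSecurityToken {
    address public immutable complianceAgent; // records KYC/KYB outcomes (assumed role)
    mapping(address => bool) public allowlisted;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event AllowlistUpdated(address indexed wallet, bool allowed);
    event Transfer(address indexed from, address indexed to, uint256 amount);
    error NotComplianceAgent();
    error NotAllowlisted(address wallet);

    modifier onlyAgent() {
        if (msg.sender != complianceAgent) revert NotComplianceAgent();
        _;
    }
    constructor(address agent) { complianceAgent = agent; }

    // Called once off-chain KYC/KYB has passed; allowed = false revokes the wallet.
    function setAllowlisted(address wallet, bool allowed) external onlyAgent {
        allowlisted[wallet] = allowed;
        emit AllowlistUpdated(wallet, allowed);
    }
    function mint(address to, uint256 amount) external onlyAgent { _move(address(0), to, amount); }

    function transfer(address to, uint256 amount) external returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }
    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount; // checked arithmetic reverts if allowance is too low
        _move(from, to, amount);
        return true;
    }

    // Single choke point: issuance, direct and delegated transfers all pass this check.
    function _move(address from, address to, uint256 amount) internal {
        if (!allowlisted[to]) revert NotAllowlisted(to);
        if (from != address(0)) {
            if (!allowlisted[from]) revert NotAllowlisted(from);
            balanceOf[from] -= amount; // reverts on insufficient balance
        }
        balanceOf[to] += amount;
        emit Transfer(from, to, amount);
    }
}
```

Routing issuance and both transfer paths through `_move` means a function added later cannot skip the list check by accident. The `complianceAgent` key decides who may hold the security, so it needs the same protection as the issuer's custody keys.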
Custody of these assets demands equivalent controls over keys and records; this can be explored further in our article on custody of digital assets in Spain.
The crypto-asset Travel Rule
Regulation (EU) 2023/1113, on the information accompanying transfers of funds and certain crypto-assets, brings the FATF standard known as the Travel Rule into EU law. Applicable since 30 December 2024, in step with MiCA, it requires transfers to include identifying data on the originator and the beneficiary. A nuance is worth noting: this regulation is aimed primarily at crypto-asset service providers. In an offering of tokenised securities circulating on authorised market infrastructures, the transfer-traceability obligations derive from the financial-instrument regime, but the underlying logic is the same: no operation should be left without an identifiable record of the parties.
The tax layer: DAC8
Directive (EU) 2023/2226 (DAC8) extends the EU framework for the automatic exchange of tax information to crypto-assets. Member States were required to transpose it by 31 December 2025, and the information-gathering obligations apply, as a general rule, from 1 January 2026, with the first effective exchange between administrations expected from 2027. For the security token issuer the relevance is twofold: it reinforces the need to keep reliable tax data on each investor, and it confirms the trend towards aligning the transparency of digital assets with that of traditional financial products.
Frequently asked questions
Does MiCA apply to AML in a security token offering?
Not directly. If the token is a financial instrument, MiCA is excluded under its Article 2(4). Anti-money-laundering is governed by Law 10/2010 and the financial-instrument regime, not by MiCA's crypto-asset framework.
Who supervises AML/CFT compliance in Spain?
SEPBLAC, a body under the Bank of Spain, is the supervisory authority for the prevention of money laundering and terrorist financing. Supervision of the securities market falls to the CNMV.
Does the whitelist replace KYC?
No. The whitelist is the technical consequence of KYC/KYB: only addresses whose holders have passed identification and verification are included. Without prior due diligence there is no valid inclusion on the list.
When does DAC8 start to apply?
Transposition was due by 31 December 2025 and the reporting obligations apply, as a general rule, from 1 January 2026, with exchange between administrations from 2027.
What this means for you
If you are planning a security token offering in Spain, it is best to design compliance as an integrated system rather than a sum of isolated formalities: KYC/KYB identification and beneficial-owner verification feed the on-chain whitelist; the MiFID II assessment protects the investor at the marketing stage; the Travel Rule ensures the traceability of operations; and DAC8 closes the tax loop. Anticipating these layers from the token-design phase avoids reworking the structure later and reduces the risk of friction with SEPBLAC and the CNMV. The rule to keep in sight: a tokenised security is, above all, a security, and as such it carries the full regime of financial instruments.
This content is for information purposes only and does not constitute legal, financial or tax advice. Anti-money-laundering and securities-market rules are subject to change and interpretation. Before undertaking a security token offering, consult professional advisers and verify the rules in force.
Sources: Law 10/2010 of 28 April on the prevention of money laundering and terrorist financing (BOE-A-2010-6737); Law 6/2023 of 17 March on Securities Markets and Investment Services (BOE-A-2023-7053); Regulation (EU) 2023/1114 on markets in crypto-assets, MiCA, Art. 2(4) (CELEX 32023R1114); Regulation (EU) 2023/1113 on information accompanying transfers of funds and crypto-assets (CELEX 32023R1113); Directive (EU) 2023/2226, DAC8 (CELEX 32023L2226); Regulation (EU) 2022/858 on the pilot regime for market infrastructures based on DLT (CELEX 32022R0858).