SEPBLAC software: automate AML reporting without losing traceability
Any fintech, payment institution or e-money institution operating in Spain is an obliged entity under Law 10/2010 on the prevention of money laundering. That means reporting to Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias. Unidad de inteligencia financiera de España (FIU), receptor oficial de las comunicaciones de operativa sospechosa de las entidades obligadas.SEPBLAC with enforceable deadlines, format and traceability. Manual reporting does not scale with volume, and a shared spreadsheet does not survive an inspection. Well-designed SEPBLAC software automates the repetitive work without sacrificing the audit trail or human control over what reaches the regulator.
What SEPBLAC requires from an obliged entity
Law 10/2010 and Royal Decree 304/2014 set out four operational obligations a system must sustain:
| Obligation | What it means |
|---|---|
| Special examination | Analyse in detail every complex, unusual operation with no apparent economic purpose before deciding whether to report. |
| Suspicion-based reporting | Report to SEPBLAC any operation linked, by indication or certainty, to money laundering, with its supporting documentation. |
| Systematic reporting | Periodically report operations subject to declaration even with no indication of suspicion. |
| Record retention | Keep documentation for ten years, retrievable and with demonstrable integrity. |
Each one produces a case file. Without a system, that file lives scattered across emails, spreadsheets and folders, and the decision chain goes unrecorded.
Why manual reporting does not scale
The problem is not only time. It is defensibility under an inspection.
| Problem | Impact |
|---|---|
| Latency | Weeks between detection and reporting, when the deadline is tight. |
| Transcription errors | Data hand-copied from five different systems, with inconsistency risk. |
| Incomplete audit trail | No record of who analysed what, when and on what criteria. |
| Key-person risk | Process knowledge lives in a single head. |
In an inspection, what is examined is not only the final report: it is how it was reached. A manual process can rarely reconstruct that chain with guarantees.
What SEPBLAC software should automate
Automating is not generating the report in one click and signing blind. The layers where software adds real value are specific:
1. Structured special examination
The system should enrich each alert with a 360° Know Your Customer: conjunto de procesos para verificar la identidad de un cliente y entender su perfil de riesgo. En banca y fintech, requisito legal previo a la apertura de relación de negocio. Leer más → KYC profile: client risk factors, jurisdiction, PEP status, transaction history. The analyst receives the case already documented, not a stray line.
2. Pre-filled case file
From the case file, the software pre-fills the Formulario F19-1: comunicación por indicio al SEPBLAC. Documento estandarizado que los sujetos obligados remiten cuando detectan indicios de blanqueo de capitales o financiación del terrorismo, conforme al Art. 17 de la Ley 10/2010.F19 form, drafts the narrative summary in regulatory language, maps the applicable SEPBLAC indicators and builds the chronological timeline of operations. The analyst reviews and corrects, rather than transcribing.
3. Filing in a valid format
Reporting to SEPBLAC has a defined format and fields. The software validates the structure before submission, so an incomplete case file is never filed by mistake.
Guiding principle: the software proposes, the person decides
Automation must never report to the regulator without human approval. The four-eyes principle (segregation of duties) guarantees that every high-risk filing requires validation by two distinct people. It is enforceable, not optional.
Traceability is not an add-on
This is where most generic solutions fail. Serious SEPBLAC software must record every state transition of the case file immutably: who opened it, who analysed it, who approved the filing and when. Without that audit trail, automation solves speed but leaves the defence before the regulator exposed.
Ten-year retention demands the same: keeping the final PDF is not enough. You must be able to prove the integrity of the case file from the moment it was opened. A cryptographically sealed audit log turns "trust our archive" into "verify the integrity".
Data sovereignty when AI is involved
If the software uses AI for triage or drafting, it processes specially protected information: full names, national IDs, banking data, transaction patterns. Sending that data to third-party APIs only relocates the problem:
| Risk | Description |
|---|---|
| Data sovereignty | Information leaves your jurisdiction with no effective control. |
| General Data Protection Regulation: Reglamento UE 2016/679 de protección de datos personales. Aplica a cualquier tratamiento de datos de residentes europeos. Sanciones de hasta el 4% del facturado global.GDPR Art. 28 | The AI provider becomes a data processor. |
| Reglamento UE 2024/1689: marco europeo para sistemas de IA basado en riesgo. Prohíbe usos inaceptables, regula los de alto riesgo y establece transparencia para modelos generativos. Entrada en vigor escalonada 2025-2027.AI Act | High-risk AI systems require transparency and governance. |
The alternative is sovereign processing: models that run on your own infrastructure, so the case-file data never leaves the controlled perimeter.
How BlueUPALM approaches SEPBLAC reporting
| Capability | Implementation |
|---|---|
| Special examination | 360° KYC profile with configurable risk factors. |
| Indicators | Mapping of SEPBLAC indicators onto each alert. |
| Four-eyes | Segregation of duties with dual approval on filings. |
| Reporting | F19 pre-fill with narrative summary and timeline. |
| Audit trail | Immutable record of every case-file state transition. |
| Sovereign AI | Local processing: data never leaves the perimeter. |
Related reading
- AML automation with AI: from manual screening to intelligent triage — The AI layer that feeds the special examination.
- DORA 2026: a practical guide for financial entities — The other regulatory framework that shares traceability demands.
- DORA Calculator — Assess your Digital Operational Resilience Act: reglamento UE 2022/2554 sobre resiliencia operativa digital. Exige a entidades financieras de la UE resistir, responder y recuperarse de incidentes TIC. En vigor desde 17 enero 2025. Leer más → DORA maturity in minutes.
Want to see SEPBLAC reporting automated?
We will walk you through the BlueUPALM AML engine with synthetic data from your sector, including the special-examination flow and filing with an audit trail.