Spain Calls for Stricter Bank Regulation, Boosts Bitcoin Interest

Update (May 10, 2025): After thoroughly examining Royal Decree 253/2025 alongside the official BOE document and various independent fact-checks, we found that a previous version of this article incorrectly stated that Spaniards are required to notify tax authorities 24 hours in advance before withdrawing over €3,000 in cash and could incur fines up to €150,000 for non-compliance. The truth is that the reporting requirement falls on banks and fintech companies, not individual depositors, and the €150,000 penalty is applicable solely to institutions that fail to submit the necessary data. This article has been fully revised to clarify these issues and offers a detailed, well-sourced explanation of the updated regulations.

In summary: the decree focuses on banks and fintechs, rather than individual account holders, yet it moves Spain closer to complete financial transparency.

Origins of the misinformation

The narrative originated from an April 28 article in Madrid Informa, which was further disseminated by several English-language blogs and a Fintechnews CH syndication. A tweet by CitizenX CEO Alex Recouso gained traction on X, eliciting a colorful response from podcaster Peter McCormack. None of these references provided a link to the Boletín Oficial del Estado (BOE), where the legislation was officially published.

Intent of Royal Decree 253/2025

This decree modifies Articles 37, 38, and 38 bis of Spain’s General Tax Management Regulations (Real Decreto 1065/2007) and introduces a new Article 38 ter. (BOE-A-2025-6599)
It mandates that banks, e-money institutions, and card issuers submit:
- Monthly reports detailing cash deposits, withdrawals, loans, and account balances exceeding €3,000.
- Monthly reports on merchant card transactions (the previous €3,000 annual threshold has been eliminated).
- Annual reports regarding all card activity—including charges, reloads, and ATM cash—unless total card movements are below €25,000 annually.
It expands these obligations to foreign fintechs serving clients in Spain.
This change converts much of the reporting duty from annual to monthly submissions, thus shortening AEAT’s risk assessment period from a full year to approximately 30 days. (KPMG summary)

Clarifying misinformation: no 24-hour notice, no €150k penalty for private individuals

Fact-checkers at InfoVeritas have debunked the assertion that citizens need to “pre-notify” their withdrawals. Article 38 only requires financial institutions to report any cash movements that exceed €3,000 in their information return. There is no requirement in Royal Decree 253/2025 forcing individuals to submit a form or wait 24 hours before accessing their own funds.

The prominent €150,000 penalty refers to the maximum administrative fine that the AEAT can impose on entities that consistently fail to comply with reporting or provide false information—approximately 0.5% of their annual income according to Spain’s tiered penalty system (Law 58/2003, Article 199). Private clients are not subject to these penalties.

Who can be penalized—and for what reasons

Obligated entity	Trigger	Potential penalty
Bank / fintech / card issuer	Late, incomplete, or inaccurate monthly or annual filing	€150 – €150,000 (Art. 199 LGTT)
Individual user	None under Royal Decree 253/2025 (standard AML/KYC regulations still apply)	N/A

Concerns of privacy advocates and crypto supporters

Even without a requirement for prior notification, the reporting changes mean that the tax agency will receive detailed, nearly instantaneous information on significant cash transactions as well as most card activity. Civil liberties organizations argue that this extensive data collection undermines the presumption of innocence, while cryptocurrency advocates view it as an additional push for self-custodial digital assets.

“When state permission is necessary to access your funds, it’s no longer truly your money.” —Alex Recouso, CitizenX

Recouso’s statement may misinterpret the law, but it reflects a sentiment resonating through the Bitcoin community: each new layer of reporting nudges users towards censorship-resistant alternatives.

A component of a larger EU regulatory effort

This initiative in Spain aligns with the EU’s proposed Anti-Money Laundering Authority framework, which aims to implement a €10,000 cash transaction limit across the EU and requires mandatory monitoring of transactions through APIs. Countries like Italy, France, and Portugal have already imposed cash ceilings for commercial transactions set below €3,000. The European Commission is pushing for these new regulations to be in effect prior to the 2026 AMLA rollout.

Key insights for Spanish savers and implications for crypto markets

You can still walk into your bank and take out €3,001 tomorrow. Be prepared for inquiries and identification checks, but no advance notice is required.
Your bank, not you, will report this to AEAT in its next monthly data submission.
Penalties will be aimed at the institution if it conceals or postpones that information.
The decree accelerates a trend of surveillance that renders bearer-less, peer-to-peer assets like Bitcoin increasingly appealing.

The essential takeaway: while fears about a cash ban may be overstated, Spain’s new regulations do diminish the remaining opportunities for financial privacy. The trend towards self-custody in crypto is reinforced, although stripped of misinformation.