The mule-account aggregated reporting regime under Law 10/2010
The mule-account aggregated-reporting regime is one of the more recent additions to Spain’s AML toolkit. Where a customer’s account has been used by a third party to receive proceeds of fraud, the obligated subject must report the fact pattern to SEPBLAC in a structured, aggregated submission — separate from any standard SAR filing. The mechanism was introduced through amendments to Law 10/2010 to capture the systemic mule-account problem driving authorised-push-payment fraud across the bloc. This piece walks through what triggers reporting, what data is captured, and the operational tooling required.
1. Why the regime exists
Mule accounts — accounts opened in the name of one customer but operated by a third party to receive fraud proceeds — are the operational backbone of authorised-push-payment fraud. Investigators consistently see victim funds flow into a mule’s account, then out within minutes to a second-line beneficiary, often outside the originating jurisdiction.
The individual-SAR framework was producing too many isolated reports for SEPBLAC to correlate effectively. The aggregated-reporting regime structures the data the same way across all obligated subjects, so SEPBLAC can correlate patterns across institutions and feed the data to law enforcement at scale.
2. Legal basis
The regime sits inside Law 10/2010 on the prevention of money-laundering and terrorism-financing, refreshed through subsequent amendments. The detailed operational rules are set in SEPBLAC’s published guidance for obligated subjects on the structured submission. The framework is mandatory for credit institutions, EMIs, PIs and other obligated subjects that hold customer accounts.
3. Who must file
- Credit institutions
- Electronic-money institutions
- Payment institutions, including those passporting in
- Other obligated subjects under Article 2 of Law 10/2010 that hold accounts capable of receiving fraud proceeds
For an EMI or PI passporting into Spain, the obligation flows from the activity carried on in Spain. The home-state SAR regime covers home-state activity; Spanish mule-account aggregation goes to SEPBLAC.
4. What triggers reporting
Common trigger sources:
- A counterparty PSP’s clawback or fraud notification on a specific transaction
- Police request for information identifying the account as part of a fraud investigation
- Internal alert from the firm’s fraud-monitoring engine, confirmed by investigation
- Direct victim complaint, validated against the account’s transaction history
5. What is reported
The structured submission captures, per case:
- Account-holder identification — name, NIF/NIE/passport, date of birth
- Account identifier — IBAN-NIB
- Account-opening date and channel
- The trigger event — type, source, date
- The relevant transactions — incoming fraud proceeds, outgoing transfers, amounts, counterparties
- Internal investigation outcome — confirmed mule, suspected mule, false positive after investigation
- Account status — frozen, terminated, restored
- Whether a separate SAR has been filed in respect of the same fact pattern
6. Cadence and channel
- Frequency: structured aggregated submission on a defined cadence per SEPBLAC’s guidance; not transaction-time
- Channel: SEPBLAC’s structured-reporting platform, in addition to the standard SAR portal
- Linkage: where a SAR has been filed in respect of the same fact pattern, the SAR reference is included in the aggregated record
7. Mule reporting vs. SAR — what goes where
| Scenario | Channel |
|---|---|
| Suspicion of money-laundering, mule pattern not yet confirmed | SAR via the standard SEPBLAC channel |
| Confirmed mule-account use, regardless of whether SAR was also filed | Mule-account aggregated submission |
| Both — SAR followed by confirmation | Both: SAR first, then aggregated submission referencing the SAR |
| False positive after investigation | Neither, with internal documentation of the investigation |
8. Operational tooling
The aggregated-reporting regime is a structured-data submission, not a free-text narrative. Firms with mature fraud-investigation case-management systems can typically generate the submission directly from case data. Firms without a structured case-management layer face manual data entry per case — workable at low volume, painful at scale.
Practical engineering points:
- Tag confirmed-mule cases at case closure with a standardised disposition code
- Capture the trigger source and the linked SAR reference as structured fields
- Build the SEPBLAC submission as a batch from closed cases, not as a real-time push
- Reconcile the aggregated-submission volume against the internal fraud-investigation log monthly
9. Tipping-off and customer communication
The tipping-off rules in Article 24 of Law 10/2010 apply to mule-account reporting the same way they apply to ordinary SARs. The customer cannot be informed that the case has been reported as a confirmed mule. Customer-facing communications around account freeze or termination must avoid disclosing the regulatory trigger.
10. FAQ
Is this the same as a SAR?
No. A SAR (comunicación por indicio) is a suspicion-driven report through the standard SEPBLAC channel. The mule-account aggregated submission is a structured, confirmation-driven report through a separate channel. The two can coexist on the same fact pattern.
Are EMIs and PIs in scope?
Yes. Every obligated subject under Article 2 of Law 10/2010 that holds accounts capable of receiving fraud proceeds is in scope.
What if the mule’s account has already been closed?
The reporting obligation applies to the fact pattern, not the active status of the account. A closed account that was confirmed as a mule still falls in scope.
Can the customer dispute the mule classification?
The internal investigation outcome is the firm’s classification. The customer has GDPR access rights and can challenge factual inaccuracies. Where new evidence reverses the classification, the firm updates the record and notifies SEPBLAC accordingly.
How does this interact with the upcoming Verification of Payee regime?
VoP reduces mule incidence at the entry point by surfacing name-IBAN mismatches before the payer authorises a transfer. It does not eliminate mules — a determined fraudster will use a same-name match. The mule-account reporting regime captures the cases that get through.
Do I freeze the account on confirmation?
Freezing is a separate decision driven by the firm’s AML policy, sanctions screening and contractual terms. SEPBLAC reporting is independent of the operational action — both can happen simultaneously, with tipping-off rules respected.
11. What to do, today
- Audit your fraud-investigation case-management system for structured disposition codes — specifically a “confirmed mule” outcome.
- Map the structured submission fields to your internal case-data model.
- Build the batch-generation flow as a separate pipeline from the standard SAR generator.
- Reconcile the aggregated submission against the closed-case log monthly.
- Coordinate with your SEPBLAC representative on the channel-specific signing and submission flow.
Related: What is SEPBLAC? · How to file a SAR in Spain · Verification of Payee under IPR
