SEPBLAC, eID, and Spain’s Adult Phase of Digital Trust

Digital identity in Spain is being redefined as the boundaries of fraud control are finally clarified. Fraud has been evolving for years, largely outpacing the systems designed to contain it. 

The expansion of digital identity verification (eID) as a requirement in high-risk sectors and the growing relevance of SEPBLAC in compliance and risk conversations are reshaping fraud-fighting as we know it. This is especially clear where anti-money laundering (AML), counter terrorist financing (CTF), and the traceability of “who is really behind an operation” are concerned.

At the same time, companies operating in digital onboarding, remote transactions, or high-value services are facing an uncomfortable reality where identity is no longer just a “data point.” If handled poorly, companies risk a breach that could lead to legal, financial, and reputational risks.

Now more than ever, digital identity is being exploited by cybercriminals and targeted by hybrid networks that forge documentation. Here, social engineering, AI-assisted impersonation, money mules, and automation coexist. This is no longer a marginal issue as it’s clear that identity has become the frontline of systemic risk.

The question that now appears early in executive conversations is simple but brutal: Are we truly verifying people, or are we merely going through the formality?

The path from formal verification to real verification

For years, organizations treated identity verification as a procedural step of an ID scan, a selfie, a biometric match, and an automated approval. The problem is that adversaries no longer operate at that level.

A formal identity verification can be technically flawless yet operationally false, because digital identity can be manipulated. The document may be legitimate, but stolen. The person may exist, but be coerced or used as a proxy. The selfie may be assisted, generated, or strategically captured. The channel may be compromised. And most importantly: the intent behind the identity may be entirely different from what is declared.

Real verification, the kind that truly reduces risk, does not stop at the document looking authentic. It must answer a more difficult question: Is this identity being used in a legitimate, consistent way that matches its overall digital and financial activities?

This is precisely where Spain is starting to move and where SEPBLAC becomes a strategic catalyst.

SEPBLAC: The quiet actor shaping digital onboarding

SEPBLAC, as Spain’s Financial Intelligence Unit and AML supervisory authority, plays both an intelligence and supervisory role. While it does not operate as a sector-specific regulator like the Bank of Spain or CNMV, it issues guidance, oversees compliance with AML/CTF obligations, and coordinates with obligated entities through an intelligence-driven approach to combating money laundering. 

In today’s environment, this has direct consequences for digital identity.

Identity is the first link in every chain of financial risk. If onboarding fails, everything else is compromised as well: scoring models, compliance frameworks, KYC controls, fraud prevention, and transaction monitoring. None of it matters if the foundation is weak.

Spain has an additional complexity in that the ecosystem of obligated entities is broad and increasingly exposed to digital channels. Banks, insurers, fintechs, investment platforms, real estate operators, notaries, legal structures, and many others face the same dilemma: scale digital operations without enabling industrialized fraud.

In this context, SEPBLAC is pushing the system toward higher standards. This pressure does not always manifest as public enforcement. Often, it shows up as an increase in problems: when expectations rise, the cost of getting identity wrong increases dramatically. This is an opportunity for eID and SEPBLAC to converge in an effective way.

Suggested read: Identity Fraud report 2025-2026

eID in Spain: An opportunity and an illusion of security

Talking about eID in Spain is, fundamentally, talking about modernization. The digitization of high-friction processes such as customer onboarding, remote access, signatures, and service activation has improved user experience and enabled business models that would have been impossible a decade ago.

However, eID has also created a secondary effect: a false sense of automatic security. Many seem to think that having an identity verification tool equals having control.

In reality, we are seeing the opposite happen. The more standardized identity verification becomes, the more it becomes a target for fraud automation. Fraudsters do not improvise; they optimize. They test what controls pass, how systems behave, where tolerance thresholds are, what signals are ignored, and what triggers escalation. Once they understand how it works, they turn it into a product.

Identity fraud is becoming an industry

Identity fraud in 2026 rarely appears as an isolated event. Nowadays, it’s more of an operational chain.

First comes identity acquisition or generation: stolen or purchased identities, recycled accounts, synthetic identities, or manipulated documentation. Afterward comes access: onboarding, verification, activation. The result of that is monetization, transfers, loans, purchases, withdrawals, and mule networks. Finally, there is closure through wiping traces, rotating credentials, abandoning the asset, and moving on to the next one.

The most dangerous shift is that identity is no longer forged only with basic editing tools but with generative AI, and a sophisticated understanding of how digital trust is built.

Many companies fall short in assuming the threat is purely technical, when in reality it is socio-technical. Identity fraud relies on both technology and the human factor.

Digital identity as a reputational and financial risk

A compromised identity creates reputational risk that is hard to quantify but far more expensive to repair, in addition to financial losses.

When an organization suffers a wave of onboarding fraud, it ends with the loss of legitimate customer trust and the perception that the brand does not protect its customers. If victims are involved, there is a public and social media escalation. Complaints and disputes surge, as well as regulatory attention and legal exposure.

Once a company is perceived as an easy target, it becomes part of the attackers’ recurring map.

We see this repeatedly at OnbrandinG. The customer’s digital identity and a company’s reputational identity are connected. If your system enables impersonation, your brand becomes associated with weak governance and poor resilience, especially problematic in sensitive sectors.

Intelligence applied to verification is an approach that we advise companies to take. Identity verification must move from being a process to being an intelligence system.

What this means in practical terms

Context and signals play a vital role in validating documents, and thorough cross-checking of evidence is essential. Both open-source and closed-source intelligence indicators contribute significantly to this process. When fraud occurs, proper attribution becomes crucial. Additionally, having an effective response capability is key when the incident is made public.

There is also a competitive advantage in doing this. When done correctly, this approach reduces fraud, strengthens decision-making, protects brand value, and improves compliance. It transforms an operational cost into a strategic advantage.

This is already happening in mature markets. Spain is entering a new phase, prompted by new regulations, the growth of remote transactions, and a greater understanding that identity is the main way risks arise in the anti-money laundering system.

What comes next

Based on current trends, identity verification standards will become stricter. This isn't due to one law changing everything, but because the system is moving towards higher expectations for traceability and proof.

This has three immediate consequences.

First, identity verification will stop being a departmental issue and become a board-level issue. Compliance, legal, security, operations, communications, and executive leadership will all be involved.

Second, eID models that don’t integrate intelligence, context, and advanced signals will remain exposed because they lack resilience.

Third, incident response for identity fraud will become just as important as prevention. In identity crises, transparency and the ability to demonstrate control are part of the product.

Spain is transitioning from a focus on digitalization for growth to digitalization for resilience.

Digital identity is trust, and trust is business

SEPBLAC and digital identity verification are not separate worlds. They are the same chessboard seen from different angles. One focuses on systemic risk and AML intelligence, and the other on operational efficiency and user experience. The point of convergence is the same: identifying who people are and what it means to let them operate.

Organizations that understand this will treat identity as a pillar of governance, not a formality. They will see compliance as protection of business continuity. They won’t treat fraud as a random misfortune, but as an intelligent adversary who is able to learn.

Digital identity in Spain has entered the adult phase, so the question is no longer whether we verify identities, but whether we do it with the level of intelligence that real-world risk demands.