Vanessa Sánchez Martín: "Compliance is like a fine rain that gradually seeps in"

Vanessa Sánchez Martín is a Compliance and Anti-Money Laundering Prevention expert with a solid background in economics and financial management. An Economics graduate with a Master's in Financial Management and Stock Market, she holds specialized certifications such as Corporate Compliance by CUMPLEN, Expert in Money Laundering Prevention by INBLAC, External Expert registered at SEPBLAC, and Legal and Compliance Expert in Blockchain, crypto assets, smart contracts, and Web 3.0.

With a career that has taken her from insurance to specialized consulting, Vanessa has developed a unique vision of how organizations can integrate regulatory compliance gradually and effectively. "Compliance is like a fine rain," she affirms, "if you go out in a downpour, you get soaked immediately. But fine rain seeps in slowly."

Question: What personally attracted you to the world of compliance and anti-money laundering, being an economist by training?

Answer: I got into it somewhat by chance, actually. Back in 2015, when everything was just starting, a boss I had in an insurance benefits department told me: "We have to do this and retroactively get the KYC (Know Your Customer) information for the clients we already have and get up to date. Are you up for it?" I replied that I had no idea what that was. So, she gave me the law to study.

I started researching what it was about. And I suppose that because of my personality, my way of being, and my desire for things to always be very structured, that’s what attracted me to this field. The fact that everything has a rule and is well-defined.

Q: How has your background in economics and financial management influenced your approach to regulatory compliance and anti-money laundering?

A: I think people have a somewhat mistaken perception. Many believe that if you work in this field, you must be a lawyer. However, many of the things you need to analyze are from an economic and financial perspective. For example, when I worked in Technical Units, I often had to analyze balance sheets, look at ratios or working capital. In those cases, lawyers can feel more lost, and my training has allowed me to spot unusual aspects: whether we needed to request more information because something didn’t add up to validate it, etc.

That kind of knowledge is very useful. This field is not as legalistic as people often think. There’s a law you need to know how to apply, but you’re not defending an obligated party who has committed a money laundering crime. I believe the economic aspect is fundamental in this field. In fact, I’ve taught lawyers how to approach these operations.

It’s a peculiar experience because trying to teach finance to a lawyer can be challenging.

Q: You’ve worked in various areas of regulatory compliance and anti-money laundering prevention. What has been the most significant evolution in regulations over the years? What recent milestones do you find most important?

A: At first, when you talked about money laundering prevention, many people interpreted it as an accusation, as if you were insinuating that someone had committed a crime. It was very difficult to make them understand that it was about ensuring the company complied with the law, not so much about the individual themselves.

Gradually, both obligated parties and people in general are becoming more aware of this type of crime and understand that they need to cooperate. It’s true that the Data Protection Law constantly complicates our work as we request information to combat money laundering.

An important milestone? I don’t think there’s been a definitive one yet. Perhaps in compliance, yes—companies need an ethical code and a compliance officer. But in prevention, there are still many hesitations, though I don’t really understand why. If this regulation must be followed with these rules, I don’t see why it’s so difficult for them. Or maybe I do: because business isn’t going as well as they’d like.

A clear example is real estate agencies—one of the most challenging obligated parties to work with. Perhaps they fear that if they ask clients for information, those clients won’t buy the property. So from a business perspective, they think it limits them rather than helping them grow. We’re still fighting against that mindset. Progress is being made, but we haven’t reached the desired point yet.

Additionally, new methods are emerging for buying properties—even with Bitcoin. For instance, extra caution is needed with individuals from certain nationalities whose countries are non-cooperative according to provided lists. These cases carry more risk. Gradually, new methods are being developed so these individuals can also purchase properties; however, we encounter the same problem again: businesses unwilling to implement KYC systems or request proof of fund origins.

It’s funny because I recall anecdotes where real estate agents would claim everyone had €120,000 in their bank accounts—and we were baffled. No, not everyone has that amount of money! We need to know where it comes from. Upon investigation, some people would say it was savings—but achieving such savings with their declared annual salary seemed suspicious. These little details stand out.

In Spain’s coastal areas specifically, these regions are among the most problematic in every respect—a red zone on the map for working with them.

Q: Regulation always lags behind technology. Do you think current regulations are sufficient to address emerging risks related to Web 3.0 and decentralized technologies? Or is a stronger framework needed?

A: No—we still have a long way to go. In fact, one thing that impresses me about what you’re doing with Didit is the digital identity aspect; I think it could be crucial for regulatory compliance.

But there are many things we still need to address. I understand concerns about data protection since much documentation we must request can get lost—and there aren’t reliable tools or legislation yet to prevent that.

Could blockchain help? Possibly—and I like the idea—because if you create a Smart Contract where all information is stored unalterably and grant permissions so interested parties only see relevant parts, everything would become much simpler. But as of today, even this isn’t fully regulated; there are always legal loopholes.

It always happens: technology advances rapidly while laws lag behind. Either we step up or fail to keep pace.

Q: What differences have you observed between regulatory frameworks governing blockchain/crypto-assets versus traditional financial institutions?

A: Ultimately, anti-money laundering (AML) regulations remain the same—even for cryptocurrency providers or wallet custodians—which surprises me given they use unregulated technology like blockchain itself. But regarding AML requirements specifically? No difference at all—they’re held equally accountable under specific regulations like MiCA (Markets in Crypto-Assets), yet AML enforcement applies identically across both sectors.

Providers must submit manuals upfront alongside risk assessments—but when conducting external expert reports later down-the-line? Traditional obligated parties face identical scrutiny too!

Traditional sectors should embrace newer technologies better—leveraging them instead of fearing adoption unnecessarily! Tools enabling operational efficiency exist already; embracing innovation sooner benefits everyone involved!

Q: Do you think greater regulation will encourage the adoption of crypto-assets by institutional investors and the general public?

A: I’ve been asked this question many times. When there’s a lot of regulation, people tend to fear it because there are so many rules to follow. For the general public? Yes, I think there will be more trust because regulation helps build confidence. For institutions, though, I’m not sure how well it will be received given the burden of compliance with so many rules.

From my experience, we need to find a middle ground. It’s not about over-regulating but regulating effectively. Establishing too many rules—especially when some may even contradict each other—doesn’t make sense. Over-regulation is never a good thing, in my opinion.

To strike that balance, I think education is key. It’s not just about regulating but also about educating people on these new assets: explaining what they are, how they work, allowing them to explore and experiment, and providing testing platforms.

Here’s a thought: I always say that in school, there are many subjects that may not be very useful in the future, but perhaps offering some basic financial education is necessary so that people graduate with some knowledge and can make informed decisions about accepting or rejecting any investment.

Q: Companies must prepare to implement the Sixth Anti-Money Laundering Directive (AMLD6). How do you foresee this transition, and what practical measures would you recommend for companies to adapt effectively?

A: Well, the first thing is to see when it will be transposed into national law because I don’t think it will happen by the expected date. For example, in Spain, we experienced delays with the Fifth Directive (AMLD5), which led to several sanctions. I hope that doesn’t happen again this time.

When I teach courses to different companies, I try to give them a heads-up about the path they should follow. Step by step, they need to analyze what affects them because not all changes included in AMLD6 will impact every obligated party. Those who will be affected need to pay attention to what applies to them. I’d recommend staying informed by consulting experts or similar resources so they’re not caught off guard later.

It’s true that when we make adaptations for AML compliance, many people complain about having to do everything at once. My usual advice is to take it step by step, solidifying each part of the process.

This advice is also very relevant for newly obligated parties. They should internalize a couple of obligations first and understand what they need to do. Those who aren’t affected by new changes will remain as they are, while those with new obligations will find it easier to adapt gradually. The new guidelines under AMLD6 don’t introduce overly radical changes for those already meeting their obligations.

In short, I think it will be straightforward for those who are already obligated parties and slightly more challenging for newly obligated ones.

Q: What role do emerging technologies like artificial intelligence (AI) and machine learning play in strengthening KYC (Know Your Customer) and AML systems within financial institutions?

A: They play an important role within financial institutions but are rarely used in other obligated sectors. Many companies want to start using AI but are afraid because they don’t know how to implement it. I think AI faces the same issue as financial education: people don’t know how to use it and fear it will take their jobs—which isn’t true. We need to learn how to use these tools to make work easier and more efficient at all levels.

For example, even something as simple as a manual can be parameterized based on the type of entity, making things much easier. It’s not about having a template but rather using AI to help create one tailored specifically for your needs. However, this isn’t how things work in most cases today. At Didit, for instance, you’re using AI for identity verification (KYC), but many other companies only use AI for creating PowerPoint presentations.

Now, can compliance be achieved without technology? Yes, it can—but it’s more expensive and resource-intensive because manually performing tasks takes much longer than automating them with technology. SEPBLAC (Spain’s Executive Service of the Commission for the Prevention of Money Laundering) offers options for conducting non-face-to-face operations, but many people don’t use them—not even traditional methods! They sign off on a KYC report that gets filed away without further action.

Technology could greatly enhance tasks like report preparation or other operations—but in my experience, it’s underutilized. Some companies subscribe to watchlist services (e.g., large banks or financial institutions required by law), but beyond that? Not much else—some still rely on Excel for these tasks!

Q: In your experience, what are the most effective indicators for detecting suspicious activities in an AML context? Could you provide practical examples of how these indicators are applied in real-life scenarios?

A: The first step is understanding the risks within your sector and your specific company. Once those indicators are clear, you need to establish controls that align with what you’re doing. It’s not the same managing properties in Madrid or Toledo versus properties on Spain’s Costa del Sol—the client profiles differ significantly. You must clearly define who your clients are, their sector/activity type, where transactions take place, and create a solid risk assessment report followed by appropriate manuals and procedures—and then stick to them.

For example, during analysis processes, don’t assume that if X checks out positively you won’t need Y anymore. Intuition matters; if something doesn’t add up or feels off-kilter—keep requesting additional information until everything aligns properly! Documentation is key here—it doesn’t hurt anyone if done thoroughly yet respectfully.

When risks tied directly back into operational activities get addressed comprehensively upfront—it becomes harder overall being blindsided unexpectedly down-the-line during audits/reviews! Mistakes might still occur occasionally—but adhering strictly ensures smoother handling whenever issues arise unexpectedly!

Q: How do you balance rigorous regulatory compliance requirements with maintaining a positive customer experience in the financial sector?

A: Customers need to understand that when they’re required to provide certain information so companies comply with regulations—it also protects them as consumers! Imagine buying property where due diligence wasn’t conducted properly; if legal compliance fails mid-transaction—the entire deal collapses disastrously!

It’s essential communicating regulatory obligations aren’t solely self-serving—they guarantee users trustworthiness toward engaging respective services/products confidently long-term! However reasonable limits apply here too—asking excessive details beyond necessity risks alienating clientele unnecessarily!

Q: Beyond regulatory compliance, how important is a culture of compliance within an organization? What practices would you recommend to foster a strong ethical culture in a company?

A: The foundation of everything is having a culture of compliance within the organization. There is increasing awareness about this, but I believe the most critical aspect is ensuring that those at the top of the company—who are often the ones who resist the most—internalize this culture. From there, it should trickle down throughout the organization.

If every person in the company understands how they can contribute and what they can do to prevent inappropriate behaviors, it becomes much easier to establish a strong ethical culture.

Some companies have implemented whistleblowing channels, which is a great tool. However, due to cultural factors in Spain, many people perceive using these channels as being a "snitch," so they go unused. If instead of viewing it as a Big Brother surveillance tool, we saw it as a mechanism to improve operations and ensure everything runs smoothly, it would be much more effective. The goal is for everyone in the company to align with the culture of compliance.

This isn’t easy to achieve. If there are rapid changes within an organization, employees also need to be motivated. Compliance shouldn’t be sold as an obligation but as an improvement. It’s essential to explain why certain measures are being implemented, how they will benefit the company, and what purpose they serve.

I often compare compliance to light rain. If you’re caught in a downpour, you get drenched immediately. But light rain gradually soaks you over time. Compliance should work like that gentle rain—slowly permeating throughout all levels of an organization until it becomes second nature for everyone involved.