Are foundations and associations required to have internal information systems?

Article 10.1 b) of Law 2/2023 imposes an obligation on private-sector legal entities that fall within the scope of the European Union acts on financial services, products and markets, and on the prevention of money laundering or terrorist financing, referred to in parts I.B and II of the annex to Directive (EU) 2019/1937. These legal entities must have an internal information system in accordance with the provisions of their specific regulations, regardless of the number of workers. In these cases, Law 2/2023 applies in a supplementary manner.

In accordance with Law 10/2010, of April 28, on the prevention of money laundering and the financing of terrorism, foundations and associations are obliged entities, but they are subject to the simplified regime established in art. 39 of this Law and in art. 42 of the Regulation of Law 10/2010. It does not follow from these articles that foundations and associations must have the internal procedures for communicating potential breaches provided for in arts. 26 and 26 bis of Law 10/2010. Therefore, if the specific regulations do not oblige these entities to have internal information systems, it is necessary to additionally apply what art. 10.1 a) provides in general for any legal person. Consequently, associations and foundations that are not obliged to have the internal procedures provided for in Law 10/2010 for the communication of possible breaches, but that have more than 50 workers hired, must have internal information systems under the terms provided for in Law 2/2023.