Latest Payments News: Spanish Data Regulator Fines Iberia Cards €20,000 For GDPR Breach, and more
Catch up on some of the stories our payments compliance analysts have covered lately, and stay up-to-date on the latest news.
Spanish Data Regulator Fines Iberia Cards €20,000 For GDPR Breach
Spain’s data protection authority, the Agencia Española de Protección de Datos (AEPD), has fined Iberia Cards €20,000 for violating the General Data Protection Regulation (GDPR).
Iberia Cards, which issues co-branded credit cards linked to Iberia Airlines’ loyalty programme, was found to have breached Article 6(1) of the GDPR, which governs the lawful processing of personal data.
The penalty was imposed after an individual filed a complaint regarding the right to erasure of their personal data.
Following the ruling, the company voluntarily paid €16,000, benefiting from a 20 percent reduction offered for early payment.
The AEPD has been relatively active in taking action against payment service providers (PSPs) in recent months, including issuing significant fines for data protection failures.
In October 2024, the regulator imposed a €300,000 penalty on Ibercaja Banco over data access violations.
Earlier that month, it had fined Banco Bilbao Vizcaya Argentaria (BBVA) €200,000 for breaches that resulted in a total loss of control over an individual’s data.
As with Iberia Cards, both banks opted for reduced payments after admitting liability.
Spanish Authorities Fine ING Bank €3.9m For AML Failures
Spain’s Commission for the Prevention of Money Laundering and Monetary Offences (SEPBLAC) has imposed a €3.9m fine on ING Bank NV for breaches of anti-money laundering (AML) compliance requirements.
The Dutch bank, which is one of the largest retail and commercial banks in Europe, was found to have failed in its duty to report internally flagged suspicious transactions to SEPBLAC, as required under AML and counter-terrorism financing (CTF) law.
The fine, which includes a public reprimand, was approved by Spain’s Council of Ministers in July 2023 and became final following an administrative process.
This is not the first time ING has faced penalties over AML compliance failures.
In 2018, the bank agreed to pay €775m in fines and other payments in the Netherlands after admitting to prosecutors that weaknesses in its controls had allowed some customers to use their accounts for money laundering between 2010 and 2016.
Tether, Circle Win New Approvals From Thai SEC
Thailand’s Securities and Exchange Commission (SEC) has announced that Circle’s USDC and Tether’s USDT have become the first stablecoins to be approved for investment purposes.
Last week, the SEC added USDC and USDT to its list of crypto-assets that are approved for use as base trading pairs on regulated digital asset exchanges.
The move means that these exchanges can offer trading pairs between USDC, USDT and any other of the agency's approved crypto-assets, namely Bitcoin, Ethereum, Ripple’s XRP and Stellar’s XLM.
Any crypto-assets that are being used in the Bank of Thailand’s (BOT) Programmable Payment Sandbox are also automatically added to the list of approved crypto-assets.
In addition, SEC-approved crypto-assets can be used to receive payments from investors during regulated initial coin offerings (ICOs), when new tokens are issued to the public for the first time.
The updated regulations, which come into effect on March 16, 2025, aim to enhance liquidity and flexibility in Thailand's digital asset sector.
The SEC had previously sought public feedback on the changes, which were finalised in February 2025 with widespread industry support.
Paolo Ardoino, CEO of Tether, welcomed the SEC’s announcement, noting that USDT already accounts for around 40 percent of crypto trading volume in Thailand.
“We highly value the Thai market and are continuously exploring ways to enhance our services and offerings,” he said.
“We are committed to supporting the long-term success and adoption of stablecoins in Thailand, and look forward to contributing to the growth of the country’s digital asset ecosystem.”
BaFin Fines Ratepay Over AML Compliance Failures
The German Federal Financial Supervisory Authority (BaFin) has fined payment institution Ratepay €25,000 for breaches of anti-money laundering (AML) compliance requirements.
BaFin determined that Ratepay had failed to maintain appropriate organisational measures, including “an appropriate data processing system to ensure compliance”.
Ratepay, which markets itself as “Europe’s number one white label payment provider”, was founded in 2009, and is now part of the Nexi group.
According to BaFin’s enforcement decision, which became legally binding in December last year, the company had also “submitted unsubstantiated reports of suspected money laundering”.
North Macedonia And Moldova Join SEPA Payment Schemes
The European Payments Council (EPC) has approved the inclusion of North Macedonia and Moldova in the geographical scope of the Single Euro Payments Area (SEPA) payment schemes.
With this expansion, SEPA now covers 40 countries, allowing financial institutions in North Macedonia and Moldova to participate in SEPA Credit Transfer (SCT), SEPA Instant Credit Transfer (SCT Inst) and SEPA Direct Debit (SDD) transactions.
SEPA was established in 2008, and harmonises Euro-denominated payments across participating countries, so that transactions are more seamless.
Countries that wish to advance their path to EU membership must be part of SEPA before admission.
Financial institutions from both countries can begin adhering to SEPA schemes from April 2025, with full operational readiness set for October 5, 2025.
This follows the inclusion of Montenegro and Albania in November 2024.