Imagine calling your bank to dispute a charge you do not recognize. You spend several minutes explaining the issue, the agent understands the situation… and suddenly offers you a discounted home insurance policy. Beyond being poor practice, this is now a legal breach. Law 10/2025 expressly prohibits it, and financial institutions must review their processes, incentives, and team training to ensure it does not happen.

At first glance, this requirement may seem secondary within the regulation. However, its organisational implications are significant, especially in a sector where customer service teams have spent years being trained to maximise the commercial value of every customer interaction.

What the law prohibits

Article 29.3 of the amended Law 44/2002, in connection with Article 13 of the Customer Service Act (LSAC), establishes two obligations that financial institutions must implement before 28 December 2026:

• Organisational separation between Customer Service Departments and commercial teams. Both structures cannot share sales targets or sales incentives.
• An express prohibition on making commercial offers while handling a complaint or claim, without exceptions.

This prohibition is not arbitrary. It is directly linked to the risk of mis-selling — selling an unsuitable product by taking advantage of a customer’s vulnerable position — a practice that has been under the scrutiny of the Bank of Spain and the CNMV for years. The Customer Service Act now turns this into a legal obligation with clear sanctions.

Separation of teams or separation of functions?

One of the most common questions raised by financial institutions is whether the law requires physically separate teams for customer service and sales, or whether a functional separation is sufficient. Consulting C3’s interpretation, aligned with the position held by the AERC, is that the regulation requires functional separation, not necessarily structural separation.

In practice, this means that while an agent is managing a complaint or claim, they cannot perform any commercial action. Incentives, targets, and scripts must all be designed to exclude any commercial component during those interactions. If an agent’s compensation includes sales-related variables, institutions must ensure these do not apply or generate incentives during complaint handling.

This also impacts CRM systems: if, during a complaint call, the agent’s screen automatically suggests products that could be offered to the customer, this functionality must be disabled while the interaction is classified as a complaint.

What about customer retention?

This is where one of the most interesting discussions arises: if a customer calls to cancel a service, can the institution attempt to retain them? Is this considered a prohibited commercial action or a legitimate customer relationship management activity?

According to the AERC’s interpretation, the key distinction lies in the approach. What the law prohibits is a purely commercial action: making a financial offer to prevent the customer from leaving. What could still be allowed is informing the customer about alternatives that genuinely address the issue they are experiencing.

The difference is subtle but crucial. If a customer wants to close their account because fees are too high, offering them a discount would be considered a prohibited commercial action. However, if the customer is experiencing a technical issue with a digital service and, while resolving it, the agent informs them that there is an improved version without that issue, the context is different. The underlying principle should always be the same: are we solving the customer’s problem, or are we taking advantage of their vulnerability to sell them something?

The controls that the law requires

Having a written policy is not enough. The regulation requires specific and documented controls:

• Review and update of scripts and customer service protocols to remove any commercial call-to-action during complaint or claim handling.
• Systematic call monitoring to detect and document potential breaches, together with corrective action plans.
• Specific and documented training for Customer Service agents regarding this functional separation, with particular emphasis on ambiguous scenarios such as customer retention.
• Review of incentive models to ensure that no commercial component influences complaint management.
• Interaction records available for audit by the Bank of Spain, the CNMV, or the DGSFP at any time.

If the Customer Service model is properly designed, complying with this requirement is easier than it may seem. The real challenge appears when organisations have spent years combining functions that the law now requires to be clearly separated. The deadline is approaching quickly, and the risk of inaction goes beyond regulatory sanctions: an institution that sells during a complaint process not only breaches the law, but also damages customer trust in a way that is difficult to repair.

www.consultingc3.com

The financial sector has spent years investing heavily in the digitalisation of customer service: conversational bots, sophisticated IVR systems, self-service apps, and virtual assistants. A model that has proven highly efficient. Until now.

Law 10/2025 introduces a principle that changes the rules: no customer can be trapped in an automated system if, at any point, they wish to speak with a human agent. The concept is simple, but its operational implications are far deeper than they may initially appear.

What the law says: the explicit right to human assistance

The amended Law 44/2002 establishes that financial institutions must guarantee access to a human agent for any customer who requests it, at any stage of the interaction. Chatbots and virtual assistants are considered complementary tools, never substitutes for customer service.

The regulation also establishes two mandatory minimum service channels: telephone support and at least one non-face-to-face channel. Institutions may add more channels, but they cannot eliminate these two or replace them with exclusively automated systems. The compliance deadline is 28 December 2026.

The real change: leaving the bot without leaving the channel

Until now, many institutions configured their automated systems so that if a customer wanted to speak with a person, they had to leave the channel — for example, exit the app chat and make a phone call. The SAC Law removes that option.

If a customer starts an interaction within an automated channel and requests human assistance, they must be able to receive it within that same channel, without needing to switch channels or start the process again.

This means reviewing all automated customer service flows and ensuring that there is always a functional and accessible route to a human agent. In many cases, this requires redesigning IVR decision trees, chatbot flows, and escalation processes within messaging and chat environments.

The practical question for technology teams is straightforward: if a customer is checking the status of a transfer through the app chatbot and writes, “I want to speak with a person”, what happens next? If the system simply provides a phone number and asks the customer to call, that flow is non-compliant.

24/7 service and its reasonable limits

The law specifically refers to 24/7 availability for essential services and urgent or irreversible situations. In the financial sector, this includes card blocking, fraud reporting, or urgent transfers: for these types of requests, human assistance must be available outside standard business hours.

The expectation is not that every service must have human agents available at all times. The key is identifying which parts of the operation are considered critical or urgent and guaranteeing coverage for those specific cases.

The challenge of data protection and vulnerable customer groups

Personalised customer service introduces another dimension that the law addresses directly: data protection. In telephone and digital interactions, it is not always possible to verify a customer’s identity or determine whether they belong to a specially protected group without asking questions that could compromise their privacy.

In April 2026, the AERC submitted a formal consultation to the Spanish Data Protection Agency (AEPD) seeking clarification on how to reconcile the right to personalised service with data protection obligations, particularly regarding customers with disabilities. The AEPD’s response is highly anticipated across the sector and, once published, will need to be incorporated into customer service protocols.

What your institution should review before year-end

• Audit all automated service flows (bots, IVR systems, apps, chatbots) and identify whether there is an option to transfer the interaction to a human agent within the same channel.

• Verify that this transfer is fully functional during all hours in which the channel is operational.

• Review customer identification protocols to ensure data protection compliance in personalised interactions, particularly for vulnerable groups.

• Document the mandatory minimum service channels (telephone + non-face-to-face channel) and confirm that no process excludes their use.

• Define which services are considered urgent or critical and therefore require human assistance coverage outside normal business hours.

Digital transformation is irreversible, and the SAC Law is not intended to stop it. What it demands is that technology remains aligned with customer needs. Consulting C3 and MST Holding work with financial institutions to redesign these operations efficiently: preserving what already works, adapting what the regulation requires, and documenting everything necessary to successfully pass an audit.

Law 10/2025 on Customer Service sets a clear countdown for all financial institutions: they have until December 28, 2026, to adapt their operations. One of the requirements raising the most questions among operations teams is the new waiting time limit for inbound customer service calls, as it directly impacts workforce planning, technology, and the service model itself.

During the executive webinar organized by Consulting C3 together with the Spanish Association of Customer Relationship Experts (AERC), this was the topic that generated the highest number of questions. And for good reason: the nuances that separate compliance from non-compliance are significant.

What does the law say?

The amendment to Law 44/2002 is clear: 95% of inbound Customer Service (SAC) calls must be answered within a maximum of 3 minutes. This threshold is measured on an annual basis, meaning that not every individual call is required to meet the target, but the overall yearly average must comply.

Achieving this 95% target has major operational implications. Those managing customer service centers know that reaching this level effectively means maintaining an abandonment rate between 1% and 2%, which requires a complete review of workforce management and capacity planning models.

When does the waiting time start counting?

This detail directly affects how measurement systems must be configured. The law distinguishes between two scenarios:

• If the customer calls the Customer Service department directly without going through any automated system, the timer starts from the very first second of the call.

• If the customer first accesses an IVR or any other self-service system, the timer starts the moment the customer explicitly requests to speak with a human agent.

This second point is especially relevant for institutions already operating IVR systems: the clock does not start when the customer dials the number, but when they request human assistance. The contact center platform must accurately and audibly register that moment, as an approximate estimation will not be sufficient.

Callback: a safety valve with conditions

The law allows institutions to offer a callback service when waiting times are expected to exceed the limit. However, offering a callback does not exempt the institution from complying with the KPI. The metric still measures the actual waiting time, regardless of whether the customer accepted a deferred call.

Callback cannot become a systematic workaround. If an institution relies on it massively and takes hours — or even days — to return calls, it creates clear evidence of non-compliance that can easily be detected during an audit. The law requires real responsiveness and the ability to prove it with data. The UNE Committee is currently working on clarifying whether a callback offered before exceeding the threshold counts as KPI compliance.

Example: if service hours end at 10:00 PM and a customer accepts a callback at 9:55 PM, that call cannot simply be postponed until the following day. Responsiveness remains an enforceable criterion even if it is not quantified with the same level of detail as the main KPI.

Measurement, logging, and reporting obligations

Complying with the KPI is not enough: institutions must also be able to demonstrate compliance. Financial entities are required to maintain systematic KPI records available for regulatory audit at any time. This involves periodic reporting with data broken down by time slot, channel, and service type, properly stored and preserved.

The calculation is annual, but supervision may occur at any moment. And oversight will not only come from regulators: customers who believe they were not assisted within the required timeframe will be able to file complaints with Consumer Protection Authorities starting January 1, 2027.

What should your institution be doing right now?

• Measure current waiting times and calculate how far you are from the 95% within 3 minutes threshold. Without real data, there is no baseline.

• Review telephone service capacity planning: shifts, demand peaks, and agent-to-call volume ratios.

• Assess the role of callback within the customer service model. If you already use it, make sure response times and records are properly documented.

• Confirm that the technology platform accurately detects and logs the exact moment a customer requests human assistance through the IVR.

• Prepare regulatory reporting processes: format, frequency, and data custody chain.

Consulting C3 and MST Holding have been working for months with financial institutions on diagnostics and adaptation plans for the SAC Law. As members of the UNE Committee, we provide our clients with the most up-to-date interpretation of every regulatory requirement.