The financial sector has spent years investing heavily in the digitalisation of customer service: conversational bots, sophisticated IVR systems, self-service apps, and virtual assistants. A model that has proven highly efficient. Until now.

Law 10/2025 introduces a principle that changes the rules: no customer can be trapped in an automated system if, at any point, they wish to speak with a human agent. The concept is simple, but its operational implications are far deeper than they may initially appear.

What the law says: the explicit right to human assistance

The amended Law 44/2002 establishes that financial institutions must guarantee access to a human agent for any customer who requests it, at any stage of the interaction. Chatbots and virtual assistants are considered complementary tools, never substitutes for customer service.

The regulation also establishes two mandatory minimum service channels: telephone support and at least one non-face-to-face channel. Institutions may add more channels, but they cannot eliminate these two or replace them with exclusively automated systems. The compliance deadline is 28 December 2026.

The real change: leaving the bot without leaving the channel

Until now, many institutions configured their automated systems so that if a customer wanted to speak with a person, they had to leave the channel — for example, exit the app chat and make a phone call. The SAC Law removes that option.

If a customer starts an interaction within an automated channel and requests human assistance, they must be able to receive it within that same channel, without needing to switch channels or start the process again.

This means reviewing all automated customer service flows and ensuring that there is always a functional and accessible route to a human agent. In many cases, this requires redesigning IVR decision trees, chatbot flows, and escalation processes within messaging and chat environments.

The practical question for technology teams is straightforward: if a customer is checking the status of a transfer through the app chatbot and writes, “I want to speak with a person”, what happens next? If the system simply provides a phone number and asks the customer to call, that flow is non-compliant.

24/7 service and its reasonable limits

The law specifically refers to 24/7 availability for essential services and urgent or irreversible situations. In the financial sector, this includes card blocking, fraud reporting, or urgent transfers: for these types of requests, human assistance must be available outside standard business hours.

The expectation is not that every service must have human agents available at all times. The key is identifying which parts of the operation are considered critical or urgent and guaranteeing coverage for those specific cases.

The challenge of data protection and vulnerable customer groups

Personalised customer service introduces another dimension that the law addresses directly: data protection. In telephone and digital interactions, it is not always possible to verify a customer’s identity or determine whether they belong to a specially protected group without asking questions that could compromise their privacy.

In April 2026, the AERC submitted a formal consultation to the Spanish Data Protection Agency (AEPD) seeking clarification on how to reconcile the right to personalised service with data protection obligations, particularly regarding customers with disabilities. The AEPD’s response is highly anticipated across the sector and, once published, will need to be incorporated into customer service protocols.

What your institution should review before year-end

• Audit all automated service flows (bots, IVR systems, apps, chatbots) and identify whether there is an option to transfer the interaction to a human agent within the same channel.

• Verify that this transfer is fully functional during all hours in which the channel is operational.

• Review customer identification protocols to ensure data protection compliance in personalised interactions, particularly for vulnerable groups.

• Document the mandatory minimum service channels (telephone + non-face-to-face channel) and confirm that no process excludes their use.

• Define which services are considered urgent or critical and therefore require human assistance coverage outside normal business hours.

Digital transformation is irreversible, and the SAC Law is not intended to stop it. What it demands is that technology remains aligned with customer needs. Consulting C3 and MST Holding work with financial institutions to redesign these operations efficiently: preserving what already works, adapting what the regulation requires, and documenting everything necessary to successfully pass an audit.