On March 31, 2015, the Spanish Official State Gazette (no. 77) published a new set of amendments1 to modify la Ley Orgánica 10/1995, de 23 de noviembre, del Código Penal (the “1995 Criminal Code”). Due to take effect on July 1, 2015, the amendments will introduce a defense for companies potentially exposed to criminal liability for crimes committed by their officers or employees. As a result, Spain now joins various other nations, most notably the United Kingdom, that have incorporated compliance defense concepts into their anti-bribery and corruption laws.2 I. Background On December 17, 1997, Spain signed the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions (the “OECD Convention”), and ratified it on January 14, 2000.3 On January 11, 2000, the Spanish legislature effectively implemented the OECD’s provisions by adding Article 445 (which has since been revised) to the 1995 Criminal Code. The scope of the prohibitions set forth in Article 445 was somewhat wider than those required by the OECD Convention, applying to foreign “authorities” as well as foreign officials. The Article effectively supplemented the existing law on domestic bribery and corruption, which was set out in the 1995 Criminal Code. That said, and contrary to the recommendations of the OECD Convention, Article 445 applied only to natural persons and not to corporations. At the time, Spanish law did not recognize the criminal liability of non-natural legal persons, such as companies. This aspect of Spanish criminal law was modified in 2010 through the implementation of Article 31 bis4 (cf. la Ley Orgánica 5/2010 of June 22, 2010), which stipulated that companies could be liable for: • criminal offenses committed by their de jure or de facto legal representatives or directors, acting in the name of or on behalf of such company and for their benefit; and 1. La Ley Orgánica 1/2015 de 30 de marzo, http://www.boe.es/diario_boe/txt.php?id=BOE-A-2015-3439. 2. Other states that have compliance defense concepts in their anti-bribery and corruption laws include Australia, Hungary, Italy, Japan, Korea, Poland, Portugal, Sweden and Switzerland. See generally, Mike Koehler, Revisiting a Foreign Corrupt Practices Act Compliance Defense, Wis. L. Rev 609, 638-44 (2012). 3. The OECD Convention has been adopted by the 34 OECD member states as well as the following seven non-member states: Argentina, Brazil, Bulgaria, Colombia, Latvia, Russia and South Africa. See http://www.oecd.org/corruption/oecdantibriberyconvention.htm. 4. The drafters of Spanish legislation use Latin terminology for numbering provisions that are added to the original legislative instrument after such original legislative instrument is enacted. As such, references in this article to “Article 31 bis” and “Article 31 quinquies” may be read as “Article 31.2” and “Article 31.5.” Continued on page 12 www.debevoise.com FCPA Update 12 May 2015 Volume 6 Number 10 • criminal offenses committed in the context of corporate activities by persons (such as employees) acting under the authority of such company’s de jure or de facto legal representatives or directors, acting in the name of or on behalf of such company and for their benefit, who have been able to perpetrate such acts, as due control was not exercised over them, having regard to the specific circumstances of each case. The scope for corporate criminal liability was potentially extensive under this new regime as it could apply even in situations in which it was not possible to identify the individual perpetrator of the relevant criminal act or in those cases in which it had not been possible to prosecute an individual. Additionally, the scope of “due control” was unclear. Significantly, the 2010 modification did provide that companies could mitigate their criminal liability if, after the criminal act had been committed, they could demonstrate the following: • The company had reported the criminal act to the authorities prior to criminal proceedings being brought against them; • The company had collaborated in the investigation of the events; • Prior to any trial, the company had taken steps to remediate or reduce the damage caused by the criminal act; and • The company had, before trial, established effective measures to prevent and detect future criminal acts. The 2010 modification did not, however, specify in terms that a company’s existing compliance program would lead to mitigation of any criminal sanction, although the adoption of a compliance program might be considered one means of establishing that the company had established effective measures to prevent and detect future criminal acts. II. The 2015 Amendments A. OECD Working Group Recommendations On December 14, 2012, an OECD Working Group on Bribery (the “Working Group”) released its Phase 3 Report on Spain, which evaluated and made recommendations on Spain’s implementation of the OECD Convention and the Spain Adopts New Compliance Defense Continued from page 11 Continued on page 13 www.debevoise.com FCPA Update 13 May 2015 Volume 6 Number 10 2009 Recommendation of the Council for Further Combating Bribery of Foreign Public Officials in International Business Transactions.5 At the outset of the Report, the Working Group expressed “serious concerns that, almost 13 years after the entry into force of Spain’s foreign bribery offense, no individual or company has ever been prosecuted or sanctioned for this offense.”6 At the time of the report, the Spanish foreign bribery offense had given rise to only seven investigations, all of which had been closed without charges having been lodged. These investigations had been conducted under Article 445 of the amended 1995 Criminal Code concerning alleged bribery of foreign public officials by individuals, but no corporation was investigated. The Working Group acknowledged that the implementation of criminal liability for legal persons in 2010 was “an important step,” but noted, critically, that stateowned enterprises were excluded from this regime. The Report concluded that, under Spanish law, state-owned enterprises could therefore bribe foreign public officials without incurring criminal liability under the Article 31 bis regime. As there are over 2000 public companies in Spain,7 this gap potentially affected a wide array of enterprises. Furthermore, financial institutions that had received government support in the financial crisis of 2008 might also fall under the exception. During the Working Group’s on-site visit, however, Spanish prosecutors denied that such institutions were exempt from liability.8 Spain Adopts New Compliance Defense Continued from page 12 “[T]he [OECD] Working Group expressed ‘serious concerns that, almost 13 years after the entry into force of Spain’s foreign bribery offense, no individual or company has ever been prosecuted or sanctioned for this offense.’” 5. See http://www.oecd.org/daf/anti-bribery/spain-oecdanti-briberyconvention.htm. The OECD Working Group on Bribery monitors OECD Convention signatories’ implementation and enforcement in three phases: “Phase 1 evaluates the adequacy of a country’s legislation to implement the OECD Convention; Phase 2 assesses whether a country is applying the legislation effectively; and Phase 3 focuses on enforcement of the OECD Convention, the 2009 Anti-Bribery Recommendation, and outstanding recommendations from Phase 2.” See http://www.oecd.org/daf/anti-bribery/countrymonitoringoftheoecdanti-briberyconvention.htm. 6. Phase 3 Report on Implementing the OECD Anti-Bribery Convention in Spain, Dec. 2012, at 5, http://www.oecd.org/daf/anti-bribery/spainoecdanti-briberyconvention.htm. 7. “El Gobierno suprime el 17% del las empresas publicas,” Público (Mar. 15, 2012), http://www.publico.es/espana/gobierno-suprime-17- empresas-publicas.html. 8. See sources cited in notes 5 and 6, supra. Continued on page 14 www.debevoise.com FCPA Update 14 May 2015 Volume 6 Number 10 9. Id. at 25. 10. Id. 11. Spain: Follow-up to the Phase 3 Report & Recommendations, March 2015, at 14, http://www.oecd.org/daf/anti-bribery/spain-oecdantibriberyconvention.htm. See Part C, La Ley Orgánica 1/2015 Amendments, infra. The Report also identified the “vagueness in the law with regard to the possible enforcement of the lack of ‘due control’ criteria.”9 The Working Group recommended that Spanish law should clarify “the criteria of ‘due control’ as well as the onus and level of proof of this standard of liability.”10 In response to this recommendation, the Spanish legislature reconsidered the wording of Article 31 bis “with the aim of minimizing the cases of exemption from liability for legal persons.”11 B. Spanish Government Proposals to Amend the Spanish Criminal Code On September 20, 2013, the Spanish Ministry of Justice published its proposals for amending the amended 1995 Criminal Code. Although the Preamble to the proposals does not expressly refer to the recommendations of the Working Group, some of the proposals may have been drafted with those recommendations in mind. These proposals became the basis for the amendments made to the amended 1995 Criminal Code pursuant to la Ley Orgánica 1/2015. The proposals included a new Article 286 seis, which sought to introduce a stand-alone offense whereby legal representatives or directors of companies would be held accountable for the failure for such companies to adopt compliance measures that are designed to prevent illicit conduct. Where a legal representative or director fails to fulfill this duty, the provision would impose: • either imprisonment for a period between three months to one year, or • a fine of 12 to 24 months, • and, in any case, disqualification from work in the relevant industry or business for a period lasting between six months to two years. This provision was not in fact adopted in the final amendments to the amended 1995 Criminal Code. Spain Adopts New Compliance Defense Continued from page 13 Continued on page 15 www.debevoise.com FCPA Update 15 May 2015 Volume 6 Number 10 12. See La Ley Orgánica 1/2015 de 30 de marzo, art. 31 bis.1.a), http://www.boe.es/diario_boe/txt.php?id=BOE-A-2015-3439. 13. See La Ley Orgánica 1/2015 de 30 de marzo, art. 31 bis.1.b), http://www.boe.es/diario_boe/txt.php?id=BOE-A-2015-3439. C. The 2015 Amendments The amended Article 31 bis now stipulates that companies can be liable for: • criminal offenses committed by legal representatives or persons authorized to take decisions in the company’s name or on behalf of the company and to the company’s benefit;12 and • criminal offenses committed in the context of corporate activities by persons (such as employees) acting under the authority of the company’s legal representatives or persons authorized to take decisions in the company’s name or on behalf of the company and to the company’s benefit, who have been able to perpetrate such acts where the company has seriously breached its duties to supervise, oversee and control such corporate activities.13 Previously, Spanish law did not require a breach to be serious. Nevertheless, under the amended Article 31 bis, either offense is triggered if the benefit to the company is direct or indirect. A company will have a defense to liability for an Article 31 bis.1.a) offense if it can establish that the following factors, set out in Article 31 bis.2, are satisfied: • Prior to the commission of the crime in question, the board of directors implemented a compliance program providing appropriate compliance monitoring aimed at preventing similar crimes or significantly reducing the risk of such crimes being committed; • The supervision of the compliance program is entrusted to a body of the company either with autonomous powers or that is legally mandated with the function to supervise internal controls of the company (the “Compliance Body”); • The perpetrators of the criminal conduct in question have fraudulently circumvented the compliance program; and • The Compliance Body has not neglected to perform its duties of supervision, oversight and control. Partial satisfaction of the above may go to mitigation but will not provide a full defense to liability. In the case of small companies (i.e., those authorized by Spanish law to file simplified profit and loss accounts), the new Article 31 bis.3 provides that the functions of the Compliance Body may be conducted by the board of directors. Spain Adopts New Compliance Defense Continued from page 14 Continued on page 16 www.debevoise.com FCPA Update 16 May 2015 Volume 6 Number 10 Under the new Article 31 bis.4, a company has a defense to the Article 31 bis.1.b) offense if, prior to the commission of the crime in question, it has implemented an adequate compliance program to prevent or significantly reduce the risk of such crimes being committed. Article 31 bis.5 sets out the six key elements, all of which are necessary to evidence the adequacy of a compliance system, namely that: • Appropriate risk assessments have been conducted; • Protocols or procedures have been implemented to mitigate the risks identified; • Adequate, preventative financial controls are in place; • Compulsory reporting policies are in force to ensure that misconduct is promptly notified; • Adequate disciplinary sanctions are implemented; and • The compliance program is subject to periodic review and updated accordingly. Furthermore, a new Article 31 quinquies has been included to address the concerns of the Working Group with respect to the exclusion of State-owned enterprises from the anti-bribery and corruption provisions in the 2010 version of the amended 1995 Criminal Code. Drafted in similar fashion to the old Article 31 bis.5, this provision explicitly stipulates that public corporations that implement public policies or provide services of general economic interest are included in the corporate criminal liability regime. Interestingly, a potential inconsistency appears to arise between Article 31 bis.1.b), which requires there to have been a serious lack of compliance oversight for a company to be held criminally liable, and Article 66 bis.2, a sentencing provision amended by la Ley Orgánica 1/2015, which now provides that companies may still be liable for sanctions of up to two years where the breach is not of a serious nature. It may be that the resultant lack of clarity as to the circumstances in which corporate liability arises will need to be resolved by the courts. Spain Adopts New Compliance Defense Continued from page 15 Continued on page 17 www.debevoise.com FCPA Update 17 May 2015 Volume 6 Number 10 III. Sanctions Applicable to Companies Corporates may be exposed to numerous sanctions if they are held criminally liable for Article 31 bis offenses. Article 33.7 sets out the range of sanctions which include: • A fine; • Compulsory dissolution; • Suspension of the company’s activities for a period not exceeding five years; • Closure of the company’s branches and establishments for a period not exceeding five years; • Prohibition, either temporary or permanent, to carry out the activities that led to the commission of the criminal act; • Disqualification from obtaining public subsidies and support for a period not exceeding five years; and • Court intervention to protect the rights of the company’s employees and creditors for a period deemed necessary, though such period shall not exceed five years. In the event that court intervention is imposed on a company, such intervention can affect the whole organization or only part of the business, the extent of which is to be determined by the court. This intervention can be modified or suspended at any time. Spain Adopts New Compliance Defense Continued from page 16 “Although it appears from the statistics that corporate prosecutions were previously almost non-existent, the latest amendments perhaps signal a recognition by the Spanish authorities that greater clarity was needed as to the expected levels of corporate governance required of companies.” Continued on page 18 www.debevoise.com FCPA Update 18 May 2015 Volume 6 Number 10 IV. Conclusion The latest amendments are helpful in clarifying that State-owned entities fall under the corporate liability regime. More significantly, perhaps, they provide Spanish companies with a defense to liability for acts committed by their employees and representatives. Although it appears from the statistics that corporate prosecutions were previously almost non-existent, the latest amendments perhaps signal a recognition by the Spanish authorities that greater clarity was needed as to the expected levels of corporate governance required of companies. The amendments go some way towards providing this. With greater clarity comes a greater obligation on companies to ensure that they have adequate systems in place and those with corporate interests in Spain should be minded to ensure that those interests meet, at a minimum, the new standards enshrined in the legislation. Karolos Seeger Alex Parker Laurence Hanesworth Karolos Seeger is a partner, Alex Parker is an international counsel, and Laurence Hanesworth is a trainee associate, in the London office. They are members of the Litigation Department and the White Collar Litigation Practice Group. The authors may be reached at firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org. Full contact details for each author are available at www.debevoise.com. Debevoise & Plimpton LLP does not practice or opine on matters of Spanish law.