Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

The legal role that corporate risk and compliance management plays in the Spanish jurisdiction is defined by article 31-bis of the Spanish Criminal Code (CC). It is noteworthy that the legal framework for corporate risk and compliance management is laid down in criminal law; the two amendments to the CC (Organic Law 5/2010 and Organic Law 1/2015) that introduced the criminal liability of legal entities are the main milestones in the jurisdiction's handling of both corporate risk and compliance management.

Although the CC adopts a ‘comply or explain’ approach, in practice any legal entity - whatever its size and whether or not it is listed - that wishes to invoke the exoneration of corporate liability, or a mitigating circumstance, if a crime is committed by one of its managers or employees must have a corporate compliance system in place that meets the requirements laid down by article 31-bis CC.

Moreover, Law 31/2014 of 3 December, amending the Corporate Enterprises Act to improve corporate governance, imposes on directors a specific duty of corporate risk control, so that directors may be held liable, as guarantors, for offences committed by employees, on the basis of commission by omission.

In addition, listed companies are also affected by the Good Governance Code of Listed Companies (2015), which states the basic principles of corporate compliance systems, also using a ‘comply or explain’ approach. Unlike the CC, the Good Governance Code of Listed Companies is considered ‘soft law’.

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

The following laws and regulations address corporate risk and compliance management:

  • article 31-bis of the Spanish Criminal Code;
  • Law 10/2010 of 28 April on prevention of money laundering and terrorist financing, and Royal Decree 304/2014 of 5 May on the regulation on the prevention of money laundering and terrorist financing;
  • article 193.2 of the Stock Market Act, and Circular 1/2014 of the National Stock Exchange Commission (CNMV) for investment services companies; and
  • Good Governance Code of Listed Companies issued by CNMV.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

Requirements applying to organisational and management models are defined under article 31-bis 5 CC:

  • the requirement to identify activities within the scope of which the crimes to be prevented may be committed - the ‘criminal risk map’;
  • the requirement to establish protocols or procedures setting out the process by which the legal person reaches consensus, takes decisions and implements those decisions by reference to those protocols or procedures (code of conduct, compliance policy, organisational model, internal compliance system, etc);
  • the requirement to have appropriate models for the management of financial resources in order to impede the commission of the crimes to be prevented;
  • the requirement to impose an obligation to report possible risks and breaches to the body charged with overseeing the functioning of, and compliance with, the prevention model (an internal complaints channel);
  • the requirement to establish a disciplinary system that appropriately penalises breaches of the measures established by the model (infringements of the compliance system and the associated penalties); and
  • the requirement to conduct a periodic review of the model and to amend it in the event of significant breaches or changes in the organisation, control structure or business pursued (internal or external audits; ‘ongoing improvement’).

Other standards and guidelines related to management processes are:

  • ISO 31000 (2009): with regard to risk management, it provides principles, a framework and a process for managing risk;
  • ISO 19600 (2014): concerning compliance management, it provides guidance for establishing an effective and responsive compliance management system within an organisation;
  • ISO 37001 (2016): regarding anti-bribery management systems, it specifies requirements and provides guidance for establishing an anti-bribery management system; and
  • UNE 19601 (2017): concerns criminal compliance management systems based on the CC.

Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

In accordance with article 23 of the Organic Law of the Judiciary, Spanish courts are competent to prosecute crimes committed in Spanish territory, regardless of the nationality of the perpetrator. Therefore, undertakings domiciled or operating in Spain could be investigated or prosecuted by the Spanish courts, and their risk and compliance governance obligations are the same as those established for Spanish undertakings.

What are the key risk and compliance management obligations of undertakings?

The CC establishes a closed list of criminal offences that can be committed by legal entities. These specific criminal offences are:

  • trafficking in, and the unlawful transplantation of, human organs (156-bis CC);
  • trafficking in human beings (177-bis CC);
  • prostitution and corruption of minors (189-bis CC);
  • discovery and disclosure of secrets (197-quinquies CC);
  • fraud (251-bis CC);
  • criminal insolvency (258-ter and 261-bis CC);
  • IT damage (264-quater CC);
  • crimes relating to intellectual and industrial property (270-272 CC and 273-277 CC);
  • crimes relating to the markets and consumers (270-280, 281, 282, 282-bis, 283, 284, 285, 286 and 288 CC);
  • corruption in business dealings (286-bis and 286-quater CC);
  • money laundering (302 CC);
  • unlawful funding of political parties (304-bis CC);
  • crimes against the public finance and social security authorities (310-bis CC);
  • crimes against the rights of foreign citizens: unlawful trafficking or people smuggling (318 CC);
  • planning crimes (319 CC);
  • crimes against natural resources and the environment (325 CC);
  • catastrophe hazard crimes (343 and 348 CC);
  • crimes against public health (369-bis CC);
  • forgery of credit cards, debit cards or traveller's cheques (386 and 399-bis CC);
  • bribery (427 CC);
  • misuse of public office (430 CC);
  • incitement to commit acts of discrimination, hate or violence against groups (510 CC);
  • terrorist financing (576-bis CC); and
  • goods smuggling (the Anti-Smuggling Organic Law).