Liability for risk and compliance management in Spain

Liability

What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?

Regarding the risk and compliance management obligations of members of governing bodies and senior management, from the criminal law perspective, these bodies have three different obligations:

• periodic verification of the effectiveness and compliance of the compliance programmes and processes;
• supervision and control of the effective implementation of the compliance programmes and processes; and
• reception and investigation of the complaints formalised as a consequence of the violation of the crime prevention and control measures.

Do undertakings face civil liability for risk and compliance management deficiencies?

The imposition of criminal liability on undertakings is compatible with any civil liability for the loss and damage that the offence may have caused, and any other type of civil or administrative liability that may be imposed on the corporate entity or the individual. When convicted, undertakings face civil direct liability jointly with the individual for the crime committed.

This civil action, improperly said to derive from the crime, does not emanate from the crime, but rather from illicit acts or omissions (not necessarily criminal) that produce unjust negative consequences or damages. That is, the civil liability for which one responds in the criminal proceedings is the ordinary extra contractual civil liability resulting from acts or omissions that cause prejudicial results. Thus, both case law and commentary in Spain have unanimously recognised that the possible joint exercise of the criminal and civil actions must not lead us to forget that both have distinct characteristics and that the civil action derived from the crime (or to be rigorous, the damages caused by the crime) is governed by rules and principles of its own.

Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?

The Good Governance Code of listed companies approved by the board of the CNMV on 22 May 2006, and updated on 18 February 2015, does not regulate the application of administrative or regulatory sanctions if the recommendations are not followed. However, the ‘comply or explain’ principle became part of statute law under article 116 of Law 26/2003 by introducing a duty to publish an annual corporate governance statement reporting on the degree of compliance with corporate governance recommendations and, where appropriate, explaining any departure from such recommendations.

Under provisions of Law 10/2014 of 26 June 2014 on the regulation, supervision and solvency of credit institutions (Title IV, additional provision 14th and transitional provision 1st), the Bank of Spain may impose sanctions in relation to serious or very serious infringements for lack of compliance including regulated corporate governance procedures. The disciplinary and sanctioning system covers institutions and their directors or administrators.

Spanish regulations on money laundering (Law 10/2010 of 28 April on prevention on money laundering and terrorist financing, and Royal Decree 304/2014 of 5 May on the regulation on the prevention of money laundering and terrorist financing) establish the obligation for subject parties (article 2 of the Law) to have adequate prevention procedures and bodies. Article 26 of Law 10/2010 sets out which internal control obligations should be implemented. Sepblac (Spain’s financial intelligence unit and anti-money laundering supervisory authority) is legally empowered to require information and documentation from all reporting entities. Failure to comply with these legal obligations constitutes an administrative offence under Chapter VII, articles 50-62 of Law 10/2010 without prejudice to those laid down as crimes in the CC.

Do undertakings face criminal liability for risk and compliance management deficiencies?

In the cases provided for in the CC, legal persons shall be criminally liable (article 31-bis 1):

• for crimes committed in their name or their behalf, and to their direct or indirect benefit, by their legal representatives or by parties who, acting individually or as members of a body of the legal person, are authorised to take decisions in the name of the legal person or hold powers of organisation or control within said legal person; and
• for crimes committed in the course of corporate business, and for their account and to their direct or indirect benefit, by parties who, while subject to the authority of the natural persons referred to in the preceding paragraph, were able to commit the acts as those natural persons seriously breached the duties of supervision, oversight and control of their activities, having regard to the specific circumstances of the case.

Whenever an undertaking is convicted for deficiencies of risk and compliance management, they face a mandatory penalty of a fine at a stipulated rate or on a proportional basis. Additionally, courts may impose optional penalties such as:

• winding up of the undertaking;
• suspension of the business (up to five years);
• closure of premises and establishments (up to five years);
• ban on engaging in any of the business activities in which the crime was committed, prompted or concealed (temporary up to 15 years or permanent);
• disqualification from obtaining public aid and subsidies, from entering into public sector contracts and from taking tax or social security benefits or incentives (up to 15 years); or
• court supervision to safeguard the rights of employees or creditors for as long as is deemed necessary, which may not exceed five years.

Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?

As explained in question 11, within a criminal proceedings civil actions can be exercised against the individual or the company responsible for the offence committed. Moreover, Capital Companies Law imposes, among other things, duties of diligent management on directors. This means that, generally speaking, directors’ liability (civil law in nature from the shareholders or directors as regards damages) arises when the directors, having infringed the law, the bylaws or the duties inherent in their office have caused economic damage, provided that there is causation between the infringement committed by the directors and the damage caused to the company.

Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?

As explained above, under provisions of Law 10/2014 of 26 June 2014 on the regulation, supervision and solvency of credit institutions (Title IV, additional provision 14th and transitional provision 1st), the Bank of Spain may impose sanctions in relation to serious or very serious infringements for the lack of compliance with the obligations on corporate governance procedures regulated. The disciplinary and sanctioning system covers institutions and their directors or administrators (de facto or de iure).

Also, under article 54 of Law 10/2010 of 28 April, on prevention on money laundering and terrorist financing, in addition to the liability corresponding to the obliged person even by way of simple failure to comply, those holding administrative or management positions in the latter, whether sole administrators or collegiate bodies, shall be liable for any breach should this be attributable to the latter’s wilful misconduct or negligence.

Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?

Yes, they do if they participate directly in the crime committed by the legal person as explained in question 13.

Moreover, the involvement of the person in the criminal act on which the attribution of criminal liability is based on must be interpreted broadly and encompasses both active forms of involvement (through an action in the strict sense) and passive forms (through passivity or the failure to do something required). According to article 31-bis 1b), CC governing bodies and senior management can transfer liability to undertakings when their subordinates commit criminal offences when carrying out their corporate activities and on their account and to their direct or indirect benefit, because the duties of supervision, surveillance and control of their activities were gravely breached by them. So members of governing bodies and senior managements may face criminal liability for breach of risk and compliance management, but this requires not only the breach of risk and compliance management but also that the manager can be found liable on the basis of commission by omission, according to article 11 CC.

In other words, they may be held liable if they failed to prevent offences from being committed by employees or officers within the company, being in a position of guarantor, when the requirements of omission to action are met and their omission is thus equivalent to an action. As laid down in Law 31/2014 of 3 December on the change of corporate enterprises for the improvement of corporate governance, they now have a specific legal duty of control of the company’s activities and its risks (duty of corporate control). This results in a position of guarantor in terms of preventing crimes from being committed within the company. Both the CC and this law should be interpreted jointly to make an assessment of criminal liability of governing bodies and managers.

The delegation of duties by directors to third parties, including the compliance officer, should not mean that directors become fully exonerated in favour of the delegated party. Moreover, if the members of governing bodies and senior management fail to prevent offences from being committed because of poor performance of their duty of corporate control, the exoneration of corporate liability cannot be invoked by the company.