The recent amendment to the Spanish Criminal Code (“SCC”) (Organic Law 1/2015) provides the final inputs for the implementation of so-called “corporate criminal compliance” programs, confirming the doctrinal and jurisprudential trend on the matter and dispelling the doubts generated by the previous amendment to the SCC, dated 2010, concerning the regulation of the criminal liability of legal entities

There is, now, no doubt that all corporate entities operating in Spain − including subsidiaries of multinational companies − need an adequate program to prevent, detect and correct all those risky actions that could result in the criminal prosecution/conviction of a corporate entity. An effective and appropriate program can avoid criminal responsibility if the corporate entity can prove proper control over the actions of its employees.

As a new feature, the regulation lists the minimum requirements of a corporate criminal compliance program, which include a criminal risk analysis, a whistleblowing system and a system to discipline the infringement of a program’s preventive measures.

Which companies must have a corporate compliance program?

The legislation requires all corporate entities conducting business in Spain to have a corporate criminal compliance program, although the requirements may vary depending on the specific structure of the individual entity.

Consequently, for small legal entities, the SCC expressly allows for the supervisory functions to be carried out by the entities’ board of directors. This option is available to entities that are authorized to submit abridged financial statements. Despite resulting in a simpler criminal compliance structure, the obligation to have a criminal compliance program remains inescapable.

The special situation of spanish subsidiaries of a multinational group or company

The SCC does not address corporate groups or branches, nor does it address the situation of the subsidiaries of multinational companies which already have compliance programs. The SCC refers generally to “legal entities”. A criminal risk prevention program specifically focused on anti-corruption issues which is already implemented abroad by a multinational company will certainly be a good start, but it will not be enough.  In the light of the criminal offenses that may affect the Spanish legal entity, conducting a risk analysis of the business activity in Spain is unavoidable. In addition, the special peculiarities of local commerce may require preventive measures that may be considered odd or unnecessary in other markets.

The importance of the “risk map” and the preventive policies

Criminal risk assessment is the starting point for every criminal compliance system. The assessment must focus on actions that may constitute some of the offences vulnerable to criminal liability, but it can be extended to other offences, such as crimes against the rights of workers, where defective prevention could lead to the direct criminal liability of administrators or other senior managers. The development of appropriate policies for crime prevention from a prior risk assessment will complete the defensive framework for proceedings where criminal charges against a legal entity need to be fought off.

A compliance officer or a supervisory body? 

It is surprising that the SCC does not expressly contemplate the new trend in legal entities: the compliance officer. What is expressly mentioned (art. 31 bis.2, paragraph 1a) is the need to rely on “a body of the legal entity with autonomous powers of initiative and control” to whom the supervision of the prevention program of criminal acts committed by managers and directors is entrusted. In small legal entities, the supervision of the program can be left to the board of directors.

Further complications arise in the case of subsidiaries of multinational corporations which rely on a global or regional compliance officer. Is it necessary, in these cases, to create a new supervisory board within the Spanish subsidiary, with real autonomy and initiative, to monitor the criminal compliance of managers and directors? Cannot the global or regional supervisory body perform the preventive functions with local support?

The answer to these questions will depend on the actual capacity of this global/regional supervisory body to monitor the criminal compliance program of the subsidiary and to effectively propose measures for improvement. 

The reform of the Criminal Code regarding the criminal liability of legal entities

Article 31 bis

  1. In those cases provided in this Code, legal entities shall be criminally liable:
    1. For offences committed in the name and on behalf thereof, and for their direct or indirect benefit, by their legal representatives or by those who, acting individually or as members of a body of the legal entity, are authorised to make decisions in the name of the legal entity or hold organisational and management powers within it.
    2. For offences committed in the pursuit of corporate activities, on behalf and for the direct or indirect benefit thereof, by those who, being subject to the authority of the natural persons referred to in the above paragraph, have been able to perform such acts because of a serious breach by the former of their duties of supervision, oversight and control of their activity in accordance with the specific circumstances of the case.
  2. If the offence is committed by the persons indicated in subsection (a) of the above paragraph, the legal entity shall be exempt from liability if the following conditions are met:
    1. the management body adopted and effectively executed, prior to the commission of the offence, organisational and administrative models, including suitable measures of oversight and control to prevent offences of the same nature, or significantly reduce the risk of the commission thereof;
    2. supervision of the functioning of and compliance with the prevention model implemented was entrusted to a body of the legal entity which has independent powers of initiative and control, or is legally entrusted with the function of supervising the efficacy of the internal controls of the legal entity;
    3. the individual perpetrators committed the offence by fraudulently evading the organisation and prevention models; and
    4. there was no omission or inadequate exercise of functions of supervision, oversight and control by the body referred to in condition 2.

In those cases in which the above circumstances can be only partially accredited, this circumstance shall be taken into consideration in attenuation of the penalty.

  1. At small-scale legal entities, the functions of supervision referred to in condition 2 of section 2 may be directly assumed by the governing body. For these purposes, small-scale legal entities are those which, according to the applicable legislation, are authorised to submit an abbreviated income statement.
  2. If the offence is committed by the persons indicated in item (b) of section 1, the legal entity shall be exempt from liability if, prior to the commission of the offence, it adopted and effectively executed an organisational and administrative model which would be appropriate in order to prevent offences of the nature of that committed, or significantly reduce the risk of the commission thereof.

In this case the attenuation provided in the second paragraph of section 2 of this article shall likewise apply.

  1. The organisational and administrative models referred to in condition 1 of section 2 and the above section must fulfil the following requirements:
    1. They shall identify the activities in which the offences to be prevented may be committed.
    2. They shall establish protocols or procedures specifying the process for the definition of the will of the legal entity, the adoption of decisions and the execution thereof with regard to the former.
    3. They shall have in place appropriate financial resource management models to prevent the commission of the offenses which must be prevented.
    4. They shall impose the obligation to report potential risks and breaches to the body responsible for oversight of the functioning of compliance with the prevention model.
    5. They shall establish a disciplinary system which appropriately penalises a breach of the measures established by the model.
    6. They shall perform periodic verification of the model and the potential modification thereof should any significant violations of the provisions arise,
    7. or where so required in the event of changes in the organisation, the supervisory structure or the activity undertaken.