Legal and regulatory framework
What legal role does corporate risk and compliance management play in your jurisdiction?
The legal role that corporate risk and compliance management plays in the Spanish jurisdiction is defined by article 31-bis Spanish Criminal Code (CC). It is noteworthy that the legal framework for corporate risk and compliance management is laid down in a criminal law, but the two amendments to the CC (Organic Law 5/2010 and Organic Law 1/2015) introducing the criminal liability of legal entities are the main milestones in the jurisdictional handling of both corporate risk and compliance management.
Although the CC adopts a ‘comply or explain’ approach, in fact, any legal entity - no matter its size or if it is listed or not - that wishes to invoke the exoneration of corporate liability or a mitigating circumstance if a crime is committed by one of its managers or employees must have a corporate compliance system in place that meets the requirements laid down by article 31-bis CC.
Moreover, Law 31/2014 of 3 December, on the change of Corporate Enterprises for the improvement of corporate governance, imposes on directors a specific duty of corporate risk control, so that directors may be held liable, as guarantors, for the offences committed by the employees, on the basis of commission by omission.
In addition to this, listed companies are also affected by the Good Governance Code of Listed Companies (2015) that states the basic principles of the corporate compliance systems, also using a ‘comply or explain’ approach. Unlike the CC, the Good Governance Code of Listed Companies is considered as ‘soft law’.
Laws and regulations
Which laws and regulations specifically address corporate risk and compliance management?
The following laws and regulations address corporate risk and compliance management:
- article 31-bis of the Spanish Criminal Code;
- Law 10/2010 of 28 April on prevention of money laundering and terrorist financing, and Royal Decree 304/2014 of 5 May on the regulation on the prevention of money laundering and terrorist financing;
- article 193.2 of the Stock Market Act, and Circular 1/ 2014 of the National Stock Exchange Commission (CNMV) for investment services companies; and
- Good Governance Code of Listed Companies issued by CNMV.
Types of undertaking
Which are the primary types of undertakings targeted by the rules related to risk and compliance management?
The following are the primary types of undertakings:
- under CC: every legal entity regarding criminal offences that may be committed in Spain or is committed outside Spanish territory can be prosecuted in Spain according to the law. The legal regimen is less demanding for small businesses (those that, pursuant to the applicable legislation, are authorised to submit an abbreviated profit and loss statement);
- under the Good Governance Code: every listed company; and
- under the Stock Market Act: investment services companies (financial institutions included).
Regulatory and enforcement bodies
Identify the principal regulatory and enforcement bodies with responsibility for corporate compliance. What are their main powers?
The main enforcement bodies are as follows:
- Prosecution Office: enforcement of the Criminal Code under Circular 1/2016 of the Attorney General’s office;
- SEPBLAC: Law 10/2010 of 28 April on prevention on money laundering and terrorist financing, and Royal Decree 304/2014 of 5 May on the regulation on the prevention of money laundering and terrorist financing;
- CNMV: enforcement of the Good Governance Code of listed companies; and
- CNMV and Bank of Spain: enforcement of sector-specific regulation for investment services companies and financial institutions.
Are ‘risk management’ and ‘compliance management’ defined by laws and regulations?
No. There are no definitions of these concepts but the requirements of a criminal compliance programme are defined under article 31-bis 5 CC, as explained below (see question 7).
Are risk and compliance management processes set out in laws and regulations?
Risk management and compliance management are defined by criminal, administrative and commercial laws and regulations.
From a criminal law perspective, the CC does not establish the obligation to have a compliance programme or specific compliance processes, although the due implementation of this type of programme or process has been configured in Spanish criminal law as an exonerating or mitigating circumstance.
In order to be able to appreciate this circumstance, compliance programmes must comply with conditions and requirements as explained below (see questions 7 and 17).
Standards and guidelines
Give details of the main standards and guidelines regarding risk and compliance management processes.
Requirements applying to organisational and management models are defined under article 31-bis 5 CC:
- the requirement to identify activities within the scope of which the crimes to be prevented may be committed - the ‘criminal risk map’;
- the requirement to establish protocols or procedures setting out the process by which the legal person reaches consensus, takes decisions and implements those decisions by reference to those protocols or procedures (code of conduct, compliance policy, organisational model, internal compliance system, etc);
- the requirement to have appropriate models for the management of financial resources in order to impede the commission of the crimes to be prevented;
- the requirement to impose an obligation to report possible risks and breaches to the body charged with overseeing the functioning of, and compliance with, the prevention model (an internal complaints channel);
- the requirement to establish a disciplinary system that appropriately penalises breaches of the measures established by the model (infringements of the compliance system and the associated penalties); and
- the requirement to conduct a periodic review of the model and to amend it in the event of significant breaches or changes in the organisation, control structure or business pursued (internal or external audits; ‘ongoing improvement’).
Other standards and guidelines related to management processes are:
- ISO 31000 (2009): with regard to risk management, it states principles and guidelines and provides principles, frameworks and a process for managing risks;
- ISO 19600 (2014): concerning compliance management, it provides guidance for establishing an effective and responsive compliance management system within an organisation;
- ISO 37001 (2016): regarding anti-bribery management systems, it specifies requirements and provides guidance for establishing an anti-bribery management system; and
- UNE 19601 (2017): concerns criminal compliance management systems based on the CC.
Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?
In accordance with article 23 of the Organic Law of the Judiciary, Spanish courts will be competent to prosecute the crimes committed in the Spanish territory, regardless of the nationality of the originator. Therefore, undertakings domiciled or operating in Spain could be investigated or prosecuted by the Spanish courts, and the risk and compliance governance obligations will be the same as those established for Spanish undertakings.
What are the key risk and compliance management obligations of undertakings?
The CC establishes a closed list of criminal offences that can be committed by legal entities. These specific criminal offences are:
- trafficking in, and the unlawful transplantation of, human organs (156-bis CC);
- trafficking in human beings (177-bis CC);
- prostitution and corruption of minors (189-bis CC);
- discovery and disclosure of secrets (197-quinquies CC);
- fraud (251-bis CC);
- criminal insolvency (258-ter and 261-bis CC);
- IT damage (264-quarter CC);
- crimes relating to intellectual and industrial property (270-272 CC and 273-277 CC);
- crimes relating to the markets and consumers (270-280, 281, 282, 282-bis, 283, 284, 285, 286 and 288 CC);
- corruption in business dealings (286-bis and 286-quarter CC);
- money laundering (302 CC);
- unlawful funding of political parties (304-bis CC);
- crimes against the public finance and social security authorities (310-bis CC);
- crimes against the rights of foreign citizens: unlawful trafficking or people smuggling (318 CC);
- planning crimes (319 CC);
- crimes against natural resources and the environment (325 CC);
- catastrophe hazard crimes (343 and 348 CC);
- crimes against public health (369-bis CC);
- forgery of credit cards, debit cards or travellers checks (386 and 399-bis CC);
- bribery (427 CC);
- misuse of public office (430 CC);
- incitement to commit acts of discrimination, hate or violence against groups (510 CC);
- terrorist financing (576-bis CC); and
- goods smuggling (the Anti-Smuggling Organic Law).
Liability of undertakings
What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?
Regarding the risk and compliance management obligations of members of governing bodies and senior management, from the criminal law perspective, these bodies have three different obligations:
- periodic verification of the effectiveness and compliance of the compliance programmes and processes;
- supervision and control of the effective implementation of the compliance programmes and processes; and
- reception and investigation of the complaints formalised as a consequence of the violation of the crime prevention and control measures.
Do undertakings face civil liability for risk and compliance management deficiencies?
The imposition of criminal liability on undertakings is compatible with any civil liability for the loss and damage that the offence may have caused, and any other type of civil or administrative liability that may be imposed on the corporate entity or the individual. When convicted, undertakings face civil direct liability jointly with the individual for the crime committed.
This civil action, improperly said to derive from the crime, does not emanate from the crime, but rather from illicit acts or omissions (not necessarily criminal) that produce unjust negative consequences or damages. That is, the civil liability for which one responds in the criminal proceedings is the ordinary extra contractual civil liability resulting from acts or omissions that cause prejudicial results. Thus, both case law and commentary in Spain have unanimously recognised that the possible joint exercise of the criminal and civil actions must not lead us to forget that both have distinct characteristics and that the civil action derived from the crime (or to be rigorous, the damages caused by the crime) is governed by rules and principles of its own.
Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?
The Good Governance Code of listed companies approved by the board of the CNMV on 22 May 2006, and updated on 18 February 2015, does not regulate the application of administrative or regulatory sanctions if the recommendations are not followed. However, the ‘comply or explain’ principle became part of statute law under article 116 of Law 26/2003 by introducing a duty to publish an annual corporate governance statement reporting on the degree of compliance with corporate governance recommendations and, where appropriate, explaining any departure from such recommendations.
Under provisions of Law 10/2014 of 26 June 2014 on the regulation, supervision and solvency of credit institutions (Title IV, additional provision 14th and transitional provision 1st), the Bank of Spain may impose sanctions in relation to serious or very serious infringements for lack of compliance including regulated corporate governance procedures. The disciplinary and sanctioning system covers institutions and their directors or administrators.
Spanish regulations on money laundering (Law 10/2010 of 28 April on prevention on money laundering and terrorist financing, and Royal Decree 304/2014 of 5 May on the regulation on the prevention of money laundering and terrorist financing) establish the obligation for subject parties (article 2 of the Law) to have adequate prevention procedures and bodies. Article 26 of Law 10/2010 sets out which internal control obligations should be implemented. Sepblac (Spain’s financial intelligence unit and anti-money laundering supervisory authority) is legally empowered to require information and documentation from all reporting entities. Failure to comply with these legal obligations constitutes an administrative offence under Chapter VII, articles 50-62 of Law 10/2010 without prejudice to those laid down as crimes in the CC.
Do undertakings face criminal liability for risk and compliance management deficiencies?
In the cases provided for in the CC, legal persons shall be criminally liable (article 31-bis 1):
- for crimes committed in their name or their behalf, and to their direct or indirect benefit, by their legal representatives or by parties who, acting individually or as members of a body of the legal person, are authorised to take decisions in the name of the legal person or hold powers of organisation or control within said legal person; and
- for crimes committed in the course of corporate business, and for their account and to their direct or indirect benefit, by parties who, while subject to the authority of the natural persons referred to in the preceding paragraph, were able to commit the acts as those natural persons seriously breached the duties of supervision, oversight and control of their activities, having regard to the specific circumstances of the case.
Whenever an undertaking is convicted for deficiencies of risk and compliance management, they face a mandatory penalty of a fine at a stipulated rate or on a proportional basis. Additionally, courts may impose optional penalties such as:
- winding up of the undertaking;
- suspension of the business (up to five years);
- closure of premises and establishments (up to five years);
- ban on engaging in any of the business activities in which the crime was committed, prompted or concealed (temporary up to 15 years or permanent);
- disqualification from obtaining public aid and subsidies, from entering into public sector contracts and from taking tax or social security benefits or incentives (up to 15 years); or
- court supervision to safeguard the rights of employees or creditors for as long as is deemed necessary, which may not exceed five years.
Liability of governing bodies and senior management
Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?
As explained in question 11, within a criminal proceedings civil actions can be exercised against the individual or the company responsible for the offence committed. Moreover, Capital Companies Law imposes, among other things, duties of diligent management on directors. This means that, generally speaking, directors’ liability (civil law in nature from the shareholders or directors as regards damages) arises when the directors, having infringed the law, the bylaws or the duties inherent in their office have caused economic damage, provided that there is causation between the infringement committed by the directors and the damage caused to the company.
Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?
As explained above, under provisions of Law 10/2014 of 26 June 2014 on the regulation, supervision and solvency of credit institutions (Title IV, additional provision 14th and transitional provision 1st), the Bank of Spain may impose sanctions in relation to serious or very serious infringements for the lack of compliance with the obligations on corporate governance procedures regulated. The disciplinary and sanctioning system covers institutions and their directors or administrators (de facto or de iure).
Also, under article 54 of Law 10/2010 of 28 April, on prevention on money laundering and terrorist financing, in addition to the liability corresponding to the obliged person even by way of simple failure to comply, those holding administrative or management positions in the latter, whether sole administrators or collegiate bodies, shall be liable for any breach should this be attributable to the latter’s wilful misconduct or negligence.
Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?
Yes, they do if they participate directly in the crime committed by the legal person as explained in question 13.
Moreover, the involvement of the person in the criminal act on which the attribution of criminal liability is based on must be interpreted broadly and encompasses both active forms of involvement (through an action in the strict sense) and passive forms (through passivity or the failure to do something required). According to article 31-bis 1b), CC governing bodies and senior management can transfer liability to undertakings when their subordinates commit criminal offences when carrying out their corporate activities and on their account and to their direct or indirect benefit, because the duties of supervision, surveillance and control of their activities were gravely breached by them. So members of governing bodies and senior managements may face criminal liability for breach of risk and compliance management, but this requires not only the breach of risk and compliance management but also that the manager can be found liable on the basis of commission by omission, according to article 11 CC.
In other words, they may be held liable if they failed to prevent offences from being committed by employees or officers within the company, being in a position of guarantor, when the requirements of omission to action are met and their omission is thus equivalent to an action. As laid down in Law 31/2014 of 3 December on the change of corporate enterprises for the improvement of corporate governance, they now have a specific legal duty of control of the company’s activities and its risks (duty of corporate control). This results in a position of guarantor in terms of preventing crimes from being committed within the company. Both the CC and this law should be interpreted jointly to make an assessment of criminal liability of governing bodies and managers.
The delegation of duties by directors to third parties, including the compliance officer, should not mean that directors become fully exonerated in favour of the delegated party. Moreover, if the members of governing bodies and senior management fail to prevent offences from being committed because of poor performance of their duty of corporate control, the exoneration of corporate liability cannot be invoked by the company.
Corporate compliance defence
Is there a corporate compliance defence? What are the requirements?
Article 31-bis 2 CC, establishes the grounds for a legal person to be exempted from liability when the crime is committed by those indicated in subparagraph a) of section 1 of article 31-bis CC, that is, by those that make decisions in the name of the legal person or hold powers of organisation or control within said legal person (ie, sole director, directors acting severally, joint directors, board of directors, executive committee and managing directors). This means that, if all the conditions contained in this article are fulfilled, the legal person shall be exempt from criminal liability.
These requirements are (article 31-bis 2 CC):
- the managing body must have actually adopted and implemented, prior to the commission of the crime, an organisational and management model incorporating suitable measures of oversight and control to prevent crimes of the same nature or to significantly reduce the risk of such crimes being committed;
- perpetrators must have committed the crime by fraudulently evading such models;
- supervision of the functioning of, and compliance with, the prevention model in place must be entrusted to a body within the legal entity that has standalone powers of initiative and control or on which statute has conferred the function of supervising the effectiveness of the internal controls of the legal entity; and
- there must not have been any omission or defective discharge of the functions of supervision, oversight and control of the body referred to.
The partial accreditation of these conditions could be considered as a mitigating circumstance.
When the criminal offence were perpetrated by those subject to the authority of those indicated in subparagraph a) of section 1 of article 31-bis CC, that is, by subordinated employees, the legal person shall be exempted from liability if, before the perpetration of the criminal offence, it has adopted and effectively implemented an organisational and management body to prevent criminal offences of the nature of the one perpetrated or to reduce in a significant way the risk of the perpetration thereof.
Additionally, there are certain circumstances when criminal liability of legal persons can be mitigated after the commission of the criminal persons. For this mitigating circumstance to be applicable, the legal person, through its legal representatives, should carry out the following activities:
- confess the criminal offences to the authorities before having knowledge of the initiation of judicial proceedings;
- collaborate with the investigation of the facts once the judicial proceedings have been initiated providing decisive evidences; and
- prior to the trial itself, endeavour to repair or decrease the damaged caused, or establish measures to prevent and discover the commission of criminal crimes by the company in the future.
This corporate compliance defence only applies for the company itself, and not for the employees. Therefore, the proceedings may continue to investigate or judge the individual’s criminal responsibility.
Discuss the most recent leading cases regarding corporate risk and compliance management failures?
Firstly, there have not been enough sentences regarding corporate risk and compliance management by companies in Spain. This is basically because, even if the introduction of legal entities criminal responsibility occurred in 2010, Spain’s judicial procedure is very slow and most of the cases are still under investigation; only a few of them have been tried. That being said, and while some provincial courts have issued sentences concerning this matter, the leading case law comes from cases that the Supreme Court have reached.
So far, the Supreme Court has only issued a few sentences. The most important would be the following:
- The first one, dictated on 2 September 2015, was related to a fraud crime and concerned the criminal responsibility of companies. It indicated that any conviction of a company must comply with the basic principles of criminal law. Hence, the importance of this judgment is that it considers that companies are subject to the application of the principles of criminal law within a criminal proceeding where an individual is affected. However, the failure risk and compliance management was not assessed.
- On 29 February 2016, the Supreme Court dictated a sentence that, in relation to a drugs offence case where there were no compliance measures, states that constitutional rights and guarantees also apply to legal persons. Moreover, it indicates that the nature of criminal liability of companies is of self-responsibility meaning that, unlike the state prosecutor’s criteria, which understand that a compliance system is configured as an absolutory excuse, the presence of appropriate mechanisms of control implies the very inexistence of the crime. The judgment also considers that the accusing parties should prove that there were not any instruments of compliance to avoid the commission of the crime and, additionally, that liability has to be established on the basis of the analysis of whether the offence committed by the individual under the wing of the legal entity (body corporate or legal person) has been facilitated by the absence of a ‘culture of respect for law’, which should be demonstrated in concrete ways (tangible manifestations or forms) of surveillance and control.
- According to another acquittal sentence dictated on 16 March 2016, the public prosecutor should make the same prosecutor effort for legal persons as for individuals, as they are subject to two different prosecutions, each being liable for their own offence. Even if the system is vicarious, that does not mean that criminal principles become secondary - all of the guarantees must be fulfilled.
- On 13 June 2016, another sentence from the Supreme Court rejected an appeal against an acquittal because, at the time when the offences were committed, article 31-bis had not been signed. There was no criminal liability allocated to the legal person from the prosecuting parties. It also states that an accusation against the legal person does not exclude the liability of the individual acting as its representative where there are elements of participation of the individual. The legislator has chosen a vicarious system, responding each of them separately.
- Another illuminating sentence was the one issued on 21 June 2017. Although it was not the case or even a key point of the resolution, the Supreme Court highlighted that, in order to convict a legal person, the crime must have been committed not only in the course of corporate business and for its account but also to its direct or indirect benefit. Therefore, the legal person cannot be held criminally liable if it was aggrieved and adversely affected by the crime, even when it was committed in the course of corporate business and for its account.
- The sentence issued on 19 July 2017 has not been seen as being as important as those previously mentioned. However, it sheds a light on different issues. It rules about a legal person’s domicile, standing that its scope is the one stipulated by article 554.4 of the Criminal Procedure Act, whether or not the legal person is being investigated by a court. The sentence also implies that mitigating circumstance consisting of undue delays might be applied to legal persons (a question which had not been clear for commentary). Moreover, the resolution points out that in order to set aside the legal persons’ right to presumption of innocence it is necessary to prove beyond a reasonable doubt three items:
- the crime has been committed on its behalf by:
(i) their legal representatives;
(ii) by parties who, acting individually or as members of a body of the legal person, are authorised to take decisions in the name of the legal person or hold powers of organisation or control within said legal person; or
(iii) by parties subject to the authority of natural person referred to in (i) and (ii);
- the crime has been committed to their direct or indirect benefit; and
- the legal person has not implemented organisational and management models according to conditions established under article 31-bis 5 CC (see question 7).
Are there risk and compliance management obligations for government, government agencies and state-owned enterprises?
According to article 31-quinquies CC, criminal liability of legal persons cannot be applied to territorial and institutional Public Administrations, to the Regulatory Bodies, to Public Agencies and Corporate Entities, to international organisations under Public Law, or to others that exercise public powers of sovereignty or administration. Additionally, this article states that in the case of state mercantile companies that implement public policies or provide services of general economic interest, they can only be subject to fine penalties or judicial intervention. If the legal form was established in order to elude criminal liability, the investigating court or judge can consider that the limitation is not applicable.
Framework covering digital transformation
What are the key statutory and regulatory differences between public sector and private sector risk and compliance management obligations?
As a consequence of the details given in question 19, those government bodies or agencies or stated-owned enterprises not included in the list of article 31-quinquies face the same risk and compliance management obligations as all private legal persons. For instance, political parties and trade unions were initially excluded from being criminally liable until 2012 when the CC was modified in order to include their potential liability.
Some public bodies, such as the Spanish Federation of Municipalities and Provinces, have developed internal good practice standards even if they are not potentially liable for criminal responsibility. This is an example of integrity compliance and ethical practices beyond the bounds of legislation.