The criminal liability of legal entities was introduced in the Spanish legal system in 2010. The reform left uncertainty about the elements and efficiency of a compliance program.

The 2015 Reform provides companies with an exemption from criminal liability if they have effectively implemented a compliance program that meets the requirements of the new Code.

The 2015 Reform establishes the elements that the compliance program should incorporate to serve as means of corporate defense from certain crimes committed by its directors or employees.

The 2015 Reform closely follows the structure of Italian Legislative decree 231/2001 and widens, in many cases, the traditional scope of US-based compliance programs.

Multinationals operating in Spain with already robust compliance programs should ensure local risk assessment of their operations is made and their corporate global program is adapted to the Spanish requirements.

On March 30, 2015, the Spanish Parliament passed the long awaited Organic Law 1/2015, which amends the Spanish Criminal Code, and came into effect on July 1. Among its provisions, the new Code incorporates a significant incentive for companies to adopt and effectively implement a compliance program that meets the requirements established by the law.

The previous Criminal Code Reform in 2010 introduced into the Spanish legislation the possibility for companies to be held criminally liable for acts committed by their directors or employees. However, it left some uncertainty regarding the value of having a compliance program as an effective corporate defense, and also as to the elements that any such compliance program should incorporate.

The 2015 Reform now brings certainty to these questions by establishing that the effective adoption and implementation of a compliance program can serve as an exonerating or attenuating factor when a company is subject to criminal liability for crimes committed by its directors or employees. In particular, the Code differentiates between (1) crimes committed in the benefit of the company by its legal representatives or by those with authorized decision-making authority (typically the senior management); and (2) crimes committed in the benefit of the company by individuals under the management of others (“subordinated individuals”), if the commission of the offence was possible due to the a lack of surveillance and control by the management.

Requirements of the law

In the first case, the new Code allows to exempt companies from criminal liability under the following requirements:

  • The board of directors has, prior to the perpetration of the crime, adopted and implemented an organizational, management,
  • and control model (the model) suitable to prevent offenses of the type committed.
  • The supervision of the model is entrusted to a supervisory body with independent powers of initiative and control. The Code accepts that in small and medium-size companies, the board of directors may accomplish this function directly.
  • The individual authors of the crime committed the offense while intentionally and fraudulently eluding the model.
  • The supervisory body has not neglected its duties of supervision and control.

If the crime is committed by a subordinated individual, the company will have to prove that it had effectively implemented an organizational and management model suitable to prevent offenses of the same type as the one committed, prior to the commission of the offense.

The model must incorporate the following:

  • Risk assessment to identify the activities within the company that may represent a risk;
  • Policies, procedures, and controls to prevent, mitigate, and/or sanction any criminal risks detected;
  • Financial management system to prevent the commission of the crimes identified;
  • Obligation to report any potential risks or non- compliant activities to the compliance officer/committee (i.e., need to implement whistleblowing channels); and
  • Disciplinary system to sanction any violation of the management model.
  • Periodic verification and changes to the model if significant violations are discovered, or if there are significant changes in the organization, control structure, or activities of the corporation.

Needless to say, training is key to the effectiveness of the model, even if the Code has not explicitly included it as one of the core elements.

The Italian precedent

The new reform clearly follows what has been incorporated in the legislation of many other jurisdictions around the world, and it is also contained in international treaties to which Spain has adhered.

In particular, there is a significant parallelism with the provisions of Italian Legislative Decree 231/2001 in the fact that the model that it contemplates could serve as affirmative defense in case of commission of crimes of very diverse nature—not focusing exclusively on bribery and/or corporate fraud. The Spanish criminal code contemplates this model as a preventive tool (and an affirmative defense instrument) for a defined number of crimes (numerous clausus in Latin) susceptible of generating the criminal liability of the legal entities.

These offenses somehow take into consideration the different areas of activity that a company may operate in and the risks that can be originated (i.e., a nuclear facility will have areas of risk that a financial institution may not necessarily face). The crimes included in the numerus clausus are therefore not only of what is typically known as of “corporate” nature (e.g., fraud, corruption, influence peddling; swindling, money laundering, punishable insolvency, IP and IT damages), but also:

  • offences against the rights of aliens;
  • crimes concerning organization of the territory and town planning, protection of the historic heritage and the environment;
  • crimes against natural resources and the environment;
  • crimes relating to nuclear energy and ionizing radiations;
  • offenses of risk caused by explosives, and other such agents;
  • offences against public health, drug trafficking;
  • crimes relating to terrorism, criminal organizations and groups;
  • forgery of credit and debit cards and travellers cheques;
  • crimes relating to corruption in international commercial transactions;
  • trafficking of human organs, trafficking of human beings, prostitution and corruption of minors;
  • crimes of discovery and revelations of secret information;
  • swindling, punishable insolvency, IP and IT damages;
  • crimes relating to the market and consumers; and
  • crimes against the tax regulations and Social Security.


Companies should therefore carefully identify through a tailored risk assessment any activities of their local subsidiaries where the crimes listed by the Code could be committed and adopt a compliance program (model) tailored to prevent  the same. In multinational companies with well- established corporate compliance programs, the mere translation into local language of the program will, therefore, not be sufficient to comply with the requirements established by the new criminal code – although there will be a clear benefit of having it, particularly if it is the reflection of the existence of a true culture of compliance within the organization.

Upcoming SCCE Web Conferences

11.10.2015 Third-Party Risk Management: Reducing the Costs of Third-Party Compliance:

JENNIFER CHILDS KUGLER, Principal Executive Advisor, CEB

11.12.2015 How To Build A World-Class Compliance Team and Accomplish Critical Goals in the First 100 Days:

SUZANNE RICH FOLSOM, General Counsel, Chief Compliance Officer, and Senior Vice President – Government Affairs, United States Steel Corporation;

VICTORIA MCKENNEY, Associate GC - Regulatory and Compliance and Deputy Chief Compliance Officer, United States Steel Corporation;

11.18.2015 Avoiding Costly Mistakes: Lessons Learned from Recent I-9 Enforcement:

CHRISTINE D. MEHFOUD, Director/Attorney, Spotts Fain PC;

12.3.2015   The Real Deal on Form I-9:

JUDITH W. SPAIN, J.D., Chief Compliance Officer, Manhattanville College; M. TINA DAVIS, University Registrar, Eastern Kentucky University;

12.8.2015   What you need to know about Supply-Chain Compliance with UK Modern Anti-Slavery Legislation:

JONATHAN ARMSTRONG, Partner, Cordery ANDRE BYWATER, Principal Advisor European Regulatory, Cordery;

12.17.2015 The Real Deal on Form I-9:

DAVE BASHAM, Sr. Outreach Analyst, USCIS (U.S. Citizenship and Immigration Services), DHS (Department of Homeland Security);

Learn more and register at