Spain introduces compliance programs as a defence to criminal liability for companies

Spain adopts a new law that will increase the importance of corporate compliance programs, which may provide a defence to criminal liability for companies for any offence.

The criminal liability of companies and other legal persons has gained new importance in the last reform of the Criminal Code that took place by Law 1/2015, dated 30 March 2015, and which came into force on 01 July 2015.  It heralds an important reform that affects all Spanish companies.

The principal change is the exemption from criminal liability of companies and organizations that have implemented business procedures to prevent crimes being committed within it.

In the same way that the legislature turned companies into collaborators of the Treasury in the collection of taxes (VAT, Personal Income withholding tax), it now provides companies with the incentive to police their own activities, so that if the company finances and organizes internal control procedures to prevent crimes from being committed, to that extent, it shall be exempt from criminal liability (notwithstanding that an employee has committed an offence for the company’s benefit).

The conditions in which legal bodies can be considered criminally liable, first introduced in 2010, have changed.  As specified in this Code, legal entities shall be criminally liable for:

  • Offences committed for their benefit by their legal representatives or by those individuals who are authorized to make decisions or have the power to organize and control the company’s activities, and

  • Offences committed in the exercise of corporate activities, on behalf of and directly or indirectly for the benefit of the legal body, by those who are subject to the authority of those mentioned in the above paragraph, where the offence has been committed as a result of a failure to supervise, monitor and control their activity.

What must an organization do to control its employees or workers? The answer formulated by the Penal Code is to specify the requirements of “Corporate Compliance Programs”, which involve the protocols and internal procedures to control employees’ behaviour in the areas where offences could be committed.  In adopting this approach, Spain is following the model of the UK Bribery Act, which provides a defence for a company that has failed to prevent bribery by others on its behalf if it can show that it put in place “adequate procedures” to prevent bribery.

Conditions for avoiding liability

In relation to the offences committed by legal representatives, those authorized to make decisions on their behalf or those with management and control faculties, the legal body will be exempt if one of the following conditions are met:

  • The adoption of the following preventive measures before the offence is committed:
    • That the corporate body had adopted and duly enforced measures of vigilance and control within management suitable to prevent the offences, and

    • That a Compliance Officer had been appointed. This is a person or body with powers to initiate, control and supervise the functioning of and compliance with the controls. When dealing with small firms (those authorized to file a summarized version of their Balances and Profit and Loss accounts), this task can be assumed by the corporate body.


  • The individual offenders circumvented the management and prevention measures, without any omission or failures of the body designated for supervision, vigilance and control.

In relation to offences committed by workers where there has been a serious failure to fulfil the duties of supervision, vigilance and control, it will be enough if, prior to the offence being committed, a model of organization and management was adopted that was appropriate to prevent such offences to occurring.

What a compliance program should contain

The definition of the exemptions is completed by defining the minimum requirements of a Compliance Program:

  • the identification of the activities from which offences can arise (a “risk map”)
  • the establishment of protocols or procedures that establish the company’s relevant decision-making processes
  • management models of the financial resources allocated to the prevention of the offences
  • an obligation to report possible risks and breaches of the policy to those responsible for supervising the Compliance Program
  • a disciplinary system established to properly sanction any failure to comply with the compliance measures, and
  • a process of review of the effectiveness of the Compliance Program, in particular following any significant breach of it.

If a Compliance Program does not meet all of these criteria, or appears to have been inadequately implemented, it may still form a mitigating factor for a company found criminally liable, but not a complete exemption. Other mitigating circumstances include self-reporting to the authorities prior to any judicial proceedings against the company, collaboration with any investigation, making reparations for any harm caused and the establishment of effective compliance measures before the trial starts.

The reform reduces uncertainty for the judiciary and businesses as to when a company should be held to be criminally liable.  Having regard to the difficulty of investigating and pursuing criminal activities committed within complex business structures, and establishing those individuals responsible for them, the  aim of the reform is that the firms collaborate actively and take the lead in eliminating crime within their organizations.

Regardless of the fact that a lot of Spanish firms were already using internal compliance programs, even before the adoption of criminal liability for companies, many companies will now look to adapt their practices to more closely align with the requirements of the Criminal Code.  This will mean a clear change in Spanish business culture.

Responsible persons and employees must:

  • identify the activities of its business that give rise to criminal risk
  • identify suitable measures to avoid the risks
  • establish protocols and mandatory guides for how relevant steps should be taken
  • introduce efficient supervision systems.

The message is clear. If a company collaborates in the prevention of the offences it will be exempt from criminal liability. If not, it will suffer the harmful effects of a criminal sentence, including potential debarment under EU tendering rules and substantial damage to its reputation. 

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.