In Spain, the vast majority of respondents to the study thought that corruption was widespread in their country (95 percent). Most had been personally affected by it (63 percent), and many thought that it was getting worse (77 percent).
While Spain has been a signatory to the Organisation for Economic Co-operation and Development (OECD) Convention on Combating Bribery of Foreign Public Officials since 2000, and the UN Convention against Corruption since 2006, the primary focus of corruption prosecutions in Spain has been against the domestic bribery of government officials. Since 2000, there have been no convictions for overseas bribery and no investigations against corporate entities.
Partly in response to pressure by the OECD, in September 2013 the Spanish government approved a reform of the Spanish Criminal Code, which changes the law relating to corruption. Under Spanish constitutional law, it is now for the Spanish Parliament to approve the reform by absolute majority. Once approved, the new law will come into force six months after publication in the Boletín Oficial del Estado.
The reform introduces substantial modifications to the existing law. For the first time, criminal liability lies with the company and the board or any representatives acting on the company’s behalf unless they can prove that they implemented the necessary risk controls (i.e. compliance programmes). The reforms also make it easier to prove bribery where the intention of the recipient is not known.
This reform is a continuing evolution of the law, as prior to 2010 there was no corporate criminal liability for corruption as part of the Spanish Criminal Code. The 2010 changes provided for the transfer of liability from the legal representatives personally to the legal entity jointly or separately if the crime was for the company’s benefit. The board of a company was then responsible for any crimes committed on behalf of the company, irrespective of whether they were directly responsible. Three years later, and following many cases of corporate corruption (though no successful prosecutions), the Spanish government agreed to implement new changes to the Criminal Code.
What are the changes?
Under the proposed amendments, companies will be criminally liable for the crimes committed in their name (or on their behalf) that benefit the company, either by their authorised representatives or by those not authorised but able to commit the crime due to a lack of controls.
Companies may be exempted from liability, however, if it can be shown that:
- the board has adopted and effectively implemented organisational and management measures that include monitoring and controls to prevent offences
- supervision and monitoring of the newly implemented measures have been allocated to an independent body (i.e. a compliance function) within the company with powers to control it (which can remain with the board in smaller organisations)
- any individual committed the crime by evading the company’s controls
- there have been no omissions and no inadequate controls by the compliance function.
The penalties prescribed for the entity are related to the lack of implementation of a compliance programme rather than as a result of the crime; however, they seem to need to be linked to a successful prosecution of an individual.
The new role of the compliance function
Under the proposed amendments, there is now a clear requirement for any larger organisation to form an independent body to manage its controls and policies. This would typically be the compliance department, although in smaller organisations these duties can remain with the board.
A key decision needs to be made about how this body will function and what the scope of its role will be. At a minimum, there is a requirement that the compliance function needs to perform an assessment of which bribery risks are present. This assessment should consider:
- the obligations placed on the company, largely by these changes to the legislation, but also by laws of other jurisdictions where the company is active (e.g. the UK Bribery Act or the US Foreign Corrupt Practices Act), plus external sources such as client contracts or industry codes of conduct
- which actual risks are inherent, given the types of products sold, the location of the sales, how they are shipped, where the supplies come from and any other areas where there is a bribery risk
- any non-bribery risks that can be reviewed in the same process, such as export controls, sanctions or human rights that may contain legal risks but also contain significant reputational risks
- the likelihood of any of the risks identified occurring, the likelihood of prosecution and the potential impact if they did occur (even though in Spain there have been very few successful prosecutions for corporate bribery, it is important not to underestimate the risks elsewhere in the world where the appetite for prosecution is greater).
Differences from the UK Bribery Act’s ‘adequate procedures’
At the conclusion of the risk assessment, the compliance function should prioritise the areas that need attention. The next step is to determine a plan to manage those risks. At a minimum, the legislation suggests that the controls (called prevention guidelines) must:
- establish protocols and procedures to be able to make decisions and execute them
- include adequate financial resources to help avoid the crimes
- include a hotline or similar communication channel for reporting any potential misconduct or risk to the compliance body
- establish a disciplinary system that punishes breaches of the guidelines
- be verified and modified periodically, for example when any misconduct arises or when there are significant changes in the organisation, its structure or activities.
In some ways these changes are aligned with the UK Bribery Act and its offence of ‘failure to prevent bribery’ and concept of ‘adequate procedures’ for preventing bribery. There are areas where the Spanish regime is lagging behind the British, however.
Firstly, the amendments to the Spanish legislation do not include a requirement for senior management to show their commitment to compliance programmes other than by funding them. While funding of programmes is important, ‘tone from the top’ needs to be far wider than financial support. In best-practice programmes, senior management actively promote the need for compliance in all of their communications and actions. Resourcing of programmes should also be more than purely financial – access to resources such as personnel and systems within the firm is vital to a programme’s success.
Secondly, there is no explicit mention of the concept of associated persons or third parties in the Spanish regime. There is wording about authorised persons and people acting on behalf of the company, but it is not clear whether this includes third parties (whether acting as agents or otherwise) and whether only natural people and legal entities are included. In contrast, other sections in the penal code relating to foreign bribery specifically mention intermediaries. A bribery programme that does not actively consider the risks of bribes being channelled through third-party intermediaries is not likely to be considered adequate. At a minimum, the management of third parties requires a level of due diligence based on the risks posed by the partner (for example, based on the service they provide, their location or their industry) and the follow-up of any issues found.
Finally, the amendments do not include a clear requirement for training and communication. Although this might be considered implicit in the requirements, without a carefully-considered plan for training and communications the training will fail – either not enough information will be delivered or the information that is delivered will not be focused enough to effect real change. The threat of disciplinary action in the event of a breach, while necessary, should not be the key message. A compliance programme should aim at preventing bribery rather than enforcing punishment after the fact.
Since there is no specific guidance associated with the proposed legislation, the desire to implement only what is necessary without excess is likely to be a key issue for many companies. In this situation, help can be sought from external guides (like the UK Ministry of Justice or the OECD) to provide general direction. Practitioners at these organisations can also offer more specific direction or stipulate benchmarks based on their previous experience with similar companies.
Once a set of adequate procedures has been drafted, costs can be estimated and provided to the board for approval. At this point, the process considered by the legislation seems to be unclear.
If the board approves the plans but the compliance team fails to properly implement them, in the event of an incidence of bribery the company would not be held responsible. So, by failing in their duty to either recommend adequate procedures or implement them, the compliance team would have saved the company from liability (though what punishment would be meted out to the compliance team for this ‘successful’ failure is uncertain).
If the board doesn’t approve the plans and there is an issue, the argument will become whether the proposed plans would have avoided the bribery. If the proposal for funding was excessive, the board would have been correct to reject it. But, if it was reasonable, then the rejection could lead directly to liability.
It is not clear, however, whether a board would be in a better position than a compliance team to determine the adequacy of a compliance programme. The board must select its compliance team well in order to trust the risk assessment and plans that compliance proposes. The compliance team, on the other hand, must be careful to propose measures that are reasonable and achievable so as to not fail in their scope, adequacy or implementation.
What does a Spanish company need to do?
So what is likely to be considered adequate as a proposal for an anti-bribery compliance programme? Like most risk-based programmes, the nature of the work needed will depend very much on the type of company. Local Spanish companies will have far lower obligations placed on them than large multinationals. However, as a minimum, there should be:
- a comprehensive risk assessment and subsequent board approval, as discussed above, to provide a plan for the compliance programmes needed, including the metrics and goals that will be used in the annual review process – this can either be performed internally or by using outside resources to facilitate, benchmark or review
- a code of conduct that sets out the company’s standards, the disciplinary impact of breaches and the ethical expectations on management and employees while also containing a strong message from the executive that corruption will not be tolerated
- demonstration that the senior management actively endorse the programme in their communications and actions to complement the message from the executive in the code of conduct
- documentation in the form of policies and procedures to ensure that all staff and partners are aware of what is expected of them
- a training and communication campaign to inform staff about the code, policies and procedures
- a hotline facility to allow reporting of suspected breaches (anonymously if needed)
- some level of due diligence carried out on any companies that work in locations outside of Spain – due both to the legal positions in the other jurisdictions and, more importantly, to mitigate the reputational impact of any corruption breaches (domestic Spanish companies should also consider a due diligence programme as a method of better understanding their partners)
- active monitoring of the compliance programme and a regular comprehensive review to ensure that it still meets the needs of the company.
While there are a number of questions raised by the wording of the new legislation that will need to be clarified, in effect it imposes no greater burden on Spanish companies than that imposed on foreign companies by the legislation of their countries. It is essential that companies in Spain build on the experiences of those foreign companies that have created successful anti-corruption programmes in response to their own countries’ legislation.
The key message is to take the new legislation seriously in the boardroom and at the executive-management level. If there is no genuine support from the top, any actions proposed by a compliance function will be ineffective. This support may come from directors, who may have been through investigations in the past, or from those who understand the impact on reputations and on that of their business.