In 2010, Spanish legislators amended the Criminal Code and introduced the concept of corporate criminal legal liability for a number of crimes, including corruption and bribery. The classic principle of societas delinquere non potest (meaning that companies would not commit crimes) no longer exists. A company is now criminally liable for crimes committed under their name and for their benefit by anyone authorised to act on their behalf, and for offences where there has been inadequate control over anyone with authority to act on their behalf.
The 2010-amended Code made it possible for law enforcers to find corporate entities criminally liable for the criminal offences committed in their names and on their behalf by employees, regardless of their positions. Lacking a sufficient due control and supervision on employees’ activities of companies could result in the same consequence.
The criminal offences for which companies are directly liable include fraud, fraudulent insolvency, insider trading, market manipulation, corruption, bribery, money laundering, breaches of environmental-protection regulations and violation of labour rights. Companies can face penalties ranging from fines to, for more serious cases, bans (on receiving public subsidies and public funds, or from entering into contracts with public administrations), judicial intervention or even forced closure.
The 2010 amendment to the Spanish Criminal Code marked a giant leap in the fight against corruption by limiting the ability of companies, including the subsidiaries of multinational corporations in Spain. However, the Code was still criticised by many legal professionals as it gave no incentive or compensation to companies for their efforts to prevent criminal acts by their own employees through the adoption of corporate compliance programmes.
Spanish legislators thus enacted another round of legislation reform on the Criminal Code on 26 March 2015, and the amended version came into force on 1 July 2015.
The 2015 amendments to the Code aim at achieving an even stronger compliance culture in Spain. Following the guidelines set by the United States Foreign Corrupt Practices Act and the United Kingdom Bribery Act, the amended Code expressly exempts companies with effective compliance programmes from criminal liability for crimes committed in their names and to their advantage by their legal representatives, directors or employees.
To use their compliance programme as a defence to be exempt from liability, companies must fulfil six elementary criteria of preventive measures. This is the only defence that companies can use in order to be exonerated from criminal liability if criminal charges arise.
HIGHLIGHTS OF THE 2015 AMENDMENTS TO THE CODE
Preventive measures as a compliance defence
Article 33 bis of the 2015 Spanish Criminal Code establishes that companies can only be exempt from criminal liability for crimes committed by their employees if:
- their decision-making body has adopted and effectively implemented a compliance programme that meets the legal requirements of Spanish law
- the operation of the programme is overseen by a body or individual with authorised self-governing powers of initiative and control (e.g. a company’s compliance team)
- the individual perpetrators (companies’ officers or employees, regardless of position) of any such crime have fraudulently and intentionally evaded the preventive measures and violated the compliance programmes
- their compliance body has not neglected, omitted or failed its duties of proper supervision, surveillance and control.
Six elementary criteria for compliance programmes
Article 33 bis 3 of the Criminal Code indicates that a company’s compliance programme should consist of:
- risk assessments of the crimes that should be prevented
- standards and controls to mitigate any detected criminal risks
- a financial management system that prevents identified crimes
- an obligation to report any violations of the standards and controls to the compliance body (i.e. a whistleblowing channel)
- a disciplinary system to sanction violations
- periodical reviews, making the necessary adjustments when serious violations occur or when the company undergoes organisational, structural or economic changes.
In addition, the 2015 Spanish Criminal Code requires that compliance programmes are effective. Companies are expected to prove that their officers and employees have received proper training on their programmes.
What does the amended Code mean for the compliance industry?
The 2015 reforms of the Code represent the doctrinal and jurisprudential trend in Spain of strengthening the compliance culture in the country. Companies operating in Spain, including branches and subsidiaries of multinational corporations, are now required to have adequate programmes to prevent, detect and correct risky actions by their employees, as an effective and appropriate compliance programme is the only means to absolve companies’ criminal liability.
From a wider perspective, the 2010 amendment of the Criminal Code, followed by the 2015 legislation reform, indicates that Spain has joined the global trend of anti-corruption enforcement efforts. The new Spanish legislation reveals an emerging and evolving international consensus on compliance best practices.
Multinational corporations are increasingly the target of an increasing number of anti-corruption regimes across various markets in which they operate. They are therefore encouraged to not only ensure that their policies and procedures conform to all applicable laws and regulations, but also take the initiative in the course of eliminating corruption and cultivating an anti-corruption culture.
The 2015 Spanish Criminal Code serves as yet another reminder for companies of the need for constant monitoring of corporate compliance programmes, not only to ensure effectiveness but also to ensure legal sufficiency in all respects.
Impact on third parties
With the new amendment having only been effective since 1 July, it would be hard to determine the number of companies in Spain that have yet to implement compliance programmes. Even more difficult to determine would be how many companies’ compliance programmes actually incorporate all six of the specific elements stated in the legislation.
The key concerns for many small and medium enterprises will be related to finances, such as:
- what initial investment will be needed to implement a compliance programme
- how much money will be required to maintain the programme
- whether there will be heavy fines if the compliance programme is not quickly implemented.
For some companies, an external service provider will have to be engaged at considerable expense to review, design and implement a robust programme completely from scratch. Other companies may require only minor changes to update their programmes to meet the new legal requirements.
It is extremely difficult to find a one-size-fits-all solution, as every company is unique and every company is at a different stage in their compliance understanding and knowledge. However, companies that have not yet implemented any controls, or for those that have so far only implemented minor compliance controls, should be systematic in their approach and not try to rush through implementation. They need to secure buy-in for the compliance programme from senior management. It is also good practice to be transparent and let all employees know – their support is just as crucial as senior management. A thorough risk assessment should also be conducted.
Companies that are yet to implement a full and complete compliance programme will either engage an external consultant or hire a compliance officer. Companies with limited resources may opt to use businesses that offer inexpensive off-the-shelf solutions to get the ball rolling (such as Compliance Mentor), while companies with a substantial budget may opt to engage with an external consultant.
Implementing and building a robust compliance programme takes time and will not be completed in a matter of weeks. It is important to not underestimate the time and resources that will be required.