Since the reform of the Spanish Criminal Code by Organic Law 5/2010, a Spanish company can be criminally convicted: it can face million-euro fines, dissolution, disqualification from public procurement or judicial administration of its business. The legal person is not a shield against criminal liability — it has been, for fifteen years, an active subject of criminal law. Criminal compliance, and specifically the organisation and management model of Article 31 bis of the Criminal Code, is the only legally recognised mechanism to exonerate or mitigate that liability.
What criminal compliance is and why it differs from general compliance
The term compliance — regulatory compliance — encompasses in its broadest sense all the policies, procedures and controls an organisation adopts to ensure it operates in accordance with the law and its own ethical standards. Criminal compliance is a specific category within that universe: it deals exclusively with the prevention of conduct that may constitute criminal offences attributable to the company as a legal person.
The distinction matters because criminal compliance has direct legal effects in court proceedings. Unlike other compliance obligations — anti-money laundering, data protection, occupational health and safety — whose breach generates administrative sanctions, criminal compliance operates as a ground for exoneration from criminal liability. An organisation and management model that meets the requirements of Article 31 bis.2 and .5 of the Criminal Code can result in the company being completely acquitted, even if one of its directors has committed an offence acting in its name.
The legal framework: Article 31 bis CP and the 2015 reform
The dual imputation model
Article 31 bis of the Criminal Code establishes two bases for corporate criminal liability:
First basis (Art. 31 bis.1.a): The company is liable when the offence is committed by its legal representatives or by those who, acting individually or as members of a body, are authorised to take decisions on behalf of the legal person or have organisational and control powers within it. This covers directors, managing directors, authorised signatories with sufficient powers and, generally, any person with capacity to bind the organisation.
Second basis (Art. 31 bis.1.b): The company is also liable when the offence is committed by employees subject to the authority of the above, provided the acts were possible because the supervisory, monitoring and control duties over those employees were seriously breached. Here the basis of liability is not the act of a director but the organisational defect that allowed an employee to commit an offence without being detected or prevented.
This dual basis has very significant practical consequences. A well-managed company can find itself prosecuted if a mid-level sales representative falsifies documents to close a deal and there were insufficient controls over that person's activities. An offence committed by a junior employee can criminally implicate the entire organisation.
Penalties applicable to legal persons
The Criminal Code provides a specific catalogue of penalties for legal persons, distinct from those applicable to natural persons. The main penalties are:
- A fine, set by quotas or proportionally, which can reach five times the benefit obtained or expected from the offence, or exceed €10 million in the most serious cases
- Dissolution of the legal person, with extinction of legal personality and permanent loss of capacity to act in legal transactions
- Suspension of activities for up to five years
- Closure of premises and establishments for up to five years
- Prohibition from carrying out the activities in the exercise of which the offence was committed, temporarily (up to fifteen years) or permanently
- Disqualification from obtaining grants and public subsidies, from contracting with the public sector and from enjoying tax benefits or Social Security incentives, for up to fifteen years
- Judicial administration to safeguard the rights of employees or creditors, for a period not exceeding five years
The offences that generate corporate criminal liability
Not all offences in the Criminal Code can generate criminal liability for a legal person. The legislator has opted for a numerus clausus system: only offences for which the Criminal Code itself expressly provides for corporate liability can lead to a conviction of the company. As of 2026, this catalogue comprises approximately twenty criminal categories, including:
- Drug trafficking (Art. 369 bis CP)
- Fraud (Art. 251 bis CP)
- Culpable insolvency (Art. 261 bis CP)
- Computer damage and offences against information systems (Art. 264 quater CP)
- Intellectual and industrial property offences (Arts. 270, 273 CP)
- Market and consumer offences (Art. 288 CP)
- Money laundering (Art. 302 bis CP)
- Tax offences, Social Security fraud and subsidy fraud (Arts. 310 bis, 318 bis CP)
- Bribery (Art. 427 bis CP)
- Influence peddling (Art. 430 CP)
- Corruption in business (private-to-private bribery, Art. 288 CP)
- Corruption of foreign public officials (Art. 445 CP)
- Environmental offences (Art. 328 CP)
- Terrorism financing (Art. 576 bis CP)
The catalogue reveals that the most prevalent offences in the corporate context — tax fraud, money laundering, bribery, business corruption and environmental offences — are all included. This means that virtually any company with significant activity faces real exposure to at least one of these.
The six requirements for the exoneration model (Art. 31 bis.5 CP)
Exoneration from corporate criminal liability requires that the organisation and management model adopted before the commission of the offence meets the six requirements that Article 31 bis.5 of the Criminal Code enumerates expressly:
1. Identification of risk-generating activities
The model must identify the activities within which the offences to be prevented may be committed. This is the criminal risk map: a systematic analysis of all the company’s business processes to determine which present exposure to the offences in the catalogue. The map cannot be generic or copied from a template: it must reflect the reality of the company, its sector, its structure and its specific operations.
2. Decision-making protocols
The model must establish protocols or procedures that define the process for forming the legal person’s decision-making will and for adopting and executing decisions in respect of risk-generating processes. In practice, this means that approval processes for expenditure, third-party contracting, supplier selection, the granting of discounts and relations with the public administration must have documented decision circuits with second-level controls.
3. Financial resource management models
The model must include financial resource management models adequate to prevent the commission of the offences that must be prevented. This requirement directly targets internal financial controls: segregation of duties in payments, dual authorisation for transfers above certain thresholds, prohibition of cash payments above certain amounts, and independent review of representation expenses and payments to commercial agents.
4. Obligation to report potential risks and infringements
The model must impose an obligation to report potential risks and infringements to the body responsible for supervising the operation and compliance of the prevention model. This requirement has two components: a communication channel for employees to report irregularities, and a receiving body that analyses that information and acts on it. In practice, the whistleblowing channel (or ethics channel) is the primary vehicle for meeting this requirement.
5. Disciplinary system sanctioning non-compliance
The model must establish a disciplinary system that adequately sanctions non-compliance with the supervision and control measures. Without effective consequences for non-compliance, the model lacks deterrent effect. The disciplinary system must be integrated into the internal employment regulations or the applicable collective agreement.
6. Periodic verification and modification
The model must be subject to periodic verification and modification when material infringements of its provisions are revealed or when changes in the organisation, control structure or activities make this necessary. A criminal compliance programme that is implemented once and never reviewed loses effectiveness over time and can be challenged in court.
The UNE 19601 certification: what it adds and what it does not
What UNE 19601 is
Standard UNE 19601, published by AENOR in 2017 (updated in 2023), establishes requirements for criminal compliance management systems. It is the national reference standard for Article 31 bis CP models, equivalent in the criminal compliance domain to what ISO 27001 is for information security.
UNE 19601 is compatible with ISO 37301 (general compliance management system standard) and the anti-corruption standard ISO 37001.
What certification adds
UNE 19601 certification attests that the criminal compliance model has been audited by an independent third party and meets the standard’s requirements. Its practical effects are:
- Evidentiary effect in criminal proceedings: Certification does not automatically exonerate the company from liability, but it constitutes a relevant indication that the model is genuine. The Public Prosecutor and courts view it positively as a defence element
- Advantage in public tenders: An increasing number of public procurement contracts score or require UNE 19601 certification as a technical solvency criterion
- Better financing conditions: Some lenders and insurers treat certification as a positive factor in risk assessment
- Reputation: Certification is an external signal of commitment to corporate integrity, with value in international commercial relationships
What certification does not add
Certification is not an automatic guarantee of exoneration from criminal liability. The Supreme Court has recalled that what exonerates is the real and effective model, not the certificate. A company holding a UNE 19601 certificate whose model is in practice inoperative will not be exonerated.
Common errors in criminal compliance programmes
Generic template-based model. The most frequent error: acquiring a standard “compliance pack” without adapting it to the company’s specific activity, sector and structure. Courts detect this and view it negatively.
Theoretical risk map, not operational. Identifying risks in the abstract without linking them to processes, responsible persons and specific controls. A risk map that does not translate into real changes in processes does not meet the preventive function required by the Criminal Code.
Whistleblowing channel without real management. Implementing a mailbox or email address that nobody manages, that does not guarantee confidentiality, or that has no response protocol. An inactive or poorly managed channel is worse than no channel at all.
Compliance officer without real autonomy. Appointing as compliance officer the financial director, legal director or any person hierarchically subordinate to the person against whom they should exercise control functions. Lack of genuine autonomy invalidates the model.
Paper training. Recording training that is not delivered, or delivering generic training that does not address the specific risks of each area. Training must be specific, documented and evaluated.
Model without updating. Implementing the model and not reviewing it for years. Changes in activity, management team, corporate structure or regulation generate new risks that the original model does not cover.
How BMC can help
BMC’s criminal compliance team designs and implements crime prevention programmes adapted to the risk profile of each company. We coordinate the preparation of the criminal risk map, the implementation of the whistleblowing channel compliant with both Law 2/2023 and Article 31 bis CP, the drafting of the code of ethics and decision protocols, and the annual training programme.
Our service is available in integrated format — covering both criminal compliance and broader regulatory compliance — or as a standalone criminal compliance programme, depending on the company’s existing compliance structure.
Bárbara Botía Espín is a lawyer, member no. 11,233 of the Málaga Bar Association (ICAM), and a specialist in criminal compliance and corporate criminal liability at BMC.