Criminal Compliance: Protect Your Company from Criminal Liability
Corporate criminal compliance programmes to exempt or mitigate the criminal liability of legal entities under Article 31 bis of the Spanish Criminal Code.
Does this apply to your business?
Does your company have a criminal compliance programme that genuinely meets the exemption conditions of Article 31 bis of the Spanish Criminal Code?
Is your whistleblowing channel compliant with Law 2/2023 — confidential, accessible, and actively managed?
When did your criminal risk map last incorporate changes in your business model, new geographies, or new regulatory requirements?
If a director or senior employee committed a criminal offence tomorrow, would your company's documented controls support a credible defence?
Our criminal compliance programme design process
Criminal risk map
We identify the corporate offences most at risk of being committed within the company (fraud, corruption, money laundering, tax crimes, environmental offences, etc.) and assess the probability and impact of each.
Programme design
We draft the code of ethics, compliance policies, control procedures, whistleblowing channel, and the compliance governance structure (Compliance Body).
Implementation & training
We roll out the programme across the organisation, train employees and managers, and communicate the company's values and commitments effectively.
Audits & updates
We conduct periodic programme effectiveness audits, update the risk map in response to business or regulatory changes, and prepare documentation for a potential criminal defence.
The challenge
Since the 2015 Criminal Code reform, legal entities can be criminally liable for offences committed by their directors or employees. A conviction can mean multi-million fines, company dissolution, disqualification, or temporary closure. Without a properly implemented and documented criminal compliance programme, the company has no defence mechanisms.
Our solution
We design and implement criminal compliance programmes that meet the requirements of Article 31 bis of the Spanish Criminal Code and the guidelines of the Attorney General's Office. Our model identifies criminal risk areas for your company, establishes preventive controls, and creates the culture of compliance needed to exempt or mitigate criminal liability.
Corporate criminal liability in Spain was introduced by Organic Law 5/2010, which reformed Article 31 bis of the Spanish Criminal Code (Código Penal) to establish that legal entities can be directly held criminally liable for a catalogue of offences — including corruption, money laundering, tax fraud, environmental crimes, and cybercrime — when committed by their directors, employees, or representatives acting on the company's behalf. A company can exonerate itself from criminal liability, or significantly mitigate sanctions, by demonstrating that it had an adequate criminal compliance programme in place before the offence occurred, meeting the requirements validated by the Supreme Court and the standards of UNE 19601 and ISO 37001. Sanctions for convicted companies include unlimited fines, dissolution, disqualification from public contracts, and temporary or permanent closure.
Our criminal compliance team combines criminal law specialists and corporate governance experts to design programmes that are genuinely effective: not shelf documents, but living tools for prevention and defence.
Corporate Criminal Liability: A Risk Most Directors Have Not Fully Assessed
The 2015 reform of Spain’s Criminal Code fundamentally changed the legal landscape for companies. Legal entities can now be criminally convicted for offences committed by their directors, managers, or employees acting on behalf of the company. The sanctions are severe: fines up to five times the criminal benefit obtained, dissolution of the company, suspension of activities for up to five years, disqualification from public procurement, and court-ordered closure. For companies with public contracts or regulated licences, a criminal conviction is existential.
The reform also created the path to exemption. Under Article 31 bis, a company can be exempt from criminal liability — or have it significantly mitigated — if it had an effective compliance programme in place before the offence was committed, and the offence was carried out by fraudulently circumventing the controls. The burden of proof on the programme’s adequacy falls on the company. This is where the quality of the documentation, the governance structure, and the evidence of implementation become legally decisive.
What Separates an Effective Programme from a Paper Exercise
The Supreme Court and the Attorney General’s Office have been explicit: a compliance programme that exists as a document but is not implemented, monitored, and enforced is not a valid exemption. Courts examine whether the Compliance Body had genuine autonomy and resources, whether the whistleblowing channel was accessible and its reports were investigated, whether employees received meaningful (not tick-box) training, and whether the controls identified in the risk map were actually operating.
Our programmes are built for effectiveness first and documentation second. The criminal risk map is not a generic list of offences: it is a specific analysis of how each offence could plausibly be committed in your company’s operations, by which roles, and through which processes. The controls are designed to interrupt those pathways, not merely to reference them. Training is role-specific: the procurement team understands bribery risk; the finance team understands tax-fraud and financial-statement fraud risk; management understands director-liability exposure.
The Whistleblowing Channel Under Law 2/2023
Spain’s transposition of the EU Whistleblowing Directive created mandatory requirements that go significantly beyond the Criminal Code’s compliance channel. Companies with 50 or more employees must have a confidential reporting channel that is accessible to both internal and external reporters, that protects against retaliation, and that manages investigations within defined timelines. The channel must be managed by a designated independent function — which for most SMEs means an outsourced provider. Non-compliance with Law 2/2023 attracts its own administrative sanctions, independent of any criminal compliance issue.
We design and operate whistleblowing channels that meet both the Criminal Code and Law 2/2023 requirements, with documented investigation procedures, response timelines, and reporting to the Compliance Body.
Criminal Compliance in Corporate Transactions
When a company is acquired, the buyer inherits its criminal compliance programme — or the absence of one. As part of due diligence, we assess the adequacy of the target’s programme, identify the gap between the documented controls and their actual implementation, and advise on the post-closing remediation plan. For transactions where the target operates in high-risk sectors (construction, infrastructure, public procurement, financial services), criminal compliance due diligence is not optional.
Offences Attributable to Legal Entities Under Article 31 bis of the Criminal Code
Article 31 bis of the Spanish Criminal Code does not attribute criminal liability to legal entities for every offence committed within the company, but only for those offence types in which the legislature has expressly provided for corporate liability. The catalogue is broad and expanding. The offences with the greatest practical relevance for the Spanish business environment include:
Tax fraud and Social Security offences (Articles 305-310 bis and 307-307 ter of the Criminal Code). Tax fraud exceeding EUR 120,000 per tax year, wrongful obtainment of refunds or tax credits, and Social Security fraud are among the offence types with the highest corporate exposure. Article 310 bis expressly extends liability to legal entities. A robust tax compliance programme, aligned with the AEAT’s guidelines on tax compliance, significantly reduces this risk.
Money laundering (Articles 301-304 of the Criminal Code). Money laundering is one of the offences that most frequently gives rise to criminal proceedings against legal entities, particularly in sectors such as real estate, financial services, and professional advisory. The criminal compliance programme must be coordinated with the Anti-Money Laundering Programme (AMLD) required by Law 10/2010, so that the two operate as integrated documents rather than separate systems.
Bribery and corruption between private parties (Articles 419-427 bis and 286 bis of the Criminal Code). Active and passive bribery, corruption in international commercial transactions (relevant for companies with export activity or foreign subsidiaries), and private-sector corruption generate direct corporate liability. The US Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act can apply extraterritorially to Spanish companies with activity in those markets.
Environmental offences (Articles 325-331 of the Criminal Code). Companies in industrial, energy, agri-food, and waste management sectors face significant exposure to criminal environmental offences, including serious contamination of soil, water, or air and the unlawful management of hazardous waste. Sanctions can include temporary or permanent closure of facilities.
Cybercrime (Articles 197 bis-197 ter of the Criminal Code). Unauthorised access to computer systems, interception of communications, and computer damage can be attributed to the legal entity when committed on its behalf or for its benefit. The proliferation of remote working and technology outsourcing has substantially expanded the risk surface in this area.
Requirements for an Effective Criminal Compliance Programme
The Attorney General’s Circular 1/2016 is the most relevant interpretive reference for assessing the effectiveness of a criminal compliance programme. It establishes that the programme must be genuinely effective and not merely formal. The following elements are indispensable:
Criminal risk map (risk assessment). The starting point is a specific criminal risk map that identifies the Article 31 bis catalogue offences with the highest probability and impact for the specific company, taking into account its sector, business model, corporate structure, markets, and counterparty profile. The risk assessment is not a static document: it must be updated following significant changes in the business or regulatory environment.
Ethics code and internal policies. The corporate ethics code translates the company’s values into enforceable conduct standards, complemented by specific policies: anti-corruption, gifts and entertainment, conflicts of interest, relationships with public administration, and donations and sponsorships. These documents must be known and formally accepted by all employees and directors.
Whistleblowing channel (Law 2/2023). The whistleblowing channel must guarantee confidentiality or anonymity, independence in management, acknowledgement of receipt within 7 calendar days, resolution within a maximum of 3 months, and effective protection for reporters against retaliation.
Compliance body: composition, independence, and resources. Article 31 bis requires supervision of the programme to be entrusted to a body with autonomous powers of initiative and control. Circular 1/2016 underlines that lack of genuine autonomy of the compliance body is a serious defect that undermines the programme’s exonerating effect.
Periodic review and continuous improvement. The Supreme Court’s case law emphasises genuine effectiveness over time. Periodic efficacy audits — at least annually — verify that controls are working, the risk map remains valid, and personnel are effectively applying the procedures. Audits must be documented so that they can be produced as evidence in potential criminal proceedings.
We support companies seeking certification under UNE 19601, Spain’s technical standard for criminal compliance management systems — compatible with ISO 37301. Certification by an accredited body adds a layer of programme credibility before prosecutors and courts.
Real results in corporate criminal compliance
A competitor in our sector was prosecuted and convicted under Article 31 bis. We called BMC the same week. Within 60 days they had delivered a complete criminal compliance programme: risk map, code of ethics, whistleblowing channel, and a trained Compliance Committee. The peace of mind for our board is worth every euro.
What our criminal compliance service includes
Criminal Risk Mapping
Structured identification of all corporate offences relevant to the company's sector and activities, with probability and impact assessment and a prioritised controls agenda.
Programme Documentation
Drafting of the code of ethics, specific compliance policies, internal control procedures, and the disciplinary regime, all aligned with the Attorney General's guidelines and UNE 19601.
Whistleblowing Channel
Design and implementation of a confidential, accessible internal reporting channel compliant with Law 2/2023, with management procedures, investigation protocols, and non-retaliation guarantees.
Compliance Body
Structuring of the autonomous Compliance Body or Compliance Officer role, including terms of reference, reporting lines, and audit authority.
Periodic Audits & Effectiveness Reviews
Independent annual programme effectiveness assessments, risk map updates, and formal opinions that can be used as evidence in criminal proceedings.
Start with a free diagnostic
Our team of specialists, with deep knowledge of the Spanish and European market, will guide you from day one.