
Internal Corporate Investigations Defence Lawyers
External, independent direction of internal corporate investigations with a guarantor protocol and shielding of attorney-client privilege.
Last updated:
The internal corporate investigation is the procedure by which the company clarifies, before or during a criminal process, potentially criminal acts committed within it. It is a central piece of modern criminal compliance and, well executed, the queen of evidence for the exemption under Art. 31 bis 2 CP. Poorly executed, however, it can become the best evidence against the company and its officers.
When an Internal Investigation Is Activated
The protocol is triggered by a whistleblowing-channel report, an audit or internal-control alert, a finding during due diligence (typically in an acquisition) or a requirement from a public authority. Article 31 bis 5 CP requires the compliance model to impose an obligation to report and investigate irregularities, so failing to act when there are reasonable indications of an offence directly compromises the company's criminal exemption. The decision to open the investigation, and its precise scope, must be documented from the very first moment.
Structure of the Guarantor Protocol
A guarantor protocol requires: (1) appointment of an external investigator independent —ideally a criminal law firm—, with written mandate defining scope, deadlines and duty to report to the Compliance Committee; (2) investigation plan identifying hypotheses, documentary sources and witnesses; (3) digital evidence custody (e-discovery) with impeccable forensic chain of custody; (4) formal interviews with prior information to the employee about their status, the subject matter and their right to legal assistance and not to self-incriminate; (5) final report with findings, legal assessment and recommendations for internal measures and, where appropriate, external reporting.
Attorney-Client Privilege
Professional secrecy is the backbone of internal investigation. Communications between the company and the firm directing it, as well as drafts, notes and conclusions, are protected by professional secrecy and are unseizable even through judicial search, provided that: (a) there is prior written mandate, (b) the firm acts as lawyer and not as mere auditor, (c) documents are identified as subject to privilege, and (d) chain of custody is observed. STS 79/2012 and subsequent rulings have confirmed this shielding, aligned with the CJEU case law on attorney-client privilege and in-house lawyers.
Rights of the Investigated Employee
An investigation that tramples the employee's rights is worthless —or counterproductive— as evidence. The worker must be informed of their status and of the subject matter, may be assisted by a lawyer and cannot be compelled to self-incriminate. Access to corporate devices and accounts is only lawful where there are clear prior policies, a legitimate purpose and strict proportionality: STC 119/2022 and the European Court of Human Rights case law on employer monitoring of employee communications set firm limits on monitoring personal communications. Any disciplinary measure, including dismissal, requires proven cause and respect for these guarantees; a premature dismissal can generate labour nullity and undermine the credibility of the whole investigation.
Delivery to the Prosecutor and Penalty Mitigation
The findings are not necessarily handed over in full: a selective and well-timed delivery, accompanied by the internal measures adopted, operates as a highly qualified mitigating factor under Art. 31 quater CP and can yield one or two degrees of penalty reduction for the legal entity, occasionally approaching a partial exemption. Material evidence (emails, contracts, accounting) remains judicially seizable if reached through independent channels, but the firm's privileged work product stays protected. Deciding what to communicate, when and in what format —ideally within a prior cooperation framework agreed with the Prosecutor— is the most delicate strategic call of the entire process.
The requirements of an effective compliance model (Art. 31 bis 5 CP)
An internal investigation does not operate in a vacuum: it is the piece that closes the loop of a serious crime-prevention model. Article 31 bis 5 of the Spanish Criminal Code lists the requirements that such a model must meet in order to exempt or mitigate the criminal liability of the legal entity. First, it must identify the activities in whose scope the offences to be prevented could be committed, that is, an honest risk map specific to the sector and to the company's actual operations, not a generic template downloaded from the internet.
Building on that map, the model establishes protocols that set out how the legal entity forms its will, adopts decisions and executes them; it provides financial-resource management models suited to preventing the commission of the relevant offences; it imposes the duty to report possible risks and breaches to the body charged with monitoring the model; and it provides for a disciplinary system that adequately sanctions failures to comply with the measures the model establishes.
The final requirement is decisive and often neglected: the model must undergo periodic verification and be amended when relevant breaches come to light or when there are changes in the organization, in the control structure or in the activity carried out. A well-designed internal-investigation protocol feeds precisely that verification: every inquiry that ends in findings should translate into a review of the risk map and of the controls that failed. Without that documented feedback loop, the model becomes a dead paper that will hardly convince a court of its effectiveness.
The autonomous oversight body and the burden of proving the exemption
Article 31 bis 2 CP conditions the exemption on supervision of the model's operation and compliance having been entrusted to a body of the legal entity with autonomous powers of initiative and control. That autonomy is the key: the compliance officer or oversight body cannot depend functionally on those who execute the business decisions it is meant to monitor, nor lack budget, access to information or the ability to escalate its conclusions directly to the top management body. When the internal investigation is conducted or supervised by that body, its independence reinforces the credibility of the findings.
Autonomy is not merely a formal feature of the organisational chart; it is proven by facts: provision of resources, freedom to open inquiries without prior authorisation from the line being investigated, and the absence of retaliation against the person who performs the function. In small legal entities, Article 31 bis 3 CP allows the supervisory functions to be assumed directly by the management body, a concession to the reality of small firms that does not lower the model's remaining requirements.
It is worth bearing in mind where the burden of proof lies. The existence and effectiveness of the organisation and management model, and its effective adoption and execution before the offence was committed, operate as a circumstance that exempts or mitigates, and it falls to the legal entity to establish this in the proceedings. Hence the importance of documenting everything: the implementation date, the periodic verifications, the minutes of the oversight body and, very particularly, the internal investigations processed. A well-conducted, well-archived inquiry is not only risk management: it is exculpatory evidence.
The whistleblowing channel and Law 2/2023 on whistleblower protection
The fourth requirement of Article 31 bis 5 CP —the duty to report risks and breaches to the oversight body— is implemented in practice through an operational whistleblowing channel, now reinforced by Law 2/2023, of 20 February, regulating the protection of persons who report regulatory breaches and the fight against corruption, which transposes Directive (EU) 2019/1937. That law requires an Internal Information System for companies with fifty or more employees and, regardless of headcount, for private-sector entities within the scope of EU acts on financial services and markets, anti-money-laundering and certain regulated matters.
The system must allow confidential —and even anonymous— communications and guarantee the reporting person's protection against retaliation, as well as sound practices for following up and investigating what is reported. Most internal investigations arise precisely from a report received through this channel, so the inquiry protocol and the regulations of the Internal Information System must be coordinated: response deadlines, appointment of a system manager, a record of the actions taken and confidentiality rules consistent with data protection.
Failing to have the system when one is obliged to is not harmless: it may constitute an administrative infringement carrying substantial fines, and it weakens the company's position when invoking the effectiveness of its prevention model. A channel that receives reports but does not investigate them rigorously, or that leaks the reporter's identity, is worse than having none, because it evidences apparent compliance and discourages future internal alerts.
When the legal entity is investigated: status, Art. 33.7 penalties and Art. 130.2 succession
If the internal inquiry reveals an offence attributable to the organisation, the company may shift from investigator to investigated party. Its criminal liability is autonomous from that of the natural person: under Article 31 ter CP, the legal entity is liable even where the specific responsible individual has not been identified or where proceedings could not be directed against them. As a defendant, the entity enjoys its own status as an investigated party, with the right of defence, to appoint counsel and not to incriminate itself; its legal representatives in the proceedings should not be the same individuals personally charged with the same facts, to avoid a conflict of interest that would taint the defence.
The catalogue of penalties applicable to the legal entity is set out in Article 33.7 CP: a fine by quotas or proportional, dissolution, suspension of activities, closure of premises and establishments, a prohibition on carrying out certain activities in the future, disqualification from obtaining grants and public aid, from contracting with the public sector or from enjoying tax or social-security benefits, and judicial intervention. These are consequences specific to the entity, distinct from those imposed on the natural person; for that reason the penalty or limitation scheme of each offence cannot be transferred to the legal entity as though it were liable in the same way as an individual.
Two further cautions guide strategy. The criminal liability of the legal entity is not extinguished by its transformation, merger, absorption or spin-off: under Article 130.2 CP, it passes to the resulting entity, which makes criminal due diligence an essential part of any M&A transaction. And, where the facts are recognised, the legal entity may reach its own plea agreement, separate from that of the other defendants. Cooperation —including providing the internal investigation and reporting to the authorities— may operate as a mitigating factor under the terms of Article 31 quater CP, but the decision to report requires weighing with counsel the scope of the findings and the risks before taking the step.
Penalties & Consequences: Internal Corporate Investigations Defence Lawyers
| Type / Scenario | Criminal Penalty |
|---|---|
| Highly qualified mitigation (Art. 31 quater CP) | Confession, cooperation, reparation and measures implementation may yield 1 or 2 degrees of penalty reduction for the legal entity. |
| Effective compliance exemption (Art. 31 bis 2 CP) | The internal investigation is key evidence to establish the real functioning of the program and the fraudulent circumvention by the author. |
| Risk of additional imputation | A poorly documented investigation or one violating rights may be used as evidence against the investigating officers. |
* Penalties shown are indicative. The actual penalty depends on case circumstances, applicable mitigating and aggravating factors.
Defense Strategy: Internal Corporate Investigations Defence Lawyers
Triple Defensive Layer
Criminal lawyer mandate (privilege) + technical forensic support (e-discovery) + legal assistance to the employee. Solid in any trial.
Internal Report / Prosecutor Report Bifurcation
Two reports with different detail levels: a complete one for the client, a refined one for delivery to the Prosecutor.
Cooperation Framework Agreement
Prior negotiation with the Prosecutor of cooperation scope in exchange for guarantees on penalty treatment (cooperation agreement).
Economic Criminal Law in Spain: Tax Fraud, Money Laundering and Corporate Crimes
Economic criminal law encompasses the most severe financial penalties in the Spanish Criminal Code. Tax fraud over €120,000 (Art. 305 CP), money laundering (Art. 301 CP), and corporate crimes (Art. 290-297 CP) are complex offenses where defense requires a combination of criminal law expertise and deep accounting/financial knowledge.
Penalty Comparison: Economic Offenses
| Offense | Threshold | Penalty |
|---|---|---|
| Tax Fraud (Art. 305) | >€120,000 | 1 – 5 years + fine x6 |
| Aggravated Tax Fraud | >€600,000 | 2 – 6 years |
| Money Laundering (Art. 301) | Any amount | 6 months – 6 years |
| Aggravated Laundering | Organized/financial system | Up to 9 years |
| Corporate Crime (Art. 290) | Balance sheet falsification | 1 – 3 years |
| Punishable Insolvency (Art. 259) | Fraudulent bankruptcy | 1 – 4 years |
Key Defense Strategies
Tax Regularization Defense (Art. 305.4 CP)
Pay the full tax debt before charges are formally filed and the crime is extinguished. This is the most powerful complete defense in tax fraud cases.
Challenge the €120K Threshold
The tax authority's calculation method is often contestable. Independent forensic accounting can challenge the assessed figure below the criminal threshold.
Money Laundering 'Self-laundering' Issues
Spanish courts have debated whether the primary offender can also be convicted of laundering their own proceeds. Challenge the double jeopardy implications.
Corporate Crime: Harm to Company vs. Shareholders
Art. 295 corporate crimes require actual financial harm to the company or its members. Demonstrate that any loss was speculative or absent.
Why Choose Us?
Need a criminal defense lawyer for this type of offense? Here's how we work:
Do you need specialised legal assistance?
The judicial system is complex. We have the criminal-law specialisation and technical resources required to take on the defence.