Criminal Compliance: the Corporate Shield Against Liability
Last updated:
listIn this article
lightbulbKey Takeaways
- check_circleCorporate criminal liability
- check_circleArt. 31 bis exemption
- check_circleProven effectiveness of the model
- check_circleWhistleblower channel
Quick answer
Since the 2010 and 2015 reforms, legal persons in Spain are criminally liable for offences committed in their name and benefit, with penalties ranging from severe fines to dissolution. Article 31 bis of the Criminal Code allows a company to be exempt if, before the offence, it adopted and effectively implemented a suitable organisation and control model. The Supreme Court requires ex ante suitability, proven effectiveness and autonomous oversight, and rejects merely cosmetic compliance.
Need help with your case? Talk to a criminal defense lawyer at Alonso Sala.
Since the 2010 reform of the Criminal Code, and with greater clarity after the 2015 reform, legal persons in Spain can be held criminally liable for offences committed in their name or on their behalf, and for their direct or indirect benefit. This means a company can be "convicted" and face penalties ranging from severe fines to disqualification from obtaining subsidies, the closure of premises, or even the dissolution of the company (the corporate "death penalty"). Criminal Compliance has stopped being a good-governance recommendation and has become a matter of legal survival.
Article 31 bis and the Exemption from Liability
The key lies in Article 31 bis of the Criminal Code. This provision establishes that the legal person will be exempt from liability if, before the offence was committed, it adopted and effectively implemented an organisation and management model that includes the surveillance and control measures suitable to prevent offences of the same nature or to significantly reduce the risk of their commission. In other words, Compliance is the only legal "shield" that can save a company from a criminal conviction.
warning Beware of "Fake Compliance"
The State Prosecutor's Office and the Supreme Court have been clear: the model must be real, effective and embedded in the corporate culture. A "paper compliance" programme will not work as a defence, and could even be counterproductive by showing awareness of the risk without a genuine intention to mitigate it.
Essential Elements of an Effective Model
For the Compliance programme to produce its exempting effect, it must meet strict requirements aligned with the UNE 19601 standard:
- Risk Map: a detailed analysis of the company's activities to identify where offences are likely to be committed (tax, fraud, data, money laundering, environmental).
- Whistleblower Channel: a secure and confidential system that allows employees and third parties to report irregularities.
- Disciplinary System: an internal sanctioning regime that punishes breaches of the prevention model.
- Compliance Officer: an autonomous supervisory body with powers of initiative and control.
The New Whistleblowing Act
With Law 2/2023, the whistleblower channel is no longer just a Compliance requirement but a legal obligation for every company with more than 50 employees. This channel must allow anonymous reports and guarantee the protection of the whistleblower against retaliation. Failing to have it operational carries substantial administrative fines, independent of any criminal liability. We implement channels that comply with both the criminal-law standard and data-protection and whistleblowing regulations.
Supreme Court Doctrine
The case law of the Supreme Court is the benchmark for the judicial assessment of compliance programmes. The Court requires three cumulative conditions for the model to operate as an exemption under Art. 31 bis CP:
- Ex ante suitability: the model must properly identify the real criminal risks of the activity and provide for proportionate controls.
- Proven effectiveness: documentary existence is not enough; training, audits, records of managed reports and disciplinary consequences actually applied must be evidenced.
- Autonomous supervision: the Compliance Officer must have functional independence, sufficient resources and direct reporting to the management body.
The Court expressly rejects so-called cosmetic compliance: copying templates, failing to update the risk map or failing to respond to internal alerts is equivalent to having no programme at all. It also confirms that the burden of proving effectiveness falls on the legal person, not on the prosecution.
Need a criminal defence lawyer?
If you are facing a criminal matter, our team of specialist lawyers can help. Contact us for a case evaluation.
gavelDo you need criminal defense in this area?
We are criminal defense lawyers specializing in criminal compliance. We act urgently to protect your rights.