How compliance exempts the company: Art. 31 bis 2 CP requirements

The fact that a company can be criminally convicted does not mean it is defenceless. Article 31 bis of the Spanish Criminal Code (CP) gives the legal person a route to be exempt from liability where an offence has been committed within it: by proving that it had an effective prevention programme in place and operating. Invoking it is not enough. The exemption is subject to strict, cumulative requirements, and this article explains what they are, how they differ from mere mitigation, and how the company's defence is built around them. For an overview of the liability regime — the two routes of Art. 31 bis and the catalogue of offences — see our analysis of corporate criminal liability; here we focus on the requirements of the exemption.

The Four Cumulative Requirements of Art. 31 bis 2 CP

Where the offence is committed by a representative, director or person with decision-making powers (the so-called "route a"), the legal person is exempt only if the four conditions of Art. 31 bis 2 CP concur together. The absence of a single one prevents full exemption:

• Prior and effective model. The management body must have adopted and effectively implemented, before the offence was committed, an organisation and management model with surveillance and control measures suitable to prevent offences of the same nature or significantly reduce their risk. Anteriority is non-negotiable: a model implemented after the notitia criminis does not exempt.
• Supervision by an autonomous body. The functioning and observance of the model must be entrusted to a body with autonomous initiative and control powers — the Compliance Officer or compliance committee — or to the body legally tasked with supervising internal controls.
• Fraudulent circumvention by the perpetrator. The individual perpetrators must have committed the offence by fraudulently circumventing the prevention model. The reproach thus shifts from the organisation to the individual deviation.
• No omission of supervision. There must have been no omission or insufficient exercise of the functions of supervision, surveillance and control by the compliance body.

What the Model Must Contain: Art. 31 bis 5 CP

The model's effectiveness is not an abstract concept. Art. 31 bis 5 CP lists the six content requirements every programme must meet to ground the exemption:

1. Criminal-risk map: identify the activities within which the offences to be prevented may be committed.
2. Protocols and procedures setting how the entity forms its decisions and how decisions are adopted and executed in risk areas.
3. Financial-resource management models adequate to prevent the identified offences.
4. Reporting obligation on possible risks and breaches to the body charged with overseeing the model (the whistleblowing channel).
5. Disciplinary system that adequately sanctions breaches of the model's measures.
6. Periodic verification of the model and its modification when relevant infringements are revealed or the organisation, the control structure or the activity changes.

The consolidated case law of the Supreme Court has stressed that these requirements are assessed by their real implementation, not by the existence of the document. As a technical benchmark of effectiveness, courts look to recognised standards such as UNE 19601 or ISO 37301, although certification alone does not guarantee the exemption.

Fraudulent Circumvention: the Decisive Element

Of the four requirements, fraudulent circumvention is often what decides the case. The law distinguishes two opposite scenarios:

• The offence was committed against the model: the perpetrator bypassed controls that worked, concealed information or falsified documents to evade the system. Here the failure is individual, not organisational, and the exemption may succeed.
• The offence was committed under cover of a gap in the model: the programme did not address the risk, the control did not operate, or the procedure was fictitious. The organisational defect then persists and there is no exemption.

Proving that the conduct was a deliberate, covert deviation — and not the foreseeable result of a weak programme — is one of the pillars of the company's defence.

When the Offence Is Committed by Senior Management (Art. 31 bis 4 CP)

The regime is modulated according to who the perpetrator is. If the offence is committed by a subordinate through a control failure (the "route b" of Art. 31 bis 1.b), Art. 31 bis 4 CP conditions the exemption on the company having, before the offence, adopted and effectively implemented a model adequate to prevent offences of that nature or significantly reduce their risk.

Where the perpetrator is a representative or senior officer (the "route a"), the exemption further requires proof that the supervisory body had a real capacity to control the person who committed the offence, which is markedly more demanding. In small legal persons — those allowed to file an abridged profit-and-loss account — the supervisory functions may be assumed directly by the management body, adapting the model to their size without sacrificing its effectiveness.

The Burden of Proof: a Balance Worth Knowing

Who must prove that the model worked? Recent Supreme Court doctrine, consolidated throughout 2025, requires the prosecution to establish the organisational defect as an element of the legal person's offence: the company does not start from a presumption of guilt it must dismantle. This rebalances the starting point, but does not dispense with mounting a defence. The evidence that the programme was implemented and operating (minutes of the supervisory body, training, whistleblowing-channel records, internal sanctions) lies with the company, and it is precisely what generates the reasonable doubt to be resolved in its favour. We have examined this shift in detail in a dedicated article on the burden of proof in compliance.

If the Exemption Does Not Apply: Mitigation

The exemption is the goal, but not the only defence. Art. 31 bis 2 CP itself provides that, where the circumstances of the exemption can only be proven in part, that circumstance is to be weighed to mitigate the penalty. Independently of this, Art. 31 quater CP sets out specific mitigating factors for the legal person:

• Confession of the infringement before learning that proceedings are directed against it.
• Cooperation in the investigation by providing new and decisive evidence.
• Repair or reduction of the harm caused.
• Implementation of effective measures to prevent and detect future offences.

Well argued, these factors can reduce the penalty by one or two degrees, which in serious offences makes the difference between a manageable fine and consequences that threaten the company's viability.

The Company's Defence: What We Do

When the legal person is summoned as investigated, the work is organised around proving the requirements of exemption:

1. Documentary snapshot with a certain date of the model in force at the time of the facts, to fix its anteriority against any later dispute.
2. Forensic audit of the model: review of compliance-committee minutes, training delivered, reports received and handled, risk assessments and controls applied to the specific area where the offence occurred.
3. Proof of the supervisory body's real autonomy: own budget, direct reporting to the board and precedents of the model being applied.
4. Evidence of fraudulent circumvention: reconstructing how the perpetrator evaded controls that worked.
5. Careful designation of the legal person's specific representative, who cannot be someone co-investigated for the same facts.

We work to ensure that your company's prevention model withstands judicial scrutiny and to prepare the legal person's defence once an investigation is already under way. You can read more about our approach on our page on extinguishing liability through effective compliance.