Criminal Compliance for SMEs: A Practical Guide for Spanish Companies
Key Takeaways
- Genuine vs cosmetic compliance
- Five elements
- Supreme Court requirements
- Whistleblower channel (Law 2/2023)
Quick answer
Corporate criminal liability does not distinguish by size: a limited company with five employees can be investigated just like a listed one, and an SME often concentrates more risk because its internal controls are informal. A company that can show it had an effective prevention programme before the events may be exempt. The programme must be proportionate to its risks and rest on five elements: a risk map, protocols, a whistleblowing channel, documented training and real supervision.
Need help with your case? Talk to a criminal defense lawyer at Alonso Sala.
The 2015 reform of the Criminal Code made corporate criminal liability a reality for companies of every size. Even so, criminal compliance for SMEs is still seen as a luxury for large corporations.
What Genuine Compliance Looks Like for an SME
The Supreme Court has been clear: a paper programme — with no real training, no effective channel, no supervision — will NOT provide a criminal exemption. It must be shown that the programme was genuinely designed to prevent the offence, was implemented and was supervised.
In practice this means the programme must exist before the offence is committed, not after; it must address the risk that actually materialised; and the company must be able to prove all of it with documents, records and dates.
The Five Essential Elements
- Risk map: the criminal risks specific to your sector and size.
- Prevention protocols: rules for each identified risk.
- Whistleblower channel: mandatory for companies with more than 50 employees (Law 2/2023).
- Training: regular, documented, in risk areas.
- Supervision: a compliance officer with real authority.
Cost and Implementation
For an SME of 10-50 employees with no unusual risk: 4-8 weeks of implementation. The cost is minimal compared with the potential criminal exposure — fines that can amount to multiples of annual turnover.
Implementation typically follows the same sequence: risk assessment first, then drafting of protocols, then training and the whistleblower channel, and finally the supervision and review cycle. From that point on, maintaining the programme is a matter of periodic reviews and of keeping the documentation alive as the business changes.
How to Build Each Element
The five elements only work if they are tailored to the actual business. The risk map starts with interviews with the people who run day-to-day operations: who handles money, who deals with public administrations, who signs contracts. From there, each identified risk needs a written protocol short enough to be read and applied — a 200-page manual nobody opens is precisely the "paper programme" the courts dismiss.
The whistleblower channel must guarantee confidentiality and protect whoever reports from retaliation; for companies with more than 50 employees it is a legal obligation under Law 2/2023, but smaller firms benefit from it too, because it shows the programme is real. Training should be documented, with attendance records and materials kept on file: if an offence ever occurs, that file is the evidence that the company did its part. Finally, supervision requires someone — internal or external — with genuine autonomy and direct access to management.
What Happens If an Offence Occurs Anyway
No programme prevents every crime, and the law does not demand that it should. What it demands is that the offence happened despite a serious prevention effort, with the individual offender fraudulently circumventing the controls. A company that can document its risk map, protocols, training and supervision is in a position to argue full exemption from criminal liability; one that cannot may still seek a mitigation of the penalty. The difference between those outcomes — and a conviction with fines that can reach multiples of annual turnover — is decided by the paperwork generated long before any investigation begins.
Common Mistakes in SME Compliance
The errors seen most often: buying a generic template that does not even mention the company's actual activity; appointing a compliance officer with no time, budget or authority; setting up a whistleblower channel that nobody knows exists; and never reviewing the programme after the initial implementation. A programme that has not been updated as the business changed is easy for a prosecutor to characterise as cosmetic.
Need a criminal defence lawyer?
If you are facing a criminal matter, our team of specialist lawyers can help. Contact us for a case evaluation.